![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 69%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERT%3C/text%3E%3C/svg%3E)
Azure Network Watcher
An Azure service that is used to monitor, diagnose, and gain insights into network performance and health.
161 questions
Hello @Rahul Tyagi ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know if you can use network watcher to verify connectivity to service tags.
NOTE: AzureKubernetesService is not a valid service tag.
For the list of service tags, please refer: https://video2.skills-academy.com/en-us/azure/virtual-network/service-tags-overview
First, I would like to share some details about Service tags:
- A service tag represents a group of IP address prefixes from a given Azure service.
- You can use service tags to define network access controls on network security groups, Azure Firewall, and user-defined routes.
- You can use service tags to achieve network isolation and protect your Azure resources from the general Internet while accessing Azure services that have public endpoints.
- Also, we don't recommend allowing traffic from all Azure IPs since IPs used by other Azure customers are included as part of the service tag.
Now, if certain service tags are allowed/denied in the NSGs associated to your VMs/NICs, then you can use "NSG Diagnostics" tool in Azure Network Watcher to verify if network traffic is allowed or denied to the service tags in your Azure Virtual Network along with detailed information for debugging.
If there are no NSGs associated to the VM/NIC, then it will either allow all traffic or none depending upon the Public IP SKU associated to it.
- If the VM has a Basic SKU Public IP and no NSGs associated to it's NIC/subnet, then it is open by default. All traffic is allowed. Provided the VM's OS Firewall is also allowing the traffic.
- If the VM has a Standard SKU Public IP and no NSGs associated to it's NIC/subnet, then it uses secure by default model and will be closed to inbound traffic when used as a frontend. Network security group (NSG) is required to allow traffic.
Refer: https://video2.skills-academy.com/en-us/azure/virtual-network/ip-services/public-ip-addresses#sku
https://video2.skills-academy.com/en-us/azure/virtual-network/network-security-group-how-it-works
If you are looking to include the service tags in your on-premises Firewall, then you can obtain the information programmatically or via a JSON file download as described in the doc below:
Azure Network watcher "Connection monitor" tool only allows the below source or destination endpoints:
Azure VMs/ scale sets, on-premises agents, URLs, and IP addresses.
Even the connection troubleshoot feature of Network Watcher provides the capability to check a direct TCP connection from a virtual machine to a virtual machine (VM), fully qualified domain name (FQDN), URI, or IPv4 address.
Refer: https://video2.skills-academy.com/en-us/azure/network-watcher/network-watcher-connectivity-overview
So, apart from "NSG Diagnostics" tool mentioned above, there is no other feature/tool that can test connectivity or verify reachability to a service tag.
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.