Ensure that Network Watcher is 'Enabled'

Enable Network Watcher for Azure subscriptions. Network diagnostic and visualization tools available with Network Watcher help users understand, diagnose, and gain insights to the network in Azure.

Risk Level: Low
Cloud Entity: Azure Network Watcher
CloudGuard Rule ID: D9.AZU.NET.28
Covered by Spectral: Yes
Category: Networking & Content Delivery


List<NetworkWatcher> should have items


From Portal

  1. Go to 'Network Watcher' from Azure Management console.
  2. Click on Add.
  3. Select your Azure subscription and select the region that you want to enable Azure Network Watcher for.

From TF
To enable network watcher for any location

resource "azurerm_network_watcher" "example" {
	name                = "NAME"
	resource_group_name = "RESOURCEGROUP"
	location            = "LOCATION"

From Command Line

az network watcher configure --resource-group RESOURCEGROUP --locations LOCATION --enabled


  1. https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-create
  2. https://learn.microsoft.com/en-us/azure/developer/terraform/create-network-watcher-nsg-flow-logs
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_watcher

Azure Network Watcher

Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network.

Compliance Frameworks

  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset
  • Microsoft Cloud Security Benchmark