Streamlining Azure Network Watcher Configuration with Terraform

Streamlining Azure Network Watcher Configuration with Terraform: A Step-by-Step Guide

Introduction

Azure Network Watcher is a crucial tool for monitoring and diagnosing network issues in Azure IaaS environments. In this blog post, I'll guide you through the process of streamlining its configuration with Terraform, allowing you to manage Network Watcher within your Infrastructure-as-Code (IaC) strategy for a more efficient and automated Azure setup.

What is Azure Network Watcher?

Azure Network Watcher provides a suite of tools to monitor, diagnose, view metrics, and enable or disable logs for Azure IaaS (Infrastructure-as-a-Service) resources. It lets you monitor and repair the network health of IaaS products such as virtual machines (VMs), virtual networks (VNets), application gateways and load balancers. Azure Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. For instance, if you're experiencing connectivity issues with a virtual network, Azure Network Watcher can help identify the root cause.
For more information, check out the Azure documentation about Network Watcher.

For web application monitoring, use other techniques such as Application Insights or Azure Monitor. Find a good starting point here.

Automatic creation of Network Watcher

When you create or update a virtual network in your subscription, Network Watcher is automatically enabled in your virtual network's region. This is the default behavior for every Azure subscription. Automatic creation of Network Watcher can lead to unexpected resources being deployed in your Azure subscription, potentially impacting governance. By managing this process through Infrastructure-as-Code (IaC), you maintain control over resource deployment, ensuring consistency and compliance across multiple environments.
Network Watcher is available in nearly every Azure region, as you can see here.

Disable automatic creation for Terraform

Ideally, when working with Infrastructure-as-Code, you want to manage everything inside your code base. As seen above, by default automatic creation of Network Watcher is enabled for every region in every subscription.

There are different ways to disable the automatic creation so that everything can be managed in your IaC code base, but we will focus on two of them:

  1. Disable via Azure CLI

     # Register the "DisableNetworkWatcherAutocreation" feature.
     az feature register --name 'DisableNetworkWatcherAutocreation' --namespace 'Microsoft.Network'
    
     # Register the "Microsoft.Network" resource provider.
     az provider register --name 'Microsoft.Network'
    
  2. Disable via Terraform with the azapi provider. As shown above, we have to register a new feature and then register the Microsoft.Network resource provider again for the change to take effect.
    See the example code below for how to do this in Terraform for one subscription.

     # Register the "DisableNetworkWatcherAutocreation" feature for the subscription.
     resource "azapi_resource_action" "disable_nw_watcher" {
       type        = "Microsoft.Network/features@2021-07-01"
       resource_id = "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Features/providers/Microsoft.Network/features/DisableNetworkWatcherAutocreation"
       action      = "register"
       method      = "POST"
     }

     # Re-register the Microsoft.Network resource provider so the feature takes effect.
     resource "azapi_resource_action" "register_network_provider" {
       type        = "Microsoft.Resources/providers@2021-04-01"
       resource_id = "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Network"
       action      = "register"
       method      = "POST"

       # Provider registration must run after the feature registration.
       depends_on = [azapi_resource_action.disable_nw_watcher]
     }


    If you have multiple subscriptions, do not forget to configure this for every Azure subscription in your tenant that you want to manage via IaC/Terraform.

    💡
    Opting-out of Network Watcher automatic enablement is a permanent change. Once you opt out, you cannot opt in without contacting Azure Support!
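To apply the opt-out to several subscriptions without copying the two blocks per subscription, both actions can be driven by a for_each over a set of subscription IDs. This is an added example and not code from the original post; the variable name is my own and the subscription IDs are placeholders.

```hcl
# Added example: register the opt-out feature in every listed subscription.
# The subscription IDs below are placeholders; replace them with your own.
variable "subscription_ids" {
  description = "Subscriptions whose Network Watcher auto-creation should be disabled"
  type        = set(string)
  default = [
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002",
  ]
}

# One feature registration per subscription (same type/resource_id pattern as above).
resource "azapi_resource_action" "disable_nw_watcher" {
  for_each    = var.subscription_ids
  type        = "Microsoft.Network/features@2021-07-01"
  resource_id = "/subscriptions/${each.value}/providers/Microsoft.Features/providers/Microsoft.Network/features/DisableNetworkWatcherAutocreation"
  action      = "register"
  method      = "POST"
}

# The Microsoft.Network provider must be re-registered in each subscription
# after the feature is registered, otherwise the opt-out does not take effect.
resource "azapi_resource_action" "register_network_provider" {
  for_each    = var.subscription_ids
  type        = "Microsoft.Resources/providers@2021-04-01"
  resource_id = "/subscriptions/${each.value}/providers/Microsoft.Network"
  action      = "register"
  method      = "POST"

  depends_on = [azapi_resource_action.disable_nw_watcher]
}
```

Because the opt-out is permanent, review the set of subscriptions in the terraform plan output before applying.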

How to manage Network Watcher inside of Terraform

After disabling the automatic creation of Network Watcher, you should manage it inside your Terraform code. There is a dedicated resource for this, as you can see in the provider documentation.
Below is a stripped-down example where we create a resource group with the well-known name "NetworkWatcherRG", which is also used by the automatic creation (but you could use any other name here), and then add the Network Watcher resource.

# Input variables referenced by the resources below.
variable "location" {
  type = string
}

variable "tags" {
  type    = map(string)
  default = {}
}

# Resource group using the same name the automatic creation would use.
resource "azurerm_resource_group" "main" {
  name     = "NetworkWatcherRG"
  location = var.location
  tags     = var.tags
}

# Network Watcher is regional, so the name carries the region.
resource "azurerm_network_watcher" "main" {
  name                = "NetworkWatcher_${var.location}"
  location            = var.location
  # The resource group has no count/for_each, so it is referenced without an index.
  resource_group_name = azurerm_resource_group.main.name
  tags                = var.tags

  lifecycle {
    ignore_changes = [tags]
  }
}

💡
We have seen in our tests that sometimes there are problems with the "tags" property on Network Watcher after the initial creation, and that's why we have added them to 'ignore_changes'.
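Since Network Watcher is a regional service, environments with virtual networks in several regions need one watcher per region. The following is an added example, not code from the original post, that keeps the single NetworkWatcherRG but creates a watcher for every region in a set; the variable names and the region values are my own constructed sample values.

```hcl
# Added example: one Network Watcher per region in a single resource group,
# mirroring what the automatic creation would have produced.
variable "locations" {
  description = "Regions that host VNets and therefore need a Network Watcher"
  type        = set(string)
  default     = ["westeurope", "northeurope"] # constructed sample values
}

variable "tags" {
  type    = map(string)
  default = {}
}

# The resource group itself needs exactly one home region; the first region
# of the (sorted) set is used so the choice is deterministic across runs.
resource "azurerm_resource_group" "network_watcher" {
  name     = "NetworkWatcherRG"
  location = tolist(var.locations)[0]
  tags     = var.tags
}

# One watcher per region, named like the auto-created ones.
resource "azurerm_network_watcher" "per_region" {
  for_each            = var.locations
  name                = "NetworkWatcher_${each.value}"
  location            = each.value
  resource_group_name = azurerm_resource_group.network_watcher.name
  tags                = var.tags

  lifecycle {
    # Same workaround as above for tag drift after initial creation.
    ignore_changes = [tags]
  }
}
```

Adding a region to the set creates the missing watcher on the next apply, and removing one destroys it, so the set doubles as the inventory of regions that are allowed to host VNets.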

I hope that this information was useful and will help you automate your cloud environment a little bit more. Stay tuned for more blog posts in the future. If you want to learn more and stay up to date, follow me on LinkedIn or follow my blog.