
Why is the Network Watcher on Azure not destroyed by Terraform?

I have a simple Terraform configuration to create an Azure virtual network. When I do plan and then apply, a virtual network is created inside of a resource group as expected. But in addition to this resource group, there is one more created by the name NetworkWatcherRG, and inside of it I see a network watcher.

[Image: Azure Resource Groups]

And the network watcher.

[Image: Azure network watcher]

Now when I run the Terraform destroy command, I expect that everything is cleaned up and all the resource groups are destroyed. But instead, everything except for the NetworkWatcherRG and the Network Watcher inside of it is destroyed.

Looks like the Network Watcher, along with its resource group, is NOT managed by Terraform. What am I missing?

The network watcher is not immediately obvious. It's not revealed immediately. So to see it, you need to go to the simplified view of the resource groups. You need to click the Refresh button at least 5 times (each time with a 2 second gap), or you have to wait for a long time and then click Refresh.

So what is this network watcher? Is Azure creating it by itself, and is it not managed by Terraform?

[Image: Resource Groups Simplified View]

My Terraform configuration file is as follows.

# Terraform settings block
terraform {
  required_version = ">= 1.0.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 2.0"
    }
  }
}

# Provider block
provider "azurerm" {
  features {}
}

# Create the virtual network
resource "azurerm_virtual_network" "myvnet" {
  name                = "vivek-1-vnet"
  address_space       = ["10.0.0.0/16"] # This is a list (square brackets); curly braces would make it a map. The CIDR is a placeholder, the posted value was blank.
  location            = azurerm_resource_group.myrg.location
  resource_group_name = azurerm_resource_group.myrg.name # Reference filled in; the posted line had no value.
  tags = { # This is a map (curly braces)
    "name" = "vivek-1-vnet"
  }
}

# Resource-1: Azure resource group
resource "azurerm_resource_group" "myrg" {
  name     = "vivek-vnet-rg"
  location = var.resource_group_location
}

variable "resource_group_location" {
  default     = "centralindia"
  description = "Location of the resource group."
}

And finally the commands I use are as follows.

terraform fmt

terraform init

terraform validate

terraform plan -out main.tfplan

terraform apply main.tfplan

terraform plan -destroy -out main.destroy.tfplan

terraform apply main.destroy.tfplan


  • Before applying the Terraform code I checked my resource groups; there was a Network Watcher resource group for me, because by default this resource group is created on the Azure side.


    As Mike-Ubezzi wrote on Microsoft forums:

    Network Watcher resources are located in the hidden NetworkWatcherRG resource group which is created automatically. For example, the NSG Flow Logs resource is a child resource of Network Watcher and is enabled in the NetworkWatcherRG.

    The Network Watcher resource represents the backend service for Network Watcher and is fully managed by Azure. Customers do not need to manage it. Operations like move are not supported on the resource. However, the resource can be deleted.

    So terraform destroy will only delete the resources created by you (the ones recorded in the .tfstate file). This is the reason you won't be able to delete the NetworkWatcherRG resource group.
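Since Terraform only destroys what is in its state, one way to have `terraform destroy` remove the watcher as well is to let Terraform create it in the first place, before the virtual network, so that Azure's automatic creation finds a watcher already present for the region and adds nothing of its own. The configuration below is an added example and is not code from the question or the answer above. It assumes the azurerm provider's `azurerm_network_watcher` resource, the same `var.resource_group_location` variable and `azurerm_resource_group.myrg` as the question's configuration (the VNet block here replaces the question's one), and the resource group name `NetworkWatcherRG` and watcher name `NetworkWatcher_<region>` that Azure uses by itself; both names are assumptions, and any names work as long as one watcher exists in the region. The commented `import` block (Terraform 1.5 or later) is for the case where Azure has already created the watcher; the subscription id in it is a placeholder.

```terraform
# Added example (not from the original post): manage the per-region Network Watcher
# explicitly so it is recorded in Terraform state and removed by `terraform destroy`.
# Assumes the provider, variable and "myrg" resource group from the question's config.

# The group name is an assumption; it matches the one Azure creates on its own.
resource "azurerm_resource_group" "watcher_rg" {
  name     = "NetworkWatcherRG"
  location = var.resource_group_location
}

# Azure keeps one Network Watcher per region per subscription. Creating it here,
# before the VNet, means the automatic creation has nothing left to do.
# The NetworkWatcher_<region> naming follows Azure's convention (assumed, not required).
resource "azurerm_network_watcher" "this" {
  name                = "NetworkWatcher_${var.resource_group_location}"
  location            = azurerm_resource_group.watcher_rg.location
  resource_group_name = azurerm_resource_group.watcher_rg.name
}

# Replaces the VNet block from the question; only depends_on is new.
resource "azurerm_virtual_network" "myvnet" {
  name                = "vivek-1-vnet"
  address_space       = ["10.0.0.0/16"] # placeholder CIDR
  location            = azurerm_resource_group.myrg.location
  resource_group_name = azurerm_resource_group.myrg.name
  tags = {
    "name" = "vivek-1-vnet"
  }

  # Ordering only: nothing in this block references the watcher, so Terraform
  # cannot infer the dependency and would otherwise create the VNet first.
  depends_on = [azurerm_network_watcher.this]
}

# If Azure has already created the watcher, adopt it instead of creating a second one.
# Terraform 1.5+ import block; <SUBSCRIPTION_ID> is a placeholder. Apply once, then remove.
# import {
#   to = azurerm_network_watcher.this
#   id = "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_centralindia"
# }
```

One caveat before putting the watcher into the same state as a throwaway VNet: as the quoted forum post says, NSG flow logs are child resources of the Network Watcher. Destroying the watcher therefore also removes flow logging for that region, so if other workloads in the subscription rely on those logs for monitoring, keep the watcher in a separate, long-lived state (or leave it to Azure) rather than tearing it down with every `terraform destroy`.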