Azure Monitor for Networks

“Azure Monitor Network Insights provides a comprehensive view of health and metrics for all deployed network resources, without requiring any configuration. It also provides access to network monitoring capabilities like Connection Monitor, flow logging for network security groups (NSGs), and Traffic Analytics.”

From <https://docs.microsoft.com/en-us/azure/azure-monitor/insights/network-insights-overview>

Monitoring Networks

Go to “azure Portal -> Monitor -> Networks”

From here you can see your different networks and the health status of these networks.

Connection Monitor

https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview

Go to the Connectivity Tab.

There are no connection monitors here by default, you have to create them. Basically these work by setting up a source and destination, then running a number of tests between these.

EG: Your front-end web server VM communicates with a database server VM in a multi-tier application. You want to check network connectivity between the two VMs.

1. Install Monitoring Agents

For connection monitors you need to install a small agent on the endpoint. This is what listens and responds to the test traffic. This can be installed on Azure VMs and on prem machines.

2. Enable Network Watcher on your subscription

All subscriptions that have a virtual network are enabled with Network Watcher. When you create a virtual network in your subscription, Network Watcher is automatically enabled in the virtual network’s region and subscription.

3. Create a connection monitor

The following items need to be configured in the monitor:

• Endpoint – A source or destination that participates in connectivity checks. Examples of endpoints include Azure VMs, on-premises agents, URLs, and IPs.
• Test configuration – A protocol-specific configuration for a test. Based on the protocol you chose, you can define the port, thresholds, test frequency, and other parameters.
• Test group – The group that contains source endpoints, destination endpoints, and test configurations. A connection monitor can contain more than one test group.
• Test – The combination of a source endpoint, destination endpoint, and test configuration. A test is the most granular level at which monitoring data is available. The monitoring data includes the percentage of checks that failed and the round-trip time (RTT).

Scale limits

Connection monitors have the following scale limits:

• Maximum connection monitors per subscription per region: 100
• Maximum test groups per connection monitor: 20
• Maximum sources and destinations per connection monitor: 100
• Maximum test configurations per connection monitor: 20

From <https://docs.microsoft.com/en-us/azure/network-watcher/connection-monitor-overview>

Network Watcher

“Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is designed to monitor and repair the network health of IaaS (Infrastructure-as-a-Service) products which includes Virtual Machines, Virtual Networks, Application Gateways, Load balancers, etc. Note: It is not intended for and will not work for PaaS monitoring or Web analytics.”

From <https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview>

Network Watcher operates at the region level.

Monitoring Network Traffic of a VM

First we have to enable network watcher for the VM

1. Go to All Services -> Network Watcher
2. Go to the region where the VM is and click the 3 dots
3. Click on “Enable Network watcher”

Setup “IP flow Verify”

This allows you to check if traffic to or from a VM is allowed or denied.

In this example we will check outbound TCP traffic on port 60000 to a public web server

1. Set the subscription and Resource Group
2. Set the VM and Nic
3. Protocol: TCP
4. Local IP: The private IP of the VM
5. Local Port: 60000
6. Remote IP address: a public webserver IP address
7. Remote Port: 80
8. Click on Check
9. It will give the result of the check and the security rule that is effecting this.

Packet Capture

“Packet capture is a virtual machine extension that is remotely started through Network Watcher. This capability eases the burden of running a packet capture manually on the desired virtual machine, which saves valuable time. Packet capture can be triggered through the portal, PowerShell, CLI, or REST API. One example of how packet capture can be triggered is with Virtual Machine alerts. Filters are provided for the capture session to ensure you capture traffic you want to monitor. Filters are based on 5-tuple (protocol, local IP address, remote IP address, local port, and remote port) information. The captured data is stored in the local disk or a storage blob. There is a limit of 10 packet capture sessions per region per subscription. This limit applies only to the sessions and does not apply to the saved packet capture files either locally on the VM or in a storage account.”

From <https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview>