Being able to monitor what happens inside your network is always crucial. It helps you investigate outages, security incidents, and the flow of traffic between your applications. The more applications and components your system has, the harder it is to monitor things manually, which is why being able to rely on external components and automation is an important feature of any ecosystem you choose. In this section, we will focus on one Azure service, Network Watcher, an additional Azure service that can be enabled for remote network monitoring, packet capture, and network logs. To follow this section fully, you will need to have deployed an architecture that consists of multiple VMs connected to a VNet.
In my scenario, I had two VMs load-balanced using Application Gateway. They were deployed to the same subnet in the same VNet, and both had ports 3389 and 80 open for management and communication. The actual architecture can be seen in the following diagram:
The reason for having a slightly more advanced architecture is to have a solution that can actually be monitored in terms of network traffic. If you deploy only a single machine, there will be nothing to watch.
We will start with Network Watcher. Before you use it, make sure it is enabled in your subscription and your region. It is a regional service, which means that once enabled, it is available for all the VNets inside that region of the subscription. To check which regions are enabled, search for Network Watcher and verify the regions:
When you check the menu on the left, you will see the available features of Network Watcher:
We can briefly explain them before diving deeper:
- IP flow verify: Checks whether a given packet to or from a VM's network interface would be allowed or denied by the network security group (NSG) rules in effect, and names the rule responsible
- Next hop: Shows where a packet sent from a VM to a given destination IP address goes next, based on the VM's effective routes
- Effective security rules: Lists the combined NSG rules (subnet and network interface) in effect for a VM, so you can quickly validate your security setup
- VPN troubleshoot: A tool for diagnosing a VPN gateway and its connections
- Packet capture: Allows you to capture packets flowing to and from a VM for offline analysis
- Connection troubleshoot: A tool for checking whether a connection from a VM to an endpoint works and where it fails
Let’s now describe all the features in detail.
IP flow verify
By using IP flow verify, you can check whether a packet is accepted or blocked based on the provided configuration and the NSG rules applied to the VM's network interface:
This feature consists of the following fields:
- Subscription: The subscription that holds the VM
- Resource group
- Virtual machine
- Network interface: The actual network card that we are interested in
- Protocol and Direction: The protocol (TCP or UDP) and whether the packet is inbound to or outbound from the VM
- Local and remote address and port: The VM's own IP address and port, and the address and port of the other end of the communication
The advantage of this feature is that it displays not only the result (allowed or denied) but also the name of the NSG rule that produced it, which is exactly what you need when a connection fails and you do not know which of several rules is in the way. Keep in mind that rules are evaluated in priority order (lowest number first) and that the first match wins, so a permissive rule with a low priority number silently overrides everything after it.
Next hop
The next feature, Next hop, makes it easier to understand what the next checkpoint is for a packet sent to a given destination IP address:
Given a source VM (its network interface and source IP address) and a destination IP address, it reports the next hop type (for example, virtual network, Internet, virtual appliance, virtual network gateway, or None for a dropped packet) and the route table responsible, or that a system route was used. It is a great feature when you want to quickly check whether you are communicating with a VNet, the internet, or any other kind of network resource, and in particular whether a user-defined route is sending traffic somewhere you did not expect.
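To make the route selection concrete, the following is an added example (not Network Watcher or Azure code) that models how the next hop is chosen: among the routes in effect for a network interface, the one with the longest prefix containing the destination wins, and on a tie a user-defined route beats a BGP-learned route, which beats a system route. The route table is constructed for an assumed VNet of 10.0.0.0/16 with an assumed firewall appliance at 10.0.255.4 and an assumed on-premises range of 192.168.0.0/16; the two Default routes are the ones Azure creates for every subnet.

```python
"""Local model of the Next hop check: longest-prefix match over the effective routes
of a NIC, with user-defined routes preferred over BGP routes over system routes.
Added example, not Network Watcher or Azure code; the route table is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: str               # CIDR the route applies to
    next_hop_type: str        # VnetLocal, Internet, VirtualAppliance, VirtualNetworkGateway or None
    source: str               # "Default" (system), "User" (route table) or "VirtualNetworkGateway" (BGP)
    next_hop_ip: Optional[str] = None


# Lower rank wins when two routes have the same prefix length.
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}

# Constructed effective routes for the web VM's NIC (assumed addresses). The User
# routes force internet-bound traffic through the appliance, override the BGP route
# for the on-premises range so that traffic is inspected, and blackhole one address.
VM_ROUTES = [
    Route("10.0.0.0/16", "VnetLocal", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
    Route("192.168.0.0/16", "VirtualNetworkGateway", "VirtualNetworkGateway"),
    Route("0.0.0.0/0", "VirtualAppliance", "User", next_hop_ip="10.0.255.4"),
    Route("192.168.0.0/16", "VirtualAppliance", "User", next_hop_ip="10.0.255.4"),
    Route("203.0.113.66/32", "None", "User"),
]


def next_hop(routes, destination_ip):
    """Return (next_hop_type, next_hop_ip) for a packet to destination_ip."""
    ip = ipaddress.ip_address(destination_ip)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.prefix, strict=False)]
    if not candidates:
        return "None", None
    best = max(
        candidates,
        key=lambda r: (ipaddress.ip_network(r.prefix, strict=False).prefixlen, -SOURCE_RANK[r.source]),
    )
    return best.next_hop_type, best.next_hop_ip


def system_routes_only(routes):
    """What the same NIC would see with no route table attached to its subnet and no BGP."""
    return [r for r in routes if r.source == "Default"]


if __name__ == "__main__":
    for dest in ("10.0.0.5", "192.168.5.5", "8.8.8.8", "203.0.113.66"):
        print(dest, "->", next_hop(VM_ROUTES, dest))
    print("8.8.8.8 with system routes only ->", next_hop(system_routes_only(VM_ROUTES), "8.8.8.8"))
```

Comparing `next_hop(VM_ROUTES, ...)` with `next_hop(system_routes_only(VM_ROUTES), ...)` is the same comparison you make in the portal when a VM suddenly cannot reach the internet: if the next hop changed from Internet to a virtual appliance, a route table (or a BGP advertisement) is responsible, not the NSG.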
Effective security rules
The Effective security rules feature lets you see all the NSG rules in effect for a VM's network interface, inbound and outbound, combining the NSG attached to the subnet, the NSG attached to the network interface, and the default rules Azure adds to every NSG. If you want to check whether a machine accepts a connection on port 80, this is the place to start. Remember that when both a subnet NSG and a network interface NSG exist, inbound traffic has to be allowed by both of them.
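The following added example (not Network Watcher or Azure code) models what the IP flow verify and Effective security rules features described above do with one NSG: it walks the rules in priority order and reports the first match together with the rule's name. The rule set is constructed for the web VM from our scenario, with RDP restricted to an assumed management range (203.0.113.0/24) instead of being open to everyone; the default rule names and priorities are the real ones Azure adds to every NSG, while the service tag expansions (VNet 10.0.0.0/16, load balancer probe address 168.63.129.16) are assumptions.

```python
"""Local model of the check IP flow verify performs: walk the NSG rules in effect
for a NIC in priority order and report the first match. Added example, not
Network Watcher or Azure code; the rule set and tag expansions are constructed."""
import ipaddress
from dataclasses import dataclass

# Assumed expansion of the service tags used in the rules. Real Azure resolves these
# at evaluation time, and its Internet tag excludes the VNet's own address space.
ASSUMED_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],   # the platform's load balancer probe address
    "Internet": ["0.0.0.0/0"],
    "*": ["0.0.0.0/0"],
}


@dataclass
class Rule:
    name: str
    priority: int           # lower number is evaluated first
    direction: str          # "Inbound" or "Outbound"
    access: str             # "Allow" or "Deny"
    protocol: str           # "Tcp", "Udp", "Icmp" or "*"
    source: str             # CIDR, single address or service tag
    source_port: str        # "80", "1024-65535", "22,443" or "*"
    destination: str
    destination_port: str


# Constructed effective rule set for the web VM's NIC: two custom rules plus the
# default rules Azure adds to every NSG (these names and priorities are the real ones).
WEB_NIC_RULES = [
    Rule("AllowHTTPInbound", 100, "Inbound", "Allow", "Tcp", "*", "*", "*", "80"),
    Rule("AllowRDPFromMgmt", 110, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "*", "3389"),
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


def _address_matches(spec, address):
    prefixes = ASSUMED_TAGS.get(spec, [spec])
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)


def _port_matches(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def ip_flow_verify(rules, direction, protocol, local_ip, local_port, remote_ip, remote_port):
    """Return (access, rule_name), the two things the portal shows.
    For Inbound traffic the remote side is the source; for Outbound it is the destination."""
    if direction == "Inbound":
        src, sport, dst, dport = remote_ip, remote_port, local_ip, local_port
    else:
        src, sport, dst, dport = local_ip, local_port, remote_ip, remote_port
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if not (_address_matches(rule.source, src) and _address_matches(rule.destination, dst)):
            continue
        if not (_port_matches(rule.source_port, sport) and _port_matches(rule.destination_port, dport)):
            continue
        return rule.access, rule.name
    return "Deny", "<no matching rule>"   # unreachable while the default DenyAll* rules are present


def effective_rules(rules, direction):
    """The view the Effective security rules blade gives for one direction: names in evaluation order."""
    return [r.name for r in sorted(rules, key=lambda r: r.priority) if r.direction == direction]


if __name__ == "__main__":
    checks = [
        ("Inbound", "Tcp", "10.0.0.4", 80, "198.51.100.7", 51000),     # web traffic from the internet
        ("Inbound", "Tcp", "10.0.0.4", 3389, "198.51.100.7", 51000),   # RDP from the internet
        ("Inbound", "Tcp", "10.0.0.4", 3389, "203.0.113.10", 51000),   # RDP from the management range
        ("Outbound", "Udp", "10.0.0.4", 53000, "8.8.8.8", 53),         # DNS to the internet
    ]
    for check in checks:
        print(check, "->", ip_flow_verify(WEB_NIC_RULES, *check))
```

The second check is the one worth running against your own machines: with RDP limited to a management range, a connection from an arbitrary internet address on port 3389 falls all the way through to `DenyAllInBound`, which is the answer you want to see. Note that the model evaluates a single NSG; where a subnet NSG and a network interface NSG both exist, run it against each in turn, because the packet must be allowed by both.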
VPN troubleshoot, Packet capture, and Connection troubleshoot
VPN troubleshoot and Packet capture are more advanced tools: the first diagnoses VPN gateways and their connections, and the second records packets sent and received by a VM so that you can analyze them offline with a tool such as Wireshark.
The last feature, Connection troubleshoot, lets you understand what exactly happens when connecting from one place to another. It works by sending probe packets from the source VM to the destination (another VM, an IP address, or a URL) and checking the result. It also displays the topology and all the hops to give you a better picture of the current situation:
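As an added example (not the Network Watcher agent or any Azure code), the following shows the kind of measurement Connection troubleshoot and Connection monitor are built on: a timed TCP handshake whose outcome is classified, because the failure mode is what tells you where to look. A reset ("refused") means the host is reachable but nothing is listening on the port, whereas a timeout is the usual sign of an NSG or firewall silently dropping the SYN. It probes from wherever it runs rather than from a VM, and the only target it needs is a loopback listener it constructs itself.

```python
"""Timed TCP connection probe with outcome classification, plus a small repeated
monitor. Added example, not Network Watcher code; the listener is constructed so
that the probe can be tried offline."""
import socket
import time


def tcp_probe(host, port, timeout=2.0):
    """Attempt one TCP handshake to host:port and report how it ended."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            status = "reachable"       # SYN/SYN-ACK/ACK completed: port open and path allowed
    except ConnectionRefusedError:
        status = "refused"             # host answered with RST: reachable, nothing listening
    except socket.timeout:
        status = "timeout"             # no answer at all: typically an NSG or firewall drop
    except OSError:
        status = "unreachable"         # e.g. no route to host or name resolution failure
    elapsed_ms = (time.monotonic() - start) * 1000
    return {"host": host, "port": port, "status": status, "rtt_ms": round(elapsed_ms, 1)}


def connection_monitor(host, port, probes=3, timeout=2.0):
    """Probe a target several times, like a monitor with a short interval, and summarise."""
    results = [tcp_probe(host, port, timeout) for _ in range(probes)]
    ok = [r for r in results if r["status"] == "reachable"]
    return {
        "host": host,
        "port": port,
        "probes": probes,
        "reachable": len(ok),
        "avg_rtt_ms": round(sum(r["rtt_ms"] for r in ok) / len(ok), 1) if ok else None,
        "statuses": [r["status"] for r in results],
    }


def start_local_listener():
    """Constructed target for trying the probe offline: a listener on a random loopback port.
    Returns the listening socket (close it to make the port 'refused') and the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_local_listener()
    print("open port   ->", connection_monitor("127.0.0.1", port))
    srv.close()
    print("closed port ->", tcp_probe("127.0.0.1", port))
```

In the Azure scenario the same three outcomes map directly onto the troubleshooting features above: "refused" points at the service on the VM, "timeout" at IP flow verify and the effective security rules, and "unreachable" at Next hop and the route tables.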
The Network Watcher connection monitor can be added from a VNet instance itself. You can follow these steps to add it:
- Go to your VNet and search for the Connection monitor blade:
- From this screen, you will be able to add a new monitor to diagnose your connection:
Connection monitors probe traffic on particular ports and display insights about network behavior. These features are not always enough to pinpoint a problem (there might be issues such as a local network misconfiguration or errors on the ISP's side, which cannot be identified with Azure's capabilities alone), but they should suffice for most of the trouble you will face. Network diagnosis and monitoring features in Azure work through extensions (the Network Watcher agent) installed on the machines, which gather the data:
Some of them use built-in storage, but there are features (such as VPN troubleshoot) that require you to provide a storage account for their results, and packet capture can write its capture files to one as well. Thanks to those extensions running on your VMs (and to internal features of other Azure services such as Azure Load Balancer), you can gather enough data to diagnose a problem. What's more, they generate the full topology of your network:
You can access this by going to the Topology blade in your VNet. For bigger networks, this feature will be especially helpful as it gives you a full picture of all the connections.
Diagnosing and monitoring networks in Azure is a really big topic and there is no way to cover it in only one section. Here you will find more information about Network Watcher, which we have only briefly described in this chapter: https://docs.microsoft.com/en-us/azure/network-watcher/. Besides packet and connection monitoring, you will also find information on how to monitor the performance of your network, or even ExpressRoute.
Monitoring and diagnosing networks using the built-in features of Azure makes the management task much easier. You do not have to implement and maintain your own tools to analyze traffic; everything is provided as additional components available in the cloud. The next section will describe in detail one of the most common features when it comes to securing a network, which is DDoS protection.