Importance of VNet Flow Logs in Azure for Troubleshooting Network Issues


Introduction

When managing cloud infrastructure in Azure, network connectivity issues can significantly impact application availability and performance. Azure provides powerful tools for diagnosing and troubleshooting network problems, including Virtual Network (VNet) Flow Logs and IP Flow Verify in Network Watcher. These tools help network engineers and cloud administrators gain visibility into network traffic and quickly pinpoint connectivity issues.

What Are VNet Flow Logs?

VNet Flow Logs capture information about inbound and outbound traffic within a Virtual Network (VNet). These logs provide insights into:

  • Source and destination IP addresses

  • Ports and protocols used

  • Traffic direction (inbound or outbound)

  • NSG rule that allowed or denied the traffic

  • Flow start and end times

VNet Flow Logs are stored in Azure Storage Accounts and can be analyzed using Azure Monitor, Log Analytics, or third-party tools like Splunk. They help in diagnosing network latency, packet drops, and misconfigurations in NSGs.

Enabling VNet Flow Logs

To enable VNet Flow Logs, follow these steps:

  1. Open the Azure Portal and navigate to Virtual Networks.

  2. Select the VNet where you want to enable flow logs.

  3. In the left-hand menu (blade), scroll down to find VNet Flow Logs and click on it.

  4. Click Enable Flow Logs.

  5. Choose a Storage Account to store the logs.

  6. Select Enable Traffic Analytics.

  7. Choose the Log Analytics Workspace where you want to send logs.

  8. Select the specific logs you want to send to the workspace.

  9. Click Save to apply the settings.

Using VNet Flow Logs for Troubleshooting

1. Diagnosing Dropped Traffic

By analyzing VNet Flow Logs, you can determine whether network traffic is being dropped by NSG rules. For example:

  • If an application is not accessible, check the logs to see if traffic from the client IP is being denied by an NSG rule.

  • You can identify if traffic is being routed correctly or if a misconfiguration is blocking access.

2. Identifying Unauthorized Access Attempts

Flow Logs help in identifying suspicious activities, such as repeated failed connection attempts from unknown IP addresses, which could indicate brute-force attacks or unauthorized access attempts.

3. Monitoring Traffic Patterns

By aggregating VNet Flow Logs over time, you can analyze traffic trends, detect anomalies, and optimize NSG rules to allow only necessary traffic while blocking potential threats.
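The three troubleshooting cases above (which rule denied a flow, repeated denied attempts from one source, traffic trends) can be worked directly from the JSON that VNet Flow Logs write to the storage account. The following Python is an added example, not code from the article or from Azure; it assumes the flow-tuple layout of VNet flow log records (timestamp, source IP, destination IP, source port, destination port, protocol number, direction, flow state where D means denied, encryption flag, then packet and byte counters) and uses a constructed sample record.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample record in the assumed VNet flow log layout (not real data).
SAMPLE_LOG = {"records": [{
    "time": "2024-01-01T00:00:00Z", "flowLogVersion": 4, "category": "FlowLogFlowEvent",
    "flowRecords": {"flows": [{
        "aclID": "nsg-web",  # hypothetical NSG name
        "flowGroups": [
            {"rule": "DefaultRule_DenyAllInBound", "flowTuples": [
                "1704067200001,203.0.113.9,10.0.0.4,51001,22,6,I,D,NX,0,0,0,0",
                "1704067200002,203.0.113.9,10.0.0.4,51002,22,6,I,D,NX,0,0,0,0",
                "1704067200003,203.0.113.9,10.0.0.4,51003,22,6,I,D,NX,0,0,0,0",
                "1704067200004,198.51.100.7,10.0.0.4,40001,3389,6,I,D,NX,0,0,0,0"]},
            {"rule": "AllowHTTPSInBound", "flowTuples": [
                "1704067200005,198.51.100.7,10.0.0.4,40002,443,6,I,B,NX,0,0,0,0",
                "1704067200006,198.51.100.7,10.0.0.4,40002,443,6,I,E,NX,5,900,4,2100"]}]}]}}]}

PROTOCOLS = {"6": "TCP", "17": "UDP", "1": "ICMP"}

@dataclass
class Flow:
    rule: str        # NSG rule that allowed or denied the flow
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    direction: str   # I = inbound, O = outbound
    state: str       # B/C/E for begin/continue/end, D for denied
    bytes_total: int

def parse_flows(log: dict) -> list[Flow]:
    """Flatten every flow tuple in a flow-log record into Flow objects."""
    flows = []
    for rec in log["records"]:
        for flow in rec["flowRecords"]["flows"]:
            for group in flow["flowGroups"]:
                for tup in group["flowTuples"]:
                    f = tup.split(",")
                    flows.append(Flow(group["rule"], f[1], f[2], int(f[4]),
                                      PROTOCOLS.get(f[5], f[5]), f[6], f[7],
                                      int(f[10]) + int(f[12])))
    return flows

def denied_by_rule(flows: list[Flow]) -> Counter:
    """Case 1: which NSG rule is dropping traffic, and how often."""
    return Counter(f.rule for f in flows if f.state == "D")

def repeated_denied_sources(flows: list[Flow], threshold: int = 3) -> dict[str, int]:
    """Case 2: sources with at least `threshold` denied flows (possible brute force)."""
    counts = Counter(f.src_ip for f in flows if f.state == "D")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def bytes_by_rule(flows: list[Flow]) -> Counter:
    """Case 3: traffic volume per rule, a starting point for trimming NSG rules."""
    return Counter({r: sum(f.bytes_total for f in flows if f.rule == r)
                    for r in {f.rule for f in flows}})
```

Point the same functions at records read from the storage account (each blob holds one JSON document with a `records` array) to reproduce the analysis over real logs.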

Querying Flow Logs in Log Analytics

To query VNet Flow Logs in Log Analytics, follow these steps:

  1. Navigate to Azure Monitor > Logs.

  2. Select your Log Analytics Workspace.

  3. Use the following Kusto Query Language (KQL) query to analyze traffic entering and leaving the network:

NTANetAnalytics
| where FlowType_s == "VNetFlow"
| project TimeGenerated, SourceIP_s, DestinationIP_s, DestinationPort_d, Protocol_s, Action_s
| sort by TimeGenerated desc

  • To show only allowed traffic, add this filter after the first where clause:

| where Action_s == "Allow"

  • To show only denied traffic, add this filter instead:

| where Action_s == "Deny"

Querying Traffic Analytics in Log Analytics Workbook

To get a more detailed view of network traffic at the VNet and NSG levels, you can query the NTANetAnalytics table in Log Analytics:

Traffic at VNet Level:

NTANetAnalytics
| where FlowType_s == "VNetTraffic"
| summarize TotalTraffic = sum(TotalBytes_d) by VnetName_s, TimeGenerated
| order by TotalTraffic desc

Traffic at NSG Level:

NTANetAnalytics
| where FlowType_s == "NSGTraffic"
| summarize AllowedTraffic = sum(case(Action_s == "Allow", TotalBytes_d, 0)),
            DeniedTraffic = sum(case(Action_s == "Deny", TotalBytes_d, 0))
    by NSGName_s, TimeGenerated
| order by DeniedTraffic desc

These queries help in understanding traffic volume and security rule enforcement at both the VNet and NSG levels. Column names differ between the legacy AzureNetworkAnalytics_CL table and NTANetAnalytics, so check them against the schema shown in your workspace before relying on the results.

IP Flow Verify in Network Watcher

In addition to VNet Flow Logs, IP Flow Verify in Azure Network Watcher allows you to test whether a specific IP flow is allowed or denied based on the configured NSG rules.

How to Use IP Flow Verify

  1. Open Azure Network Watcher in the Azure Portal.

  2. Select IP Flow Verify.

  3. Choose the Virtual Machine to test.

  4. Enter the Source and Destination IP, Port, and Protocol.

  5. Click Check to see if the traffic is allowed or denied.

Use Cases of IP Flow Verify

  • Quickly verifying whether an NSG rule is blocking or allowing traffic without waiting for logs to update.

  • Debugging connectivity issues when deploying new applications or modifying NSG rules.

  • Ensuring compliance with security policies by testing network access.

Conclusion

VNet Flow Logs and IP Flow Verify are essential tools for network troubleshooting in Azure. VNet Flow Logs provide historical data and deep traffic analysis, while IP Flow Verify offers real-time validation of NSG rules. By leveraging these tools, cloud administrators can efficiently diagnose and resolve network issues, improve security, and optimize network performance in Azure.

Would you like to explore how to automate network monitoring using Azure PowerShell or Azure Monitor? Let me know in the comments!