5.2 Network Traffic Monitoring and Analysis
📘Microsoft Azure Networking Solutions (AZ-700)
What are VNet Flow Logs?
- VNet flow logs are records of network traffic flowing in and out of Azure Virtual Networks (VNets).
- They are part of Azure Network Watcher, which is a tool that monitors, diagnoses, and gains insights into Azure networking.
- VNet flow logs help you see which traffic is allowed, which is denied, and why, which is essential for security, troubleshooting, and compliance.
Where VNet Flow Logs Come From
- Flow logs are enabled on a Network Security Group (NSG).
- They capture the traffic for the network interfaces (NICs) that the NSG is associated with.
- Logs are stored in Azure Storage Accounts in a specific format (JSON) for analysis.
Key points for exam:
- You cannot enable flow logs on a VNet directly; they must be enabled on an NSG.
- Logs are exported to Storage Accounts, Event Hubs, or Log Analytics for further analysis.
What Information is in a VNet Flow Log
Each flow log entry contains several important fields. Understanding them is crucial for interpreting the logs.
| Field | Description | Example in IT context |
|---|---|---|
time | Timestamp of when the traffic was captured | 2026-03-03T12:15:23Z |
sourceIP | The IP address initiating the traffic | 10.0.1.4 (a VM sending a request) |
destinationIP | The IP address receiving the traffic | 10.0.2.5 (a VM receiving the request) |
sourcePort | Port on the source machine | 443 (HTTPS request from a VM) |
destinationPort | Port on the destination | 80 (HTTP service on a VM) |
protocol | Transport protocol | TCP or UDP |
flowState | Whether traffic was allowed or denied | Allow or Deny |
flowDirection | Direction of traffic | Inbound or Outbound |
trafficCategory | Type of traffic | NetworkSecurityGroup (filtered by NSG rules) |
Exam tip: You should be able to identify whether a traffic flow was allowed or blocked, and which NSG rule caused it.
How to Interpret VNet Flow Logs
- Check Flow Direction
- Inbound → traffic coming into a VM.
- Outbound → traffic going out from a VM.
- Check Source and Destination
- Identify which IP or subnet is sending/receiving traffic.
- Helps to know if traffic is internal (within VNet) or external (internet).
- Check Allowed vs Denied Traffic
- Flow logs will explicitly show if traffic was allowed or denied.
- This helps verify NSG rules and identify misconfigurations.
- Check Ports and Protocols
- Helps identify the service being used, e.g., 443 → HTTPS, 22 → SSH.
- Investigate Trends or Patterns
- Frequent denied traffic from a specific IP may indicate a security threat.
- Excessive outbound traffic to the internet may need monitoring or throttling.
Tools to Analyze Flow Logs
- Azure Storage Explorer: Download logs and open JSON files.
- Log Analytics / Azure Monitor: Run queries to analyze patterns.
- Power BI: Visualize traffic flows and trends.
- Third-party SIEM: Some companies send logs to tools like Splunk or Azure Sentinel for advanced analysis.
Exam focus: Know that flow logs can be sent to Storage Accounts, Event Hubs, or Log Analytics, and you should be familiar with basic Kusto Query Language (KQL) queries for analyzing logs in Log Analytics.
Practical IT Examples
- Troubleshooting access issues:
A developer reports they cannot connect to a database. By checking VNet flow logs, you see that traffic from the developer’s VM is denied by the NSG. You find the NSG rule blocking port 1433 (SQL). - Security monitoring:
Suspicious traffic from an external IP is hitting your web servers. Flow logs show multiple denied inbound connections on port 22, indicating possible SSH brute-force attempts. - Compliance auditing:
A company needs to prove only approved traffic flows in and out of VNets. Flow logs can provide a record of allowed and denied traffic for audits.
Exam Tips
- Know that VNet flow logs are NSG-based, JSON format, and can be sent to Storage, Event Hubs, or Log Analytics.
- Understand the key fields (
sourceIP,destinationIP,flowState,direction,protocol,ports). - Be able to read a flow log entry and explain whether traffic was allowed or denied.
- Know how to use Log Analytics or Storage Explorer for further analysis.
- Recognize common troubleshooting or security scenarios from the logs.
Summary Table for Quick Revision
| Topic | Key Point |
|---|---|
| Flow Log Source | Enabled on NSG, captures NIC traffic |
| Storage | Azure Storage Account, Event Hub, Log Analytics |
| Data Format | JSON |
| Key Fields | Source/Destination IP, Ports, Protocol, FlowState, Direction |
| Use Cases | Troubleshooting, Security Monitoring, Compliance |
| Analysis Tools | Storage Explorer, Log Analytics, Power BI, SIEM |
