5.2 Network Traffic Monitoring and Analysis
📘Microsoft Azure Networking Solutions (AZ-700)
1. What is IP Flow Verify?
IP Flow Verify is a feature in Azure Network Watcher that allows you to:
- Test the path of incoming or outgoing traffic for a virtual machine (VM).
- Verify if NSG rules allow or deny traffic for a specific IP, port, and protocol.
- Quickly troubleshoot connectivity issues without sending actual packets.
Think of it as a simulation: it doesn’t send real data but checks if the traffic would succeed or fail based on your network configuration.
2. Key Components Needed for IP Flow Verification
Before using IP Flow Verify, you need:
- Network Watcher enabled
- Network Watcher must be enabled in the region where your VM exists.
- Go to Azure Portal → Search for Network Watcher → Enable for your region.
- Virtual Machine (VM) or NIC
- You need the target VM you want to check traffic for.
- IP Flow Verify checks the VM’s NIC for allowed/denied traffic.
- NSG (Network Security Group) rules applied to that VM
- IP Flow Verify uses NSG rules on the subnet or NIC to determine the result.
- Traffic Details to test:
- Source IP address – Where the traffic originates from.
- Destination IP address – Usually the VM IP.
- Port – e.g., 80 for HTTP, 443 for HTTPS, 3389 for RDP.
- Protocol – TCP or UDP.
3. How IP Flow Verification Works
- You provide source IP, destination IP, port, and protocol.
- Azure checks the NSG rules applied to:
- The VM’s network interface (NIC)
- The subnet
- Azure determines whether traffic is allowed or denied.
- The result shows:
- Access: Allowed / Denied
- Rule that applied: Shows the exact NSG rule that caused it
- Direction: Inbound or Outbound
4. Using IP Flow Verify in the Azure Portal
Steps:
- Go to Network Watcher in Azure Portal.
- Click IP Flow Verify under the Tools section.
- Select:
- Subscription
- Resource group
- VM to check
- Enter traffic details:
- Direction: Inbound or Outbound
- Protocol: TCP or UDP
- Local IP address (VM’s IP)
- Remote IP address (source or destination)
- Port (e.g., 22, 80, 443)
- Click Check.
- Result will show:
- Allowed or Denied
- The specific NSG rule responsible
5. Using IP Flow Verify with PowerShell
You can also check IP flow using Azure PowerShell:
$rg = "MyResourceGroup"
$vm = "MyVM"
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name "$vm-NIC"
$ipFlow = Test-AzNetworkWatcherIPFlow `
-NetworkWatcherName "NetworkWatcher_eastus" `
-Direction "Inbound" `
-LocalPort 3389 `
-Protocol "TCP" `
-LocalIPAddress $nic.IpConfigurations[0].PrivateIpAddress `
-RemoteIPAddress "203.0.113.5" `
-ResourceGroupName $rg
$ipFlow.Access
Explanation:
Direction: Inbound or Outbound trafficLocalPort: Port on the VMProtocol: TCP or UDPLocalIPAddress: VM’s IPRemoteIPAddress: Source or destination IPAccess: Result shows Allow or Deny
6. Key Points to Remember for the Exam
- IP Flow Verify is a simulation tool – it does not send real packets.
- It is NSG-aware – checks both NIC-level and subnet-level NSGs.
- It helps troubleshoot connectivity between VMs or services.
- Inbound vs Outbound matters – rules are evaluated per direction.
- Works with TCP and UDP protocols.
- Result always shows Access (Allow/Deny) and the NSG rule applied.
- Can be accessed via Azure Portal, PowerShell, or CLI.
7. Common Exam Scenarios
- Scenario 1: You cannot RDP into a VM. Use IP Flow Verify to check if NSG allows TCP port 3389 inbound.
- Scenario 2: A web application VM cannot access a database VM. Use IP Flow Verify outbound from the web VM to check TCP port 1433.
- Scenario 3: Identify which NSG rule is blocking traffic – the tool will show the specific rule.
✅ Summary
- Purpose: Check if traffic is allowed/denied for a VM.
- Tool: Network Watcher → IP Flow Verify
- Inputs: Source/Destination IP, port, protocol, direction
- Outputs: Allowed/Deny + NSG rule responsible
- Use Cases: Troubleshoot connectivity, validate NSG rules
