Monitoring Azure VPN Gateway

Effective monitoring is crucial for ensuring the health, performance, and security of your Azure VPN Gateway connections.

Key Metrics and Logs

Azure VPN Gateway exposes platform metrics in Azure Monitor (aggregated per gateway and, where noted, per tunnel) and writes resource logs through diagnostic settings. The signals worth watching include:

  • Gateway S2S Bandwidth and Gateway P2S Bandwidth: aggregate site-to-site and point-to-site throughput across the whole gateway.
  • Tunnel Bandwidth and Tunnel Egress/Ingress Bytes: per-tunnel data volume, so traffic can be attributed to an individual connection.
  • Tunnel Egress/Ingress Packets: per-tunnel packet counts.
  • Tunnel Egress/Ingress TS Drop Packets: packets dropped because they matched no traffic selector. A sustained non-zero value usually means the on-premises policy and the Azure connection disagree about the address ranges they protect.
  • BGP Peer Status and BGP Routes Advertised/Learned: whether dynamic routing over the tunnel is healthy, when BGP is in use.
  • Tunnel connection status: tunnel up/down transitions are not a metric. They are recorded in the TunnelDiagnosticLog resource log (with negotiation detail in IKEDiagnosticLog), so they need a diagnostic setting rather than a metric chart.
  • CPU utilization and latency: the gateway is a managed service and exposes no CPU metric, and it does not measure end-to-end latency. Latency across a tunnel is measured from the endpoints, for example with a Network Watcher Connection Monitor test between an Azure VM and an on-premises host.

Azure Monitor Integration

Azure Monitor is the primary service for collecting, analyzing, and acting on telemetry from your Azure and on-premises environments. For VPN Gateway, this means:

  • Metrics: Visualize real-time and historical metrics in Azure Monitor dashboards. Set up alerts based on metric thresholds.
  • Diagnostic Settings: Configure diagnostic settings to send VPN Gateway resource logs (GatewayDiagnosticLog, TunnelDiagnosticLog, IKEDiagnosticLog, RouteDiagnosticLog, P2SDiagnosticLog) and, optionally, all metrics to Log Analytics, Storage Accounts, or Event Hubs.
  • Log Analytics: Query the resource logs in the AzureDiagnostics table and, if the setting also forwards AllMetrics, the byte and packet counters in the AzureMetrics table, using Kusto Query Language (KQL).

Configuring Diagnostic Settings

To send logs to Log Analytics:

  1. Navigate to your VPN Gateway resource in the Azure portal.
  2. Under the Monitoring section, select Diagnostic settings.
  3. Click Add diagnostic setting.
  4. Select the logs you wish to collect (at minimum TunnelDiagnosticLog and IKEDiagnosticLog for connection health, GatewayDiagnosticLog for configuration changes, and RouteDiagnosticLog if BGP is used). Enable AllMetrics under Metrics if you want the counters queryable next to the logs.
  5. Choose Send to Log Analytics workspace and select your workspace.
  6. Save the settings.
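Settings drift, and a gateway that was onboarded with only GatewayDiagnosticLog, or whose logs go to an archive storage account but not to a workspace, will not answer the KQL queries later in this page. The following script is an added example (not Microsoft's code and not part of the original page) that audits the JSON returned by a call such as `az monitor diagnostic-settings list --resource <gateway-id>` and reports which of the required categories are not landing in a Log Analytics workspace. The sample input is constructed; the CLI returns either a top-level list or a `{"value": [...]}` wrapper depending on version, so both shapes are handled, and the `categoryGroup: "allLogs"` form is treated as covering every category.

```python
"""Audit VPN Gateway diagnostic settings for the log categories monitoring needs.

Added example, not Microsoft's code. The input mimics the JSON from
`az monitor diagnostic-settings list`; the sample is constructed.
"""
import json

# Baseline for a site-to-site deployment: tunnel state, IKE negotiation detail,
# gateway configuration changes, and BGP route events.
REQUIRED_LOGS = {
    "GatewayDiagnosticLog",
    "TunnelDiagnosticLog",
    "IKEDiagnosticLog",
    "RouteDiagnosticLog",
}

# Constructed sample: one setting to a workspace with two categories enabled and
# metrics off, plus an archive-only setting that enables everything but sends it
# to a storage account, which does not make it queryable with KQL.
SAMPLE_SETTINGS = json.dumps([
    {
        "name": "to-law",
        "workspaceId": "/subscriptions/0000/resourceGroups/rg-mon/providers/"
                       "Microsoft.OperationalInsights/workspaces/law-hub",
        "logs": [
            {"category": "GatewayDiagnosticLog", "enabled": True},
            {"category": "TunnelDiagnosticLog", "enabled": True},
            {"category": "IKEDiagnosticLog", "enabled": False},
        ],
        "metrics": [{"category": "AllMetrics", "enabled": False}],
    },
    {
        "name": "archive-only",
        "storageAccountId": "/subscriptions/0000/resourceGroups/rg-mon/providers/"
                            "Microsoft.Storage/storageAccounts/stvpnlogs",
        "logs": [{"categoryGroup": "allLogs", "enabled": True}],
        "metrics": [{"category": "AllMetrics", "enabled": True}],
    },
])


def audit_settings(settings_json: str, required_logs=REQUIRED_LOGS) -> dict:
    """Return what is missing from a gateway's diagnostic settings.

    missing_logs: required categories not enabled in any workspace-bound setting.
    metrics_to_workspace: True if AllMetrics reaches a workspace.
    settings_checked: names of every setting inspected, workspace-bound or not.
    """
    required = set(required_logs)
    data = json.loads(settings_json)
    settings = data["value"] if isinstance(data, dict) else data  # both CLI shapes

    covered = set()
    metrics_to_workspace = False
    names = []
    for setting in settings:
        names.append(setting.get("name", "<unnamed>"))
        if not setting.get("workspaceId"):
            continue  # storage or Event Hub only: not queryable with KQL
        for log in setting.get("logs", []):
            if not log.get("enabled"):
                continue
            if log.get("categoryGroup") == "allLogs":
                covered |= required
            elif "category" in log:
                covered.add(log["category"])
        for metric in setting.get("metrics", []):
            if metric.get("category") == "AllMetrics" and metric.get("enabled"):
                metrics_to_workspace = True
    return {
        "missing_logs": sorted(required - covered),
        "metrics_to_workspace": metrics_to_workspace,
        "settings_checked": names,
    }


if __name__ == "__main__":
    print(json.dumps(audit_settings(SAMPLE_SETTINGS), indent=2))
```

Run it against real output by piping the CLI result into `audit_settings`; a non-empty `missing_logs` for any gateway is the finding to fix before relying on log-based alerts.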

Using Kusto Query Language (KQL)

Here are some example KQL queries for analyzing VPN Gateway logs in Log Analytics:

Tunnel connection status over time (tunnel up/down transitions are written to TunnelDiagnosticLog; GatewayDiagnosticLog records gateway configuration and maintenance events and carries no per-connection entries):

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "TunnelDiagnosticLog"
| where OperationName in ("TunnelConnected", "TunnelDisconnected")
| summarize count() by Resource, remoteIP_s, OperationName, bin(TimeGenerated, 1h)
| order by TimeGenerated asc

remoteIP_s is the on-premises peer address and is the simplest per-tunnel key; stateChangeReason_s on a TunnelDisconnected row records why the tunnel went down.

Traffic volume through the gateway (byte counters are metrics, not log entries; they reach Log Analytics only when the diagnostic setting also forwards AllMetrics, and the AzureMetrics table keeps gateway-wide totals without the per-tunnel dimension, so a per-connection split has to be read from the Metrics blade or the metrics API):

AzureMetrics
| where ResourceProvider == "MICROSOFT.NETWORK" and MetricName in ("TunnelIngressBytes", "TunnelEgressBytes")
| summarize Bytes = sum(Total) by Resource, MetricName, bin(TimeGenerated, 1h)
| order by TimeGenerated asc

Azure Network Watcher

Network Watcher offers additional network diagnostics, including:

  • VPN troubleshoot: Diagnoses the gateway and each of its connections, and writes the collected diagnostics (including IKE logs and connection statistics) to a storage account you specify.
  • Connection Troubleshoot: Helps diagnose connectivity issues between virtual machines and on-premises hosts reached through the gateway.
  • Connection Monitor: Continuously tests reachability and latency across the tunnel, which is the practical way to get a latency signal, since the gateway itself does not report one.
  • Packet Capture: Captures traffic on a virtual machine for deep packet inspection of what arrives after decapsulation.
  • IP Flow Verify: Checks whether a given flow is allowed or denied at a virtual machine's NSG rules.

VPN troubleshoot targets the gateway itself; the other tools run from the VM or NIC side, but they are invaluable for deciding whether a problem lies in the tunnel or in routing and filtering on either end of it.

Best Practice: Regularly review your VPN Gateway metrics and logs. Configure alerts for critical events such as TunnelDisconnected entries in TunnelDiagnosticLog, BGP Peer Status dropping, a sustained non-zero Tunnel TS Drop Packets count, or gateway bandwidth falling to zero while on-premises traffic is expected, so that issues are addressed before users report them. Rekeys and maintenance can produce brief disconnect/reconnect pairs, so alert on a tunnel that stays down or that flaps repeatedly rather than on every single transition.
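The distinction between a transient transition and an outage is easy to get wrong in an alert rule. The script below is an added example (not part of the original page and not Microsoft's code) that applies that logic to exported TunnelDiagnosticLog records: it flags tunnels that have stayed down past a grace period and tunnels that disconnected repeatedly within a window, and ignores a tunnel that dropped a few minutes ago. The records are constructed and follow the one-JSON-object-per-line shape that a storage-account or Event Hub export delivers; the property names (remoteIP, status) mirror the remoteIP_s and status_s columns seen in Log Analytics and are an assumption about the export format.

```python
"""Flag down and flapping tunnels from exported TunnelDiagnosticLog records.

Added example, not from the original page or from Microsoft. Records are
constructed; the properties schema is an assumption about the export format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

GW = ("/subscriptions/0000/resourceGroups/rg-hub/providers/"
      "Microsoft.Network/virtualNetworkGateways/vpngw-hub")


def _rec(ts, op, peer=None, category="TunnelDiagnosticLog"):
    """Build one constructed export line in the assumed diagnostic export shape."""
    props = {}
    if peer is not None:
        props = {"remoteIP": peer,
                 "status": "Connected" if op == "TunnelConnected" else "Disconnected"}
    return json.dumps({"time": ts, "resourceId": GW, "category": category,
                       "operationName": op, "properties": props})


# Constructed sample: peer .10 flaps three times, peer .20 drops and never
# recovers, peer .30 dropped five minutes before "now" (still within grace),
# and one GatewayDiagnosticLog line is mixed in and must be ignored.
SAMPLE_EXPORT = "\n".join([
    _rec("2024-05-01T07:00:00Z", "TunnelConnected", "203.0.113.20"),
    _rec("2024-05-01T07:30:00Z", "TunnelConnected", "203.0.113.30"),
    _rec("2024-05-01T08:00:00Z", "TunnelConnected", "203.0.113.10"),
    _rec("2024-05-01T08:05:00Z", "TunnelDisconnected", "203.0.113.10"),
    _rec("2024-05-01T08:06:00Z", "TunnelConnected", "203.0.113.10"),
    _rec("2024-05-01T08:20:00Z", "TunnelDisconnected", "203.0.113.20"),
    _rec("2024-05-01T08:30:00Z", "TunnelDisconnected", "203.0.113.10"),
    _rec("2024-05-01T08:31:00Z", "TunnelConnected", "203.0.113.10"),
    _rec("2024-05-01T08:40:00Z", "SetGatewayConfiguration", category="GatewayDiagnosticLog"),
    _rec("2024-05-01T08:50:00Z", "TunnelDisconnected", "203.0.113.10"),
    _rec("2024-05-01T08:51:00Z", "TunnelConnected", "203.0.113.10"),
    _rec("2024-05-01T08:55:00Z", "TunnelDisconnected", "203.0.113.30"),
])
NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)


def parse_export(text):
    """Parse one JSON record per line, keeping only tunnel state transitions."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("category") != "TunnelDiagnosticLog":
            continue  # other categories carry no tunnel state
        events.append({
            "time": datetime.fromisoformat(rec["time"].replace("Z", "+00:00")),
            "tunnel": (rec["resourceId"].rsplit("/", 1)[-1], rec["properties"]["remoteIP"]),
            "up": rec["operationName"] == "TunnelConnected",
        })
    events.sort(key=lambda e: e["time"])
    return events


def evaluate_tunnels(events, now, down_after=timedelta(minutes=10),
                     flap_window=timedelta(hours=1), flap_threshold=3):
    """Return tunnels down for at least down_after at `now`, and tunnels with
    flap_threshold or more disconnects in the flap_window ending at `now`."""
    last = {}                      # tunnel -> (is_up, time of last transition)
    disconnects = defaultdict(int)  # tunnel -> disconnects inside the window
    for e in events:
        if e["time"] > now:
            continue
        last[e["tunnel"]] = (e["up"], e["time"])
        if not e["up"] and e["time"] > now - flap_window:
            disconnects[e["tunnel"]] += 1
    label = lambda t: f"{t[0]}:{t[1]}"
    down = sorted(label(t) for t, (up, ts) in last.items()
                  if not up and now - ts >= down_after)
    flapping = sorted(label(t) for t, n in disconnects.items() if n >= flap_threshold)
    return {"down": down, "flapping": flapping}


if __name__ == "__main__":
    print(json.dumps(evaluate_tunnels(parse_export(SAMPLE_EXPORT), NOW), indent=2))
```

The same two conditions translate directly into a scheduled KQL alert over AzureDiagnostics (a TunnelDisconnected row with no later TunnelConnected for the same remoteIP_s, and a count of TunnelDisconnected rows per remoteIP_s over the window); the grace period and flap threshold are the knobs that keep routine rekeys from paging anyone.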

Visualizing Performance with Dashboards

Create custom dashboards in Azure Monitor to consolidate key VPN Gateway metrics and logs. This provides a single pane of glass for monitoring the health and performance of your hybrid connectivity.

Consider including widgets for:

  • Current tunnel connection status (the latest TunnelConnected/TunnelDisconnected event per remote peer).
  • Data ingress/egress trends per tunnel.
  • Tunnel TS drop packets and BGP peer status, which surface misconfiguration before users notice.
  • Latency from Connection Monitor tests that cross the tunnel.
  • Recent IKEDiagnosticLog and TunnelDiagnosticLog error events.