MS Docs: Network Views

Understanding Network Visualizations

Network views provide a graphical representation of your network infrastructure, helping you monitor, troubleshoot, and plan your network resources. These views can range from high-level topology maps to detailed traffic flow analysis.

Key components often visualized include:

Virtual Machines (VMs) and Services: Representing your compute resources.
Virtual Networks (VNets) and Subnets: The foundational logical network structures.
Network Interfaces (NICs): Connections to VMs.
Load Balancers and Gateways: For traffic distribution and connectivity.
Firewall Rules and Network Security Groups (NSGs): Demonstrating traffic filtering.
Connections: Showing links between different network components.

Common Network Views in MS Azure

Microsoft Azure offers several powerful tools and views for network visualization:

1. Network Topology

The Network Topology view provides an interactive map of your resources in a virtual network. It shows dependencies and relationships between resources like VMs, VNETs, Load Balancers, and Gateways.

Figure 1: Example of Azure Network Topology view.

This view is invaluable for understanding the layout of your deployed network and identifying potential bottlenecks or misconfigurations.

2. Network Watcher

Azure Network Watcher is a comprehensive network monitoring service. It offers several tools that contribute to network views:

Connection Troubleshoot: Helps diagnose connectivity issues between two endpoints.
IP Flow Verify: Checks if traffic is allowed or denied to or from a VM based on NSG rules.
Next Hop: Determines the next hop for traffic destined for a specific IP address, helping to understand routing.
Packet Capture: Allows capturing network traffic for deeper analysis.
Traffic Analytics: Provides insights into network traffic flow using NSG flow logs, visualizing traffic patterns, identifying top talkers, and understanding communication between resources.

3. Traffic Analytics

Traffic Analytics aggregates and analyzes Network Security Group flow logs. It enriches flow data with information about location, threat intelligence, and traffic type, presenting it in a visualized dashboard.

Figure 2: Sample Traffic Analytics dashboard.

With Traffic Analytics, you can easily visualize:

Traffic flow between Azure resources.
Traffic flow between Azure and the internet.
Traffic flow between Azure and on-premises networks.
Common communication patterns.
Top communication pairs and protocols.

4. VNet Gateway Diagnostics

For VPN gateways and ExpressRoute circuits, specific diagnostic tools provide views into connection status, bandwidth utilization, and error logs.

Best Practices for Using Network Views

Regularly Review Topology: Ensure your network map accurately reflects your current infrastructure.
Monitor Traffic Patterns: Use Traffic Analytics to identify unexpected or excessive traffic, which could indicate security threats or performance issues.
Leverage NSG Flow Logs: Configure and analyze flow logs to gain granular visibility into network traffic.
Utilize Troubleshoot Tools: When connectivity issues arise, start with Network Watcher's diagnostic tools for quick resolution.
Document Your Network: Use the visualization tools to create and maintain up-to-date network documentation.

Example: Visualizing NSG Rules

To understand how Network Security Groups (NSGs) control traffic, you can use the IP Flow Verify tool. Let's consider a scenario where a VM in a subnet needs to communicate with an external service.

Scenario: A web server VM (10.0.1.4) needs to receive inbound HTTP traffic (port 80) from the internet.

Using IP Flow Verify, you would specify:


Direction: Inbound
Protocol: TCP
Local IP address: 10.0.1.4
Local port: 80
Remote IP address: [Any IP from Internet]
Remote port: [Any Port]

The tool would then analyze the NSGs applied to the VM's NIC and subnet. If there's an NSG rule that allows inbound TCP traffic on port 80 from the specified source, the communication will be permitted. Otherwise, it will be denied.

The output might look like:


{
  "flowStatus": "Allowed",
  "ruleResultDetails": [
    {
      "ruleName": "AllowHTTPInbound",
      "ruleType": "UserRule",
      "protocol": "TCP",
      "sourceIpAddress": "*",
      "destinationIpAddress": "*",
      "sourcePortRange": "*",
      "destinationPortRange": "80",
      "access": "Allow",
      "priority": 100,
      "direction": "Inbound"
    }
  ]
}