Monitoring Azure Virtual WAN
This article provides an overview of the monitoring capabilities for Azure Virtual WAN, helping you gain insights into the health, performance, and security of your virtual network connectivity.
Key Monitoring Tools and Services
Azure Virtual WAN integrates seamlessly with several Azure services to provide comprehensive monitoring:
- Azure Monitor: The foundational service for collecting, analyzing, and acting on telemetry from your Azure and on-premises environments. It provides metrics, logs, and alerts for Virtual WAN resources.
- Azure Network Watcher: Offers tools to monitor, diagnose, and view metrics for Azure network resources. Key features include connection monitoring, IP flow verify, and topology.
- Log Analytics: A part of Azure Monitor, Log Analytics enables you to query and analyze log data from various sources, including Virtual WAN.
- Azure Activity Log: Provides insights into subscription-level events that have occurred in your Azure subscription.
Monitoring Virtual WAN Components
You can monitor the following key components of Azure Virtual WAN:
Virtual Hubs
Virtual hubs are the central points of connectivity in Virtual WAN. Monitoring their health and performance is vital. You can view metrics such as:
- VNet connections count
- Site-to-site VPN connections count
- User VPN connections count
- Data In/Out (throughput)
Connections (VPN & ExpressRoute)
Monitor the status and performance of your VPN and ExpressRoute connections to ensure reliable connectivity to your on-premises networks or other cloud environments.
- Connection Status: Online/Offline indicators.
- Throughput: Data transferred in and out of the connection.
- Latency: Round-trip time for data packets.
- Packet Loss: Percentage of packets not successfully delivered.
Firewall (Azure Firewall integrated with Virtual WAN)
If you're using Azure Firewall within your Virtual WAN hub, you can monitor its activity, rules, and threat intelligence.
- Network traffic logs
- Application traffic logs
- Threat intelligence logs
- Connection status
Routing
Understanding your routing tables is essential for troubleshooting connectivity issues. While not directly a monitoring metric, tools like Network Watcher can help diagnose routing problems.
Using Azure Monitor for Virtual WAN
Azure Monitor provides a centralized experience for monitoring Azure Virtual WAN. You can:
View Metrics
Navigate to your Virtual WAN resource or specific Virtual Hub in the Azure portal. Under the 'Monitoring' section, you can view various performance metrics over different time ranges. You can also pin these metrics to your Azure dashboard for quick access.

Figure 1: Example of Virtual WAN metrics in Azure Monitor.
Configure Diagnostic Settings
To collect detailed logs for analysis, configure diagnostic settings for your Virtual WAN resources. You can send logs to:
- Log Analytics workspace for querying.
- Storage account for archival.
- Event Hubs for integration with other services.
# Example: Sending logs to Log Analytics (Conceptual)
# In Azure Portal: Navigate to Virtual WAN -> Diagnostic settings -> Add diagnostic setting
# Select desired logs (e.g., AzureFirewallNetworkLog, AzureFirewallApplicationLog, VpnConnectionDiagnosticLog)
# Destination: Log Analytics Workspace
# Subscription: Your Subscription
# Log Analytics Workspace: YourWorkspaceName
Set Up Alerts
Create alert rules in Azure Monitor to be notified when specific conditions are met. This is crucial for proactive issue resolution. Examples include:
- Alert when a VPN connection goes offline.
- Alert when network throughput exceeds a threshold.
- Alert on critical firewall events.
Using Azure Network Watcher
Network Watcher provides advanced network diagnostic and monitoring tools:
- Connection Monitor: Monitor the reachability and latency of network paths between endpoints, including Virtual WAN connections.
- IP Flow Verify: Diagnose whether traffic is allowed or denied to or from a Virtual Machine based on NSG rules and Azure Firewall rules.
- Topology: Visualize the network topology, showing the relationships between your Virtual WAN, hubs, and connected resources.
Analyzing Logs with Log Analytics
Once logs are sent to a Log Analytics workspace, you can use Kusto Query Language (KQL) to perform powerful analysis.
Example KQL Query: VPN Connection Events
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "VpnConnectionDiagnosticLog"
| where ActivityLog_ contains "ConnectionEstablished"
| project TimeGenerated, ResourceId, CallerSourceIpAddress, CallerTargetIpAddress, ActivityStatus, ActivityDetails
| order by TimeGenerated desc
Example KQL Query: Firewall Network Logs
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "AzureFirewallNetworkLog"
| where RuleCollectionName == "DenyRuleCollection" // Example: Analyzing denied traffic
| project TimeGenerated, RuleCollectionName, RuleCollectionGroupName, Priority, SourceIP, DestinationIP, DestinationPort, Protocol
| order by TimeGenerated desc
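The deny listing above can be turned into a query suitable for a log alert rule, which is one way to cover the "alert on critical firewall events" case from Set Up Alerts. This is an added example, not part of the original article: it reuses the category, rule collection name and column names from the query above, and the window and thresholds are assumptions to tune for your environment.

```kql
// Added example: flag sources whose denied traffic looks like scanning or a
// sustained blocked flow. Window and thresholds are assumed values.
let window = 15m;
let minDistinctPorts = 20;   // assumed: many destination ports from one source
let minDeniedFlows = 500;    // assumed: high volume of denied flows from one source
AzureDiagnostics
| where TimeGenerated > ago(1d)
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "AzureFirewallNetworkLog"
| where RuleCollectionName == "DenyRuleCollection"
| summarize DeniedFlows = count(),
            DistinctPorts = dcount(DestinationPort),
            DistinctDestinations = dcount(DestinationIP),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by SourceIP, bin(TimeGenerated, window)
// Keep only the windows that cross either threshold.
| where DistinctPorts >= minDistinctPorts or DeniedFlows >= minDeniedFlows
| extend Reason = case(DistinctPorts >= minDistinctPorts, "many destination ports",
                       "high denied-flow volume")
| project WindowStart = TimeGenerated, SourceIP, DeniedFlows, DistinctPorts,
          DistinctDestinations, FirstSeen, LastSeen, Reason
| order by DeniedFlows desc
```

Each returned row is one source IP in one 15-minute window, so an alert rule that fires when the result count is greater than zero produces one notification per evaluation rather than one per denied packet.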
Best Practices for Virtual WAN Monitoring
- Define SLOs/SLIs: Establish Service Level Objectives (SLOs) and Service Level Indicators (SLIs) for your Virtual WAN connectivity.
- Automate Alerts: Configure alerts for critical events and performance thresholds to enable proactive response.
- Regularly Review Logs: Periodically analyze logs in Log Analytics to identify patterns, potential security threats, and performance bottlenecks.
- Utilize Dashboards: Create custom Azure dashboards to consolidate key metrics and logs for a holistic view of your Virtual WAN health.
- Implement Network Monitoring Tools: Leverage Network Watcher for in-depth diagnostics and troubleshooting.
By implementing a robust monitoring strategy, you can ensure the reliability, security, and performance of your Azure Virtual WAN deployment.