Commit 061342f

Merge pull request #296228 from mbender-ms/avnm-ga-vnet-verify
virtual network manager | Maintenance | Updates for VNet Verify GA
2 parents b6f7cc2 + 43506b1 commit 061342f

11 files changed, +49 -35 lines changed
Lines changed: 29 additions & 15 deletions
@@ -1,26 +1,26 @@
11
---
2-
title: What is Virtual Network Verifier?
3-
description: Learn how Virtual Network Verifier helps you verify your network policies allow or disallow traffic between your Azure network resources.
2+
title: What is network verifier in Azure Virtual Network Manager?
3+
description: Learn how network verifier helps you verify your network policies allow or disallow traffic between your Azure network resources.
44
author: mbender-ms
55
ms.author: mbender
66
ms.topic: concept-article
77
ms.service: azure-virtual-network-manager
8-
ms.date: 05/20/2024
8+
ms.date: 03/13/2025
99
---
1010

11-
# How does Virtual Network Verifier work?
11+
# What is network verifier?
1212

13-
In Azure Virtual Network Manager, Virtual Network Verifier enables you to check if your network policies allow or disallow traffic between your Azure network resources. It can help you answer simple diagnostic questions to triage why reachability isn't working as expected and prove conformance of your Azure setup to your organization’s security compliance requirements. When you run a reachability analysis in Virtual Network Verifier, it can answer questions such as why two virtual machines can't communicate with each other.
13+
In Azure Virtual Network Manager, network verifier is a tool that enables you to check if your network policies allow or disallow traffic between your Azure network resources. There are several moving parts between connectivity, security, routing, and resource-specific configurations -- so how do you know that what you've set up in your Azure environment is actually achieving the reachability you desire among your network resources? Whether you're diagnosing why reachability isn't working as expected or proving conformance of your Azure setup to your organization’s security compliance requirements, network verifier can provide the answers. When you run a reachability analysis in network verifier, it can answer questions such as why two virtual machines can't communicate with each other by providing the full reachability path and blockers.
1414

1515
[!INCLUDE [virtual-network-verifier-preview](../../includes/virtual-network-verifier-preview.md)]
1616

17-
## How does Verifier Workspace work?
17+
## How does network verifier work?
1818

19-
Virtual Network Verifier is available in every network manager instance through a resource called a verifier workspace, which acts as a container for Virtual Network Verifier's child resources and capabilities. A network manager can have one or more verifier workspaces and these verifier workspaces can be delegated to non-network manager users. A verifier workspace uses the following workflow to gather and analyze network data.
19+
Network verifier is available in every network manager instance through a resource called a verifier workspace, which acts as a container for network verifier's child resources and capabilities. A network manager can have one or more verifier workspaces and these verifier workspaces can be delegated to non-network manager users. A verifier workspace uses the following workflow to gather and analyze network data.
2020

2121
### Create a verifier workspace
2222

23-
A verifier workspace is a child resource of a network manager. Its permissions can be delegated to non-network manager admin users and it's discoverable from the Azure portal. The verifier workspace includes its own child resources of reachability analysis intents and reachability analysis results, and it uses its parent network manager's scope as the boundary to run analysis.
23+
A verifier workspace is a child resource of a network manager. Its permissions can be delegated to non-network manager admin users and it's discoverable from the Azure portal. The verifier workspace includes its own child resources of reachability analysis intents and reachability analysis results, and it uses its parent network manager's scope as the boundary to run analysis. Any Azure resource, configuration, and rule within this scope can be evaluated in the reachability analysis without needing to elevate user permissions for the subscriptions and management groups of its parent network manager's scope.
2424

2525
### Delegate a verifier workspace resource
2626

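Review bot: the `[!INCLUDE [virtual-network-verifier-preview](../../includes/virtual-network-verifier-preview.md)]` line left unchanged just below the rewritten intro still renders a preview banner in a change whose commit title says GA; either remove the include here or confirm the shared include was updated separately. The new sentence at the end of "Create a verifier workspace" ("without needing to elevate user permissions for the subscriptions and management groups of its parent network manager's scope") is the key access-control statement of the article, so it should say which permission on the verifier workspace is required instead, otherwise readers may take it to mean no permission is needed to evaluate resources in scope. Style: the double hyphen in "resource-specific configurations -- so how do you know" should be a single dash or a full stop.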
@@ -32,10 +32,10 @@ Within a verifier workspace, you create a reachability analysis intent to define
3232

3333
| **Field** | **Description **|
3434
|-------|-------------|
35-
| **Source** | The source of the traffic that can be a virtual machine, subnet, or the internet. |
35+
| **Source** | The source of the traffic that can be a virtual machine, virtual machine scale sets instance, subnet, or the internet. |
3636
| **Source ports** | The source ports of the traffic. |
3737
| **Source IP addresses** | The source IP addresses of the traffic. |
38-
| **Destination** | The destination of the traffic that can be a virtual machine, subnet, Cosmos DB, storage account, SQL server, or the internet. |
38+
| **Destination** | The destination of the traffic that can be a virtual machine, virtual machine scale sets instance, subnet, Cosmos DB, storage account, SQL server, or the internet. |
3939
| **Destination ports** | The destination ports of the traffic. |
4040
| **Destination IP addresses** | The destination IP addresses of the traffic. |
4141
| **Protocol** | The protocol of the traffic. |
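Review bot: "virtual machine scale sets instance" in the **Source** and **Destination** rows uses the plural attributively; "virtual machine scale set instance" matches the singular form used for "virtual machine" and "subnet" in the same cells. While editing this table, the unchanged header cell `| **Description **|` has its trailing space inside the bold markers, which some Markdown renderers show as literal asterisks; it should read `| **Description** |`.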
@@ -44,15 +44,15 @@ You can create multiple reachability analysis intents within a verifier workspac
4444

4545
### Run a reachability analysis
4646

47-
After defining a reachability analysis intent, you need to perform an analysis to get verification results. This static analysis checks if various resources and policy configurations in the network manager's scope preserve reachability between the given source and destination of the reachability analysis intent. Once the analysis is done, it produces a reachability analysis result.
47+
After defining a reachability analysis intent, you need to run an analysis to receive the reachability analysis result. This static analysis checks if various resources and policy configurations in the network manager's scope preserve reachability between the given source and destination of the reachability analysis intent. Once the analysis is complete, it produces a reachability analysis result.
4848

49-
The reachability analysis result is a JSON object that indicates whether packets can reach the reachability analysis intent's destination from its source. It provides details about the path of connectivity, showing where traffic was blocked if the source and destination couldn't connect. It includes information about the resources on the path and their metadata regardless of the reachability analysis result's outcome.
49+
The reachability analysis result is a JSON object that details whether packets can reach the reachability analysis intent's destination from its source. It provides details about the path of connectivity, showing where traffic was blocked if the source and destination couldn't connect. It includes information about the resources on the path and their metadata regardless of the reachability analysis result's outcome.
5050

5151
In the Azure portal, this reachability analysis result is visualized to show the forward path of the reachability analysis intent's defined connectivity. Any user with access to the verifier workspace can run a reachability analysis on any reachability analysis intent within that verifier workspace.
5252

5353
## Supported features of the reachability analysis
5454

55-
When run, a reachability analysis evaluates the following features:
55+
When run, network verifier's reachability analysis evaluates the following features:
5656

5757
- Network security group (NSG) rules
5858
- Application security group (ASG) rules
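Review bot: the rewritten first sentence of "Run a reachability analysis" now says you run an analysis "to receive the reachability analysis result", and the paragraph still ends with "Once the analysis is complete, it produces a reachability analysis result", so the result is introduced twice; drop one of the two. In the next paragraph, "indicates" was changed to "details", but the following sentence starts "It provides details", so "details ... details" now repeats; "states whether" or keeping "indicates" avoids that.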
@@ -63,17 +63,31 @@ When run, a reachability analysis evaluates the following features:
6363
- Service endpoints & access control lists
6464
- Private endpoints
6565
- Virtual WAN
66+
- Azure Firewall (static L4 only)
6667

6768
This list is subject to expand.
6869

70+
## When should I use network verifier?
71+
72+
Network verifier is designed to help you validate your Azure network configurations and resources, ensuring they align with your intended reachability and comply with internal standards. This tool proves particularly useful during the design and post-deployment phases of your Azure network setup. When you encounter unexpected traffic allowances or disallowances, network verifier helps you pinpoint the origin of these deviations from your expected reachability within your Azure environment. With its detailed reachability analysis results, network verifier can reconstruct the source-to-destination path taken in the Azure control plane, enabling you to track down where the misconfiguration lies.
73+
74+
Network verifier can help you answer several questions regarding your Azure network resource reachability, including:
75+
76+
- Public internet IP address to/from a given virtual machine, subnet, or other resource
77+
- Validation of security rules enforcing traffic denial and order of evaluation, such as with NSG rules and security admin rules
78+
- Confirmation of reachability to resources behind a private endpoint
79+
- Remodel of theoretical traffic path through a virtual WAN
80+
81+
For more complex troubleshooting scenarios, network verifier serves as an excellent starting point. Its reachability analysis results can guide you toward the next steps in your diagnostic journey, directing you to tools specialized in operational monitoring, network performance, and data path-level network troubleshooting.
82+
6983
## Limits
7084

71-
The limitations in the public preview of Virtual Network Verifier are as follows:
85+
The limitations of network verifier are as follows:
7286
- A reachability analysis can only be run on a single reachability analysis intent.
7387
- Subnets selected as the source and/or destination of a reachability analysis intent must have at least one running virtual machine for a reachability analysis result to be provided.
7488
- Reachability analysis results are based on the evaluation of supported Azure services, resources, and policies listed as supported features here. Actual traffic behavior resulting from services not explicitly listed above can vary from the reachability analysis result.
7589

7690
## Next steps
7791

7892
> [!div class="nextstepaction"]
79-
> [Learn to analyze resource reachability with Virtual Network Verifier in Azure Virtual Network Manager](how-to-verify-reachability-with-virtual-network-verifier.md)
93+
> [Learn to analyze resource reachability with network verifier in Azure Virtual Network Manager](how-to-verify-reachability-with-virtual-network-verifier.md)
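Review bot: `- Azure Firewall (static L4 only)` is the only supported feature carrying a qualifier, and the parenthetical is too terse for a page whose stated use is proving compliance; spell out which Azure Firewall rule types the analysis evaluates and which it does not, otherwise readers may assume application-layer rules are covered and treat a reachable or blocked result as authoritative for them. The same caveat belongs in the **Limits** section, which currently points only at "services not explicitly listed above". In the new "When should I use network verifier?" list, the items are noun fragments ("Public internet IP address to/from a given virtual machine...", "Remodel of theoretical traffic path through a virtual WAN") answering a lead sentence that promises "questions"; recasting them as questions, or changing the lead to "scenarios", would make the list read consistently. The unchanged "This list is subject to expand." would read better as "This list is expected to expand."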

articles/virtual-network-manager/how-to-verify-reachability-with-virtual-network-verifier.md

Lines changed: 18 additions & 15 deletions
@@ -5,13 +5,13 @@ author: mbender-ms
55
ms.author: mbender
66
ms.topic: how-to
77
ms.service: azure-virtual-network-manager
8-
ms.date: 12/11/2024
8+
ms.date: 03/13/2025
99
ms.custom: references_regions
1010
---
1111

12-
# Verify resource reachability with Virtual Network Verifier - Azure portal
12+
# Verify resource reachability with network verifier - Azure portal
1313

14-
In this article, you learn how to use Virtual Network Verifier in the Azure portal to verify the reachability of a storage account from a VM based on your applied network policies. As part of the process, you create a verifier workspace, create a reachability analysis intent, run a reachability analysis, and view the reachability analysis results. This article also demonstrates how you can delegate verifier workspaces to other users in your organization so they gain the ability to use a permitted verifier workspace.
14+
In this article, you learn how to use network verifier in the Azure portal to verify the reachability from one virtual machine to another virtual machine based on your applied network policies. As part of the process, you create a verifier workspace, create a reachability analysis intent, run a reachability analysis, and view the reachability analysis results. This article also demonstrates how you can delegate verifier workspaces to other users in your organization so they gain the ability to use a permitted verifier workspace.
1515

1616
[!INCLUDE [virtual-network-verifier-preview](../../includes/virtual-network-verifier-preview.md)]
1717

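Review bot: the intro now describes a VM-to-VM walkthrough instead of VM-to-storage-account, so every later step, table example and screenshot in this file should be checked against the new scenario rather than only the sentence here. The `virtual-network-verifier-preview` include kept below the intro still shows a preview banner in this GA update, as in the concept article. Minor wording: "so they gain the ability to use a permitted verifier workspace" can be "so they can use the verifier workspace delegated to them".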
@@ -31,7 +31,6 @@ In this step, you create a verifier workspace in your network manager to set up
3131
3. Select **Create** to create a new verifier workspace.
3232
4. On the **Create a virtual network manager verifier workspace** page, provide a name and optional description for your verifier workspace.
3333

34-
3534
## Create a reachability analysis intent
3635

3736
In this step, you create a reachability analysis intent in your verifier workspace. This analysis intent describes the traffic path being checked for reachability.
@@ -43,32 +42,33 @@ In this step, you create a reachability analysis intent in your verifier workspa
4342
| --- | --- |
4443
| **Name** | Enter a name for the reachability analysis intent. |
4544
| **Protocol** | Select the protocol of the traffic you want to verify. |
46-
| **Source type** | Select the source type of either **Public internet**, **Virtual machines**, or **Subnet**. Select **Virtual machines** for this example. |
47-
| **Source** | If a virtual machine is selected as the source type, use the selection picker to select an instance from the parent network manager's scope. |
45+
| **Source type** | Select the source type of either **Public internet**, **Virtual machines**, **Subnet**, or **Virtual machine scale sets instance**. Select **Virtual machines** for this example. |
46+
| **Source** | Depending on the source type, use the selection picker to select an instance from the parent network manager's scope. |
4847
| **Source IP address** | Enter an IPv4 or IPv6 address or a range using CIDR notation of the source you want to verify. |
49-
| **Source port** | Enter a port or a range of the source you want to verify. To specify any port, enter *. |
50-
| **Destination type** | Select the destination type of either **Public internet**, **Cosmos DB**, **Storage Account**, **SQL Server**, **Virtual machines**, or **Subnet**. Select **Virtual machines** for this example. |
51-
| **Destination** | If a Cosmos DB, storage account, SQL server, or virtual machine is selected as the destination type, use the selection picker to select an instance from the parent network manager's scope. |
48+
| **Source port** | Optionally enter a port or a range of the source you want to verify. |
49+
| **Destination type** | Select the destination type of either **Public internet**, **Cosmos DB**, **Storage Account**, **SQL Server**, **Virtual machines**, **Subnet**, or **Virtual machine scale sets instance**. Select **Virtual machines** for this example. |
50+
| **Destination** | Depending on the destination type, use the selection picker to select an instance from the parent network manager's scope. |
5251
| **Destination IP address** | Enter an IPv4 or IPv6 address or a range using CIDR notation of the destination you want to verify. |
53-
| **Destination port** | Enter a port or a range of the destination you want to verify. To specify any port, enter *. |
52+
| **Destination port** | Optionally enter a port or a range of the destination you want to verify. |
5453

5554
:::image type="content" source="media/how-to-verify-reachability-with-virtual-network-verifier/create-analysis-intent.png" alt-text="Screenshot of Create analysis intent window with settings and values.":::
5655

5756
3. Repeat the process to create more reachability analysis intents in the verifier workspace.
5857

5958
## Start an analysis
6059

61-
After setting up a reachability analysis intent, you can initiate an analysis. This analysis checks if a path exists between the source and destination specified in the intent, considering the network policies and resources that are currently in place. This analysis evaluates policies and resources within the scope of the verifier workspace's parent network manager.
60+
After setting up a reachability analysis intent, you can initiate an analysis. This analysis checks if a path exists between the source and destination specified in the intent, considering the Azure resources and network policies that are currently in place. This analysis evaluates policies and resources within the scope of the verifier workspace's parent network manager.
6261

6362
1. Under **Reachability analysis intents**, select the checkbox next to the reachability analysis intent you want to analyze and select **Start analysis**.
6463
2. In the **Start analysis** pane, enter a name and optional description for the analysis, and then select the **Start analysis** button.
6564

6665
:::image type="content" source="media/how-to-verify-reachability-with-virtual-network-verifier/start-analysis-run.png" alt-text="Screenshot of Start analysis window for analysis intent run job.":::
6766

6867
> [!NOTE]
69-
> The analysis run may take a few minutes to complete. You can monitor the progress of the analysis in the Azure Portal.
68+
> The analysis run may take a couple minutes to complete. You can monitor the progress of the analysis in the Azure portal.
7069
7170
## View reachability analysis results
71+
7272
In this step, you view the results of the analysis you started in the previous step.
7373

7474
1. In the verifier workspace, select **Reachability analysis intents** under *Settings* and select the corresponding **View results** for your reachability analysis intent. Alternatively, navigate to **Reachability analysis results** and select the name of the result you want to view.
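Review bot: the **Source port** and **Destination port** rows dropped "To specify any port, enter *" in favour of "Optionally enter"; the table should state what an empty field means (any port) or whether `*` is still accepted, because a run that silently scopes to a narrower or wider port range than the operator intended gives a misleading reachable or blocked result. The **Source** and **Destination** rows now say "Depending on the source type, use the selection picker" but give no instruction for **Public internet**, which has no instance to pick; the replaced text was explicit about which types need a picker. In the note, "a couple minutes" should be "a couple of minutes".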
@@ -79,14 +79,17 @@ In this step, you view the results of the analysis you started in the previous s
7979

8080
:::image type="content" source="media/how-to-verify-reachability-with-virtual-network-verifier/view-analysis-results.png" alt-text="Screenshot of Reachability analysis results window with analysis results.":::
8181

82-
3. On the **Reachability analysis results** tab in the **View analysis results** pane, you see the results in a visual format. The visualization shows the path taken by the traffic and the resources traversed.
82+
3. On the **Reachability analysis results** tab in the **View analysis results** pane, you see the results in a visual format. The visualization shows the path taken by the traffic and the resources traversed and is interactive.
8383

8484
:::image type="content" source="media/how-to-verify-reachability-with-virtual-network-verifier/view-analysis-results-visualization.png" alt-text="Screenshot of Reachability analysis results window with visualization of analysis results.":::
8585

86-
4. Select one of the resources in the visualization to view the resource details. You can also select any of the lengths in the visualization to view details of that step.
86+
4. Select one of the resources in the visualization to view the resource details. You can also select any of the lengths in the visualization to view details of that step. If the results indicate a blockage in the reachability path, select the length immediately before the blockage to see what resource or policy caused the blockage.
8787

8888
:::image type="content" source="media/how-to-verify-reachability-with-virtual-network-verifier/network-manager-reachability-results-details.png" alt-text="Screenshot of resource details for network manager from analysis intent results.":::
8989

90+
:::image type="content" source="media/how-to-verify-reachability-with-virtual-network-verifier/view-results-path-edge-details.png" alt-text="Screenshot of step details for a network manager from analysis intent results.":::
91+
92+
9093
5. Select the **JSON output** tab to view the full JSON output of the analysis result. The beginning of the JSON object details the outcome of the result, which indicates whether all packets reached, some packets reached, or no packets reached. Explanations are provided for each outcome and each reachability step.
9194

9295
:::image type="content" source="media/how-to-verify-reachability-with-virtual-network-verifier/view-json-results.png" alt-text="Screenshot of JSON output for reachability analysis results.":::
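Review bot: step 4 calls the connectors between nodes "lengths" (twice in the unchanged text and once in the added sentence), while the new screenshot's file name and alt text call them path edges and step details; settle on one term, "edge", in the step text, for example "select the edge immediately before the blockage". The added guidance on locating the blocking resource or policy is the most useful sentence in the section, so it is worth making the term match what the user sees in the portal.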
@@ -108,4 +111,4 @@ Optionally, you can delegate a verifier workspace to other users. This allows ot
108111
## Next steps
109112

110113
> [!div class="nextstepaction"]
111-
> [What is Virtual Network Verifier](concept-virtual-network-verifier.md)
114+
> [What is network verifier?](concept-virtual-network-verifier.md)