|
1 | 1 | ---
|
2 |
| -title: Introduction to IP flow verify |
| 2 | +title: IP flow verify overview |
3 | 3 | titleSuffix: Azure Network Watcher
|
4 |
| -description: This page provides an overview of Azure Network Watcher IP flow verify capability. |
5 |
| -services: network-watcher |
| 4 | +description: Learn about Azure Network Watcher IP flow verify to check if traffic is allowed or denied to and from your Azure virtual machines (VMs). |
6 | 5 | author: halkazwini
|
7 |
| -ms.service: network-watcher |
8 |
| -ms.topic: conceptual |
9 |
| -ms.workload: infrastructure-services |
10 |
| -ms.date: 10/04/2022 |
11 | 6 | ms.author: halkazwini
|
| 7 | +ms.service: network-watcher |
| 8 | +ms.topic: concept-article |
| 9 | +ms.date: 09/28/2023 |
| 10 | + |
| 11 | +#CustomerIntent: As an Azure administrator, I want learn about IP flow verify so I can use it to check the security rules applied on the VMs to confirm if traffic is allowed or denied. |
12 | 12 | ---
|
13 | 13 |
|
14 |
| -# Introduction to Azure Network Watcher IP flow verify |
| 14 | +# IP flow verify overview |
| 15 | + |
| 16 | +IP flow verify is a feature in Azure Network Watcher that you can use to check if a packet is allowed or denied to or from an Azure virtual machine based on the configured security and admin rules. It helps you to troubleshoot virtual machine connectivity issues by checking network security group (NSG) rules and Azure Virtual Network Manager admin rules. It's a quick and simple tool to diagnose connectivity issues to or from other Azure resources, the internet and on-premises environment. |
| 17 | + |
| 18 | +IP flow verify looks at the rules of all network security groups applied to a virtual machine's network interface, whether the network security group is associated to the virtual machine's subnet or network interface. It additionally, looks at the Azure Virtual Network Manager rules applied to the virtual network of the virtual machine. |
| 19 | + |
| 20 | +IP flow verify uses traffic direction, protocol, local IP, remote IP, local port, and remote port to test security and admin rules that apply to the virtual machine's network interface. |
| 21 | + |
| 22 | +:::image type="content" source="./media/network-watcher-ip-flow-verify-overview/ip-flow-verify-portal.png" alt-text="Screenshot of IP flow verify in the Azure portal." lightbox="./media/network-watcher-ip-flow-verify-overview/ip-flow-verify-portal.png"::: |
| 23 | + |
| 24 | +IP flow verify returns **Access denied** or **Access allowed**, the name of the security rule that denies or allows the traffic, and the network security group with a link to it so you can edit it if you need to. It doesn't provide a link if a default security rule is denying or allowing the traffic. For more information, see [Default security rules](../virtual-network/network-security-groups-overview.md#default-security-rules). |
15 | 25 |
|
16 |
| -IP flow verify checks if a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and a remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment. |
| 26 | +:::image type="content" source="./media/network-watcher-ip-flow-verify-overview/access-denied.png" alt-text="Screenshot of IP flow verify result in the Azure portal."::: |
17 | 27 |
|
18 |
| -IP flow verify looks at the rules for all Network Security Groups (NSGs) applied to the network interface, such as a subnet or virtual machine NIC. Traffic flow is then verified based on the configured settings to or from that network interface. IP flow verify is useful in confirming if a rule in a Network Security Group is blocking ingress or egress traffic to or from a virtual machine. Now along with the NSG rules evaluation, the Azure Virtual Network Manager rules will also be evaluated. |
| 28 | +## Prerequisites |
19 | 29 |
|
20 |
| -[Azure Virtual Network Manager (AVNM)](../virtual-network-manager/overview.md) is a management service that enables users to group, configure, deploy, and manage Virtual Networks globally across subscriptions. AVNM security configuration allows users to define a collection of rules that can be applied to one or more network groups at the global level. These security rules have a higher priority than network security group (NSG) rules. An important difference to note here is that admin rules are a resource delivered by ANM in a central location controlled by governance and security teams, which bubble down to each vnet. NSGs are a resource controlled by the vnet owners, which apply at each subnet or NIC level. |
| 30 | +To use IP flow verify, you must meet the following prerequisites: |
21 | 31 |
|
22 |
| -An instance of Network Watcher needs to be created in all regions where you plan to run IP flow verify. Network Watcher is a regional service and can only be run against resources in the same region. The instance used does not affect the results of IP flow verify, as any route associated with the NIC or subnet is still returned. |
| 32 | +- Network Watcher instance in the Azure subscription and region of the virtual machine. For more information, see [Enable or disable Azure Network Watcher](network-watcher-create.md). |
| 33 | +- Have the necessary permissions to access the feature. For more information, see [RBAC permissions required to use Network Watcher capabilities](required-rbac-permissions.md). |
23 | 34 |
|
24 |
| -![1][1] |
| 35 | +## Considerations |
25 | 36 |
|
26 |
| -## Next steps |
| 37 | +- IP flow verify tests TCP and UDP traffic. To test ICMP traffic, use [NSG diagnostics](network-watcher-network-configuration-diagnostics-overview.md). |
| 38 | +- IP flow verify tests security and admin rules applied to a virtual machine's network interface. To test virtual machine scale sets, use [NSG diagnostics](network-watcher-network-configuration-diagnostics-overview.md). |
27 | 39 |
|
28 |
| -Visit the following article to learn if a packet is allowed or denied for a specific virtual machine through the portal. [Check if traffic is allowed on a VM with IP Flow Verify using the portal](diagnose-vm-network-traffic-filtering-problem.md) |
| 40 | +## Next step |
29 | 41 |
|
30 |
| -[1]: ./media/network-watcher-ip-flow-verify-overview/figure1.png |
| 42 | +To learn how to use IP flow verify, continue to: |
31 | 43 |
|
| 44 | +> [!div class="nextstepaction"] |
| 45 | +> [Diagnose a virtual machine network traffic filter problem](diagnose-vm-network-traffic-filtering-problem.md) |
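Review bot: the rewrite drops the one security-relevant ordering fact the removed paragraph carried (old line 20: "These security rules have a higher priority than network security group (NSG) rules"), so new lines 16 and 18 now say only that IP flow verify "additionally, looks at the Azure Virtual Network Manager rules" without telling the reader which rule set wins when an admin rule and an NSG rule conflict, or that the rule name returned may belong to a centrally managed admin configuration rather than an NSG the virtual network owner controls. Suggest keeping one sentence at the end of new line 18, for example: "Admin rules have a higher priority than network security group rules, so they're evaluated first." On the same line, the comma in "It additionally, looks at" should be removed, and "associated to" reads better as "associated with". Smaller points: new line 11 reads "I want learn about" and is missing "to"; new line 32 should begin "A Network Watcher instance" so it parallels line 33 (or make both bullets imperative).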