File: articles/network-watcher/network-watcher-alert-triggered-packet-capture.md
51 additions & 33 deletions
@@ -19,7 +19,7 @@ Network Watcher packet capture creates capture sessions to track traffic in and
19
19
20
20
This capability can be started remotely from other automation scenarios such as Azure Functions. Packet capture gives you the capability to run proactive captures based on defined network anomalies. Other uses include gathering network statistics, getting information about network intrusions, debugging client-server communications, and more.
21
21
22
-
Resources that are deployed in Azure run 24/7. You and your staff can't actively monitor the status of all resources 24/7. For example, what happens if an issue occurs at 2 AM?
22
+
Resources that are deployed in Azure run 24 * 7. You and your staff can't actively monitor the status of all resources 24 * 7. For example, what happens if an issue occurs at 2 AM?
23
23
24
24
By using Network Watcher, alerting and functions from within the Azure ecosystem, you can proactively respond with the data and tools to solve problems in your network.
25
25
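Review bot: the edit at line 22 replaces "24/7" with "24 * 7", which reads as a multiplication rather than the idiom "around the clock"; keep the original "24/7" (or spell out "around the clock") in both places in that sentence. The rest of the hunk is unchanged context.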
@@ -33,7 +33,7 @@ By using Network Watcher, alerting and functions from within the Azure ecosystem
33
33
34
34
## Scenario
35
35
36
-
In this example, your VM is sending more TCP segments than usual and you want to be alerted. TCP segments are used as an example here, but you can use any alert condition.
36
+
In this example, your VM is utilizing more CPU percentage than usual and you want to be alerted. CPU percentage is used as an example here, but you can use any alert condition.
37
37
38
38
When you're alerted, the packet-level data helps to understand why communication has increased. You can take steps to return the virtual machine to regular communication.
39
39
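Review bot: switching the example signal from TCP segments to CPU percentage (line 36) leaves the next paragraph inconsistent, which still says "the packet-level data helps to understand why communication has increased" and "return the virtual machine to regular communication". With a CPU trigger the justification should be that a capture started at the moment of the spike lets you correlate the load with the traffic that caused it; either reword that paragraph to match, or keep a network metric as the example so the capture is the natural diagnostic for the alert.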
@@ -42,19 +42,19 @@ This scenario assumes that you have an existing instance of Network Watcher and
42
42
The following list is an overview of the workflow that takes place:
43
43
44
44
1. An alert is triggered on your VM.
45
-
1. The alert calls your Azure function via a Webhook.
45
+
1. The alert calls your Azure function.
46
46
1. Your Azure function processes the alert and starts a Network Watcher packet capture session.
47
47
1. The packet capture runs on the VM and collects traffic.
48
48
1. The packet capture file is uploaded to a storage account for review and diagnosis.
49
49
50
-
To automate this process, we create and connect an alert on our VM to trigger when the incident occurs. We also create a function to call in to Network Watcher.
50
+
To automate this process, we create and connect an alert on our VM to trigger when the incident occurs. We also create a function to call Network Watcher.
51
51
52
52
This scenario does the following:
53
53
54
54
* Creates an Azure function that starts a packet capture.
55
55
* Creates an alert rule on a virtual machine and configures the alert rule to call the Azure function.
56
56
57
-
## Create an Azure function
57
+
## Create an Azure function app
58
58
59
59
The first step is to create an Azure function to process the alert and create a packet capture.
60
60
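Review bot: the heading is renamed to "## Create an Azure function app" (line 57) but the sentence directly under it still reads "The first step is to create an Azure function to process the alert"; since this section now creates the app and a later subsection creates the function, change it to "The first step is to create an Azure function app that will host the function that processes the alert". Dropping "via a Webhook" from the workflow step (line 45) is consistent with the Azure Function action type used later in the alert section, so that part is fine.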
@@ -64,8 +64,9 @@ The first step is to create an Azure function to process the alert and create a
64
64
65
65
2. Select **Create** to open the **Create Function App** screen.
66
66
67
-
2. In the **Basics** tab, enter the following values and select **OK** to create the app:
67
+
:::image type="content" source="./media/network-watcher-alert-triggered-packet-capture/create-function-app.png" alt-text="Screenshot of the Create function app screen.":::
68
68
69
+
2. In the **Basics** tab, enter the following values and select **OK** to create the app:
69
70
1. Under **Project Details**, select the **Subscription** for which you want to create the Function app and the **Resource Group** to contain the app.
70
71
2. Under **Instance details**, do the following:
71
72
1. Enter the name of the Function app. This name will be appended by *.azurewebsites.net*.
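Review bot: the added `:::image:::` line (line 67) sits between two items of the numbered list without indentation, which will terminate the list in rendered markdown and restart the numbering at the next item; indent the image line to the list item's content column so it stays inside step 2. Also, the step now numbered "2." at line 68 duplicates the "2." at line 66 and tells the reader to "select **OK** to create the app", while step 3 at line 82 says to "Click **Review + create**"; renumber the steps and keep only one of the two create actions.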
@@ -78,9 +79,25 @@ The first step is to create an Azure function to process the alert and create a
78
79
- Consumption (Serverless) - For event-driven scaling for the lowest minimum cost
79
80
- Functions Premium - For enterprise-level, serverless applications with event-based scaling and network isolation
80
81
- App Service Plan - For reusing compute from an existing app service plan.
81
-
82
82
3. Click **Review + create** to create the app.
83
83
84
+
### Create an Azure function
85
+
86
+
1. In the function app that you created, in the **Functions** tab, select **Create** to open the **Create function** pane.
87
+
88
+
:::image type="content" source="./media/network-watcher-alert-triggered-packet-capture/create-function.png" alt-text="Screenshot of the Create function screen.":::
89
+
90
+
2. Select **Develop in portal** from the **Development environment** drop-down.
91
+
3. Under **Select a template**, select **HTTP Trigger**.
92
+
4. In the **Template details** section, do the following:
93
+
1. Enter the name of the function in the **New function** field.
94
+
2. Select **Function** as the **Authorization level** and select **Create**.
95
+
5. After the function is created, go to the function and select **Code + Test**.
96
+
97
+
:::image type="content" source="./media/network-watcher-alert-triggered-packet-capture/code-test.png" alt-text="Screenshot of the Code + Test screen.":::
98
+
99
+
6. Update the [script](#add-powershell-to-the-function) and select **Save**.
100
+
84
101
### Authentication
85
102
86
103
To use the PowerShell cmdlets, you must authenticate. You configure authentication in the function app. To configure authentication, you must configure environment variables and upload an encrypted key file to the function app.
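Review bot: keeping **Function** as the **Authorization level** (line 94) is the right choice and is worth a sentence of explanation, since this HTTP endpoint starts packet captures on a VM: with **Anonymous** anyone who discovers the URL could trigger captures and fill the storage account, whereas **Function** requires the function key on every call. Consider adding that rationale after step 4, and note that the key must be available to whatever invokes the function (the alert action configured later in the article). Step 6 links to the script section with `#add-powershell-to-the-function`, which matches the existing "### Add PowerShell to the function" heading, so that anchor is fine.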
@@ -118,12 +135,9 @@ In the App Service Editor of the function app, create a folder called **keys** u
118
135
The final requirement is to set up the environment variables that are necessary to access the values for authentication. The following list shows the environment variables that are created:
119
136
120
137
* AzureClientID
121
-
122
138
* AzureTenant
123
-
124
139
* AzureCredPassword
125
140
126
-
127
141
#### AzureClientID
128
142
129
143
The client ID is the Application ID of an application in Azure Active Directory.
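Review bot: collapsing the blank lines between the three bullets (lines 137 to 139) only changes the list from loose to tight and is fine. While these lines are being touched, **AzureCredPassword** is a secret that the later section stores in plain app settings; a one-line pointer to storing it as a Key Vault reference instead would be a worthwhile addition here.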
@@ -140,13 +154,10 @@ The client ID is the Application ID of an application in Azure Active Directory.
140
154
> [!NOTE]
141
155
> The password that you use when creating the application should be the same password that you created earlier when saving the key file.
142
156
143
-
1. In the Azure portal, select **Subscriptions**. Select the subscription to use and select **Access control (IAM)**.
144
-
145
-
157
+
1. In the Azure portal, select **Subscriptions**. Select the subscription to use and select **Access control (IAM)**.
146
158
147
159
1. Choose the account to use and select **Properties**. Copy the Application ID.
148
-
149
-
160
+
150
161
151
162
#### AzureTenant
152
163
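Review bot: the reflowed steps at lines 157 to 159 still send the reader to **Subscriptions** > **Access control (IAM)** and then to **Properties** to copy the Application ID, but the Application (client) ID is shown on the app registration's overview page in Azure Active Directory, not under a subscription's IAM blade; IAM is where the role assignment for the application is made. Since the hunk already rewrites these lines, fix the navigation and keep the IAM step for the role assignment only. The surrounding NOTE about reusing "the same password that you created earlier when saving the key file" is also hard to follow for a first-time reader and could say explicitly which step that refers to.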
@@ -179,14 +190,12 @@ $Encryptedpassword
179
190
180
191
### Store the environment variables
181
192
182
-
1. Go to the function app. Select **Function app settings** > **Configure app settings**.
183
-
184
-
![Configure app settings][functions11]
193
+
1. Go to the function app. Select **Configurations** > **Application settings**.
185
194
195
+
:::image type="content" source="./media/network-watcher-alert-triggered-packet-capture/application-insights.png" alt-text="Screenshot of the Application settings screen.":::
196
+
186
197
1. Add the environment variables and their values to the app settings and select **Save**.
187
198
188
-
![App settings][functions12]
189
-
190
199
### Add PowerShell to the function
191
200
192
201
It's now time to make calls into Network Watcher from within the Azure function. Depending on the requirements, the implementation of this function can vary. However, the general flow of the code is as follows:
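Review bot: the new screenshot at line 195 is named `application-insights.png` but its alt text says "Application settings screen"; confirm the right file was committed, since Application Insights and Application settings are different blades. The portal path at line 193 should read **Configuration** > **Application settings** (singular "Configuration"). With the `![Configure app settings][functions11]` and `![App settings][functions12]` references removed, check whether the `[functions11]:` and `[functions12]:` link definitions remain at the end of the file and delete them if they are now orphaned.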
@@ -387,24 +396,33 @@ Use the following PowerShell code if you're using the old schema:
387
396
388
397
## Configure an alert on a VM
389
398
390
-
Alerts can be configured to notify individuals when a specific metric crosses a threshold that's assigned to it. In this example, the alert is on the TCP segments that are sent, but the alert can be triggered for many other metrics. In this example, an alert is configured to call a webhook to call the function.
399
+
Alerts can be configured to notify individuals when a specific metric crosses a threshold that's assigned to it. In this example, the alert is on the CPU Percentage that are sent, but the alert can be triggered for many other metrics.
391
400
392
401
### Create the alert rule
393
402
394
-
Go to an existing virtual machine and add an alert rule. More detailed documentation about configuring alerts can be found at [Create alerts in Azure Monitor for Azure services - Azure portal](../azure-monitor/alerts/alerts-classic-portal.md). Enter the following values in the **Alert rule**tab and select **OK**.
403
+
Go to an existing virtual machine and [add an alert rule](../azure-monitor/alerts/alerts-classic-portal.md). Do the following in the **Create an Alert rule**screen.
395
404
396
-
|**Setting**|**Value**|**Details**|
397
-
|---|---|---|
398
-
|**Name**|TCP_Segments_Sent_Exceeded|Name of the alert rule.|
399
-
|**Description**|TCP segments sent exceeded threshold|The description for the alert rule.|
400
-
|**Metric**|TCP segments sent| The metric to use to trigger the alert. |
401
-
|**Condition**|Greater than| The condition to use when evaluating the metric.|
402
-
|**Threshold**|100| The value of the metric that triggers the alert. This value should be set to a valid value for your environment.|
403
-
|**Period**|Over the last five minutes| Determines the period in which to look for the threshold on the metric.|
404
-
|**Webhook**|[webhook URL from function app]| The webhook URL from the function app that was created in the previous steps.|
405
+
1. In the **Select a signal** pane, search for the name of the signal and select it. In the example below, Percentage CPU is the selected signal. It denotes the percentage of allocated compute units that are in use by the VM.
406
+
407
+
:::image type="content" source="./media/network-watcher-alert-triggered-packet-capture/action-group.png" alt-text="Screenshot of the Create action group screen.":::
408
+
409
+
2. In the **Conditions** tab, set the following values and select **Next: Actions >**.
410
+
411
+
|**Setting**|**Value**|
412
+
|---|---|
413
+
|**Threshold**|Static|
414
+
|**Aggregation type**|Average|
415
+
|**Operator**|Greater than|
416
+
|**Threshold value**|3|
417
+
|**Check every**|1 minute|
418
+
|**Lookback period**|5 minutes|
419
+
420
+
3. In the **Actions** tab, select **Create an action group**.
421
+
4. In the **Create action group** screen, select the **Subscription**, **Resource group**, and **Region**. Also enter the Action group name and the display name and select **Next: Notfications >**.
422
+
5. In the screen that appears, select **Action type** as **Azure Function**.
423
+
6. In the Azure Function pane, select the **Subscription**, **Resource group**, **Function app**, and **Azure Function**.
424
+
7. Select **No** in **Enable the common alert schema** slider and select **OK**.
405
425
406
-
> [!NOTE]
407
-
> The TCP segments metric is not enabled by default. Learn more about how to enable additional metrics by visiting [Enable monitoring and diagnostics](../azure-monitor/overview.md).
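Review bot: the rewritten sentence at line 399, "the alert is on the CPU Percentage that are sent", is ungrammatical and is a leftover from the TCP segments wording; change it to "the alert is on Percentage CPU". Further points in this hunk: the screenshot at line 407 is named `action-group.png` with alt text "Create action group screen" but illustrates the **Select a signal** step; "Notfications" at line 421 is a typo for "Notifications", and the **Azure Function** action type (lines 422 to 423) is chosen on the **Actions** tab of the action group wizard, not after **Next: Notifications**; and a **Threshold value** of 3 (line 416) for average Percentage CPU will fire almost continuously on a real VM and start a packet capture each time, so either state that it is a deliberately low demo value or pick a realistic one. Selecting **No** for the common alert schema (line 424) is consistent with the "old schema" PowerShell code above, so keep the two in sync if either changes.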