Merge pull request #298579 from AvirupCha/vtap-public-preview

Vtap public preview updates

Author: denrea

articles/virtual-network/media/virtual-network-tap/architecture.png

@@ -6,21 +6,21 @@ author: asudbring
 manager: ganesr
 ms.service: azure-virtual-network
 ms.topic: how-to
-ms.date: 04/17/2025
+ms.date: 04/21/2025
 ms.author: allensu
 ms.custom: devx-track-azurecli
 ---
 
 # Work with a virtual network TAP using the Azure CLI
 
-> [!IMPORTANT]
-> Virtual network TAP Preview is currently in Preview in select Azure regions. You can sign up for our Previews using the sign form (https://forms.office.com/r/EWqbgLGNcV) and we'll notify you when you're selected. In the interim, you can use agent based or NVA solutions that provide TAP/Network Visibility functionality through our [Packet Broker partner solutions](virtual-network-tap-overview.md#virtual-network-tap-partner-solutions) available in [Azure Marketplace Offerings](https://azuremarketplace.microsoft.com/marketplace/apps/category/networking?page=1&subcategories=appliances%3Ball&search=Network%20Traffic&filters=partners).
+Azure virtual network TAP (Terminal Access Point) allows you to continuously stream your virtual machine network traffic to a network packet collector or analytics tool. The collector or analytics tool is provided by a [network virtual appliance](https://azure.microsoft.com/solutions/network-appliances/) partner. For a list of partner solutions that are validated to work with virtual network TAP, see [partner solutions](virtual-network-tap-overview.md#virtual-network-tap-partner-solutions).
 
-Azure virtual network TAP (Terminal Access Point) allows you to continuously stream your virtual machine network traffic to a network packet collector or analytics tool. The collector or analytics tool is provided by a [network virtual appliance](https://azure.microsoft.com/solutions/network-appliances/) partner. For a list of partner solutions that are validated to work with virtual network TAP, see [partner solutions](virtual-network-tap-overview.md#virtual-network-tap-partner-solutions). 
+> [!IMPORTANT]
+> Virtual network TAP is now in Public Preview. For more information, see the [Overview](virtual-network-tap-overview.md) article.
 
 ## Create a virtual network TAP resource
 
-Read [prerequisites](virtual-network-tap-overview.md#prerequisites) before you create a virtual network TAP resource. You can run the commands that follow in the [Azure Cloud Shell](https://shell.azure.com/bash), or by running the Azure CLI from your computer. The Azure Cloud Shell is a free interactive shell that doesn't require installing the Azure CLI on your computer. You must sign in to Azure with an account that has the appropriate [permissions](virtual-network-tap-overview.md#permissions). This article requires the Azure CLI version 2.0.46 or later. Run `az --version` to find the installed version. If you need to install or upgrade, see [Install Azure CLI 2.0](/cli/azure/install-azure-cli). Virtual network TAP is currently available as an extension. To install the extension you need to run `az extension add -n virtual-network-tap`. If you're running the Azure CLI locally, you also need to run `az login` to create a connection with Azure.
+Read [prerequisites](virtual-network-tap-overview.md#prerequisites) before you create a virtual network TAP resource. You can run the commands that follow in the [Azure Cloud Shell](https://shell.azure.com/bash), or by running the Azure CLI from your computer. The Azure Cloud Shell is a free interactive shell that doesn't require installing the Azure CLI on your computer. You must sign in to Azure with an account that has the appropriate [permissions](virtual-network-tap-overview.md#permissions). This article requires the Azure CLI version 2.0.46 or later. Run `az --version` to find the installed version. If you need to install or upgrade, see [Install Azure CLI 2.0](/cli/azure/install-azure-cli). Virtual network TAP is currently available as an extension. To install the extension, you need to run `az extension add -n virtual-network-tap`. If you're running the Azure CLI locally, you also need to run `az login` to create a connection with Azure.
 
 1. Retrieve the ID of your subscription into a variable that is used in a later step:
 
@@ -155,4 +155,5 @@ Read [prerequisites](virtual-network-tap-overview.md#prerequisites) before you c
    ```
 
 ## Next steps
-- [Virtual network TAP overview](virtual-network-tap-overview.md)
+
+Learn how to [create a virtual network TAP](tutorial-virtual-network-tap-portal.md) using the Azure portal.

articles/virtual-network/media/virtual-network-tap/portal-tutorial-add-destination.png

@@ -0,0 +1,68 @@
+---
+title: Create, change, or delete a virtual network TAP - Azure portal
+description: Learn how to create, change, or delete a virtual network TAP using the Azure portal.
+services: virtual-network
+author: avirupcha
+ms.service: azure-virtual-network
+ms.topic: how-to
+ms.date: 04/21/2025
+ms.author: avirupcha
+---
+
+# Work with a virtual network TAP using the Azure portal
+
+Azure virtual network TAP (Terminal Access Point) allows you to continuously stream your virtual machine network traffic to a network packet collector or analytics tool. The collector or analytics tool is provided by a [network virtual appliance](https://azure.microsoft.com/solutions/network-appliances/) partner. For a list of partner solutions that are validated to work with virtual network TAP, see [partner solutions](virtual-network-tap-overview.md#virtual-network-tap-partner-solutions).
+
+> [!IMPORTANT]
+> Virtual network TAP is now in Public Preview. For more information, see the [Overview](virtual-network-tap-overview.md) article.
+
+## Before you begin
+
+Before you create a virtual network TAP resource, review the following items:
+
+* Read the [prerequisites](virtual-network-tap-overview.md#prerequisites) in the Overview article before you create a virtual network TAP resource.
+* You must sign in to Azure with an account that has the appropriate [permissions](virtual-network-tap-overview.md#permissions).
+
+## Create a virtual network TAP resource
+
+The following steps show you how to create a virtual network TAP resource using the [Azure portal](https://aka.ms/VTAPPublicPreview).
+
+[In the portal](https://aka.ms/VTAPPublicPreview), select **Create** to open the Virtual network terminal access points page.
+
+:::image type="content" source="./media/virtual-network-tap/portal-tutorial-create.png" alt-text="Screenshot of virtual network tap Azure portal showing how to start creating a virtual network TAP resource." lightbox="./media/virtual-network-tap/portal-tutorial-create.png":::
+
+1. Select your subscription ID.
+1. Select the Resource Group for your virtual network TAP resource.
+1. Give your virtual network TAP resource a name.
+1. Select the Azure region for your virtual network TAP resource. The destination and source resource must be in the same region as your virtual network TAP resource.
+1. Next, click **Select destination resource** to open the **Add a destination** page.
+
+### Add a destination resource
+
+A virtual network TAP resource can only have a single destination resource and it must be in the same region as the virtual network TAP resource.
+
+:::image type="content" source="./media/virtual-network-tap/portal-tutorial-add-destination.png" alt-text="Screenshot of virtual network tap Azure portal showing how to add destination resource for mirrored traffic." lightbox="./media/virtual-network-tap/portal-tutorial-add-destination.png":::
+
+Use the following steps to add a destination resource.
+
+1. Select between network interface or a load balancer.
+1. Filter for your desired destination resource. You can filter by using the search bar.
+1. Select your destination resource.
+1. After you specify your destination resource, click **Select** to open the **Add source network interfaces** page.
+
+### Add a source resource
+
+You can have multiple sources per virtual network resource. If you have multiple sources, traffic is mirrored to the same destination resource. Sources must be in the same region as the virtual network TAP resource.
+
+:::image type="content" source="./media/virtual-network-tap/portal-tutorial-add-source.png" alt-text="Screenshot of virtual network tap Azure portal showing how to add mirrored traffic source." lightbox="./media/virtual-network-tap/portal-tutorial-add-source.png":::
+
+Configure the following settings to add a source resource:
+
+1. Filter for your desired source network interface.
+1. Select the source network interface.
+1. Click **Add**.
+1. Click **Review and Create** to deploy your virtual network TAP resource.
+
+## Next steps
+
+Learn how to [Create a virtual network TAP](tutorial-tap-virtual-network-cli.md) using CLI.

articles/virtual-network/media/virtual-network-tap/portal-tutorial-add-source.png

@@ -1,78 +1,90 @@
 ---
 title: Azure virtual network TAP overview
 description: Learn about virtual network TAP. Virtual network TAP provides you with a copy of virtual machine network traffic that can be streamed to a packet collector.
-author: asudbring
+author: avirupcha
 ms.service: azure-virtual-network
 ms.topic: concept-article
-ms.date: 03/28/2023
-ms.author: allensu
+ms.date: 04/21/2025
+ms.author: avirupcha
+ms.custom: references_regions
 ---
 
 # Virtual network TAP
 
-> [!IMPORTANT]
-> Virtual network TAP Preview is currently in Private Preview in select Azure regions. You can sign up for our Previews using the sign form (https://forms.office.com/r/EWqbgLGNcV) and we will notify you when you are selected. In the interim, you can use agent based or NVA solutions that provide TAP/Network Visibility functionality through our [Packet Broker partner solutions](#virtual-network-tap-partner-solutions) available in [Azure Marketplace Offerings](https://azuremarketplace.microsoft.com/marketplace/apps/category/networking?page=1&subcategories=appliances%3Ball&search=Network%20Traffic&filters=partners).
-
 Azure virtual network TAP (Terminal Access Point) allows you to continuously stream your virtual machine network traffic to a network packet collector or analytics tool. The collector or analytics tool is provided by a [network virtual appliance](https://azure.microsoft.com/solutions/network-appliances/) partner. For a list of partner solutions that are validated to work with virtual network TAP, see [partner solutions](#virtual-network-tap-partner-solutions).
 
+> [!IMPORTANT]
+> Virtual network TAP is now in public preview in select Azure regions. For more information, see the [Supported Region](#supported-regions) section in this article.
+
 The following diagram shows how virtual network TAP works. You can add a TAP configuration on a [network interface](virtual-network-network-interface.md) that is attached to a virtual machine deployed in your virtual network. The destination is a virtual network IP address in the same virtual network as the monitored network interface or a [peered virtual](virtual-network-peering-overview.md) network. The collector solution for virtual network TAP can be deployed behind an Azure Internal Load balancer for high availability.
 
-:::image type="content" source="./media/virtual-network-tap/architecture.png" alt-text="Diagram of how virtual network TAP works.":::
+:::image type="content" source="./media/virtual-network-tap/architecture.png" alt-text="Diagram of how virtual network TAP works." lightbox="./media/virtual-network-tap/architecture.png":::
 
 ## Prerequisites
 
-Before you can create a virtual network TAP, ensure you've received the confirmation email that you're enrolled in the preview. You must have one or more virtual machines created with [Azure Resource Manager](../azure-resource-manager/management/overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json) and a partner solution for aggregating the TAP traffic in the same Azure region. If you don't have a  partner solution in your virtual network, see [partner solutions](#virtual-network-tap-partner-solutions) to deploy one. 
+Before you can create a virtual network TAP, ensure you've received the confirmation email that you're enrolled in the preview. You must have one or more virtual machines created with [Azure Resource Manager](../azure-resource-manager/management/overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json), and a partner solution for aggregating the TAP traffic in the same Azure region. If you don't have a  partner solution in your virtual network, see [partner solutions](#virtual-network-tap-partner-solutions) to deploy one. 
 
-You can use the same virtual network TAP resource to aggregate traffic from multiple network interfaces in the same or different subscriptions. If the monitored network interfaces are in different subscriptions, the subscriptions must be associated to the same Microsoft Entra tenant. Additionally, the monitored network interfaces and the destination endpoint for aggregating the TAP traffic can be in peered virtual networks in the same region. If you're using this deployment model, ensure that the [virtual network peering](virtual-network-peering-overview.md) is enabled before you configure virtual network TAP.
+You can use the same virtual network TAP resource to aggregate traffic from multiple network interfaces in the same or different subscriptions. If the monitored network interfaces are in different subscriptions, the subscriptions must be associated to the same Microsoft Entra tenant. Additionally, the monitored network interfaces, and the destination endpoint for aggregating the TAP traffic can be in peered virtual networks in the same region. If you're using this deployment model, ensure that the [virtual network peering](virtual-network-peering-overview.md) is enabled before you configure virtual network TAP.
 
 ## Permissions
 
 The accounts you use to apply TAP configuration on network interfaces must be assigned to the [network contributor](../role-based-access-control/built-in-roles.md?toc=%2fazure%2fvirtual-network%2ftoc.json#network-contributor) role or a [custom role](../role-based-access-control/custom-roles.md?toc=%2fazure%2fvirtual-network%2ftoc.json) that is assigned the necessary actions from the following table:
 
 | Action | Name |
 |---|---|
-| Microsoft.Network/virtualNetworkTaps/* | Required to create, update, read and delete a virtual network TAP resource |
+| Microsoft.Network/virtualNetworkTaps/* | Required to create, update, read, and delete a virtual network TAP resource |
 | Microsoft.Network/networkInterfaces/read | Required to read the network interface resource on which the TAP is configured |
-| Microsoft.Network/tapConfigurations/* | Required to create, update, read and delete the TAP configuration on a network interface |
+| Microsoft.Network/tapConfigurations/* | Required to create, update, read, and delete the TAP configuration on a network interface |
 
-## Virtual network TAP partner solutions
+## Public preview limitations
+Following are limitations during our preview.
+- Virtual network TAP only supports virtual machine's (VM) network interface as a mirroring source.
+- Virtual network TAP supports Load Balancer or VM's network interface as a destination resource for mirrored traffic.
+- Virtual network doesn't support Live Migration. VM set as source for virtual network TAP will have live migration disabled.
+- VMs behind a Standard Load Balancer with Floating IP enabled can't be set as a mirroring source.
+- VMs behind Basic Load Balancer can't be set as a mirroring source.
+- Virtual network doesn't support mirroring of inbound Private Link Service traffic.
+- VMs in a virtual network with encryption enabled can't be set as mirroring source.
+- Virtual network doesn't support IPv6 isn't supported.
+- When a VM is added or removed as a source, the VM might experience network downtime (up to 60 seconds).
 
-### Network packet brokers
+## Supported Regions
 
-- [GigaVUE Cloud Suite for Azure](https://www.gigamon.com/solutions/cloud/public-cloud/gigavue-cloud-suite-azure.html)
-
-- [Ixia CloudLens](https://www.ixiacom.com/cloudlens/cloudlens-azure)
-
-- [cPacket Cloud Visibility](https://www.cpacket.com/cloud)
-
-- [Big Switch Big Monitoring Fabric](https://www.arista.com/en/bigswitch)
-
-### Security analytics, network/application performance management
+- Asia East
+- US West Central
 
-- [Awake Security](https://www.arista.com/partner/technology-partners)
+### Coming soon
 
-- [Cisco Stealthwatch Cloud](https://blogs.cisco.com/security/cisco-stealthwatch-cloud-and-microsoft-azure-reliable-cloud-infrastructure-meets-comprehensive-cloud-security)
+- UK South (May 5)
+- US East (May 15)
 
-- [Darktrace](https://www.darktrace.com)
-
-- [Fidelis Cybersecurity](https://fidelissecurity.com/)
-
-- [Flowmon](https://www.flowmon.com/en/blog/azure-vtap)
-
-- [NetFort LANGuardian](https://www.netfort.com/languardian/solutions/visibility-in-azure-network-tap/)
-
-- [Netscout vSTREAM](https://www.netscout.com/technology-partners/microsoft-azure)
-
-- [Noname Security](https://nonamesecurity.com/)
-
-- [Riverbed SteelCentral AppResponse]( https://www.riverbed.com/products/steelcentral/steelcentral-appresponse-11.html)
-
-- [RSA NetWitness® Platform](https://community.netwitness.com/t5/netwitness-platform-integrations/ixia-cloudlens-rsa-netwitness-packets-implementation-guide/ta-p/564238)
+## Virtual network TAP partner solutions
 
-- [Vectra Cognito](https://www.vectra.ai/products/cognito-platform)
+### Network packet brokers
 
-- [Corelight, Inc.](https://corelight.com/)
+|Partner|Product|
+|-------------|----------|
+|**Gigamon**|[GigaVUE Cloud Suite for Azure](https://www.gigamon.com/solutions/cloud/public-cloud/gigavue-cloud-suite-azure.html)|
+|**cPacket -**|[cPacket Cloud Suite](https://www.cpacket.com/cloud)|
+|**Keysight**|[CloudLens](https://www.keysight.com/us/en/products/network-visibility/cloud-visibility/cloudlens-software-suite.html)|
 
-## Next steps
+### Security analytics, network/application performance management
 
-- Learn how to [Create a virtual network TAP](tutorial-tap-virtual-network-cli.md).
+|Partner|Product|
+|-------------|----------|
+|**DarkTrace**|[Darktrace /NETWORK](https://www.darktrace.com/products/network)|
+|**Netscout**|[Omnis Cyber Intelligence NDR](https://www.netscout.com/product/cyber-intelligence)|
+|**Corelight**|[Corelight Open NDR Platform](https://corelight.com/solutions/why-open-ndr)|
+|**Vectra**|[Vectra NDR](https://www.vectra.ai/products/ndr)|
+|**Fortinet**|[FortiNDR Cloud](https://www.fortinet.com/products/network-detection-and-response)|
+|**TrendMicro**|[Trend Vision One™ Network Security](https://www.trendmicro.com/en_ca/business/products/network.html)|
+|**Extrahop**|[Reveal(x)](https://hop.extrahop.com/partners/tech-partners/microsoft/)|
+|**Bitdefender**|[GravityZone Extended Detection and Response for Network](https://www.bitdefender.com/en-us/business/products/gravityzone-xdr)|
+|**eSentire**|[eSentire MDR](https://www.esentire.com/how-we-do-it/signals/mdr-for-network)|
+|**LinkShadow**|[LinkShadow NDR](https://www.linkshadow.com/products/network-detection-and-response)|
+|**AttackFence**|[AttackFence NDR](https://www.attackfence.com/products/ndr)|
+|**Arista Networks**|[Arista NDR](https://www.arista.com/en/products/network-detection-and-response)|
+
+## Next Steps
+
+Learn how to Create a virtual network TAP using [CLI](tutorial-tap-virtual-network-cli.md) or the [Azure portal](tutorial-virtual-network-tap-portal.md).