Merge pull request #273677 from sushantjrao/config-monitoring

Config monitoring

Author: Stacyrch140

articles/operator-nexus/TOC.yml

@@ -46,6 +46,10 @@
           href: concepts-observability.md
         - name: Metrics
           href: reference-operator-nexus-observability-metrics.md
+        - name: Azure Operator Nexus Network Fabric Configuration Monitoring
+          href: concepts-network-fabric-configuration-monitoring.md
+        - name: Azure Operator Nexus Network Fabric Internal Network BGP Metrics
+          href: concepts-internal-network-bgp-metrics.md
     - name: Security
       href: concepts-security.md
     - name: Control Plane Resiliency
@@ -148,7 +152,8 @@
               href: howto-update-access-control-list-for-network-to-network-interconnects.md
             - name: Delete ACLs associated with Network-to-Network Interconnects (NNI)
               href: howto-delete-access-control-list-network-to-network-interconnect.md
-           
+            - name: How to Configure Diagnostic Settings and Monitor Configuration Differences in Nexus Network Fabric
+              href: howto-configure-diagnostic-settings-monitor-configuration-differences.md
     - name: Nexus Kubernetes cluster
       expanded: false
       items:

articles/operator-nexus/concepts-internal-network-bgp-metrics.md

@@ -0,0 +1,64 @@
+---
+title: Azure Operator Nexus Network Fabric internal network BGP metrics
+description: Overview of internal network BGP metrics.
+author: sushantjrao
+ms.author: sushrao
+ms.reviewer: sushrao
+ms.date: 04/29/2024
+ms.service: azure-operator-nexus
+ms.topic: conceptual
+---
+
+# Azure Operator Nexus Network Fabric internal network BGP metrics
+
+Border Gateway Protocol (BGP) Neighbor Monitoring is a critical aspect of network management, ensuring the stability and reliability of communication between routers within internal networks. This concept document aims to provide an overview of BGP Neighbor Monitoring, its significance, and the key metrics involved.
+
+## Established transitions
+
+One key metric in BGP Neighbor Monitoring is Established Transitions, which tracks the connectivity status between the network fabric and its adjacent routers. This metric indicates the stability of neighbor relationships and the efficiency of communication channels.
+
+   :::image type="content" source="media/bgp-transitions.png" alt-text="Screenshot of BGP Transitions Diagram.":::
+
+### Monitored BGP Messages
+
+BGP routers engage in the exchange of several messages to establish, maintain, and troubleshoot network connections. Understanding these messages is essential for network administrators to ensure the stability and efficiency of their networks.
+
+   a.  **Sent Notification:**
+
+   When a router encounters an issue, such as the withdrawal of a route or an unsupported capability, it sends a Notification message to its neighbor. These messages serve as alerts, indicating potential disruptions in network connectivity.
+
+   b. **Received Notification:**
+
+   Conversely, routers also receive Notification messages from their neighbors. Analyzing these messages is crucial for identifying and addressing issues on the neighbor's side that may impact network performance.
+
+   c. **Sent Update:**
+
+   To communicate routing information, a router sends Update messages to its neighbors. These messages contain details about the prefixes it can reach and their associated attributes. By broadcasting this information, routers inform their neighbors about reachable network destinations.
+
+   d. **Received Update:**
+
+   Routers also receive Update messages from their neighbors, containing information about advertised prefixes and their attributes. Monitoring these messages allows administrators to detect any inconsistencies or unexpected changes in routing information, which could signify network issues or misconfigurations.
+
+## BGP Prefix Monitoring
+
+In the realm of BGP (Border Gateway Protocol), monitoring prefixes within a BGP neighbor context is essential. It involves tracking the exchange of prefix information, which is crucial for early issue detection, preventing outages or connectivity disruptions, and troubleshooting network connectivity problems. BGP AFI (Address Family Identifier) and SAFI (Subsequent Address Family Identifier) prefixes play a vital role in routing and ensuring network reachability across diverse network environments.
+
+### Monitored BGP prefixes
+
+a. **AFI-SAFI prefixes installed:**
+
+   These prefixes are learned from a neighbor and installed in the router's routing table. Monitoring these prefixes ensures the routing table is up-to-date and accurate, including IPv4/IPv6 prefixes, paths, and next hops.
+
+   :::image type="content" source="media/afi-safi-prefixes-installed.png" alt-text="Screenshot of installed AFI-SAFI Prefixes.":::
+
+b. **AFI-SAFI prefixes received:**
+
+   These prefixes are advertised by a neighbor in its update messages. Monitoring them helps detect inconsistencies between advertised and installed prefixes in the routing table.
+
+   :::image type="content" source="media/afi-safi-prefixes-received.png" alt-text="Screenshot of received AFI-SAFI Prefixes.":::
+
+c. **AFI-SAFI Prefixes Sent:**
+
+   These prefixes are the ones that a router communicates to its neighbor in its update messages. Monitoring these prefixes provides insight into the network destinations that the router actively announces to other nodes in the network. Understanding these announcements is essential for comprehending the router's routing decisions and its impact on network reachability.
+
+:::image type="content" source="media/afi-safi-prefixes-sent.png" alt-text="Screenshot of sent AFI-SAFI Prefixes.":::

articles/operator-nexus/concepts-network-fabric-configuration-monitoring.md

@@ -0,0 +1,45 @@
+---
+title: Azure Operator Nexus Network Fabric configuration monitoring
+description: Overview of configuration monitoring for Azure Operator Nexus.
+author: sushantjrao
+ms.author: sushrao
+ms.reviewer: sushrao
+ms.date: 04/27/2024
+ms.service: azure-operator-nexus
+ms.topic: conceptual
+---
+
+# Nexus Network Fabric configuration monitoring overview
+
+Nexus Network Fabric stands out as a robust solution, providing comprehensive support for identifying and reporting configuration differences across all devices.
+
+## Understanding configuration differences
+
+Configuration changes within network devices occur frequently, driven by automation or manual interventions such as break glass procedures. Nexus Network Fabric offers a robust mechanism to track these modifications, ensuring transparency and accountability in network management.
+
+## Comprehensive reporting
+
+One of the key features of Nexus Network Fabric is its ability to generate detailed reports on configuration differences. With every modification to the running configuration, whether initiated through Nexus itself or via break glass procedures, Nexus Network Fabric captures and highlights the changes.
+
+## Result categories attributes
+
+Nexus Network Fabric meticulously tracks configuration changes, associating each difference with essential attributes:
+
+| Attribute          | Description                                                                                       |
+|--------------------|---------------------------------------------------------------------------------------------------|
+| Timestamp          | Indicates the time when the configuration change occurred in UTC.                                 |
+| Event Category     | Indicates the type of event captured, such as "systemSessionHistoryUpdates."                       |
+| Fabric ID          | Refers to the ARM ID of the Network Fabric.                                                       |
+| Device Name        | Indicates the device ID, such as TORs, CEs, etc.                                                  |
+| Session Diffs      | Refers to the configuration differences within the device, including additions and deletions.      |
+| Session ID         | Refers to the unique identifier (or name) of the configuration session that initiated the change.  |
+| Device ID/Resource ID | Refers to the ARM ID of the resource such as TORs, CEs, NPBs, MGMT switches.                       |
+
+
+## Enhanced accountability
+
+By monitoring and reporting on configuration changes, Nexus Network Fabric enhances accountability within network management. Administrators can swiftly identify the individuals responsible for initiating modifications, facilitating effective oversight and adherence to security protocols.
+
+## Next steps
+
+[How to configure diagnostic settings and monitor configuration differences](howto-configure-diagnostic-settings-monitor-configuration-differences.md)

articles/operator-nexus/howto-apply-access-control-list-to-network-to-network-interconnects.md

@@ -70,3 +70,8 @@ az networkfabric nni update --resource-group "example-rg" --resource-name "<nni-
 | Parameter         | Description                                                                                                    |
 |-------------------|----------------------------------------------------------------------------------------------------------------|
 | --ingress-acl-id, --egress-acl-id | To apply both ingress and egress ACLs simultaneously, create two new ACLs and include their respective resource IDs. |
+
+
+## Next steps
+
+[Updating ACL on NNI or External Network](howto-update-access-control-list-for-network-to-network-interconnects.md)

articles/operator-nexus/howto-configure-diagnostic-settings-monitor-configuration-differences.md

@@ -0,0 +1,62 @@
+---
+title: How to configure diagnostic settings and monitor configuration differences in Nexus Network Fabric
+description: Process of configuring diagnostic settings and monitor configuration differences in Nexus Network Fabric
+author: sushantjrao 
+ms.author: sushrao
+ms.service: azure-operator-nexus
+ms.topic: how-to
+ms.date: 04/18/2024
+ms.custom: template-how-to
+---
+
+# How to configure diagnostic settings and monitor configuration differences in Nexus Network Fabric
+
+In this guide, we'll walk you through the process of setting up diagnostic settings and monitoring configuration differences in Nexus Network Fabric.
+
+## Step 1: Accessing device settings in Azure Portal
+
+- Sign in to the Azure portal.
+
+- In **Search resources, service, and docs (G+/)** at the top of the portal page, enter **Network Device**.
+
+- :::image type="content" source="media/search-network-device.png" alt-text="Screenshot of search box for Network Device in portal.":::
+
+- Select the appropriate network device from the search results. Ensure that you choose the device for which you need to configure diagnostic settings.
+
+## Step 2: Adding diagnostic setting
+
+- After selecting the appropriate network device, navigate to the monitoring and select diagnostic settings.
+
+- Within the diagnostic settings section, select "Add diagnostic setting".
+
+- :::image type="content" source="media/network-device-dignostics-settings.png" alt-text="Screenshot of diagnostics settings page for network device.":::
+
+- In the diagnostic settings, provide a descriptive name for the diagnostic setting to easily identify its purpose.
+
+- Select the desired categories of data that you want to collect for this diagnostic setting. In this case, select "System Session History Updates" from the list of available categories.
+
+:::image type="content" source="media/network-device-system-session-history-updates.png" alt-text="Showcases specific categories of data to collect in portal.":::
+
+## Step 3: Choosing log destination
+
+- Once the diagnostic setting is added, locate the section where the log destination can be specified.
+
+- Select the log destination from several choices, including Log Analytics Workspace, Storage account, and Event Hubs.
+
+- :::image type="content" source="media/network-device-log-analytics-workspace.png" alt-text="Screenshot of configuration page for selecting Log Analytics Workspace as the log destination for a network device.":::
+
+> [!Note]
+> In our example, we'll push the logs to the Log Analytics Workspace.<br>
+> To set up the Log Analytics Workspace, if you haven't done so already, you might need to create one. Simply follow the prompts to create a new workspace or select an existing one.
+
+- Once the log destination is configured, confirm the settings and save.
+
+## Step 5: Monitoring configuration differences
+
+- Navigate to the Log Analytics Workspace where the logs from the network device are being stored.
+
+- Within the Log Analytics Workspace, access the query interface or log search functionality. 
+
+- :::image type="content" source="media/network-device-config-difference.png" alt-text="Screenshot of comparison of configuration differences for a network device in a visual format.":::
+
+- In the query interface, specify the event category as "MNFSystemSessionHistoryUpdates". This will filter the logs to specifically show configuration updates and changes comprehensively.

articles/operator-nexus/howto-create-access-control-list-for-network-to-network-interconnects.md

@@ -151,3 +151,6 @@ az networkfabric acl create --resource-group "example-rg" --location "eastus2eua
 > After creating the ACL, make sure to note down the ACL reference ID for further reference.
 
 
+## Next Steps
+
+[Applying Access Control Lists (ACLs) to NNI in Azure Fabric](howto-apply-access-control-list-to-network-to-network-interconnects.md)

articles/operator-nexus/howto-update-access-control-list-for-network-to-network-interconnects.md

@@ -103,3 +103,6 @@ az networkfabric fabric commit-configuration --resource-group "<resource-group>"
 
 4. Verify the changes using the `resource list` command.
 
+## Next Steps
+
+[Deleting ACLs associated with Network-to-Network Interconnects (NNI)](howto-delete-access-control-list-network-to-network-interconnect.md)