Implementing Microsoft Azure Architect Technologies: AZ-303 Exam Prep and Beyond

A guide to preparing for the AZ-303 Microsoft Azure Architect Technologies certification exam

Product type: Paperback
Published in: Dec 2020
Publisher: Packt
ISBN-13: 9781800568570
Length: 548 pages
Edition: 2nd Edition

Authors: Sjoukje Zaal, Brett Hargreaves
Table of Contents

Preface
Section 1: Implement and Monitor Azure Infrastructure
  Chapter 1: Implementing Cloud Infrastructure Monitoring
  Chapter 2: Creating and Configuring Storage Accounts
  Chapter 3: Implementing and Managing Virtual Machines
  Chapter 4: Implementing and Managing Virtual Networking
  Chapter 5: Creating Connectivity between Virtual Networks
  Chapter 6: Managing Azure Active Directory (Azure AD)
  Chapter 7: Implementing Multi-Factor Authentication (MFA)
  Chapter 8: Implementing and Managing Hybrid Identities
Section 2: Implement Management and Security Solutions
  Chapter 9: Managing Workloads in Azure
  Chapter 10: Implementing Load Balancing and Networking Security
  Chapter 11: Implementing Azure Governance Solutions
Section 3: Implement Solutions for Apps
  Chapter 12: Creating Web Apps Using PaaS and Serverless
  Chapter 13: Designing and Developing Apps for Containers
  Chapter 14: Implementing Authentication
Section 4: Implement and Manage Data Platforms
  Chapter 15: Developing Solutions that Use Cosmos DB Storage
  Chapter 16: Developing Solutions that Use a Relational Database
Chapter 17: Mock Exam Questions
Chapter 18: Mock Exam Answers
Assessments
Other Books You May Enjoy

Using Network Watcher

Azure provides the Network Watcher tool for monitoring and investigating problems between devices on a Virtual Network (VNET), including the following:

  • Connection Monitoring
  • Performance Monitoring
  • Diagnostics
  • Network Security Group flow logs

    Important note

    A VNET is a private network you can create in your Azure subscription. VNETs are defined with set IP ranges, which in turn can be subdivided into subnets. Some Azure services, such as VMs, must be connected to a VNET. Other services, such as App Services and Azure SQL, can optionally use VNETs to ensure that traffic between them is direct and secure.

You can also see a topology map of devices to better understand the various components involved in the communication flow.

The first step in setting up the Network Watcher capabilities is to ensure it has been enabled for the region(s) you are using by following these steps:

  1. Navigate to the Azure portal by opening https://portal.azure.com.
  2. In the left-hand menu, select or search for Network Monitor:
    Figure 1.15 – Enabling Network Watcher per Region

  3. If the region that contains the resources you wish to monitor is set to Disabled, click the ellipsis at the right and select Enable network watcher.
  4. On the left-hand menu, select Topology, then select a resource group that contains the resources you wish to view. In the following screenshot, I am choosing a group that includes a simple VM:
Figure 1.16 – Network Monitor Topology view

Once Network Watcher has been enabled for your region, you can start to use its different tools, such as Connection Monitor, to troubleshoot and fix common communication problems.

Connection Monitor

When services are running, you may want to be alerted to connectivity issues. An example might be a web server that needs to maintain a connection to a backend database server. The destination can be another VM, a URI, or an IP address, and a URI or IP address can be either an internal resource in your Azure subscription or an external resource.

Connection Monitor allows us to set up continual monitors that can trigger alerts when communications are interrupted:

  1. Still in Network Watcher, on the left-hand menu, select Connection Monitor.
  2. Click Add to create a Connection Monitor.
  3. Complete the details to define a source, target, and port. For this example, instead of monitoring connection to another server, we will monitor connections to the internet, specifically to the Packt Publishing website:

    a) Name: InternetConnection
    b) Virtual Machine: the source VM you wish to monitor
    c) Destination:
       - Specify Manually
       - URI: www.packtpub.com
    d) Port: 443

  4. Click Add:
Figure 1.17 – Connection Monitor setup example

Once set up, you can select the Connection Monitor you have just created, and it will show basic details of the status and flow of traffic from source to destination. You can also set the time period to see data from the past hour up to the past 30 days as shown in the following screenshot:

Figure 1.18 – Connection Monitor example

Connection Monitor is great for initial investigations and for setting up alerts; for more complex issues we use advanced options such as the Diagnostics tooling.

Diagnostics

When you encounter connectivity issues, Network Watcher diagnostics offers a range of tools to help pinpoint the problem.

The first step in troubleshooting connectivity issues is to confirm that traffic is flowing.

IP Flow Verify

IP Flow Verify allows you to confirm the flow of traffic from a source to a destination is working. Set up a typical test by performing the following steps:

  1. From the Network Watcher blade, select IP flow verify from the left-hand menu.
  2. Select your VM and network interface you wish to test.
  3. Select the desired protocol (TCP or UDP).
  4. Select the direction of traffic you want to check.
  5. Confirm the local (source) IP address and port your traffic flows on.
  6. Enter the remote (destination) IP address and port.

The following figure shows an example request. When the Check button is clicked, we can see a status response returned. In the example, we can see the request has failed, but importantly we see it failed because of the DenyAllOutbound Network Security Group rule:

Figure 1.19 – IP flow verify example

IP flow verify helps to confirm that end-to-end communication is functioning, but if you do find problems you can use other Network Watcher tools to continue your investigations.

Next Hop

The subsequent step in identifying communications issues may be to understand the route traffic takes from point A to point B; the Next Hop service helps with this:

  1. Still in Network Watcher, in the left-hand menu, click Next Hop.
  2. Define the source VM you wish to check connectivity from.
  3. Enter the IP address of the service you are attempting to reach and click the Next Hop button.

The example in the following screenshot shows the next hop to the IP address (one of the Bing.com addresses) is the Azure Internet egress appliance, and the route to it has been defined in the system route table (route tables will be covered in Chapter 4, Implementing and Managing Virtual Networking):

Figure 1.20 – Next Hop configuration example

Depending on the results from the IP flow verify and Next Hop tools, the next step in your troubleshooting process may be to look at access issues.

Viewing effective security rules

A common cause of issues is a misconfiguration of Network Security Groups (NSGs) between devices. We cover NSGs in Chapter 10, Implementing Load Balancing and Network Security. In brief, they allow you to define firewall rules on VNETs or devices.

Restrictions on allowed IP addresses and ports can be set in multiple layers, and as such, can become complex and challenging to manage. For this reason, you can use the effective security rules option:

  1. Still in Network Watcher, in the left-hand menu, click Effective security rules.
  2. Select the Subscription, Resource group, and Virtual machine you wish to check. The following screenshot shows an example:
    Figure 1.21 – Configuring the effective security rules option

  3. Once your VM has been selected, the effective rules will be listed, separated by NSG, Inbound rules, and Outbound rules. The following screenshot shows a typical result:
Figure 1.22 – Example of effective NSG rules in action

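The following added example (not code from the book or from Azure) models in Python how NSG rules decide an outbound flow, which is what both IP flow verify and the effective security rules view report: rules are checked in ascending priority order with the first match winning, Azure's default outbound rules sit at priorities 65000, 65001 and 65500, and the traffic must be allowed by the NIC-level NSG and then the subnet-level NSG. The VNET range, the custom rule names, and the sample destination addresses are constructed; source address/port matching and service tags other than VirtualNetwork and Internet are left out of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
VNET = ip_network("10.0.0.0/16")  # constructed VNET address space

@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    access: str       # "Allow" or "Deny"
    protocol: str     # "TCP", "UDP" or "*"
    dest_prefix: str  # CIDR, "*", or the VirtualNetwork/Internet service tag
    dest_ports: str   # "443", "1-1024" or "*"

def prefix_matches(prefix: str, addr: str) -> bool:
    ip = ip_address(addr)
    if prefix in ("VirtualNetwork", "Internet"):  # tags defined relative to the VNET
        return (ip in VNET) == (prefix == "VirtualNetwork")
    return prefix == "*" or ip in ip_network(prefix)

def port_matches(ports: str, port: int) -> bool:
    lo, _, hi = ports.partition("-")
    return ports == "*" or int(lo) <= port <= int(hi or lo)

# Azure's built-in outbound default rules, always present at these priorities
DEFAULT_OUTBOUND = [
    Rule(65000, "AllowVnetOutBound", "Allow", "*", "VirtualNetwork", "*"),
    Rule(65001, "AllowInternetOutBound", "Allow", "*", "Internet", "*"),
    Rule(65500, "DenyAllOutBound", "Deny", "*", "*", "*"),
]

def evaluate(rules, protocol, dest_ip, dest_port):
    """First matching rule in ascending priority order decides the flow."""
    for r in sorted(rules + DEFAULT_OUTBOUND, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and prefix_matches(r.dest_prefix, dest_ip)
                and port_matches(r.dest_ports, dest_port)):
            return r.access, r.name
    return "Deny", "NoMatchingRule"  # unreachable while the default rules exist

def ip_flow_verify(layers, protocol, dest_ip, dest_port):
    """Outbound traffic must pass every NSG layer (NIC first, then subnet)."""
    for layer_name, rules in layers:
        access, rule = evaluate(rules, protocol, dest_ip, dest_port)
        if access == "Deny":
            return "Deny", f"{layer_name}/{rule}"
    return "Allow", "AllLayers"

# Constructed NIC NSG: a custom deny-all at 4000 shadows AllowVnetOutBound (65000)
NIC_NSG = [Rule(100, "AllowHttpsOut", "Allow", "TCP", "Internet", "443"),
           Rule(4000, "DenyAllOutbound", "Deny", "*", "*", "*")]
LAYERS = [("nic", NIC_NSG), ("subnet", [])]  # subnet NSG has no custom rules
```

Running `ip_flow_verify(LAYERS, "TCP", "10.0.1.5", 22)` shows the practical trap: the custom deny blocks traffic to another VM in the same VNET even though the default VNET rule would have allowed it.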
We will now have a look at using Packet Capture to examine the data.

Packet Capture

When everything looks OK but you are still experiencing issues, you may need to look in detail at the actual traffic being sent and received. Specialist tools are available for analyzing packet information, and through the Network Watcher, you can set up Packet Capture to collect data for a specific amount of time and then examine that traffic:

  1. Still in Network Watcher, in the left-hand menu, click Packet Capture.
  2. Select your VM.
  3. Choose whether to store the Packet Capture data in a storage account (we cover storage accounts and how to create them in Chapter 2, Creating and Configuring Storage Accounts), in the VM itself, or both.
  4. Optionally set the maximum and minimum bytes per capture or a time limit.

    The following screenshot shows an example of what this looks like:

    Figure 1.23 – Example packet capture setup

  5. Optionally click +Add Filter to enter more precise details of the source and destination for which you want to capture data, as in the following screenshot:
    Figure 1.24 – Packet capture filters

  6. Click Save.
  7. The capture session will automatically start; let it run for a few minutes.
  8. Stop the capture by clicking the ellipsis at the right of the session you created and click Stop.
  9. Click on the session, and the file link will be presented in the lower pane.
  10. Click on the capture link to download it.

    The following screenshot shows an example of how this might look:

Figure 1.25 – Example Packet Capture

The Packet Capture can then be opened in a viewing tool for a detailed examination of the traffic. The following screenshot shows an example of how this might look:

Figure 1.26 – Example traffic details from a Packet Capture

As we have seen, Network Watcher is a robust set of tools to help identify issues with connectivity and to provide a detailed analysis of the flow of traffic. It is also important for monitoring traffic and events for security purposes.
