AZ-104 Microsoft Azure Administrator Associate – Monitor and troubleshoot virtual networking

  1. Network Performance Monitor

So in this section we're going to be talking about some advanced networking within Microsoft Azure, and what we're going to talk about right now is Network Performance Monitor, or NPM. Network Performance Monitor is a cloud-based monitoring solution that lets you monitor various parts of your network infrastructure: service endpoints, application endpoints, and even the performance of Microsoft ExpressRoute. So it lets you detect errors such as black holes, where traffic gets sent somewhere and nothing on the other end receives it. Basically it's an advanced monitoring solution for your network, and it does include on-premises monitoring.

Click the Get button here. Now, NPM is part of Microsoft's Operations Management Suite, or OMS, and it requires an OMS (Log Analytics) workspace to work from. I happen to have one created already, but you can certainly create a brand-new workspace. A workspace is basically the repository where all of the log data the agents send gets stored; it's where everything ends up. So I'm not going to create one; I'm going to use my existing Log Analytics workspace, which already has some data in it, so I'll click on that. Now, as I said, Network Performance Monitor has three basic capabilities. Let's go into the settings and look at them.

The three main capabilities of Network Performance Monitor are Performance Monitor, Service Connectivity Monitor (which covers Office 365 and other Microsoft services), and ExpressRoute Monitor. Let's start with Performance Monitor. The only choice we have to make here is whether the synthetic transactions use TCP or ICMP. ICMP, as it says, is simpler to set up but less accurate for measuring packet loss and network latency, so it's the simpler but less accurate option; if you choose ICMP, you can always switch to TCP later. The TCP option is more accurate, but you need to configure the OMS agents for it, and note that TCP is not supported on Windows client-based nodes. So those are the options for monitoring performance.

The next thing is Service Connectivity Monitor, and we can see the types of services it covers: Office 365 and Dynamics 365. So if we had Office 365 set up, we could monitor our Office 365 connectivity, and likewise for Dynamics 365. I don't have those set up, but you can see that Network Performance Monitor would be used to monitor connectivity between your own offices and Microsoft's services, and the same goes for ExpressRoute. I don't have any ExpressRoute circuits on my account either, but if you did have a circuit with the proper connectivity into your office, you would set up that ExpressRoute circuit here and NPM would monitor its performance. Okay, going to the common settings: in order for Service Connectivity Monitor to work, we need to install an OMS agent.

Performance Monitor also requires an OMS agent within our network, one for each subnet on which you want to monitor connectivity. So let's say you have three offices, all connected to Azure using site-to-site VPN. You'd have to install this OMS agent in each of the three offices in order to monitor those connections into Azure. The agent is also required for ExpressRoute, again so you can monitor traffic over your ExpressRoute circuit. So you download the agent, and you need the workspace keys and the workspace ID to register it. You also have to open the firewall ports the agents use to talk to each other, and there's a script provided that opens the right port in the Windows firewall, et cetera. That's everything you need to monitor your network performance. One caveat: treat the workspace keys as secrets, and don't open the agent port any wider than the subnets you are actually monitoring need.

  2. Network Watcher

Having talked about Network Performance Monitor, let's talk about another service that lets you monitor your network within Azure: Network Watcher. If you go into All Services (again, the three lines) and choose Network Watcher, you can see that the Network Watcher service lets you monitor and diagnose at a network-scenario level. The interesting thing about Network Watcher is that it runs at a regional level. So right away, when you're inside Network Watcher, you get an overview broken down by region, and we can see all of the Azure regions you have access to; right now they're all set to disabled. So we already have a clue about how we're going to enable Network Watcher: per region, depending on the regions we're particularly interested in.

In order for Network Watcher to be useful, let's start with a virtual machine; we're going to monitor the network traffic to and from it, but first we need to create one. So I'm in the process of creating a brand-new virtual machine in the Central US region. While that's going, let's go back to Network Watcher (remember, it's under All Services, Network Watcher). What we need to do is enable Network Watcher for this particular region. So let's scroll down to Central US, the region where I'm creating this virtual machine, click the three dots, and enable Network Watcher for that region. That doesn't take very long.

With Central US now enabled and the rest still disabled, what we can do is look at how traffic travels through this region over our own networks. So we're going over to the IP flow verify tool within Network Watcher: Network Watcher, IP flow verify. IP flow verify tells you whether a packet is allowed or denied to or from a virtual machine: you describe a packet here (the from address, the to address, the ports and the protocol) and it determines whether that packet would pass through our network security group rules. So let's go into our resource group, the logic app resource group. The virtual machine I just created is preselected, and it has only one network interface card.

So that's automatically selected too. Now I'm going to test the TCP protocol, and let's try outbound traffic. This is the IP address, already selected for this virtual machine. Let's use source port 60000 leaving the machine, and let's see if the machine can reach Bing. For Bing we'd have to know an IP address, so I'm entering one of the addresses for bing.com, and port 80. So what we're testing is whether traffic is allowed to flow from that virtual machine, exiting port 60000 on that machine, to port 80 on Bing. Let's check. It takes a few seconds to load, and it comes back and says Access allowed, because the outbound rules of our network security group allow all Internet traffic out from those devices (that's the default AllowInternetOutBound rule).

If we modified the default network security group settings to block that traffic, we'd see Access denied. Now, if we reverse the direction, say we want to check whether bing.com can reach our virtual machine, we'd expect the network security group defaults to block all incoming traffic from the Internet. So let's try port 80: I want to see whether port 80 on our virtual machine is open through the security group rules. Give it a second, and you can see it says Access denied, because all inbound traffic from the Internet is denied by default, even to port 80. We can try 443, or any other port we want coming into the machine; it should all be blocked by our network security group rules. One caveat: IP flow verify only evaluates NSG rules (on the NIC and on the subnet); it tells you nothing about the guest OS firewall or whether anything is actually listening on that port.

One thing we can do, then, is go to our network security group, open port 80 (or whichever port we need), come back to IP flow verify, and we would expect the access to be allowed. Another tool used to debug networking issues is packet capture. You may be familiar with packet-capture software you can install on various systems; Azure makes it easy for you to install the Network Watcher extension into your virtual machines and actually capture the packets coming in so you can examine them later. So if we add a packet capture, we choose our subscription, our resource group and the target virtual machine, and give it a name; I'll call it Packet. The capture gets stored in a storage account: either one of our existing storage accounts or the diagnostics storage account of the logic app.

Then there's how many bytes per packet we want to capture, how many bytes per session, and how long to capture for. The real trick, of course, is how you filter it, because you could capture every packet, and that would be a lot of data with less useful information in it than you'd think. So let's say I want to capture only traffic from my own IP address, my home IP address. We could also restrict it to this virtual machine's address, but since we're already limited to the virtual machine, this captures traffic on that IP address only, and we can use an asterisk as a wildcard for the other fields. So if I were to access that virtual machine from home, those packets would get captured and put into the storage account, and you can then do your troubleshooting by downloading the capture file from that storage account. Keep in mind that the capture file holds the raw bytes of whatever was on the wire, so lock down access to that storage account as you would any other sensitive data.
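To make the allow/deny logic concrete, here is an added example (not Azure's code and not from the course) that models what IP flow verify does: it walks the NSG rules in priority order, lowest number first, and returns the first match together with the rule's name, using Azure's real default rules plus a constructed allow-HTTP rule. It also models the packet capture filter from the paragraph above, with an asterisk as the wildcard. The VNet range, the VM address, the stand-in Bing and home addresses, and the rule name allow-http-in are all constructed; service-tag matching is simplified (Internet is treated as anything outside the VNet).

```python
"""Model of Network Watcher's IP flow verify (NSG rule evaluation) and of a
packet-capture filter. Added example, not Azure's code. Simplified: one value,
CIDR or '*' per field; service tags VirtualNetwork, Internet, AzureLoadBalancer."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")   # assumed VNet address space (constructed)
AZURE_LB_IP = "168.63.129.16"      # Azure's well-known load balancer source address

# An NSG rule: priority (lower wins), direction Inbound/Outbound, access Allow/Deny,
# protocol TCP/UDP/ICMP/*, then source/destination address and port patterns.
Rule = namedtuple("Rule", "name priority direction access protocol "
                          "source source_port destination destination_port")
# A packet as seen from the VM's NIC, which is how IP flow verify and capture view it.
Flow = namedtuple("Flow", "direction protocol local_ip local_port remote_ip remote_port")


def addr_matches(pattern, ip):
    if pattern == "*":
        return True
    addr = ip_address(ip)
    if pattern == "VirtualNetwork":
        return addr in VNET
    if pattern == "Internet":          # simplification: anything outside the VNet
        return addr not in VNET
    if pattern == "AzureLoadBalancer":
        return ip == AZURE_LB_IP
    return addr in ip_network(pattern, strict=False)

def port_matches(pattern, port):
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = (int(p) for p in pattern.split("-", 1))
        return lo <= port <= hi
    return port == int(pattern)

def rule_matches(rule, flow):
    if rule.direction != flow.direction:
        return False
    if rule.protocol != "*" and rule.protocol.upper() != flow.protocol.upper():
        return False
    # NSG rules are written source -> destination; map the NIC-centric flow onto that
    if flow.direction == "Inbound":
        src, sport, dst, dport = flow.remote_ip, flow.remote_port, flow.local_ip, flow.local_port
    else:
        src, sport, dst, dport = flow.local_ip, flow.local_port, flow.remote_ip, flow.remote_port
    return (addr_matches(rule.source, src) and port_matches(rule.source_port, sport)
            and addr_matches(rule.destination, dst) and port_matches(rule.destination_port, dport))

def ip_flow_verify(rules, flow):
    """Lowest-priority-number matching rule wins, as in the NSG engine."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule.access, rule.name
    return "Deny", "(no matching rule)"

def capture_matches(filt, flow):
    """filt: dict with protocol/local_ip/local_port/remote_ip/remote_port; missing keys mean '*'."""
    proto = filt.get("protocol", "*")
    return ((proto == "*" or proto.upper() == flow.protocol.upper())
            and addr_matches(filt.get("local_ip", "*"), flow.local_ip)
            and port_matches(filt.get("local_port", "*"), flow.local_port)
            and addr_matches(filt.get("remote_ip", "*"), flow.remote_ip)
            and port_matches(filt.get("remote_port", "*"), flow.remote_port))


# Azure's built-in default NSG rules (priorities 65000-65500, not deletable)
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]
ALLOW_HTTP_IN = Rule("allow-http-in", 100, "Inbound", "Allow", "TCP", "*", "*", "*", "80")  # constructed


def demo():
    vm_ip, bing_ip, home_ip = "10.0.0.4", "203.0.113.10", "198.51.100.7"   # all constructed
    to_bing = Flow("Outbound", "TCP", vm_ip, 60000, bing_ip, 80)
    from_bing = Flow("Inbound", "TCP", vm_ip, 80, bing_ip, 54321)
    from_home = Flow("Inbound", "TCP", vm_ip, 3389, home_ip, 50001)
    only_home = {"local_ip": vm_ip, "remote_ip": home_ip}   # the capture filter from the demo
    return {
        "outbound_to_bing_80": ip_flow_verify(DEFAULT_RULES, to_bing),
        "inbound_from_internet_80": ip_flow_verify(DEFAULT_RULES, from_bing),
        "inbound_after_allow_rule": ip_flow_verify(DEFAULT_RULES + [ALLOW_HTTP_IN], from_bing),
        "captured": [f.remote_ip for f in (from_bing, from_home) if capture_matches(only_home, f)],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it reproduces the three verdicts from the walkthrough (allowed out to port 80 by AllowInternetOutBound, denied in on port 80 by DenyAllInBound, allowed once a priority-100 rule exists) and shows that the capture filter keeps only the packets from the home address. The real service additionally evaluates any NSG attached to the subnet, and the rule name it reports is the same "which rule decided" information this model returns.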
