Blog Post

Azure Networking Blog
3 MIN READ

Azure virtual network terminal access point (TAP) public preview announcement

AvirupChat's avatar
AvirupChat
Icon for Microsoft rankMicrosoft
Apr 29, 2025

We are excited to announce the public preview of Azure virtual network terminal access point (TAP).

What is virtual network TAP?

Virtual network TAP allows customers continuously stream virtual machine network traffic to a network packet collector or analytics tool. Many security and performance monitoring tools rely on packet-level insights that are difficult to access in cloud environments. Virtual network TAP bridges this gap by integrating with our industry partners to offer:

  • Enhanced security and threat detection: Security teams can inspect full packet data in real-time to detect and respond to potential threats.
  • Performance monitoring and troubleshooting: Operations teams can analyze live traffic patterns to identify bottlenecks, troubleshoot latency issues, and optimize application performance.
  • Regulatory compliance: Organizations subject to compliance frameworks such as Health Insurance Portability and Accountability Act (HIPAA), and General Data Protection Regulation (GDPR) can use virtual network TAP to capture network activity for auditing and forensic investigations.

Why use virtual network TAP?

Unlike traditional packet capture solutions that require deploying additional agents or network appliances, virtual network TAP leverages Azure's native infrastructure to enable seamless traffic mirroring without complex configurations and without impacting the performance of the virtual machine. A key advantage is that mirrored traffic does not count towards virtual machine’s network limits, ensuring complete visibility without compromising application performance. Additionally, virtual network TAP supports all Azure virtual machine SKU.

Deploying virtual network TAP

The portal is a convenient way to get started with Azure virtual network TAP. However, if you have a lot of Azure resources and want to automate the setup you may want to use a PowerShell, CLI, or REST API.

Add a TAP configuration on a network interface that is attached to a virtual machine deployed in your virtual network. The destination is a virtual network IP address in the same virtual network as the monitored network interface or a peered virtual network. The collector solution for virtual network TAP can be deployed behind an Azure Internal Load balancer for high availability.

You can use the same virtual network TAP resource to aggregate traffic from multiple network interfaces in the same or different subscriptions. If the monitored network interfaces are in different subscriptions, the subscriptions must be associated to the same Microsoft Entra tenant. Additionally, the monitored network interfaces and the destination endpoint for aggregating the TAP traffic can be in peered virtual networks in the same region.

Partnering with industry leaders to enhance network monitoring in Azure

To maximize the value of virtual network TAP, we are proud to collaborate with industry-leading security and network visibility partners. Our partners provide deep packet inspection, analytics, threat detection, and monitoring solutions that seamlessly integrate with virtual network TAP:

Network packet brokers

Partner

Product

Gigamon

GigaVUE Cloud Suite for Azure

Keysight

CloudLens

Security analytics, network/application performance management

Partner

Product

Darktrace

Darktrace /NETWORK

Netscout

Omnis Cyber Intelligence NDR

Corelight

Corelight Open NDR Platform

LinkShadow

LinkShadow NDR

Fortinet

FortiNDR Cloud

FortiGate VM

cPacket

cPacket Cloud Suite

TrendMicro

Trend Vision One™ Network Security

Extrahop

RevealX

Bitdefender

GravityZone Extended Detection and Response for Network

eSentire

eSentire MDR

Vectra

Vectra NDR

AttackFence

AttackFence NDR

Arista Networks

Arista NDR

See our partner blogs:

  1. Bitdefender + Microsoft Virtual Network TAP: Deepening Visibility, Strengthening Security
  2. Streamline Traffic Mirroring in the Cloud with Azure Virtual Network Terminal Access Point (TAP) and Keysight Visibility | Keysight Blogs
  3. eSentire | Unlocking New Possibilities for Network Monitoring and…
  4. LinkShadow Unified Identity, Data, and Network Platform Integrated with Microsoft Virtual Network TAP
  5. Extrahop and Microsoft Extend Coverage for Azure Workloads
  6. Resources | Announcing cPacket Partnership with Azure virtual network terminal access point (TAP)
  7. Gain Network Traffic Visibility with FortiGate and Azure virtual network TAP

Get started with virtual network TAP

To learn more and get started, visit our website.

We look forward to seeing how you leverage virtual network TAP to enhance security, performance, and compliance in your cloud environment. Stay tuned for more updates as we continue to refine and expand on our feature set!

If you have any questions please reach out to us at azurevnettap@microsoft.com.

Updated Jun 23, 2025
Version 9.0
azure internet analyzer
azure networking
Network Watcher
traffic manager
updates
virtual network

7 Comments

Sort By
  • MichaelG666's avatar
    MichaelG666
    Brass Contributor
    May 28, 2025

    AvirupChat​  We are getting this error when setting up but I don't see FastPath listed as a prerequisite to enable VTAP:

    Failed to update 1 out of 1 network interface TAP configuration(s): ThenameofmyVM: Network interface /subscriptions/subscription-ID/resourceGroups/ResourceGroup/providers/Microsoft.Network/networkInterfaces/ThenameofmyVM is not on FastPath. Only FastPath network interface can be set as source of Virtual Network Tap.

    • AvirupChat's avatar
      AvirupChat
      Icon for Microsoft rankMicrosoft
      May 28, 2025

      Hi,

      Please follow the following steps for resolving error related to fastpath:

      1. If no VTAP resource exists on the subscription of the affected VM, first create VTAP resources (Do not add the source).
      2. Once the VTAP is deployed, STOP the VM, wait for the VM to deallocate and then START the VM.
      3. You can now add the VM as a source

       

      This should have been added to our support section. I will update our overview page with above. Thank you for reaching out.

      • MichaelG666's avatar
        MichaelG666
        Brass Contributor
        May 28, 2025

        AvirupChat​ 
        I did that and now I am getting a different error:

        Failed to update 1 out of 1 network interface TAP configuration(s):

        VM either has None Auxiliary Mode or None Auxiliary SKU. Only network interface which has not None Auxiliary Mode and not None Auxiliary SKU can be set as source of Virtual Network Tap.

  • JGranger's avatar
    JGranger
    Copper Contributor
    Apr 30, 2025

    Any plans to allow filtering or is it all or nothing? Any plans for PaaS integration?

    • AvirupChat's avatar
      AvirupChat
      Icon for Microsoft rankMicrosoft
      May 28, 2025

      We will be adding filtering capabilities post GA. We don't have immediate plans for PaaS integration however it is in on roadmap.