Forum Discussion
curious7
Oct 31, 2025
Copper Contributor
Determine destinations to which traffic is being sent from Azure VM
I need to determine all the destinations where traffic is being sent from an Azure VM. What is the best way to achieve this?
1 Reply
Below are the steps to build a dashboard or alert for unusual outbound traffic.
1. Enable Azure Network Watcher
- Go to Azure Portal > Network Watcher.
- Ensure it’s enabled for the region where your VM is deployed.
This enables tools like:
- NSG Flow Logs: Shows outbound connections from the VM.
- Packet Capture: Captures traffic at the NIC level.
- Connection Monitor: Tracks connectivity between endpoints.
2. Enable NSG Flow Logs
- Go to Network Security Group (NSG) attached to your VM.
- Under Diagnostics, enable Flow Logs.
- Store logs in a Storage Account or send to Log Analytics.
Flow logs show:
- Source IP and port
- Destination IP and port
- Protocol and direction
- Whether traffic was allowed or denied
You can analyze these logs using:
- Azure Monitor Logs (KQL)
- Traffic Analytics
4. Use On-VM Tools for Immediate Insight
If you have access to the VM:
Windows:
netstat -n | findstr ESTABLISHED
Linux:
ss -tunap
These show:
- Active outbound connections
- Destination IPs and ports
- Associated processes
5. Use Azure Monitor + Log Analytics
- Enable Diagnostics on the VM and NIC.
- Send logs to Log Analytics workspace.
- KQL queries:
AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog" and FlowDirection_s == "O"
| summarize count() by DestIP_s, DestPublicIPs_s
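The flow-log fields listed in step 2 (destination IP and port, protocol, direction, allowed or denied), as an added example that is not part of the original reply: a Python parser that lists outbound destinations from a flow log blob kept in a Storage Account. It assumes the NSG flow log version 2 tuple layout; the sample record, rule names and addresses are constructed.

```python
import json
from collections import Counter

# Constructed sample: one record in the NSG flow log version 2 layout.
# Rule names, MAC, addresses and counters are made up for illustration.
SAMPLE_BLOB = json.dumps({"records": [{
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{
            "mac": "000D3A000001", "flowTuples": [
                "1761904800,10.0.0.4,203.0.113.10,50001,443,T,O,A,B,,,,",
                "1761904860,10.0.0.4,203.0.113.10,50001,443,T,O,A,E,12,3400,10,9800",
                "1761904805,10.0.0.4,198.51.100.7,50002,53,U,O,A,B,,,,",
                "not,a,valid,tuple"]}]},
        {"rule": "UserRule_DenyOutboundSMTP", "flows": [{
            "mac": "000D3A000001", "flowTuples": [
                "1761904810,10.0.0.4,192.0.2.25,50003,25,T,O,D,B,,,,"]}]},
        {"rule": "UserRule_AllowSSH", "flows": [{
            "mac": "000D3A000001", "flowTuples": [
                "1761904820,198.51.100.99,10.0.0.4,40000,22,T,I,A,B,,,,"]}]},
    ]}}]})

def outbound_destinations(blob_text):
    """Return Counter {(dst_ip, dst_port, proto, decision): distinct flows}."""
    flows_seen = set()
    per_destination = Counter()
    for record in json.loads(blob_text)["records"]:
        for rule in record["properties"]["flows"]:
            for nic in rule["flows"]:
                for line in nic["flowTuples"]:
                    f = line.split(",")
                    if len(f) < 8 or not f[4].isdigit():
                        continue  # malformed tuple
                    # ts, src, dst, sport, dport, T/U, I/O, A/D, then (v2) state + counters
                    _ts, src, dst, sport, dport, proto, direction, decision = f[:8]
                    if direction != "O":
                        continue  # keep only traffic leaving the VM
                    # v2 writes one tuple per flow state (B/C/E): count a flow once
                    flow = (src, dst, sport, dport, proto, decision)
                    if flow in flows_seen:
                        continue
                    flows_seen.add(flow)
                    per_destination[(dst, int(dport), proto, decision)] += 1
    return per_destination

if __name__ == "__main__":
    for (ip, port, proto, decision), n in outbound_destinations(SAMPLE_BLOB).most_common():
        print(f"{ip}:{port}/{proto} decision={decision} flows={n}")
```

Denied outbound attempts are kept in the result with decision `D`, since a blocked destination is often the more interesting one when looking for unusual outbound traffic.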