Forum Discussion
Alvin57
Mar 21, 2025, Copper Contributor
Network Monitoring
Hi, I recently applied Network Security Groups on Virtual Networks (NSG). Now my question is, is it possible to monitor / record the network traffic? For example, I've configured many rules on ...
Kidd_Ip
Mar 22, 2025, MVP
I believe you are on the right track; please consider:
- NSG Flow Logs (via Network Watcher)
  NSG Flow Logs are ideal for recording network traffic and determining if NSG rules are blocking communication:
  - Enable NSG Flow Logs:
    - Go to Network Watcher > NSG Flow Logs.
    - Enable flow logs for the NSG associated with the affected subnet or NIC.
    - Configure the storage account and retention settings.
  - Analyze Logs:
    - Use a tool like Traffic Analytics to interpret flow logs visually or export them for manual analysis.
    - Logs include information on the source IP, destination IP, protocol, and NSG rule that allowed or denied the traffic.
- IP Flow Verify (Network Watcher)
  As you've noted, IP Flow Verify is a great tool to test whether specific traffic is allowed or denied by the NSG:
  - Provide the source and destination IPs and the port to verify if traffic is being blocked.
  - It's a "what-if" tool, so it's not live monitoring but useful for troubleshooting specific scenarios.
- Packet Capture (Network Watcher)
  For real-time traffic analysis, Packet Capture in Network Watcher can be helpful:
  - Create a capture session to monitor traffic on a specific NIC.
  - It records packets to a storage account for deep analysis.
  - Use 3rd party tools to inspect the captured data and identify blocked ports or failed connections.
- Azure Monitor Logs
  If you want an aggregated view of blocked traffic:
  - Configure Azure Monitor to collect NSG Flow Logs and metrics.
  - Use Log Analytics to query and visualize traffic patterns:
    AzureDiagnostics | where ResourceType == "NETWORKSECURITYGROUPS" | where Action_s == "Deny"
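The flow logs the reply describes land in the storage account as JSON blobs, and the quickest way to see which ports and sources an NSG is denying is to read them directly rather than wait for Traffic Analytics. The script below is an added example, not code from either poster or from Microsoft: it parses a constructed blob that follows the documented version-2 flow-log layout (records -> properties.flows[].rule -> flows[].flowTuples[], each tuple being "timestamp,srcIP,dstIP,srcPort,dstPort,protocol,direction,decision,..."), keeps only tuples whose decision is D (denied) and summarises them by NSG rule and destination port. All IPs, MAC, rule names and the resource ID in the sample are made up.

```python
"""Summarise denied flows from NSG flow log (version 2) records.

Added example, not from the thread. SAMPLE_BLOB is constructed to mirror the
documented flow-log shape; every IP, MAC, rule name and resource ID is made up.
"""
import json
from collections import Counter

# Constructed sample: one blob with two deny rules and one allow rule.
SAMPLE_BLOB = json.dumps({"records": [{
    "time": "2025-03-21T10:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/"
                  "RESOURCEGROUPS/RG-EXAMPLE/PROVIDERS/MICROSOFT.NETWORK/"
                  "NETWORKSECURITYGROUPS/NSG-EXAMPLE",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1742551200,203.0.113.7,10.0.1.4,51234,3389,T,I,D,B,,,,",
            "1742551201,203.0.113.9,10.0.1.4,51235,3389,T,I,D,B,,,,",
            "1742551202,198.51.100.5,10.0.1.4,40000,22,T,I,D,B,,,,",
        ]}]},
        {"rule": "UserRule_Deny-SMB", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1742551203,10.0.2.8,10.0.1.4,49152,445,T,I,D,B,,,,",
        ]}]},
        {"rule": "UserRule_Allow-HTTPS", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1742551204,192.0.2.10,10.0.1.4,44321,443,T,I,A,B,1,100,0,0",
        ]}]},
    ]},
}]})

# Field positions in a version-2 flow tuple (comma separated).
TS, SRC_IP, DST_IP, SRC_PORT, DST_PORT, PROTO, DIRECTION, DECISION = range(8)


def iter_flows(blob_text):
    """Yield (rule, tuple_fields) for every flow tuple in a flow-log blob."""
    data = json.loads(blob_text)
    for record in data.get("records", []):
        for rule_block in record["properties"]["flows"]:
            rule = rule_block["rule"]
            for mac_block in rule_block["flows"]:
                for tup in mac_block["flowTuples"]:
                    yield rule, tup.split(",")


def summarize_denied(blob_text):
    """Count denied flows per (NSG rule, destination port, protocol)."""
    counts = Counter()
    for rule, f in iter_flows(blob_text):
        if f[DECISION] == "D":  # 'D' = denied, 'A' = allowed
            counts[(rule, f[DST_PORT], f[PROTO])] += 1
    return counts


def denied_sources(blob_text, dst_port):
    """Distinct source IPs that were denied when targeting dst_port (a string)."""
    return sorted({f[SRC_IP] for _, f in iter_flows(blob_text)
                   if f[DECISION] == "D" and f[DST_PORT] == dst_port})


if __name__ == "__main__":
    for (rule, port, proto), n in summarize_denied(SAMPLE_BLOB).most_common():
        print(f"{n:4d}  {rule:28s} dst_port={port} proto={proto}")
    print("denied RDP sources:", denied_sources(SAMPLE_BLOB, "3389"))
```

Point the same functions at the real blob text downloaded from the flow-log container and you get the per-rule, per-port view of blocked traffic the question is after, without any third-party tooling. The `DECISION` column is the one that answers "did this rule block it"; the `rule` name next to it tells you which rule to adjust.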
Alvin57
Mar 24, 2025, Copper Contributor
- NSG Flow Logs will soon be deprecated. VNet should be the new thing, but I don't really understand it. There is no real documentation on how to use it.
- Traffic Analytics doesn't seem right; I got one day of information from the specific server, then I didn't get any more.
- IP Flow Verify is just a "what if" test; it's good for before applying it to the VNets, but still not for live logging.
- We don't want to use Packet Capture; we want something visual and want to troubleshoot fast, not search in a third-party tool for too long.
- It is AzureDiagnostics | where ResourceType == "NETWORKSECURITYGROUPS" | where type_s == "block" and not Action_s == "Deny".
I already tested it and it looks like just an output of my NSG configurations that ran through.
Is there no visual live view or log for seeing the blocked ports/IPs etc. for troubleshooting?