Matty1231
Copper Contributor
Dec 06, 2023

KQL Query for finding out resource's egress going through a specific Virtual Network Gateway

Is there a way to find out individual resources' egress that is going through a Virtual Network Gateway VPN?

Pretty much, I have an issue where it's been noticed that there's high egress going through our Azure to on-prem VPN. I believe it's due to backups, but I want to find the specific resources that are causing it.

Is there a KQL query or a way of logging that would be able to pull the individual resource names or resource IDs based on their egress going through a Virtual Network Gateway?

1 Reply

  • You may require:

     

    • NSG Flow Logs enabled on subnets or NICs
    • Traffic Analytics turned on in your Log Analytics workspace
    • Your VPN Gateway must be in a subnet with an NSG attached

     

    Sample KQL query:

    NTANetAnalytics
    | where Direction == "Outbound"
    | where RemoteIP !startswith "10."  // Excludes 10.x destinations; adjust so your on-prem range is not filtered out
    | where ipv4_is_in_range(RemoteIP, "your_onprem_ip_range")  // Optional: filter to VPN target range (CIDR notation, e.g. 192.168.0.0/16)
    | summarize TotalBytes = sum(TotalBytes) by ResourceId, Subnet, VMName, RemoteIP  // Egress bytes per resource and destination
    | top 10 by TotalBytes desc
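
An added example, not part of the original post or reply: the same per-resource egress idea, extended with hourly bins so that spikes can be lined up against backup windows. The rows are constructed sample data, and the column names, VM names, resource IDs and the on-prem CIDR are assumptions that mirror the reply's query rather than a confirmed table schema.

```kql
// Assumed on-prem address space reached over the VPN (replace with your own CIDR).
let OnPremCidr = "192.168.0.0/16";
// Constructed sample rows standing in for flow-log records.
// Column names follow the reply's query and are assumptions, not a verified schema.
let Flows = datatable(TimeGenerated:datetime, Direction:string, VMName:string,
                      ResourceId:string, RemoteIP:string, TotalBytes:long)
[
    datetime(2023-12-05 01:05:00), "Outbound", "vm-backup01", "constructed-id-backup01", "192.168.4.20", 52000000000,
    datetime(2023-12-05 01:40:00), "Outbound", "vm-backup01", "constructed-id-backup01", "192.168.4.20", 31000000000,
    datetime(2023-12-05 01:15:00), "Outbound", "vm-app02",    "constructed-id-app02",    "192.168.9.7",  400000000,
    datetime(2023-12-05 14:20:00), "Outbound", "vm-app02",    "constructed-id-app02",    "20.50.60.70",  9000000000,
    datetime(2023-12-05 14:30:00), "Inbound",  "vm-app02",    "constructed-id-app02",    "192.168.9.7",  7000000000
];
Flows
// Only traffic leaving Azure resources.
| where Direction == "Outbound"
// CIDR match: keeps only destinations inside the on-prem range, which drops
// the public-IP row above that does not cross the site-to-site VPN.
| where ipv4_is_in_range(RemoteIP, OnPremCidr)
// One row per resource per hour, so a nightly backup job shows up as a
// recurring spike at the same hour.
| summarize EgressBytes = sum(TotalBytes) by VMName, ResourceId, Hour = bin(TimeGenerated, 1h)
| extend EgressGB = round(EgressBytes / 1e9, 2)
| order by EgressBytes desc
```

To run it against real data, replace the `Flows` definition with your flow-log table and check the column names against the schema shown in your workspace.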

     
