network traffic monitoring - inbound internet traffic source IP


Hi Everyone,

I wonder if anyone is aware of any tool or method in Azure to track or monitor the source IP of inbound internet traffic accessing an Azure virtual machine that hosts a web application with IIS? I tried exploring Application Insights, Network Watcher, and Traffic Analytics but could not find the right tool. Any advice or comment is appreciated.

Thank you very much!

 

Best regards,

yilouiscylee8

2 Replies

@yilouiscylee8 

 

You should definitely consider putting an Application Gateway with WAF in front of your VM. You will improve security a lot, and by enabling diagnostic logs on the AppGW to Log Analytics you will get what you're looking for. Especially if you add the WAF workbook to your Log Analytics workspace. https://docs.microsoft.com/en-us/azure/web-application-firewall/waf-sentinel (you don't need to use Sentinel, the WAF Workbook can be enabled on Log Analytics without Sentinel).

 

A direct link to the WAF Workbook ARM Template can be found here: https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20WAF/Azure%20Monitor%20Workbook

 

If you don't want to add any additional components to your solution, NSG Flow Logs and Traffic Analytics are the tools available to analyze traffic logs. NSG Flow Logs will log all the traffic and send it to a Storage Account, Traffic Analytics will aggregate the data and store it in the Log Analytics Workspace. Then you can just query the data and you will be able to find what you are looking for.
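As an added example (not part of the original reply), the sketch below reads one NSG flow log blob as it lands in the Storage Account and counts new inbound flows per internet source IP reaching the web server. The sample blob is constructed, and the VM address `10.0.0.4`, the VNet range `10.0.0.0/16` and the function name `inbound_sources` are assumptions.

```python
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the NSG flow log version 2 blob layout. Addresses are
# documentation ranges; 10.0.0.4 stands in for the IIS VM (an assumption).
SAMPLE_BLOB = json.dumps({"records": [{
    "time": "2020-11-17T10:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_Allow-HTTPS", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1605607200,203.0.113.10,10.0.0.4,50123,443,T,I,A,B,,,,",
            "1605607205,203.0.113.10,10.0.0.4,50123,443,T,I,A,E,12,3400,10,8200",
            "1605607210,198.51.100.7,10.0.0.4,41000,443,T,I,A,B,,,,",
            "1605607212,10.0.1.5,10.0.0.4,41001,443,T,I,A,B,,,,",
            "1605607215,10.0.0.4,192.0.2.50,49152,443,T,O,A,B,,,,"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1605607220,198.51.100.99,10.0.0.4,55555,3389,T,I,D,B,,,,"]}]},
    ]},
}]})

def inbound_sources(blob_text, vm_ip, vnet="10.0.0.0/16", ports=(80, 443)):
    """Count new inbound flows per (source IP, decision) from outside the VNet.

    Tuple fields: time, src IP, dst IP, src port, dst port, protocol (T/U),
    direction (I/O), decision (A/D), then in v2: state (B/C/E) and counters.
    Pass ports=None to include every destination port.
    """
    internal = ip_network(vnet)
    hits = Counter()
    for record in json.loads(blob_text).get("records", []):
        for rule in record["properties"]["flows"]:
            for flow in rule["flows"]:
                for line in flow["flowTuples"]:
                    f = line.split(",")
                    if len(f) < 8:
                        continue  # malformed tuple
                    src, dst, dport, direction, decision = f[1], f[2], f[4], f[6], f[7]
                    state = f[8] if len(f) > 8 else "B"  # v1 tuples carry no state
                    if direction != "I" or dst != vm_ip or state != "B":
                        continue  # only the begin record of each inbound flow
                    if ports is not None and int(dport) not in ports:
                        continue
                    if ip_address(src) in internal:
                        continue  # skip east-west traffic inside the VNet
                    hits[(src, "allow" if decision == "A" else "deny")] += 1
    return hits

if __name__ == "__main__":
    for (src, decision), n in inbound_sources(SAMPLE_BLOB, "10.0.0.4").most_common():
        print(f"{src:16} {decision:5} {n}")
```

If the VM sits behind an Application Gateway, the source seen at the NSG is the gateway rather than the client, so the client IP then has to come from the gateway's access log.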

 

 

Hi @StefanIvemo,

Thanks for sharing and for your advice. I will look into NSG flow logs and Traffic Analytics again.

Best regards,

yilouiscylee8