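<#
.SYNOPSIS
Diagnoses a VM's network traffic with Azure Network Watcher IP flow verify.

.DESCRIPTION
Creates a resource group and a test VM, makes sure a Network Watcher exists
in the region, runs three IP flow verify checks (outbound to the internet,
outbound to a private address, inbound from a private address), prints the
effective network security group rules for the VM's NIC, and finally deletes
the resource group again.

The script is interactive: Connect-AzAccount signs you in and New-AzVm
prompts for the VM admin credential. Every hard-coded value of the original
walkthrough is now a parameter with the same default, so the script behaves
as before when run without arguments.

.PARAMETER SubscriptionName
Subscription to run the walkthrough in.

.PARAMETER Location
Azure region for the resource group, VM and Network Watcher.

.PARAMETER ResourceGroupName
Resource group that holds the test VM. It is deleted at the end, so do not
point this at a group that contains anything else.

.PARAMETER VmName
Name of the VM; New-AzVm also uses it for the VM's NIC.

.PARAMETER NetworkWatcherName
Name of the regional Network Watcher.

.PARAMETER NetworkWatcherResourceGroupName
Resource group that holds (or will hold) the Network Watcher. Unlike
ResourceGroupName it is not deleted at the end.

.PARAMETER LocalPort
Ephemeral source port used for the outbound checks (and remote port of the
inbound check).

.PARAMETER InternetRemoteIPAddress
Public address used for the "allowed by AllowInternetOutbound" check.

.PARAMETER PrivateRemoteIPAddress
Private address used for the two "denied" checks.
#>
param(
    [string]$SubscriptionName = 'MSDN Platforms',
    [string]$Location = 'WestEurope',
    [string]$ResourceGroupName = 'myResourceGroup',
    [string]$VmName = 'myVm',
    [string]$NetworkWatcherName = 'NetworkWatcher_westeurope',
    [string]$NetworkWatcherResourceGroupName = 'NetworkWatcherRG',
    [int]$LocalPort = 60000,
    [string]$InternetRemoteIPAddress = '13.107.21.200',
    [string]$PrivateRemoteIPAddress = '172.31.0.100'
)

Set-Location c:\
Clear-Host

# Abort on the first failing cmdlet so later steps never run against a
# half-created environment (the cleanup in the finally block still runs).
$ErrorActionPreference = 'Stop'

# Install the Az module from the PowerShell Gallery only when it is missing;
# re-installing on every run (as the original did) is slow and pulls a fresh
# package from the gallery each time.
if (-not (Get-Module -ListAvailable -Name Az)) {
    Install-Module -Name Az -Force -AllowClobber -Verbose -Scope CurrentUser
}

# Log into Azure and select the correct subscription.
Connect-AzAccount
Get-AzSubscription -SubscriptionName $SubscriptionName | Select-AzSubscription
Get-AzContext

# Create the resource group that holds the test VM.
New-AzResourceGroup -Name $ResourceGroupName -Location $Location

try {
    # Create the VM. New-AzVm prompts for the admin credential.
    $vM = New-AzVm `
        -ResourceGroupName $ResourceGroupName `
        -Name $VmName `
        -Location $Location

    # Reuse the region's Network Watcher when it already exists; otherwise create
    # it (and its resource group). The original called New-AzNetworkWatcher
    # unconditionally, which errors when the watcher already exists.
    $networkWatcher = Get-AzNetworkWatcher `
        -Name $NetworkWatcherName `
        -ResourceGroupName $NetworkWatcherResourceGroupName `
        -ErrorAction SilentlyContinue
    if (-not $networkWatcher) {
        if (-not (Get-AzResourceGroup -Name $NetworkWatcherResourceGroupName -ErrorAction SilentlyContinue)) {
            New-AzResourceGroup -Name $NetworkWatcherResourceGroupName -Location $Location
        }
        $networkWatcher = New-AzNetworkWatcher `
            -Name $NetworkWatcherName `
            -ResourceGroupName $NetworkWatcherResourceGroupName `
            -Location $Location
    }

    # Read the VM's actual private IP from its NIC instead of assuming 192.168.1.4;
    # IP flow verify must be given the address the NIC really has.
    $nic = Get-AzNetworkInterface -Name $VmName -ResourceGroupName $ResourceGroupName
    $localIp = $nic.IpConfigurations[0].PrivateIpAddress

    # Use IP flow verify: outbound TCP to a public address.
    # After several seconds, the result returned informs you that access is
    # allowed by a security rule named AllowInternetOutbound.
    Test-AzNetworkWatcherIPFlow `
        -NetworkWatcher $networkWatcher `
        -TargetVirtualMachineId $vM.Id `
        -Direction Outbound `
        -Protocol TCP `
        -LocalIPAddress $localIp `
        -LocalPort $LocalPort `
        -RemoteIPAddress $InternetRemoteIPAddress `
        -RemotePort 80

    # Test outbound communication from the VM to the private address.
    # The result returned informs you that access is denied by a security rule
    # named DefaultOutboundDenyAll.
    Test-AzNetworkWatcherIPFlow `
        -NetworkWatcher $networkWatcher `
        -TargetVirtualMachineId $vM.Id `
        -Direction Outbound `
        -Protocol TCP `
        -LocalIPAddress $localIp `
        -LocalPort $LocalPort `
        -RemoteIPAddress $PrivateRemoteIPAddress `
        -RemotePort 80

    # Test inbound communication to the VM from the private address.
    # The result returned informs you that access is denied because of a
    # security rule named DenyAllInBound.
    Test-AzNetworkWatcherIPFlow `
        -NetworkWatcher $networkWatcher `
        -TargetVirtualMachineId $vM.Id `
        -Direction Inbound `
        -Protocol TCP `
        -LocalIPAddress $localIp `
        -LocalPort 80 `
        -RemoteIPAddress $PrivateRemoteIPAddress `
        -RemotePort $LocalPort

    # View the effective security rules on the VM's NIC to see which rule
    # produced each verdict above.
    Get-AzEffectiveNetworkSecurityGroup `
        -NetworkInterfaceName $VmName `
        -ResourceGroupName $ResourceGroupName
}
finally {
    # Clean up even when a check above failed, so the test VM does not linger.
    # The Network Watcher and its resource group are left in place.
    Remove-AzResourceGroup -Name $ResourceGroupName -Force
}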