Top / Microsoft Azure / Azure Network / Connection Monitor

Azure Network Connection Monitor

This page shows how to write Terraform and Azure Resource Manager for Network Connection Monitor and write them securely.

terraform-logo

Review your .tf file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

azurerm_network_connection_monitor (Terraform)

The Connection Monitor in Network can be configured in Terraform with the resource name azurerm_network_connection_monitor. The following sections describe 2 examples of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L7
resource "azurerm_network_connection_monitor" "this" {
  auto_start           = var.auto_start
  interval_in_seconds  = var.interval_in_seconds
  location             = var.location
  name                 = var.name
  network_watcher_name = var.network_watcher_name
main.tf#L7
resource "azurerm_network_connection_monitor" "this" {
  auto_start           = var.auto_start
  interval_in_seconds  = var.interval_in_seconds
  location             = var.location
  name                 = var.name
  network_watcher_name = var.network_watcher_name

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

>> from Terraform Registry

Explanation in Terraform Registry

Manages a Network Connection Monitor.

NOTE: Any Network Connection Monitor resource created with API versions 2019-06-01 or earlier (v1) are now incompatible with Terraform, which now only supports v2.

>> from Terraform Registry

Tips: Best Practices for The Other Azure Network Resources

In addition to the azurerm_network_security_group, Azure Network has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

azurerm_network_security_group

Ensure to disable RDP port from the Internet

It is better to disable the RDP port from the Internet. RDP access should not be accepted from the Internet (*, 0.0.0.0, /0, internet, any), and consider using the Azure Bastion Service.

risk-label

azurerm_network_security_rule

Ensure to set a more restrictive CIDR range for ingress from the internet

It is better to set a more restrictive CIDR range not to use very broad subnets. If possible, segments should be divided into smaller subnets.

risk-label

azurerm_network_watcher_flow_log

Ensure to enable Retention policy for flow logs and set it to enough duration

It is better to enable a retention policy for flow logs. Flow logs show us all network activity in the cloud environment and support us when we face critical incidents.

Review your Azure Network settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

Microsoft.Network/networkWatchers/connectionMonitors (Azure Resource Manager)

The networkWatchers/connectionMonitors in Microsoft.Network can be configured in Azure Resource Manager with the resource name Microsoft.Network/networkWatchers/connectionMonitors. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Parameters

  • name required - string
  • type required - string
  • apiVersion required - string
  • location optional - string

    Connection monitor location.

  • tags optional - string

    Connection monitor tags.

  • properties required
      • source optional
          • resourceId required - string

            The ID of the resource used as the source by connection monitor.

          • port optional - integer

            The source port used by connection monitor.

      • destination optional
          • resourceId optional - string

            The ID of the resource used as the destination by connection monitor.

          • address optional - string

            Address of the connection monitor destination (IP or domain name).

          • port optional - integer

            The destination port used by connection monitor.

      • autoStart optional - boolean

        Determines if the connection monitor will start automatically once created.

      • monitoringIntervalInSeconds optional - integer

        Monitoring interval in seconds.

      • endpoints optional array
          • name required - string

            The name of the connection monitor endpoint.

          • type optional - string

            The endpoint type.

          • resourceId optional - string

            Resource ID of the connection monitor endpoint.

          • address optional - string

            Address of the connection monitor endpoint (IP or domain name).

          • filter optional
              • type optional - string

                The behavior of the endpoint filter. Currently only 'Include' is supported.

              • items optional array
                  • type optional - string

                    The type of item included in the filter. Currently only 'AgentAddress' is supported.

                  • address optional - string

                    The address of the filter item.

          • scope optional
              • include optional array
                  • address optional - string

                    The address of the endpoint item. Supported types are IPv4/IPv6 subnet mask or IPv4/IPv6 IP address.

              • exclude optional array
                  • address optional - string

                    The address of the endpoint item. Supported types are IPv4/IPv6 subnet mask or IPv4/IPv6 IP address.

          • coverageLevel optional - string

            Test coverage for the endpoint.

      • testConfigurations optional array
          • name required - string

            The name of the connection monitor test configuration.

          • testFrequencySec optional - integer

            The frequency of test evaluation, in seconds.

          • protocol required - string

            The protocol to use in test evaluation.

          • preferredIPVersion optional - string

            The preferred IP version to use in test evaluation. The connection monitor may choose to use a different version depending on other parameters.

          • httpConfiguration optional
              • port optional - integer

                The port to connect to.

              • method optional - string

                The HTTP method to use.

              • path optional - string

                The path component of the URI. For instance, "/dir1/dir2".

              • requestHeaders optional array
                  • name optional - string

                    The name in HTTP header.

                  • value optional - string

                    The value in HTTP header.

              • validStatusCodeRanges optional - array

                HTTP status codes to consider successful. For instance, "2xx,301-304,418".

              • preferHTTPS optional - boolean

                Value indicating whether HTTPS is preferred over HTTP in cases where the choice is not explicit.

          • tcpConfiguration optional
              • port optional - integer

                The port to connect to.

              • disableTraceRoute optional - boolean

                Value indicating whether path evaluation with trace route should be disabled.

              • destinationPortBehavior optional - string

                Destination port behavior.

          • icmpConfiguration optional
              • disableTraceRoute optional - boolean

                Value indicating whether path evaluation with trace route should be disabled.

          • successThreshold optional
              • checksFailedPercent optional - integer

                The maximum percentage of failed checks permitted for a test to evaluate as successful.

              • roundTripTimeMs optional - number

                The maximum round-trip time in milliseconds permitted for a test to evaluate as successful.

      • testGroups optional array
          • name required - string

            The name of the connection monitor test group.

          • disable optional - boolean

            Value indicating whether test group is disabled.

          • testConfigurations required - array

            List of test configuration names.

          • sources required - array

            List of source endpoint names.

          • destinations required - array

            List of destination endpoint names.

      • outputs optional array
          • type optional - string

            Connection monitor output destination type. Currently, only "Workspace" is supported.

          • workspaceSettings optional
              • workspaceResourceId optional - string

                Log analytics workspace resource ID.

      • notes optional - string

        Optional notes to be associated with the connection monitor.

>> from Azure Resource Manager Documentation

The Other Related Azure Network Resources

Frequently asked questions

What is Azure Network Connection Monitor?

Azure Network Connection Monitor is a resource for Network of Microsoft Azure. Settings can be wrote in Terraform.

Where can I find the example code for the Azure Network Connection Monitor?

For Terraform, the kevinhead/azurerm and niveklabs/azurerm source code examples are useful. See the Terraform Example section for further details.

security-icon

Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.

Table of Contents