Azure Network Packet Capture
This page shows how to configure Network Packet Capture in Terraform and Azure Resource Manager, and how to write those configurations securely.
azurerm_network_packet_capture (Terraform)
Packet Capture in Azure Network can be configured in Terraform with the resource name azurerm_network_packet_capture. The following sections describe one example of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_network_packet_capture" "this" {
  maximum_bytes_per_packet  = var.maximum_bytes_per_packet
  maximum_bytes_per_session = var.maximum_bytes_per_session
  maximum_capture_duration  = var.maximum_capture_duration
  name                      = var.name
  network_watcher_name      = var.network_watcher_name
  resource_group_name       = var.resource_group_name # required
  target_resource_id        = var.target_resource_id  # required: ID of the VM to capture on
  storage_location {                                  # required block: a storage account and/or a file path on the VM
    storage_account_id = var.storage_account_id
  }
}
Parameters
- id: optional, computed, string
- maximum_bytes_per_packet: optional, number. Bytes kept per packet; the rest of each packet is truncated.
- maximum_bytes_per_session: optional, number. Upper bound on the size of the capture output, in bytes.
- maximum_capture_duration: optional, number. Maximum length of the capture session, in seconds.
- name: required, string
- network_watcher_name: required, string
- resource_group_name: required, string. Resource group of the Network Watcher.
- target_resource_id: required, string. ID of the virtual machine to capture on.
- filter: list block
  - local_ip_address: optional, string
  - local_port: optional, string
  - protocol: required, string
  - remote_ip_address: optional, string
  - remote_port: optional, string
- storage_location: list block
  - file_path: optional, string. Local path on the target VM for the .cap file.
  - storage_account_id: optional, string. Storage account that receives the capture.
  - storage_path: optional, computed, string
- timeouts: single block
Explanation in Terraform Registry
Configures Network Packet Capturing against a Virtual Machine using a Network Watcher.
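The registry description above says what the resource does but not how to use it safely. The following is an added example, written for this page and not taken from the kevinhead/azurerm repository or the Terraform registry, of a capture that is scoped and bounded so the .cap file holds as little sensitive data as possible and lands in a locked-down storage account. A packet capture records raw payloads, so cleartext credentials and session tokens end up in that file. The resource group, region, storage account name, bastion address range and the target_vm_id variable are assumptions.

```hcl
# Added example for this page (not the kevinhead/azurerm snippet above).
# Resource names, the region, the bastion range and var.target_vm_id are placeholders.

variable "target_vm_id" {
  type        = string
  description = "Resource ID of an existing Linux VM to capture on (assumed to exist)."
}

resource "azurerm_resource_group" "example" {
  name     = "rg-packet-capture-example"
  location = "westeurope"
}

# One Network Watcher per region per subscription; the capture is a child of it.
resource "azurerm_network_watcher" "example" {
  name                = "nw-westeurope"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# The storage account that receives the .cap files: no anonymous blob access,
# TLS 1.2 minimum. Grant read access to the incident responders only.
resource "azurerm_storage_account" "captures" {
  name                            = "stpcapexample001"
  resource_group_name             = azurerm_resource_group.example.name
  location                        = azurerm_resource_group.example.location
  account_tier                    = "Standard"
  account_replication_type        = "LRS"
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false
}

# The target VM needs the Network Watcher agent; the capture fails without it.
resource "azurerm_virtual_machine_extension" "nw_agent" {
  name                       = "network-watcher"
  virtual_machine_id         = var.target_vm_id
  publisher                  = "Microsoft.Azure.NetworkWatcher"
  type                       = "NetworkWatcherAgentLinux"
  type_handler_version       = "1.4"
  auto_upgrade_minor_version = true
}

resource "azurerm_network_packet_capture" "scoped" {
  name                 = "pcap-ssh-from-bastion"
  network_watcher_name = azurerm_network_watcher.example.name
  resource_group_name  = azurerm_resource_group.example.name
  target_resource_id   = var.target_vm_id

  # Bound the capture: 30 minutes, 100 MB total, 128 bytes per packet.
  # 128 bytes keeps headers and drops most payload, which limits what leaks
  # if the .cap file is mishandled; leave maximum_bytes_per_packet unset only
  # when full payloads are actually needed for the investigation.
  maximum_capture_duration  = 1800
  maximum_bytes_per_session = 104857600
  maximum_bytes_per_packet  = 128

  # Narrow the filter to the traffic under investigation instead of
  # recording everything the VM sees. Range notation is the same as the
  # ARM API: "a.b.c.d-a.b.c.e" for a range, "x;y;" for a list.
  filter {
    protocol          = "TCP"
    local_port        = "22"
    remote_ip_address = "10.10.0.0-10.10.0.255" # assumed bastion subnet
  }

  storage_location {
    storage_account_id = azurerm_storage_account.captures.id
  }

  depends_on = [azurerm_virtual_machine_extension.nw_agent]
}
```

Writing to a storage account is preferred over a file_path on the VM: a local .cap file is readable by anyone with access to the machine, and is lost if the VM is rebuilt before the investigation finishes.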
Tips: Best Practices for Other Azure Network Resources
In addition to azurerm_network_packet_capture, Azure Network has other resources that should be configured with security in mind. The following are examples of those resources and the precautions to take.
azurerm_network_security_group
Ensure the RDP port is not open to the Internet
RDP (TCP 3389) should not be reachable from the Internet. Do not accept inbound RDP from sources such as *, 0.0.0.0/0, Internet or Any; restrict it to a known management range, and consider using the Azure Bastion Service instead of exposing the port at all.
azurerm_network_security_rule
Ensure a restrictive CIDR range for ingress from the Internet
Set a specific, narrow source CIDR on ingress rules rather than a very broad prefix. Where possible, also divide the network into smaller subnets and scope the destination prefix to the subnet that actually serves the traffic.
azurerm_network_watcher_flow_log
Ensure a retention policy is enabled for flow logs and set to a sufficient duration
Enable a retention policy for flow logs. Flow logs record all network activity in the cloud environment and are the primary evidence when responding to an incident, so the retention period must cover the time between an intrusion and its discovery.
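The three tips above applied in Terraform, as an added example written for this page (not code from the azurerm provider documentation or any repository). Each weak setting is shown commented out beside its hardened replacement. Resource names, the address ranges and the variables are assumptions.

```hcl
# Added example for this page. Names, CIDRs and the variables are placeholders.

variable "location"                            { type = string }
variable "resource_group_name"                 { type = string }
variable "network_watcher_name"                { type = string }
variable "network_watcher_resource_group_name" { type = string }
variable "flow_log_storage_account_id"         { type = string }

# azurerm_network_security_group: RDP from the Internet is not accepted.
resource "azurerm_network_security_group" "web" {
  name                = "nsg-web"
  location            = var.location
  resource_group_name = var.resource_group_name

  # Weak: source_address_prefix of "*", "Internet" or "0.0.0.0/0" opens
  # 3389 to the whole Internet.
  #
  # security_rule {
  #   name                       = "allow-rdp"
  #   priority                   = 100
  #   direction                  = "Inbound"
  #   access                     = "Allow"
  #   protocol                   = "Tcp"
  #   source_port_range          = "*"
  #   destination_port_range     = "3389"
  #   source_address_prefix      = "*"
  #   destination_address_prefix = "*"
  # }

  # Hardened: RDP only from the Azure Bastion subnet, then an explicit deny
  # for 3389 from the Internet so a later, lower-priority rule cannot reopen it.
  security_rule {
    name                       = "allow-rdp-from-bastion"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3389"
    source_address_prefix      = "10.0.255.0/26" # assumed AzureBastionSubnet
    destination_address_prefix = "*"
  }
  security_rule {
    name                       = "deny-rdp-internet"
    priority                   = 110
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3389"
    source_address_prefix      = "Internet"
    destination_address_prefix = "*"
  }
}

# azurerm_network_security_rule: ingress limited to a specific CIDR on both ends.
resource "azurerm_network_security_rule" "https_from_partner" {
  name                        = "allow-https-partner"
  priority                    = 200
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "443"
  # source_address_prefix     = "0.0.0.0/0"      # weak: the whole Internet
  source_address_prefix       = "203.0.113.0/24" # assumed partner range (TEST-NET-3)
  destination_address_prefix  = "10.0.1.0/24"    # only the web subnet, not "*"
  resource_group_name         = var.resource_group_name
  network_security_group_name = azurerm_network_security_group.web.name
}

# azurerm_network_watcher_flow_log: retention enabled and long enough for IR.
resource "azurerm_network_watcher_flow_log" "web" {
  name                      = "flowlog-nsg-web"
  network_watcher_name      = var.network_watcher_name
  resource_group_name       = var.network_watcher_resource_group_name
  network_security_group_id = azurerm_network_security_group.web.id
  storage_account_id        = var.flow_log_storage_account_id
  enabled                   = true
  version                   = 2

  retention_policy {
    # enabled = false          # weak: no retention policy at all
    enabled = true
    days    = 90               # 90 days is the usual minimum baseline for investigations
  }
}
```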
Microsoft.Network/networkWatchers/packetCaptures (Azure Resource Manager)
networkWatchers/packetCaptures in Microsoft.Network can be configured in Azure Resource Manager with the resource name Microsoft.Network/networkWatchers/packetCaptures. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
- name: required, string
- type: required, string
- apiVersion: required, string
- properties: required
  - target: required, string. The ID of the targeted resource; only VM is currently supported.
  - bytesToCapturePerPacket: optional, integer. Number of bytes captured per packet; the remaining bytes are truncated.
  - totalBytesPerSession: optional, integer. Maximum size of the capture output.
  - timeLimitInSeconds: optional, integer. Maximum duration of the capture session in seconds.
  - storageLocation: required
    - storageId: optional, string. The ID of the storage account to save the packet capture session. Required if no local file path is provided.
    - storagePath: optional, string. The URI of the storage path to save the packet capture. Must be a well-formed URI describing the location to save the packet capture.
    - filePath: optional, string. A valid local path on the target VM. Must include the name of the capture file (*.cap). For Linux virtual machines it must start with /var/captures. Required if no storage ID is provided, otherwise optional.
  - filters: optional, array
    - protocol: optional, string. Protocol to be filtered on.
    - localIPAddress: optional, string. Local IP address to be filtered on. Notation: "127.0.0.1" for a single address, "127.0.0.1-127.0.0.255" for a range, "127.0.0.1;127.0.0.5;" for multiple entries. Multiple ranges are not currently supported, nor is mixing ranges with multiple entries. Default = null.
    - remoteIPAddress: optional, string. Remote IP address to be filtered on. Notation: "127.0.0.1" for a single address, "127.0.0.1-127.0.0.255" for a range, "127.0.0.1;127.0.0.5;" for multiple entries. Multiple ranges are not currently supported, nor is mixing ranges with multiple entries. Default = null.
    - localPort: optional, string. Local port to be filtered on. Notation: "80" for a single port, "80-85" for a range, "80;443;" for multiple entries. Multiple ranges are not currently supported, nor is mixing ranges with multiple entries. Default = null.
    - remotePort: optional, string. Remote port to be filtered on. Notation: "80" for a single port, "80-85" for a range, "80;443;" for multiple entries. Multiple ranges are not currently supported, nor is mixing ranges with multiple entries. Default = null.
Frequently asked questions
What is Azure Network Packet Capture?
Azure Network Packet Capture is a resource for Network in Microsoft Azure. Its settings can be written in Terraform or in an Azure Resource Manager template.
Where can I find the example code for the Azure Network Packet Capture?
For Terraform, the kevinhead/azurerm source code example is useful. See the Example Usage from GitHub section under azurerm_network_packet_capture for further details.