Azure Network Packet Capture

This page shows how to write Terraform and Azure Resource Manager for Network Packet Capture and write them securely.

azurerm_network_packet_capture (Terraform)

The Packet Capture in Network can be configured in Terraform with the resource name azurerm_network_packet_capture. The following sections describe 1 example of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L7
resource "azurerm_network_packet_capture" "this" {
  maximum_bytes_per_packet  = var.maximum_bytes_per_packet
  maximum_bytes_per_session = var.maximum_bytes_per_session
  maximum_capture_duration  = var.maximum_capture_duration
  name                      = var.name
  network_watcher_name      = var.network_watcher_name

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Configures Network Packet Capturing against a Virtual Machine using a Network Watcher.

Tips: Best Practices for The Other Azure Network Resources

In addition to the azurerm_network_security_group, Azure Network has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

azurerm_network_security_group

Ensure to disable RDP port from the Internet

It is better to disable the RDP port from the Internet. RDP access should not be accepted from the Internet (*, 0.0.0.0, /0, internet, any), and consider using the Azure Bastion Service.

risk-label

azurerm_network_security_rule

Ensure to set a more restrictive CIDR range for ingress from the internet

It is better to set a more restrictive CIDR range not to use very broad subnets. If possible, segments should be divided into smaller subnets.

risk-label

azurerm_network_watcher_flow_log

Ensure to enable Retention policy for flow logs and set it to enough duration

It is better to enable a retention policy for flow logs. Flow logs show us all network activity in the cloud environment and support us when we face critical incidents.

Review your Azure Network settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

Microsoft.Network/networkWatchers/packetCaptures (Azure Resource Manager)

The networkWatchers/packetCaptures in Microsoft.Network can be configured in Azure Resource Manager with the resource name Microsoft.Network/networkWatchers/packetCaptures. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Parameters

  • name required - string
  • type required - string
  • apiVersion required - string
  • properties required
      • target required - string

        The ID of the targeted resource, only VM is currently supported.

      • bytesToCapturePerPacket optional - integer

        Number of bytes captured per packet, the remaining bytes are truncated.

      • totalBytesPerSession optional - integer

        Maximum size of the capture output.

      • timeLimitInSeconds optional - integer

        Maximum duration of the capture session in seconds.

      • storageLocation required
          • storageId optional - string

            The ID of the storage account to save the packet capture session. Required if no local file path is provided.

          • storagePath optional - string

            The URI of the storage path to save the packet capture. Must be a well-formed URI describing the location to save the packet capture.

          • filePath optional - string

            A valid local path on the targeting VM. Must include the name of the capture file (*.cap). For linux virtual machine it must start with /var/captures. Required if no storage ID is provided, otherwise optional.

      • filters optional array
          • protocol optional - string

            Protocol to be filtered on.

          • localIPAddress optional - string

            Local IP Address to be filtered on. Notation: "127.0.0.1" for single address entry. "127.0.0.1-127.0.0.255" for range. "127.0.0.1;127.0.0.5"? for multiple entries. Multiple ranges not currently supported. Mixing ranges with multiple entries not currently supported. Default = null.

          • remoteIPAddress optional - string

            Local IP Address to be filtered on. Notation: "127.0.0.1" for single address entry. "127.0.0.1-127.0.0.255" for range. "127.0.0.1;127.0.0.5;" for multiple entries. Multiple ranges not currently supported. Mixing ranges with multiple entries not currently supported. Default = null.

          • localPort optional - string

            Local port to be filtered on. Notation: "80" for single port entry."80-85" for range. "80;443;" for multiple entries. Multiple ranges not currently supported. Mixing ranges with multiple entries not currently supported. Default = null.

          • remotePort optional - string

            Remote port to be filtered on. Notation: "80" for single port entry."80-85" for range. "80;443;" for multiple entries. Multiple ranges not currently supported. Mixing ranges with multiple entries not currently supported. Default = null.

Frequently asked questions

What is Azure Network Packet Capture?

Azure Network Packet Capture is a resource for Network of Microsoft Azure. Settings can be wrote in Terraform.

Where can I find the example code for the Azure Network Packet Capture?

For Terraform, the kevinhead/azurerm source code example is useful. See the Terraform Example section for further details.