anuj, Author at Azure Security Architect https://azuresecurityarchitect.com/author/anuj/ For all your cloud security needs

Azure ExpressRoute Troubleshooting and Alerts
https://azuresecurityarchitect.com/azure-networking/azure-expressroute-troubleshooting-and-alerts/
Thu, 01 May 2025 19:27:22 +0000

Setting up an ExpressRoute connection is just the beginning. To ensure high availability, performance, and fast incident response, configuring comprehensive monitoring and alerting is critical.

🔔 Types of Alerts: Circuit-Level vs. Gateway-Level

Azure Monitor supports alerts at both the ExpressRoute circuit level and the gateway level.

Circuit-Level Alerts

These focus on peering and protocol availability:

  • ARP Availability Down: fires when the ArpAvailability metric (a percentage; healthy is 100) drops below 100% for a peering, meaning the circuit's edge router stopped resolving the peer's address on at least one link.

  • BGP Availability Down: fires when the BgpAvailability metric drops below 100%, meaning a BGP session to a peer went inactive.

Split these rules on the Peering Type and Peer dimensions when you define them, so a firing alert names the peering (private or Microsoft) and the specific peer that failed instead of reporting the circuit as a whole; averaged across both links, a single dead session on the secondary is easy to misread.

Gateway-Level Alerts

Set up alerts for ExpressRoute gateway connections to monitor overall connection health. To create one:

  1. Navigate to Azure Monitor > Alerts > + Create Alert Rule.

  2. Select the ExpressRoute Gateway as the resource.

  3. Choose the signal type (metrics, activity logs, or resource health).

  4. Set conditions, thresholds, and actions.

  5. Assign an action group (email, webhook, ITSM, etc.).

[Image: Azure Monitor signal selection for ExpressRoute]

📊 Alerts by Peering Dimension

Azure lets you scope an alert rule to one peering type or to an individual BGP peer, so you can zero in on a specific peering or link for diagnostics rather than on the circuit as a whole.

[Image: Alert scoped by peering dimension]
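The gateway-level steps and the peering-dimension scoping above, expressed as infrastructure-as-code rather than portal clicks. This is an added example written for this page, not code from the original post or from Microsoft; the circuit name, the on-call mailbox and the severity are assumptions. It creates one alert rule per availability metric on an existing circuit, split on the PeeringType and Peer dimensions so that a firing alert names the peering and peer that dropped below 100%, and wires both rules to one action group.

```bicep
// Added example (not from the original post): circuit-level ExpressRoute
// availability alerts as Bicep, deployed into the circuit's resource group.
// Assumed inputs: an existing circuit in this resource group and an on-call
// mailbox for the action group.
param circuitName string                      // assumption: name of an existing circuit
param oncallEmail string                      // assumption: notification target
param severity int = 1                        // 0 = critical ... 4 = verbose

resource circuit 'Microsoft.Network/expressRouteCircuits@2023-09-01' existing = {
  name: circuitName
}

resource oncall 'Microsoft.Insights/actionGroups@2023-01-01' = {
  name: 'ag-network-oncall'
  location: 'global'
  properties: {
    groupShortName: 'netoncall'
    enabled: true
    emailReceivers: [
      {
        name: 'oncall'
        emailAddress: oncallEmail
        useCommonAlertSchema: true
      }
    ]
  }
}

// One rule per availability metric. Both are percentages; healthy is 100.
var availabilityMetrics = [
  'ArpAvailability'
  'BgpAvailability'
]

resource availabilityDown 'Microsoft.Insights/metricAlerts@2018-03-01' = [for metric in availabilityMetrics: {
  name: '${circuitName}-${toLower(metric)}-down'
  location: 'global'
  properties: {
    description: '${metric} below 100% on ${circuitName}; the alert carries the PeeringType and Peer dimensions'
    severity: severity
    enabled: true
    scopes: [
      circuit.id
    ]
    evaluationFrequency: 'PT1M'
    windowSize: 'PT5M'
    criteria: {
      'odata.type': 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria'
      allOf: [
        {
          criterionType: 'StaticThresholdCriterion'
          name: metric
          metricNamespace: 'Microsoft.Network/expressRouteCircuits'
          metricName: metric
          // '*' makes the rule evaluate every peering and every peer separately,
          // so one BGP session dying on the secondary link fires its own alert
          // instead of being averaged against the healthy primary.
          dimensions: [
            {
              name: 'PeeringType'
              operator: 'Include'
              values: [
                '*'
              ]
            }
            {
              name: 'Peer'
              operator: 'Include'
              values: [
                '*'
              ]
            }
          ]
          operator: 'LessThan'
          threshold: 100
          timeAggregation: 'Average'
        }
      ]
    }
    actions: [
      {
        actionGroupId: oncall.id
      }
    ]
  }
}]
```

Deploy with `az deployment group create --resource-group <rg> --template-file expressroute-alerts.bicep --parameters circuitName=<circuit> oncallEmail=<mailbox>`. The gateway-level rule from the numbered steps has the same shape with the virtual network gateway's resource ID in `scopes` and a gateway metric in `metricName`. Start with `evaluationFrequency`/`windowSize` of one and five minutes; a one-minute window on a percentage metric pages on every BGP flap.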

🧾 Monitoring with Logs

  • Activity log: control-plane operations on the circuit and gateway, such as peering and connection changes or connection resets, with the caller identity and the time, which is what you want first when a link "just stopped working".

  • Resource logs: add a diagnostic setting on the circuit to collect its peering route table logs (advertised and learned routes, session status) into a Log Analytics workspace so they survive longer than the portal view.

  • NSG flow logs: useful for diagnosing network-level anomalies on the VNet side of the gateway.

  • Route diagnostic logs: inspect BGP route advertisements and withdrawals to confirm which prefixes the peer actually learned, rather than which ones you think you advertised.

🛠 Troubleshooting Tips

If ICMP works (ping) but there is no application-level connectivity (SSH, RDP, SQL), check:

  • GatewaySubnet settings: no NSG and no NAT gateway should be associated with GatewaySubnet; neither is supported there.

  • Route table (UDR): none associated with GatewaySubnet; in particular, a 0.0.0.0/0 route pointing at an NVA on that subnet is not supported.

  • Connection state on any firewall or NVA in the path: sessions that age out (a SYN with no SYN-ACK) instead of closing with a proper FIN point to asymmetric routing, where the reply takes a different path and a stateful device drops it. ICMP is stateless, so ping still succeeds and hides the problem.

  • MTU/MSS: ping packets are small, so a path-MTU problem only shows once TCP sends full-size segments; compare the MSS clamping on both ends if small requests work and bulk transfers hang.

The post Azure ExpressRoute Troubleshooting and Alerts appeared first on Azure Security Architect.

Azure Monitor Baseline Alerts for AVDs
https://azuresecurityarchitect.com/avd-azure-vdi/azure-monitor-baseline-alerts-for-avds/
Tue, 25 Mar 2025 17:04:19 +0000

Azure Monitor Baseline Alerts (AMBA) for Azure Virtual Desktop: a good starting set of alert rules that captures the common baseline events for AVD host pools and session hosts, so you are not writing every rule from scratch.

The post Azure Monitor Baseline Alerts for AVDs appeared first on Azure Security Architect.

AVD Latency Issues Troubleshooting
https://azuresecurityarchitect.com/avd-azure-vdi/avd-latency-issues-troubleshooting/
Fri, 14 Mar 2025 15:04:12 +0000

Azure level

Enable Azure Virtual Desktop Insights to capture connection round-trip time (RTT): both the RTT at session start (the AVD spin-up) and the ongoing network RTT for the session, so you can tell a slow logon from a slow network.

VM level

At the NIC level, enable Accelerated Networking if the VM size and OS support it.

Firewall level

Ensure that deep packet inspection on the firewall is not adding the latency.

Ensure that the outbound route to the internet is not adding the latency (for example when it hairpins through a Palo Alto firewall).

The post AVD Latency Issues Troubleshooting appeared first on Azure Security Architect.

InTune Migration PreExisting Identities
https://azuresecurityarchitect.com/intune/intune-migration-preexisting-identities/
Wed, 12 Mar 2025 15:42:49 +0000

For Intune device migrations to succeed, two things need to be in place before the devices move:

  1. The identities (the users and the device objects) need to exist already in the target Entra tenant.
  2. The Intune licensing for those users (or devices) needs to be assigned.

The post InTune Migration PreExisting Identities appeared first on Azure Security Architect.

Storage Accounts and Blob Storage
https://azuresecurityarchitect.com/storage-security/storage-accounts-and-blob-storage/
Mon, 30 Dec 2024 17:16:49 +0000

Step 1 – Creating a new storage account

Types – Storage accounts come in three kinds: general-purpose v2 (StorageV2, the default for new deployments), general-purpose v1 (legacy, rarely used anymore) and BlobStorage (blobs only; no tables, queues or file shares).

Replication

  1. LRS (locally redundant: three synchronous copies within a single datacenter)
  2. GRS (geo-redundant: LRS plus an asynchronous copy in the paired region)
  3. RA-GRS (read-access geo-redundant: GRS plus read access to the secondary copy)

Tiers – Hot or Cool is the account default; Archive is a per-blob tier that can only be set after upload.

Additional security options

  – Bind to a VNET (network rules: deny by default, allow only selected subnets or private endpoints)
  – Secure transfer only (HTTPS required; pair it with a minimum TLS version of 1.2)

Step 2 – Adding a blob container

Once the storage account is ready, add a new container; blobs are uploaded into it.

Access type – Private (no anonymous access; the right choice for backups written to blobs) or Anonymous read access for blobs only (the second option). Anonymous read should stay off unless the data is genuinely public, and it is only offered when the account itself still allows blob public access.
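Steps 1 and 2 as a single Bicep deployment, added here as an example for this page; it is not code from the original post. It creates a StorageV2 account with the replication, tier and "additional security options" from step 1 enforced at creation time (so nobody can forget the checkbox), then the private container from step 2. The account name, region, subnet ID and replication SKU are assumptions; the subnet is assumed to already have the Microsoft.Storage service endpoint enabled.

```bicep
// Added example (not from the original post): hardened StorageV2 account plus a
// private "backups" container. Assumed inputs: a globally unique account name and
// a subnet that has the Microsoft.Storage service endpoint enabled.
param storageAccountName string               // assumption: 3-24 lowercase alphanumerics, globally unique
param location string = resourceGroup().location
param allowedSubnetId string                  // assumption: subnet resource ID to "bind" the account to
param replication string = 'Standard_GRS'     // Standard_LRS / Standard_GRS / Standard_RAGRS, as in step 1

resource account 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'                           // general-purpose v2, not v1 or BlobStorage
  sku: {
    name: replication
  }
  properties: {
    accessTier: 'Hot'                         // account default; Archive is set per blob after upload
    supportsHttpsTrafficOnly: true            // "Secure transfer only"
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false              // no container can be flipped to anonymous read later
    allowSharedKeyAccess: false               // Entra ID auth only; set true only if a client still needs account keys
    networkAcls: {                            // "Bind to a VNET": deny by default, allow one subnet
      defaultAction: 'Deny'
      bypass: 'AzureServices'                 // lets trusted Microsoft services (e.g. Azure Backup) reach the account
      virtualNetworkRules: [
        {
          id: allowedSubnetId
          action: 'Allow'
        }
      ]
      ipRules: []
    }
  }
}

resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {
  parent: account
  name: 'default'
  properties: {
    deleteRetentionPolicy: {                  // soft delete, so a deleted backup blob can be recovered
      enabled: true
      days: 30
    }
  }
}

// Step 2: the container. publicAccess 'None' is the "Private" access type. The
// other values ('Blob', 'Container') would be rejected anyway because
// allowBlobPublicAccess is false on the account.
resource backups 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = {
  parent: blobService
  name: 'backups'
  properties: {
    publicAccess: 'None'
  }
}

output blobEndpoint string = account.properties.primaryEndpoints.blob
```

Deploy with `az deployment group create --resource-group <rg> --template-file storage.bicep --parameters storageAccountName=<name> allowedSubnetId=<subnet-id>`. The two account-level flags are the ones that matter for exposure: `allowBlobPublicAccess: false` removes the anonymous option from every container, and `networkAcls.defaultAction: 'Deny'` means a leaked SAS token is useless from outside the allowed subnet.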


The post Storage Accounts and Blob Storage appeared first on Azure Security Architect.

Azure Policy Recommended Policies
https://azuresecurityarchitect.com/azure-security-ecosystem/azure-policy-recommended-policies/
Sun, 29 Dec 2024 16:32:53 +0000

These are the top recommended policies for most customers.

  1. Enforce resource tagging
  2. Limit allowed locations
  3. Prohibit deployment of specific resource types (e.g. public IP addresses)
  4. Require secure transfer (HTTPS only) for storage accounts
  5. Block public network access to storage accounts (network rules / public network access disabled)
  6. Block anonymous (blob public) access to storage accounts; this is separate from item 5, which controls the network path, not anonymous reads
  7. Configure Cosmos DB accounts to disable public network access
  8. Configure Azure SQL servers to disable public network access
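Items 2, 3 and 4 of that list as a subscription-scoped Bicep deployment, added here as an example for this page (not code from the original post). The two built-in definition IDs are Microsoft's; the region list and the assignment names are assumptions. It shows the two ways you end up writing policy: assigning a built-in definition with parameters, and writing a custom `if/then` definition for something the built-ins do not cover the way you want.

```bicep
// Added example (not from the original post): Azure Policy for "limit allowed
// locations", "prohibit public IP addresses" and "require secure transfer".
targetScope = 'subscription'

param allowedLocations array = [              // assumption: the regions this subscription may use
  'eastus'
  'eastus2'
]

// Built-in "Allowed locations"
var allowedLocationsDefinitionId = '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'
// Built-in "Secure transfer to storage accounts should be enabled"
var secureTransferDefinitionId = '/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9'

resource allowedLocationsAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'allowed-locations'
  properties: {
    displayName: 'Limit allowed locations'
    policyDefinitionId: allowedLocationsDefinitionId
    enforcementMode: 'Default'               // 'DoNotEnforce' = audit-only dry run before turning deny on
    parameters: {
      listOfAllowedLocations: {
        value: allowedLocations
      }
    }
  }
}

resource secureTransferAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'storage-secure-transfer'
  properties: {
    displayName: 'Require secure transfer for storage accounts'
    policyDefinitionId: secureTransferDefinitionId
    parameters: {
      effect: {
        value: 'Deny'                          // the built-in defaults to Audit; Deny blocks the deployment
      }
    }
  }
}

// Custom definition: prohibit public IP addresses. The same if/then shape
// blocks any other resource type; only the "equals" value changes.
resource denyPublicIp 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-public-ip-addresses'
  properties: {
    displayName: 'Deny public IP address deployment'
    policyType: 'Custom'
    mode: 'Indexed'
    policyRule: {
      'if': {
        field: 'type'
        equals: 'Microsoft.Network/publicIPAddresses'
      }
      then: {
        effect: 'deny'
      }
    }
  }
}

resource denyPublicIpAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-public-ip-addresses'
  properties: {
    displayName: 'Prohibit public IP addresses'
    policyDefinitionId: denyPublicIp.id
  }
}
```

Deploy with `az deployment sub create --location <region> --template-file policy.bicep`. Roll new deny policies out with `enforcementMode: 'DoNotEnforce'` first and read the compliance results; a deny assignment at subscription scope also blocks your own pipelines, so the first thing it usually catches is the deployment that was going to fix it.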

The post Azure Policy Recommended Policies appeared first on Azure Security Architect.

Device Restrictions using Conditional Access Policies in Azure Entra ID
https://azuresecurityarchitect.com/entra-id/device-restrictions-using-conditional-access-policies-in-azure-entra-id/
Wed, 27 Nov 2024 18:13:19 +0000

Conditional Access can restrict which devices get into your Azure subscriptions. A policy with the "Require device to be marked as compliant" grant control only admits devices that Intune (or the MDM integrated with it) reports as compliant. The network is a separate condition: named locations (defined as CIDR ranges) can be included or excluded, and the device filter condition lets you make exceptions for specific devices if you need to.

The exact error an external (guest) user sees when such a policy applies to them:

The portal encountered an issue while attempting to retrieve access tokens. We suggest attempting to sign in again, or alternatively, continuing without access tokens, although this may result in a suboptimal user experience. Additional details: invalid_grant: AADSTS530004: AcceptCompliantDevice setting isn't configured for this organization. The admin needs to configure this setting to allow external users access to protected resources. Trace ID: af449c59-5668-4e01-9c12-6148328d6500 Correlation ID: e0318484-7e18-4c0f-b7a9-a678a9bc8cfd Timestamp: 2024-11-27 17:58:53Z.

AADSTS530004 means your tenant is not accepting the device-compliance claim from the guest's home tenant. The fix is under Entra ID > External Identities > Cross-tenant access settings > Inbound access > Trust settings: enable trust for compliant devices from the partner tenant (that is the AcceptCompliantDevice setting the error names), or exclude those guests from the policy if you do not want to trust the partner's device posture.

The post Device Restrictions using Conditional Access Policies in Azure Entra ID appeared first on Azure Security Architect.

Letting in vendors to your Entra Tenant
https://azuresecurityarchitect.com/entra-id/letting-in-vendors-to-your-entra-tenant/
Sat, 23 Nov 2024 00:26:33 +0000

Use Case

Let a set of vendor engineers into your Azure subscription, typically read-only. Note that Global Reader is an Entra ID directory role and grants no access to Azure resources; for read-only access to a subscription the Azure RBAC role is Reader.

Steps in Entra and in Azure

  1. Invite each engineer as a B2B guest using their vendor e-mail address as the user principal name. They sign in with their home tenant credentials (SSO), so no password for them lives in your tenant.
  2. Guests do not need a per-user license assigned to sign in; Entra bills B2B collaboration on monthly active users, which also covers premium features such as Conditional Access applied to those guests.
  3. Put all these vendor guests into a single Entra ID security group.
  4. Use Azure RBAC to grant that group the Reader role at the subscription. Assign to the group, never to individual guests, so off-boarding a vendor is a group-membership change rather than a hunt for stray assignments.
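Step 4 as Bicep, added here as an example for this page (not code from the original post). The group object ID is an assumption; the Reader role definition ID is Microsoft's built-in. The two details worth copying are the deterministic assignment name, which makes redeployments idempotent, and the explicit `principalType`, which avoids the lookup failure you get when the principal was created moments earlier and has not replicated yet.

```bicep
// Added example (not from the original post): subscription-scoped Reader role
// assignment for the vendor guest group. Assumed input: the group's object ID.
targetScope = 'subscription'

param vendorGuestsGroupObjectId string        // assumption: object ID of the Entra security group holding the vendor guests

// Built-in Azure RBAC "Reader": read-only on Azure resources. Not the Entra
// "Global Reader" directory role, which grants nothing on subscriptions.
var readerRoleDefinitionId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')

resource vendorReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // deterministic name: the same scope + principal + role always produces the
  // same assignment, so re-running the deployment does not create duplicates
  name: guid(subscription().id, vendorGuestsGroupObjectId, readerRoleDefinitionId)
  properties: {
    principalId: vendorGuestsGroupObjectId
    principalType: 'Group'                    // explicit, so ARM does not have to resolve a possibly unreplicated object
    roleDefinitionId: readerRoleDefinitionId
    description: 'Vendor engineers: read-only, granted through group membership only'
  }
}
```

Deploy with `az deployment sub create --location <region> --template-file vendor-reader.bicep --parameters vendorGuestsGroupObjectId=<group-object-id>`. Because the assignment targets the group, the audit question "who can read this subscription" is answered by the group's membership list, and removing a vendor never requires touching Azure RBAC.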

The post Letting in vendors to your Entra Tenant appeared first on Azure Security Architect.

P2 licenses – Use Case – SSO Authentication and MFA – no mailbox
https://azuresecurityarchitect.com/entra-id/licensing/p2-licenses-use-case-sso-authentication-and-mfa-no-mailbox/
Fri, 22 Nov 2024 20:36:46 +0000

Use case – SSO authentication and MFA, no mailbox

Entra ID P2 licenses with cloud-only authentication (not federated): the users authenticate directly against Entra ID rather than through an on-premises federation server, and they need no Exchange mailbox.

The post P2 licenses – Use Case – SSO Authentication and MFA – no mailbox appeared first on Azure Security Architect.

Devices versus Apps – Managed by Intune
https://azuresecurityarchitect.com/intune/devices-versus-apps-managed-by-intune/
Fri, 22 Nov 2024 20:36:05 +0000

Intune

Intune can manage both devices (mobile device management, MDM) and the applications on those devices (mobile application management, MAM).

Intune can also be configured for application management only (MAM without enrollment, using app protection policies) while some other tool does the device management.

The post Devices versus Apps – Managed by Intune appeared first on Azure Security Architect.
