Azure Networking Archives - Azure Security Architect https://azuresecurityarchitect.com/category/azure-networking/ For all your cloud security needs Thu, 01 May 2025 19:27:22 +0000 en-US hourly 1 https://wordpress.org/?v=6.8.1 214478653 Azure ExpressRoute Troubleshooting and Alerts https://azuresecurityarchitect.com/azure-networking/azure-expressroute-troubleshooting-and-alerts/ https://azuresecurityarchitect.com/azure-networking/azure-expressroute-troubleshooting-and-alerts/#respond Thu, 01 May 2025 19:27:22 +0000 https://azuresecurityarchitect.com/?p=478 Azure ExpressRoute Troubleshooting and Alerts Setting up an ExpressRoute connection is just the beginning. To ensure high availability, performance, and fast incident response, configuring comprehensive monitoring and alerting is critical. […]

The post Azure ExpressRoute Troubleshooting and Alerts appeared first on Azure Security Architect.

]]> Azure ExpressRoute Troubleshooting and Alerts

Setting up an ExpressRoute connection is just the beginning. To ensure high availability, performance, and fast incident response, configuring comprehensive monitoring and alerting is critical.

๐Ÿ”” Types of Alerts: Circuit-Level vs. Gateway-Level

Azure Monitor supports alerts at both the ExpressRoute circuit level and the gateway level.

Circuit-Level Alerts

These focus on peering and protocol availability:

  • ARP Availability Down: Alerts when Address Resolution Protocol traffic drops below 100% for a peering type.

  • BGP Availability Down: Triggers when BGP peering sessions go inactive.

Use dimensions like Peering Type and Peer when defining these metrics to get precise and actionable data.

Gateway-Level Alerts

Set up alerts for ExpressRoute gateway connections to monitor overall connection health. To create one:

  1. Navigate to Azure Monitor > Alerts > + Create Alert Rule.

  2. Select the ExpressRoute Gateway as the resource.

  3. Choose the signal type (metrics, activity logs, or resource health).

  4. Set conditions, thresholds, and actions.

  5. Assign an action group (email, webhook, ITSM, etc.).

:::image type=”content” source=”./media/expressroute-monitoring-metrics-alerts/signal.png” alt-text=”Azure Monitor signal selection for ExpressRoute”:::

๐Ÿ“Š Alerts by Peering Dimension

Azure lets you create alert rules scoped by peering or individual peers, so you can zero in on specific routes or VNETs for diagnostics.

:::image type=”content” source=”./media/expressroute-monitoring-metrics-alerts/alerts-peering-dimensions.png” alt-text=”Alert scoped by peering dimension”:::

๐Ÿงพ Monitoring with Logs

  • Activity Logs: Capture control plane events like route changes and BGP resets.

  • Resource Logs: Set diagnostic settings to collect route metrics and session status.

  • NSG Flow Logs: Useful for diagnosing network-level anomalies.

  • Route Diagnostic Logs: Inspect BGP route advertisements and withdrawals.

๐Ÿ›  Troubleshooting Tips

If ICMP works (ping) but no app-level connectivity (SSH, RDP, SQL), check:

  • GatewaySubnet settings: No NSG or NAT gateway should be attached.

  • Route Table (UDR): Set to None for GatewaySubnet.

  • Connection state: Look for aged-out TCP sessions vs. proper FIN/CLOSE events.

The post Azure ExpressRoute Troubleshooting and Alerts appeared first on Azure Security Architect.

]]> https://azuresecurityarchitect.com/azure-networking/azure-expressroute-troubleshooting-and-alerts/feed/ 0 478