Virtual network TAP
Azure virtual network TAP (Terminal Access Point) allows you to continuously stream your virtual machine network traffic to a network packet collector or analytics tool. The collector or analytics tool is provided by a network virtual appliance partner. For a list of partner solutions that are validated to work with virtual network TAP, see partner solutions.
Virtual network TAP partner solutions
Network packet brokers
Security analytics, network/application performance management
- ExtraHop Reveal(x)
- Fidelis Cybersecurity
- Netscout vSTREAM
- Nubeva Prisms
- RSA NetWitness® Platform
- Vectra Cognito
The following picture shows how virtual network TAP works. You can add a TAP configuration on a network interface that is attached to a virtual machine deployed in your virtual network. The destination is a virtual network IP address in the same virtual network as the monitored network interface or a peered virtual network. The collector solution for virtual network TAP can be deployed behind an Azure Internal Load balancer for high availability. To evaluate deployment options for individual solution, see partner solutions.
Before you create a virtual network TAP, you must have received a confirmation mail that you are enrolled in the preview, and have one or more virtual machines created using Azure Resource Manager deployment model and a partner solution for aggregating the TAP traffic in WestCentralUS region. If you don't have a partner solution in your virtual network, see partner solutions to deploy one. You can use the same virtual network TAP resource to aggregate traffic from multiple network interfaces in the same or different subscriptions. If the monitored network interfaces are in different subscriptions, the subscriptions must be associated to the same Azure Active Directory tenant. Additionally, the monitored network interfaces and the destination endpoint for aggregating the TAP traffic can be in peered virtual networks in the same region. If you are using this deployment model ensure that the virtual network peering is enabled before you configure virtual network TAP.
The accounts you use to apply TAP configuration on network interfaces must be assigned to the network contributor role or a custom role that is assigned the necessary actions from the following table:
|Microsoft.Network/virtualNetworkTaps/*||Required to create, update, read and delete a virtual network TAP resource|
|Microsoft.Network/networkInterfaces/read||Required to read the network interface resource on which the TAP will be configured|
|Microsoft.Network/tapConfigurations/*||Required to create, update, read and delete the TAP configuration on a network interface|
- Learn how to Create a virtual network TAP.