Network Watchers - Verify IP Flow

Reference

Service:: Network Watcher

API Version:: 2023-09-01

Verify IP flow from the specified VM to a location given the currently configured NSG rules.

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkWatchers/{networkWatcherName}/ipFlowVerify?api-version=2023-09-01

URI Parameters

Name	In	Required	Type	Description
networkWatcherName	path	True	string	The name of the network watcher.
resourceGroupName	path	True	string	The name of the resource group.
subscriptionId	path	True	string	The subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.
api-version	query	True	string	Client API version.

Request Body

Name	Required	Type	Description
direction	True	Direction	The direction of the packet represented as a 5-tuple.
localIPAddress	True	string	The local IP address. Acceptable values are valid IPv4 addresses.
localPort	True	string	The local port. Acceptable values are a single integer in the range (0-65535). Support for * for the source port, which depends on the direction.
protocol	True	IpFlowProtocol	Protocol to be verified on.
remoteIPAddress	True	string	The remote IP address. Acceptable values are valid IPv4 addresses.
remotePort	True	string	The remote port. Acceptable values are a single integer in the range (0-65535). Support for * for the source port, which depends on the direction.
targetResourceId	True	string	The ID of the target resource to perform next-hop on.
targetNicResourceId		string	The NIC ID. (If VM has multiple NICs and IP forwarding is enabled on any of them, then this parameter must be specified. Otherwise optional).

Responses

Name	Type	Description
200 OK	VerificationIPFlowResult	Request successful. The operation returns the result of IP flow verification.
202 Accepted	VerificationIPFlowResult	Accepted and the operation will complete asynchronously.
Other Status Codes	ErrorResponse	Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name	Description
user_impersonation	impersonate your user account

Examples

Ip flow verify

Sample Request

POST https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkWatchers/nw1/ipFlowVerify?api-version=2023-09-01

{
  "targetResourceId": "/subscriptions/subid/resourceGroups/rg2/providers/Microsoft.Compute/virtualMachines/vm1",
  "direction": "Outbound",
  "protocol": "TCP",
  "localPort": "80",
  "remotePort": "80",
  "localIPAddress": "10.2.0.4",
  "remoteIPAddress": "121.10.1.1"
}


import com.azure.resourcemanager.network.models.Direction;
import com.azure.resourcemanager.network.models.IpFlowProtocol;
import com.azure.resourcemanager.network.models.VerificationIpFlowParameters;

/**
 * Samples for NetworkWatchers VerifyIpFlow.
 */
public final class Main {
    /*
     * x-ms-original-file:
     * specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/NetworkWatcherIpFlowVerify.
     * json
     */
    /**
     * Sample code: Ip flow verify.
     * 
     * @param azure The entry point for accessing resource management APIs in Azure.
     */
    public static void ipFlowVerify(com.azure.resourcemanager.AzureResourceManager azure) {
        azure.networks().manager().serviceClient().getNetworkWatchers().verifyIpFlow("rg1", "nw1",
            new VerificationIpFlowParameters()
                .withTargetResourceId(
                    "/subscriptions/subid/resourceGroups/rg2/providers/Microsoft.Compute/virtualMachines/vm1")
                .withDirection(Direction.OUTBOUND).withProtocol(IpFlowProtocol.TCP).withLocalPort("80")
                .withRemotePort("80").withLocalIpAddress("10.2.0.4").withRemoteIpAddress("121.10.1.1"),
            com.azure.core.util.Context.NONE);
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-network
# USAGE
    python network_watcher_ip_flow_verify.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = NetworkManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="subid",
    )

    response = client.network_watchers.begin_verify_ip_flow(
        resource_group_name="rg1",
        network_watcher_name="nw1",
        parameters={
            "direction": "Outbound",
            "localIPAddress": "10.2.0.4",
            "localPort": "80",
            "protocol": "TCP",
            "remoteIPAddress": "121.10.1.1",
            "remotePort": "80",
            "targetResourceId": "/subscriptions/subid/resourceGroups/rg2/providers/Microsoft.Compute/virtualMachines/vm1",
        },
    ).result()
    print(response)


# x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/NetworkWatcherIpFlowVerify.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

package armnetwork_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v5"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/d4205894880b989ede35d62d97c8e901ed14fb5a/specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/NetworkWatcherIpFlowVerify.json
func ExampleWatchersClient_BeginVerifyIPFlow() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armnetwork.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	poller, err := clientFactory.NewWatchersClient().BeginVerifyIPFlow(ctx, "rg1", "nw1", armnetwork.VerificationIPFlowParameters{
		Direction:        to.Ptr(armnetwork.DirectionOutbound),
		LocalIPAddress:   to.Ptr("10.2.0.4"),
		LocalPort:        to.Ptr("80"),
		RemoteIPAddress:  to.Ptr("121.10.1.1"),
		RemotePort:       to.Ptr("80"),
		TargetResourceID: to.Ptr("/subscriptions/subid/resourceGroups/rg2/providers/Microsoft.Compute/virtualMachines/vm1"),
		Protocol:         to.Ptr(armnetwork.IPFlowProtocolTCP),
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	res, err := poller.PollUntilDone(ctx, nil)
	if err != nil {
		log.Fatalf("failed to pull the result: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.VerificationIPFlowResult = armnetwork.VerificationIPFlowResult{
	// 	Access: to.Ptr(armnetwork.AccessAllow),
	// 	RuleName: to.Ptr("Rule1"),
	// }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

const { NetworkManagementClient } = require("@azure/arm-network");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Verify IP flow from the specified VM to a location given the currently configured NSG rules.
 *
 * @summary Verify IP flow from the specified VM to a location given the currently configured NSG rules.
 * x-ms-original-file: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/NetworkWatcherIpFlowVerify.json
 */
async function ipFlowVerify() {
  const subscriptionId = process.env["NETWORK_SUBSCRIPTION_ID"] || "subid";
  const resourceGroupName = process.env["NETWORK_RESOURCE_GROUP"] || "rg1";
  const networkWatcherName = "nw1";
  const parameters = {
    direction: "Outbound",
    localIPAddress: "10.2.0.4",
    localPort: "80",
    remoteIPAddress: "121.10.1.1",
    remotePort: "80",
    targetResourceId:
      "/subscriptions/subid/resourceGroups/rg2/providers/Microsoft.Compute/virtualMachines/vm1",
    protocol: "TCP",
  };
  const credential = new DefaultAzureCredential();
  const client = new NetworkManagementClient(credential, subscriptionId);
  const result = await client.networkWatchers.beginVerifyIPFlowAndWait(
    resourceGroupName,
    networkWatcherName,
    parameters,
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Network;
using Azure.ResourceManager.Network.Models;
using Azure.ResourceManager.Resources;

// Generated from example definition: specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/examples/NetworkWatcherIpFlowVerify.json
// this example is just showing the usage of "NetworkWatchers_VerifyIPFlow" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this NetworkWatcherResource created on azure
// for more information of creating NetworkWatcherResource, please refer to the document of NetworkWatcherResource
string subscriptionId = "subid";
string resourceGroupName = "rg1";
string networkWatcherName = "nw1";
ResourceIdentifier networkWatcherResourceId = NetworkWatcherResource.CreateResourceIdentifier(subscriptionId, resourceGroupName, networkWatcherName);
NetworkWatcherResource networkWatcher = client.GetNetworkWatcherResource(networkWatcherResourceId);

// invoke the operation
VerificationIPFlowContent content = new VerificationIPFlowContent(new ResourceIdentifier("/subscriptions/subid/resourceGroups/rg2/providers/Microsoft.Compute/virtualMachines/vm1"), NetworkTrafficDirection.Outbound, IPFlowProtocol.Tcp, "80", "80", "10.2.0.4", "121.10.1.1");
ArmOperation<VerificationIPFlowResult> lro = await networkWatcher.VerifyIPFlowAsync(WaitUntil.Completed, content);
VerificationIPFlowResult result = lro.Value;

Console.WriteLine($"Succeeded: {result}");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample Response

Status code:: 200

{
  "access": "Allow",
  "ruleName": "Rule1"
}

Status code:: 202

Location: https:/management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkWatchers/nw1/ipFlowVerify?api-version=2023-09-01

Response Body

{
  "access": "Allow",
  "ruleName": "Rule1"
}

Definitions

Name	Description
Access	Access to be allowed or denied.
Direction	The direction of the traffic.
ErrorDetails	Common error details representation.
ErrorResponse	The error object.
IpFlowProtocol	Protocol to be verified on.
VerificationIPFlowParameters	Parameters that define the IP flow to be verified.
VerificationIPFlowResult	Results of IP flow verification on the target resource.

Access

Access to be allowed or denied.

Name	Type	Description
Allow	string
Deny	string

Direction

The direction of the traffic.

Name	Type	Description
Inbound	string
Outbound	string

ErrorDetails

Common error details representation.

Name	Type	Description
code	string	Error code.
message	string	Error message.
target	string	Error target.

ErrorResponse

The error object.

Name	Type	Description
error	ErrorDetails	Error The error details object.

IpFlowProtocol

Protocol to be verified on.

Name	Type	Description
TCP	string
UDP	string

VerificationIPFlowParameters

Parameters that define the IP flow to be verified.

Name	Type	Description
direction	Direction	The direction of the packet represented as a 5-tuple.
localIPAddress	string	The local IP address. Acceptable values are valid IPv4 addresses.
localPort	string	The local port. Acceptable values are a single integer in the range (0-65535). Support for * for the source port, which depends on the direction.
protocol	IpFlowProtocol	Protocol to be verified on.
remoteIPAddress	string	The remote IP address. Acceptable values are valid IPv4 addresses.
remotePort	string	The remote port. Acceptable values are a single integer in the range (0-65535). Support for * for the source port, which depends on the direction.
targetNicResourceId	string	The NIC ID. (If VM has multiple NICs and IP forwarding is enabled on any of them, then this parameter must be specified. Otherwise optional).
targetResourceId	string	The ID of the target resource to perform next-hop on.

VerificationIPFlowResult

Results of IP flow verification on the target resource.

Name	Type	Description
access	Access	Indicates whether the traffic is allowed or denied.
ruleName	string	Name of the rule. If input is not matched against any security rule, it is not displayed.