Set up the Azure Traffic Sensor

Note: This feature is currently in Early Availability mode.

This topic provides step-by-step instructions for setting up the Azure Traffic Sensor within your Application Discovery environment. The Azure Traffic Sensor is designed to collect and analyze network traffic data from Azure Traffic Analytics, supporting the discovery and monitoring of application flows. The Azure traffic sensor: is installed wherever the Application Discovery Server is running on your system.

Prerequisites

Before setting up the Azure Traffic Sensor, ensure the following prerequisites are met:

  1. Open Port TCP/9745 for communication between the Application Discovery server hosting the Azure Traffic Sensor and the Central Manager.

  2. Enterprise Application Permissions: The Enterprise Application as defined in the Azure Portal must have at least the "Reader" role to access the resource group containing the Log Analytics workspace ID.

  3. NSG Flow Log Support: Only NSG flow log version 2 is supported.

  4. Recommended Flow Log: It is recommended to use VNET flow logs.

  5. Subnet Configuration: If necessary, update the subnet in the AAD configuration to include the flows for discovery.

Configuration Steps

Do the following:

  1. Configure an Azure subscription in AFA: Ensure that you have an Azure subscription onboarded to AFA. For instructions, see Add Microsoft Azure subscriptions in AFA.

    Note: Subscription Onboarding: Ensure that the Enterprise Application that is onboarded to AFA with the same subscription ID where the Log Analytics workspace is located.

  2. Set Workspace ID(s) per subscription: For each Azure subscription, configure the Workspace ID for the Azure Traffic Sensor, by editing the properties file located at /data/algosec-ms/config/ms-aad-azure-sensor-prod.properties.

    For each Azure subscription, add the Azure Device Name (from AFA) and list of Workspace IDs to the properties file as follows:

    azure.device.nameToWorkspaceIdMap.<DEVICE_NAME>=<WORKSPACE_ID1>,<WORKSPACE_ID2>

    for example:

    azure.device.nameToWorkspaceIdMap.azuresensor=3eb65d27-cda4-4d04-8bd6-04029be03d59

  3. Set Data Fetching Interval: Set the Azure sensor to retrieve data from the analytics workspace at either 10-minute or 60-minute intervals.

    Add the following line to the properties file located at /data/algosec-ms/config/ms-aad-azure-sensor-prod.properties:

    azure.log.collector.query.time.interval.minutes=60

  4. Set Fetch past data: When the Azure sensor is restarted or used for first time, add the following to the to the properties file to fetch the past data:

    azure.log.collector.query.initial.time.interval.hours=1

  5. Analytic Workspace Configuration: In the Azure Portal, configure a single analytic workspace to ingest either NSG or VNET flow logs, but not both.

  6. Restart the Azure Sensor service by running the following command:

    service ms-aad-azure-sensor restart

  7. Configure an Application Discovery subnet: for instructions see Configure an Application Discovery subnet.