Check connectivity

Establishing and maintaining connectivity status in your multi-cloud and hybrid cloud estate is critical for detecting configuration issues and effectively managing network security. This topic describes how to check the connectivity status of your onboarded resources in AppViz.

Check connectivity for the hybrid network

For Azure NSG Policies

Note: ASMS Integration, a one-time task, needs to be executed before connectivity can be checked for the hybrid network. See ASMS integration to SaaS services.

The connectivity check runs a traffic simulation query on ASMS with the subject rule fields (source, destination and service). Cloud-specific elements (e.g. service tags, Virtual Network, ASG, etc.) are translated to the IP-equivalent content based on the target NSG configuration.

The connectivity check in AppViz allows you to observe how traffic is routed and whether it’s allowed across your entire hybrid network (that is, across NSGs, firewalls, routers, etc. deployed on cloud and/or on-prem).

To run a connectivity check

Here are some points to remember when running Connectivity checks:

  • A connectivity check result link is available for 12 hours and visible to all users viewing the subject policy set.

  • If the Connectivity icon is disabled (grey), hovering over it will display the reason this connectivity check cannot currently be performed.

  • If the Connectivity icon animation is active, the connectivity check is in progress; wait for the results.

  • The connectivity check may take up to an hour, depending on how wide or narrow the rule fields are.

  • When a rule can be expanded using the downward arrow on the right side of the screen, you must expand it and run connectivity on each NSG separately.

Do the following:

  • In the policy set details, click the enabled (blue) Connectivity icon in the Risk column of the rule you want to check.

Reviewing connectivity check results

On the AppViz Azure network policy page from where the connectivity check is initiated, results are color-coded according to this legend:

Partially Allowed - Some traffic is allowed and some is blocked by the devices in the query path.

Allowed - All traffic is allowed by all the devices in the query path.

Blocked - All traffic is blocked by all the devices in the query path.

Hover over the information icon next to any Results link for further details.

You should be able to log in to the connected ASMS instance from your browser.

When you click on the connectivity check result, if you are not yet logged in to ASMS, you will be directed to do so.

Connectivity checks display the matching ASMS traffic simulation query results in a separate browser tab where all standard ASMS traffic simulation query functionality is available.

Change detection from outside AppViz

When changes are detected in a security control managed by AppViz, AppViz merges the changes into any relevant policy set.

AppViz attempts to merge the changes even if the relevant policy set is currently in draft mode or being edited by another user. These changes are reflected in the network policies page when it is freshly accessed. If the network policies page is already open in a browser tab, you may need to refresh it.