High CPU Usage in NVA

Handy, Frederick 80

Network Watcher and Traffic flow logs will only show packets coming in and out. Is there a way to see the culprit of the high CPU usage in NVA from Azure internet ----> Azure Hub -----> Azure Spoke? I would like to see which source IP is actually generating the most traffic from Azure to Azure instead of Azure to On Prem.

Handy, Frederick 80 Reputation points

2025-01-07T17:31:56.71+00:00

I would also like to capture packets in the past and present, bytes in and bytes out to analyze the traffic.
Handy, Frederick 80 Reputation points

2025-01-07T22:17:37.95+00:00

@Sai Prasanna Sinde If the traffic is Azure's traffic, is there a way Microsoft can check to see if it's Azure's?
Handy, Frederick 80 Reputation points

2025-01-07T22:19:34.84+00:00

@Sai Prasanna Sinde If the traffic is Azure's traffic, is there a way Microsoft can check to see if it's Azure's?
Sai Prasanna Sinde 3,410 Reputation points Microsoft Vendor

2025-01-08T22:43:18.8433333+00:00
Hi @Handy, Frederick

Good day!

Please go through the below points for the Azure traffic analysis:

The traffic analytics processes data from NSG flow logs, which means it primarily analyzes traffic flowing through your Azure Network Security Groups. It sees traffic entering and leaving your Azure resources like VMs, subnets, VNets. For your reference: https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics-schema?tabs=nsg#:~:text=Traffic%20analytics%20is,packets%2C%20or%20flows. https://docs.azure.cn/en-us/network-watcher/nsg-flow-logs-overview#:~:text=NSG%20flow%20logs%20are%20written%20to%20storage%20accounts.%20You%20can%20export%2C%20process%2C%20analyze%2C%20and%20visualize%20NSG%20flow%20logs%20by%20using%20tools%20like%20Network%20Watcher%20traffic%20analytics%2C%20Splunk%2C%20Grafana%2C%20and%20Stealthwatch.

The traffic analytics can identify traffic to/from the internet and within your Azure environment and the tool distinguishes between traffic coming from or going to the public internet versus traffic flowing between your Azure resources. It can also identify traffic to Azure services. For your reference: https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics?tabs=Americas#:~:text=Traffic%20analytics%20is%20a%20cloud%2Dbased%20solution%20that%20provides%20visibility%20into%20user%20and%20application%20activity%20in%20your%20cloud%20networks.%20Specifically%2C%20traffic%20analytics%20analyzes%20Azure%20Network%20Watcher%20flow%20logs%20to%20provide%20insights%20into%20traffic%20flow%20in%20your%20Azure%20cloud.

By analyzing IP addresses and performing reverse DNS lookups, it can pinpoint the geographical location of traffic sources and destinations, including Azure regions

Traffic Analytics can help identify if an IP address involved in the traffic belongs to a known Azure IP address range. Microsoft publishes lists of Azure IP ranges for each region and service. For your reference: https://learn.microsoft.com/en-us/azure/devops/organizations/security/allow-list-ip-url?view=azure-devops&tabs=IP-V4

By identifying the source or destination Azure region associated with traffic, you can infer if the traffic is related to an Azure service or resource hosted in that region.

Traffic Analytics uses service tags to identify traffic associated with specific Azure services.

If traffic is associated with a service tag like Azure cloud or a more specific service tag, it indicates that the traffic is likely related to that Azure service.

Traffic Analytics flags traffic from known malicious IPs. If an IP is identified as malicious, it's less likely to be legitimate Azure traffic. For your reference: https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics-usage-scenarios#:~:text=Traffic%20distribution%20per%20Application,block%20the%20rogue%20networks.

Kindly let us know if the above helps or you need further assistance on this issue.

Thanks,

Sai.
Sai Prasanna Sinde 3,410 Reputation points Microsoft Vendor

2025-01-10T18:47:36.7633333+00:00

Hi @Handy, Frederick

Good day!

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.

Thanks,

Sai.
Sai Prasanna Sinde 3,410 Reputation points Microsoft Vendor

2025-01-13T18:58:12.0566667+00:00

Hi @Handy, Frederick

Greetings!

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.

Thanks,

Sai.

1 answer

Sai Prasanna Sinde 3,410 Reputation points Microsoft Vendor

2025-01-07T20:00:40.1033333+00:00
Hi @Handy, Frederick

Welcome to the Microsoft Q&A Platform. Thank you for posting your query here.

Please go through the below points:

Azure Monitor for VM provides detailed performance metrics, including CPU utilization, memory, and network traffic at the VM level. Since your NVA is likely an Azure VM, enable VM Insights. For your reference: https://learn.microsoft.com/en-us/azure/azure-monitor/vm/tutorial-monitor-vm-enable-insights#:~:text=You%20can%20view,to%20your%20requirements.

VM Insights can show you which processes running on your NVA VM are consuming the most CPU.

This can help you confirm if the high CPU is related to network processing or another process. For your reference: https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-overview#:~:text=It%20also%20monitors%20the%20performance%20of%20your%20virtual%20machines%20and%20virtual%20machine%20scale%20sets%20by%20collecting%20data%20on%20their%20running%20processes%20and%20dependencies%20on%20other%20resources.

While it won't explicitly show Azure-to-Azure internal IPs, VM Insights might reveal the top active network connections in terms of bytes sent/received.

If you see a large amount of traffic associated with an Azure internal IP range, it's a strong indicator of heavy Azure-to-Azure communication.

Combine VM Insights data with Network Watcher Flow Logs and perform more granular analysis in Log Analytics

In your flow logs, look for destination IPs within your Azure VNet ranges. This won't pinpoint the exact source, but it'll confirm if the traffic is internal to Azure.

Enable NSG flow logs (specifically version 2) on the NSGs associated with your Hub and Spoke VNets, particularly the ones connected to your NVA's subnets.

Use Log Analytics to query the flow logs, focusing on traffic within your Azure IP ranges. This can give you a better idea of which subnets are generating the most internal traffic.

Kindly let us know if the above helps or you need further assistance on this issue.

Thanks,

Sai.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

High CPU Usage in NVA

1 answer

Your answer