How to use tcpdump on a storage account network interface (private or public endpoints) or see active connected IPs

Chris Popescu 5 Reputation points
2025-01-22T17:58:09+00:00

Because of various upgrades and migrations I am trying to determine if certain storage accounts are still used or can be safely deleted.

Want to determine if they have any new or active sessions, by source IPs and their protocols. My assumption is that if they are idle for 31 days I can isolate them safely and delete afterwards without causing any incidents.

As I see there is no tcpdump capability or something that I can use for storage account IPs.

Please let me know what would be a safe way to log/monitor those new and existing connections.

Thank you.

C.

Azure Storage Accounts

2 answers

  1. Marcin Policht 32,660 Reputation points MVP
    2025-01-22T18:27:27.3133333+00:00

    Yep - that's not an option. You can try the Azure Monitor diagnostic logs for storage accounts instead. Azure Storage supports logging diagnostic data, including read, write, and delete requests. You can use this data to track activity.

    • Steps:
      1. Navigate to the Azure portal.
      2. Select the Storage Account you want to monitor.
      3. Go to Diagnostic settings under Monitoring.
      4. Create a new diagnostic setting to capture logs for the required categories:
        • Blob, File, Queue, Table (based on the services in use).
        • Enable Read, Write, and Delete operations.
      5. Send the logs to a Log Analytics workspace, Event Hub, or Storage Account for further analysis.
    • What to look for:
      • Source IPs: Use the callerIpAddress field in the logs to identify clients accessing the storage.
      • Protocols: Look for access methods (e.g., REST API calls, SMB for File shares, etc.).

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    1 person found this answer helpful.

  2. Keshavulu Dasari 3,095 Reputation points Microsoft Vendor
    2025-01-22T22:52:47.7166667+00:00

    Hi Chris Popescu ,

    Greetings & Welcome to Microsoft Q&A forum! Thanks for posting your query!

    Adding more information to the above response!

    To monitor new and existing connections to your storage accounts and determine if they are still in use, you can use Azure's built-in monitoring and logging tools.

    1. Enable Diagnostic Logs: Azure Storage accounts can generate diagnostic logs that provide detailed information about requests to the storage account. You can configure these logs to be sent to a Log Analytics workspace, archived to a storage account, or streamed to an event hub.

    Steps:

    1. Navigate to your storage account in the Azure portal.
    2. Select Diagnostic settings under the Monitoring section.
    3. Add a diagnostic setting and choose the types of logs you want to collect (e.g., Blob, Table, Queue, File).
    4. Select the destination for the logs (Log Analytics, storage account, or event hub).

    2. Use Log Analytics to Query Logs: Once you have enabled diagnostic logs and sent them to a Log Analytics workspace, you can use KQL to query the logs and identify active connections.

    Example KQL Query:

    AzureDiagnostics
    | where ResourceType == "STORAGEACCOUNTS"
    | where TimeGenerated > ago(31d)
    | summarize count() by CallerIPAddress, OperationName
    | order by count_ desc
    

    This query will show you the IP addresses and operations that have accessed the storage account in the last 31 days.

    3. Set Up Alerts: You can set up alerts based on the logs to notify you of any new or active connections.

    Steps:

    1. Navigate to your Log Analytics workspace in the Azure portal.
    2. Select Alerts under the Monitoring section.
    3. Create a new alert rule and define the conditions based on your KQL queries.
    4. Set up action groups to notify you via email, SMS, or other methods.

    4. Use Network Security Group Flow Logs: If your storage account is accessed via a virtual network, you can use NSG flow logs to monitor network traffic.

    Steps:

    1. Navigate to your Network Security Group in the Azure portal.
    2. Select NSG flow logs under the Monitoring section.
    3. Enable flow logs and send them to a storage account or Log Analytics workspace.

    By enabling diagnostic logs, using Log Analytics for querying, setting up alerts, and utilizing NSG flow logs, you can effectively monitor new and existing connections to your storage accounts. This will help you determine if they are still in use and can be safely deleted after a period of inactivity.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

    If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

    1 person found this answer helpful.
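Both answers come down to the same triage: collect the storage account's resource logs, group requests by caller IP, protocol and operation, and look at when each account was last touched. The KQL query in the second answer does this inside Log Analytics; the script below (an added example, not code from either answer or from Microsoft) does the same offline over log lines archived to a storage account, which is useful when the logs were sent there rather than to a workspace. It also handles two details a practitioner runs into: callerIpAddress carries the client's ephemeral port (including the bracketed IPv6 form), which must be stripped or every connection looks like a new client, and failed requests (4xx/5xx) are still evidence that some client is configured to talk to the account, so "idle" is tracked both with and without them. The sample lines are constructed; only callerIpAddress is confirmed by the thread, the other field names (time, operationName, protocol, statusCode, properties.accountName) are my assumptions about the resource-log JSON schema.

```python
"""Triage Azure Storage resource-log records by caller IP, protocol and
operation, and flag accounts that have shown no activity for N days."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real traffic). Field names are an
# assumption about the Azure Storage resource-log JSON schema; the thread
# only confirms callerIpAddress.
SAMPLE_LOG = """\
{"time": "2025-01-20T10:15:00.000Z", "category": "StorageRead", "operationName": "GetBlob", "callerIpAddress": "203.0.113.10:51234", "protocol": "HTTPS", "statusCode": 200, "properties": {"accountName": "stprodfiles"}}
{"time": "2025-01-21T09:00:00.000Z", "category": "StorageWrite", "operationName": "PutBlob", "callerIpAddress": "203.0.113.10:51300", "protocol": "HTTPS", "statusCode": 201, "properties": {"accountName": "stprodfiles"}}
{"time": "2025-01-21T09:05:00.000Z", "category": "StorageRead", "operationName": "GetFile", "callerIpAddress": "[2001:db8::7]:445", "protocol": "SMB", "statusCode": 200, "properties": {"accountName": "stprodfiles"}}
{"time": "2024-11-30T23:59:00.000Z", "category": "StorageRead", "operationName": "ListBlobs", "callerIpAddress": "198.51.100.5:40000", "protocol": "HTTPS", "statusCode": 200, "properties": {"accountName": "stlegacybackup"}}
{"time": "2025-01-22T08:00:00.000Z", "category": "StorageRead", "operationName": "GetBlob", "callerIpAddress": "198.51.100.9:40010", "protocol": "HTTPS", "statusCode": 403, "properties": {"accountName": "stlegacybackup"}}
"""

# Fixed "now" so the idle calculation is reproducible (assumed evaluation date).
REFERENCE_NOW = datetime(2025, 1, 23, tzinfo=timezone.utc)


def strip_port(caller: str) -> str:
    """Drop the client port from callerIpAddress so one client is not counted
    once per TCP connection. Handles 'a.b.c.d:port', '[v6]:port' and bare IPs."""
    if caller.startswith("["):
        return caller[1:caller.index("]")]
    if caller.count(":") == 1:          # IPv4 with port
        return caller.rsplit(":", 1)[0]
    return caller                       # bare IPv4, or bare IPv6 (no brackets)


def parse_records(text: str) -> list:
    """One JSON object per line, as in an archived resource-log blob."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(records, now, idle_days=31):
    """Group requests per account and per (ip, protocol, operation).

    'idle' is True only when nothing at all hit the account inside the window;
    'idle_by_success' ignores failed requests, which still prove a dependency."""
    cutoff = now - timedelta(days=idle_days)
    accounts = {}
    for rec in records:
        ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        name = rec["properties"]["accountName"]
        acct = accounts.setdefault(
            name, {"clients": defaultdict(int), "last_request": None, "last_success": None})
        key = (strip_port(rec["callerIpAddress"]), rec["protocol"], rec["operationName"])
        acct["clients"][key] += 1
        if acct["last_request"] is None or ts > acct["last_request"]:
            acct["last_request"] = ts
        if rec["statusCode"] < 400 and (acct["last_success"] is None or ts > acct["last_success"]):
            acct["last_success"] = ts
    for acct in accounts.values():
        acct["clients"] = dict(acct["clients"])
        acct["idle"] = acct["last_request"] < cutoff
        acct["idle_by_success"] = acct["last_success"] is None or acct["last_success"] < cutoff
    return accounts


def idle_accounts(summary, by_success=False):
    """Names of accounts that pass the idle threshold, sorted for stable output."""
    flag = "idle_by_success" if by_success else "idle"
    return sorted(name for name, acct in summary.items() if acct[flag])


if __name__ == "__main__":
    summary = summarize(parse_records(SAMPLE_LOG), REFERENCE_NOW)
    for name, acct in summary.items():
        print(f"{name}: last request {acct['last_request']:%Y-%m-%d}, "
              f"idle={acct['idle']}, idle_by_success={acct['idle_by_success']}")
        for (ip, proto, op), n in sorted(acct["clients"].items()):
            print(f"  {ip:<16} {proto:<5} {op:<10} {n}")
    print("idle (no requests):", idle_accounts(summary))
    print("idle (no successful requests):", idle_accounts(summary, by_success=True))
```

On the sample data stlegacybackup has had no successful request in the window but a client is still attempting (and being denied) access, so it shows up only under the stricter by_success view; that is the case where isolating the account first, as the question proposes, is the right step before deletion, because the denied client will surface in the logs.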
