Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
Thanks for getting back.
- Create and assign a DINE policy:
  - You will need to create a DINE policy that specifically targets both ExpressRoute and VPN Gateway resources:
  - Open Azure Portal > Search for Azure Policy > Select Policy
  - Create policy definition: Create policies that define the diagnostic settings needed. Use built-in policy definitions where available or create custom definitions for your specific requirements. For your reference: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings-policy#built-in-policy-definitions-for-azure-monitor
  - Use category groups: You can utilize log category groups to streamline the process of creating and applying diagnostic settings. Group similar types of logs together for easier management. For your reference: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings-policy#log-category-groups
- Enable Diagnostic settings for Express Route:
  - Ensure you specify which categories of logs to collect. This can include metrics like availability, throughput, packet drops, and gateway metrics. The categories for Azure ExpressRoute are referenced in the Azure ExpressRoute monitoring documentation. For your reference: https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/expressroute/monitor-expressroute-reference.md#supported-metrics-for-microsoftnetworkexpressroutegateways
  - In your policy, define where the logs will be sent; options typically include Log Analytics workspaces, Azure Storage, or Event Hubs.
- Enable Diagnostic settings for VPN Gateway:
  - In the same DINE policy, ensure you include the necessary categories for the VPN Gateway logs, such as GatewayDiagnosticLog and TunnelDiagnosticLog.
  - As you configure the settings, make sure to detail which specific logs you want to be collected and directed to your defined storage settings.
  - If you want to enable diagnostic settings for VPN Gateway through Azure Monitor, you can get the below resource logs once you enable VPN diagnostics. For your reference: https://learn.microsoft.com/en-us/azure/vpn-gateway/monitor-vpn-gateway-reference#resource-logs-details
  - In your Azure portal, search for Monitor. Go to the Diagnostic settings blade within Monitor and search for the VPN gateway for which you would like to enable diagnostics. To turn on diagnostics, double-click the gateway and then select Turn on diagnostics. Fill in the details and ensure that Send to Log Analytics and TunnelDiagnosticLog are selected. Choose the Log Analytics Workspace where you want to send the logs to. It may take a few hours for the data to show up initially.
- After creating diagnostic settings:
  - Assign the created policy to your desired resource group or subscription, allowing diagnostic settings to be automatically applied as new resources (ExpressRoute or VPN Gateway) are created. For your reference: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings-policy#assignment
  - Utilize the policy evaluation tools in Azure Policy to monitor compliance and ensure that diagnostic settings are in place. You can also create remediation actions if necessary. For your reference: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings-policy#remediation
Kindly let us know if the above helps or you need further assistance on this issue.
If the answer is helpful, please click "Accept Answer" and "Upvote it" so that other community members can find the right answers.
Thanks,
Sai Prasanna.
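The procedure above (define a DINE policy, enable the gateway log categories via a category group, then assign and check compliance) as one worked example. This is added code, not part of the answer or of any Microsoft sample: it builds the DeployIfNotExists policy definition as JSON and then runs a simplified, local stand-in for Azure Policy's evaluation over a constructed inventory so you can see which gateways a remediation task would touch. It assumes that VPN and ExpressRoute gateways share the `Microsoft.Network/virtualNetworkGateways` type (ExpressRoute circuits are a separate type and would need a sibling definition), that the workspace ID, gateway names and the `setByPolicy` setting name are placeholders, and that the two role definition IDs match the Log Analytics Contributor and Monitoring Contributor roles in your tenant.

```python
"""Added example: build a DeployIfNotExists (DINE) policy for gateway
diagnostic settings and check constructed resources against it locally."""
import json

# Assumption: VPN and ExpressRoute gateways in a VNet share this type, so one
# definition covers both; ExpressRoute circuits would need a sibling policy.
TARGET_TYPE = "Microsoft.Network/virtualNetworkGateways"
WORKSPACE_PARAM = "[parameters('logAnalytics')]"
ALIAS_PREFIX = "Microsoft.Insights/diagnosticSettings/"
# Role IDs the built-in diagnostic-settings policies grant to the assignment's
# managed identity (Log Analytics Contributor, Monitoring Contributor); verify
# them in your tenant before use.
ROLE_IDS = [
    "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
    "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
]


def build_dine_policy(setting_name="setByPolicy"):
    """Return the policy definition as a dict. The deployment uses the
    'allLogs' category group, so GatewayDiagnosticLog, TunnelDiagnosticLog and
    any category added later are enabled without listing each one."""
    template = {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {"resourceName": {"type": "string"}, "logAnalytics": {"type": "string"}},
        "resources": [{
            "type": f"{TARGET_TYPE}/providers/diagnosticSettings",
            "apiVersion": "2021-05-01-preview",
            "name": f"[concat(parameters('resourceName'), '/Microsoft.Insights/{setting_name}')]",
            "properties": {
                "workspaceId": WORKSPACE_PARAM,
                "logs": [{"categoryGroup": "allLogs", "enabled": True}],
                "metrics": [{"category": "AllMetrics", "enabled": True}],
            },
        }],
    }
    return {
        "mode": "Indexed",
        "parameters": {"logAnalytics": {"type": "String", "metadata": {
            "displayName": "Log Analytics workspace", "strongType": "omsWorkspace"}}},
        "policyRule": {
            "if": {"field": "type", "equals": TARGET_TYPE},
            "then": {"effect": "DeployIfNotExists", "details": {
                "type": "Microsoft.Insights/diagnosticSettings",
                "roleDefinitionIds": ROLE_IDS,
                # Compliant only if a setting already targets the chosen
                # workspace with every log entry enabled.
                "existenceCondition": {"allOf": [
                    {"field": ALIAS_PREFIX + "workspaceId", "equals": WORKSPACE_PARAM},
                    {"field": ALIAS_PREFIX + "logs[*].enabled", "equals": "true"},
                ]},
                "deployment": {"properties": {
                    "mode": "incremental", "template": template,
                    "parameters": {"resourceName": {"value": "[field('name')]"},
                                   "logAnalytics": {"value": WORKSPACE_PARAM}},
                }},
            }},
        },
    }


def _resolve_alias(setting, alias):
    """Resolve the two alias shapes used above against one diagnostic setting."""
    path = alias[len(ALIAS_PREFIX):]
    props = setting["properties"]
    if path.startswith("logs[*]."):
        return [entry.get(path[len("logs[*]."):]) for entry in props.get("logs", [])]
    return props.get(path)


def _condition_holds(cond, setting, params):
    expected = params["logAnalytics"] if cond["equals"] == WORKSPACE_PARAM else cond["equals"]
    actual = _resolve_alias(setting, cond["field"])
    if isinstance(actual, list):  # [*] alias: every element must match
        return bool(actual) and all(str(v).lower() == str(expected).lower() for v in actual)
    return actual == expected


def evaluate(policy, resource, params):
    """Simplified stand-in for Azure Policy evaluation of one resource.
    'NonCompliant' is the state a remediation task fixes by deploying the template."""
    rule = policy["policyRule"]
    if resource["type"] != rule["if"]["equals"]:
        return "NotApplicable"
    conditions = rule["then"]["details"]["existenceCondition"]["allOf"]
    for setting in resource.get("diagnosticSettings", []):
        if all(_condition_holds(c, setting, params) for c in conditions):
            return "Compliant"
    return "NonCompliant"


def compliance_report(policy, inventory, params):
    return {r["name"]: evaluate(policy, r, params) for r in inventory}


# Constructed placeholders: workspace ID and an inventory with a correctly wired
# VPN gateway, an ExpressRoute gateway with no setting, a VPN gateway sending to
# the wrong workspace, and a storage account the policy should ignore.
WORKSPACE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-monitor"
             "/providers/Microsoft.OperationalInsights/workspaces/law-hub")
PARAMS = {"logAnalytics": WORKSPACE}
INVENTORY = [
    {"name": "vpngw-hub", "type": TARGET_TYPE, "gatewayType": "Vpn", "diagnosticSettings": [
        {"properties": {"workspaceId": WORKSPACE, "logs": [{"categoryGroup": "allLogs", "enabled": True}]}}]},
    {"name": "ergw-hub", "type": TARGET_TYPE, "gatewayType": "ExpressRoute", "diagnosticSettings": []},
    {"name": "vpngw-branch", "type": TARGET_TYPE, "gatewayType": "Vpn", "diagnosticSettings": [
        {"properties": {"workspaceId": WORKSPACE + "-old", "logs": [{"category": "TunnelDiagnosticLog", "enabled": True}]}}]},
    {"name": "stlogs", "type": "Microsoft.Storage/storageAccounts"},
]

if __name__ == "__main__":
    policy = build_dine_policy()
    print(json.dumps(policy, indent=2))  # save as the --rules file for az policy definition create
    for name, state in compliance_report(policy, INVENTORY, PARAMS).items():
        print(f"{name:14} {state}")
```

Save the printed definition and create it with `az policy definition create --rules <file>`; when you assign it, the assignment needs a system-assigned managed identity holding the roles in `roleDefinitionIds`, and existing gateways that the report marks NonCompliant are only fixed after you create a remediation task (`az policy remediation create`), since DINE runs on its own only for newly created or updated resources.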