
Technical Lab: Interpret virtual network flow logs

Questions

Question 1 - Multiple Choice

VNet flow logs record information about IP traffic passing through a virtual network. When analyzing a flow record, an engineer needs to determine whether a TCP connection was actually established or only attempted. Which record field allows this distinction?

A) The bytes sent field, as established connections always transfer more than zero bytes in both directions.

B) The flow state field (flowState), which indicates whether the flow was initiated, established, or terminated.

C) The action field (action), which records whether traffic was allowed or denied by the NSG or network policy.

D) The protocol field, as the TCP value combined with the destination port confirms that the connection was accepted by the destination.


Question 2 - Technical Scenario

A network engineer is investigating why a VM cannot communicate with an external service. He enables VNet flow logs and, after a few minutes, queries the records in Log Analytics. The query returns records with the following summarized structure:

flowTupleCount : 12
action : D
flowState : B
srcIP : 10.0.2.4
dstIP : 52.168.10.5
dstPort : 443
protocol : T

Based on this data, what is the correct interpretation of the observed behavior?

A) Traffic is being allowed, but the destination is refusing the connection on port 443.

B) Outbound traffic is being blocked before reaching the destination, as the recorded action indicates denial.

C) The flow was successfully established but terminated by the destination after data transfer.

D) The record indicates that traffic was blocked by a routing policy, not by an NSG.


Question 3 - Multiple Choice

An organization uses Traffic Analytics over VNet flow logs to gain visibility into network traffic. When comparing direct use of flow logs with Traffic Analytics, which operational difference is most relevant for near real-time decision making?

A) Flow logs store data for a maximum of 30 days, while Traffic Analytics retains data indefinitely in Log Analytics.

B) Traffic Analytics aggregates and processes flow logs at configurable intervals, introducing analysis latency that raw logs do not have.

C) Flow logs record only denied traffic, while Traffic Analytics also includes allowed traffic in the analysis.

D) Traffic Analytics replaces flow logs as the data source, disabling storage of raw records in the storage account.


Question 4 - Technical Scenario

A security team needs to identify which external IP addresses are generating the highest volume of inbound traffic to a specific VNet during a seven-day period. VNet flow logs are enabled and data is being sent to Log Analytics via Traffic Analytics.

Which approach solves this requirement most directly?

A) Query the JSON blobs in the storage account associated with flow logs, manually filtering by srcIP and summing bytes by source.

B) Use the Traffic Analytics dashboard in the Azure portal, which offers aggregated visualizations of external IPs by traffic volume without requiring manual queries.

C) Create an Azure Monitor alert based on VNet inbound byte metrics, grouped by source IP address.

D) Enable Network Watcher Connection Monitor to track inbound connections and generate volume reports by source IP.


Question 5 - True or False

VNet flow logs record traffic at the virtual network level and therefore automatically capture traffic between VNets connected via VNet peering, without the need to enable flow logs separately in each VNet involved in the communication.


Answer Key and Explanations

Answer Key - Question 1

Answer: B

Explanation:

  • The flowState field in VNet flow logs indicates the TCP flow state over time. Possible values include B (Begin), C (Continue), and E (End), allowing identification of whether a connection was only initiated, actively maintained, or terminated. This enables distinguishing connection attempts without response from actually established connections.
  • Option A is misleading because zero bytes in one direction can occur in legitimate connections (such as HTTP requests without response body) and is not a reliable indicator of establishment.
  • Option C confuses the security dimension (allowed/denied) with the connection state dimension; both fields exist but answer different questions.
  • Option D represents a layer misunderstanding: protocol and port describe the intent of the traffic; they don't confirm acceptance by the destination.

Answer Key - Question 2

Answer: B

Explanation:

  • In the VNet flow log format, the action field with value D means Deny, and the flowState field with value B means Begin, indicating that the flow was initiated but never established. The combination of these two values confirms that outbound traffic to 52.168.10.5:443 is being blocked at the source, probably by an NSG rule or network policy.
  • Option A is incorrect because action: D means traffic was blocked locally, not that it reached the destination and was refused.
  • Option C contradicts the action: D field; a flow terminated by the destination after transfer would appear with action: A and flowState: E.
  • Option D is incorrect because VNet flow logs record NSG and virtual network policy decisions; they don't distinguish routing blocks from policy blocks.
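The two-dimension reading used in the Question 1 and Question 2 keys (action for the security decision, flowState for the connection state) can be turned into a small triage script. This is an added example, not part of the original lab: it assumes the summarized `field : value` form shown in Question 2 and the single-letter codes the keys describe, and the records are constructed samples rather than real log output.

```python
"""Interpret summarized VNet flow log records by action and flowState.
Added example, not part of the original lab: it assumes the summarized
'field : value' form shown in Question 2 and the codes the answer key
describes (action A/D, flowState B/C/E); samples are constructed."""
from collections import Counter

# Combined reading of the security dimension (action) and the
# connection-state dimension (flowState), following the answer keys.
READINGS = {
    ("D", "B"): "blocked at source; flow never established",
    ("A", "B"): "allowed and initiated; no evidence yet of establishment",
    ("A", "C"): "allowed and established; still active",
    ("A", "E"): "allowed and established; terminated",
}

def parse_record(text):
    """Turn one 'field : value' block into a dict; counts and ports become ints."""
    rec = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        rec[key.strip()] = value.strip()
    for field in ("flowTupleCount", "dstPort"):
        if field in rec:
            rec[field] = int(rec[field])
    return rec

def interpret(rec):
    """Map a record's (action, flowState) pair to a human-readable reading."""
    key = (rec.get("action"), rec.get("flowState"))
    return READINGS.get(key, "unrecognized action/flowState combination")

def denied_destinations(records):
    """Triage helper: total denied flow tuples per (dstIP, dstPort)."""
    totals = Counter()
    for rec in records:
        if rec.get("action") == "D":
            totals[(rec["dstIP"], rec["dstPort"])] += rec.get("flowTupleCount", 0)
    return dict(totals)

# Constructed samples: the Question 2 record plus two contrasting flows.
SAMPLES = [parse_record(s) for s in (
    "flowTupleCount : 12\naction : D\nflowState : B\nsrcIP : 10.0.2.4\n"
    "dstIP : 52.168.10.5\ndstPort : 443\nprotocol : T",
    "flowTupleCount : 3\naction : A\nflowState : E\nsrcIP : 10.0.2.4\n"
    "dstIP : 10.0.3.7\ndstPort : 22\nprotocol : T",
    "flowTupleCount : 5\naction : D\nflowState : B\nsrcIP : 10.0.2.9\n"
    "dstIP : 52.168.10.5\ndstPort : 443\nprotocol : T",
)]
```

Running `interpret` over `SAMPLES` reproduces the Question 2 verdict for the first record, and `denied_destinations` shows which destination is accumulating denied tuples, which is the first thing to check against the NSG rules.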

Answer Key - Question 3

Answer: B

Explanation:

  • Traffic Analytics processes flow logs at configurable intervals (default 60 minutes, can be reduced to 10 minutes). This processing introduces inherent latency between when traffic occurs and when it appears in Traffic Analytics visualizations. For scenarios requiring near real-time reactivity, querying raw logs in Log Analytics may be more appropriate.
  • Option A is incorrect regarding retention: Traffic Analytics sends data to Log Analytics, where retention is configurable, but raw flow logs can also have configured retention; neither is unlimited by default.
  • Option C represents a fundamental misconception: flow logs record both allowed and denied traffic; Traffic Analytics doesn't change the data scope.
  • Option D is incorrect because Traffic Analytics consumes flow logs without replacing them; blobs continue to be written to the configured storage account.

Answer Key - Question 4

Answer: B

Explanation:

  • Traffic Analytics processes and aggregates flow logs, generating ready-made visualizations such as traffic map, top external IPs, known malicious flows, and port distribution. For the described requirement (volume by external IP over 7 days), the Traffic Analytics dashboard offers this view directly, without needing to build complex KQL queries or manually process JSON files.
  • Option A is technically feasible but operationally inefficient for a seven-day period with potentially large data volume; it's not the most direct approach.
  • Option C is incorrect because Azure Monitor metrics for VNets are not disaggregated by source IP; metrics are aggregated data, not per-flow records.
  • Option D describes a tool for monitoring outbound connectivity and latency between specific points, not for aggregating traffic volume by external source IP.

Answer Key - Question 5

Answer: False

Explanation:

  • VNet flow logs are enabled per VNet individually. Traffic crossing a peering is recorded from the perspective of each VNet separately. If only one VNet has flow logs enabled, only traffic processed by that VNet will be captured; traffic in the remote VNet will not be automatically recorded.
  • This distinction is important in hub-and-spoke architectures: enabling flow logs only on the hub doesn't capture internal spoke flows, even if traffic passes through the hub.
  • The common misconception is treating VNet peering as a transparent extension of the local VNet, when in practice each VNet maintains its own independent observability plane.