Is it possible to enable diagnostic settings for express route gateway resource?
Is it possible to enable diagnostic settings for express route gateway resource? If yes, how can we create a deploy if not exist policy to achieve it?
Azure ExpressRoute
Azure Policy
-
Sai Prasanna Sinde (Quadrant Resource LLC) 100 Reputation points • Microsoft Vendor
2024-09-10T08:34:07.5266667+00:00 Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
Resource Logs aren't collected and stored until you create a diagnostic setting and route them to one or more locations.
You can use different methods to work with the diagnostic settings, such as the Azure portal, the Azure CLI, PowerShell, and Azure Resource Manager.
Create diagnostic settings in Azure Monitor:
- To create diagnostic settings in Azure Monitor, please refer to the document below for guidance:
Create diagnostic settings at scale using Azure Policies and Initiatives:
- To create diagnostic settings by using Azure policies and initiatives, please refer to the document below for guidance:
https://video2.skills-academy.com/en-us/azure/azure-monitor/essentials/diagnostic-settings-policy
Built-in policies for Azure Monitor:
- To automatically enable diagnostic settings, you can use Azure Policy. Azure Policy has the option to “deployIfNotExists” when a new resource is created that doesn’t have the flow logs enabled.
- To create diagnostic settings by using built-in policies, please refer to the document below for guidance:
https://video2.skills-academy.com/en-us/azure/azure-monitor/essentials/diagnostics-settings-policies-deployifnotexists?tabs=portal
Enable logging by category group for ExpressRoute circuits to Event Hub/log analytics/storage:
- Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to Event Hub/storage account/log analytics for ExpressRoute circuits.
For Reference:
For Additional reference:
https://video2.skills-academy.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists
Kindly let us know if the above helps or you need further assistance on this issue.
-
Ajit Ramachandra Sane 0 Reputation points
2024-09-10T09:38:33.5866667+00:00 I don't have any queries on express route circuits; I want to configure diagnostic settings for express route gateway and VPN gateway. Please help how can we achieve it with a DINE policy.
-
Sai Prasanna Sinde (Quadrant Resource LLC) 100 Reputation points • Microsoft Vendor
2024-09-11T12:50:57.6966667+00:00 Thanks for getting back.
- Create and assign a DINE policy:
  - You will need to create a DINE policy that specifically targets both ExpressRoute and VPN Gateway resources:
  - Open Azure Portal > Search for Azure Policy > Select Policy
  - Create policy definition: Create policies that define the diagnostic settings needed. Use built-in policy definitions where available or create custom definitions for your specific requirements. For your reference: https://video2.skills-academy.com/en-us/azure/azure-monitor/essentials/diagnostic-settings-policy#built-in-policy-definitions-for-azure-monitor
  - Use category groups: You can utilize log category groups to streamline the process of creating and applying diagnostic settings. Group similar types of logs together for easier management. For your reference: https://video2.skills-academy.com/en-us/azure/azure-monitor/essentials/diagnostic-settings-policy#log-category-groups
- Enable Diagnostic settings for Express Route:
  - Ensure you specify which categories of logs to collect. This can include metrics like availability, throughput, packet drops, and gateway metrics. The categories for Azure ExpressRoute are referenced in Azure ExpressRoute monitoring documentation. For your reference: https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/expressroute/monitor-expressroute-reference.md#supported-metrics-for-microsoftnetworkexpressroutegateways
  - In your policy, define where the logs will be sent; options typically include Log Analytics workspaces, Azure Storage, or Event Hubs.
- Enable Diagnostic settings for VPN Gateway:
  - In the same DINE policy, ensure you include the necessary categories for the VPN Gateway logs, such as Gateway Diagnostic Log and TunnelDiagnosticLog.
  - As you configure the settings, make sure to detail which specific logs you want to be collected and directed to your defined storage settings.
  - If you want to enable the diagnostic setting for VPN Gateway through Azure Monitor, you can get the below resource logs once you enable VPN diagnostics. For your reference: https://video2.skills-academy.com/en-us/azure/vpn-gateway/monitor-vpn-gateway-reference#resource-logs-details
  - In your Azure portal, search for Monitor. Go to Diagnostics settings blade within Monitor and search for your VPN gateway in which you would like to enable diagnostics. To turn on diagnostics, double-click the gateway and then select Turn on diagnostics. Fill in the details and ensure that Send to Log Analytics and TunnelDiagnosticLog are selected. Choose the Log Analytics Workspace where you want to send the logs to. It may take a few hours for the data to show up initially.
- After creating diagnostic settings:
  - Assign the created policy to your desired resource group or subscription, allowing diagnostic settings to be automatically applied as new resources (ExpressRoute or VPN Gateway) are created. For your reference: https://video2.skills-academy.com/en-us/azure/azure-monitor/essentials/diagnostic-settings-policy#assignment
  - Utilize the policy evaluation tools in Azure Policy to monitor compliance and ensure that diagnostic settings are in place. You can also create remediation actions if necessary. For your reference: https://video2.skills-academy.com/en-us/azure/azure-monitor/essentials/diagnostic-settings-policy#remediation
Kindly let us know if the above helps or you need further assistance on this issue.
-
Sai Prasanna Sinde (Quadrant Resource LLC) 100 Reputation points • Microsoft Vendor
2024-09-12T16:26:04.5533333+00:00 Following up to see if the above suggestion was helpful. And, if you have any further queries do let us know. We are happy to assist you.
Thanks.
-
Sai Prasanna Sinde (Quadrant Resource LLC) 100 Reputation points • Microsoft Vendor
2024-09-13T17:07:05.74+00:00 Following up to see if you had got a chance to see the above response to your query. And, if you have any further queries do let us know. We are happy to assist you.
Thanks.