Share via


Microsoft.Network networkWatchers/packetCaptures 2024-05-01

Bicep resource definition

The networkWatchers/packetCaptures resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/networkWatchers/packetCaptures resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Network/networkWatchers/packetCaptures@2024-05-01' = {
  parent: resourceSymbolicName
  name: 'string'
  properties: {
    bytesToCapturePerPacket: int
    captureSettings: {
      fileCount: int
      fileSizeInBytes: int
      sessionTimeLimitInSeconds: int
    }
    continuousCapture: bool
    filters: [
      {
        localIPAddress: 'string'
        localPort: 'string'
        protocol: 'string'
        remoteIPAddress: 'string'
        remotePort: 'string'
      }
    ]
    scope: {
      exclude: [
        'string'
      ]
      include: [
        'string'
      ]
    }
    storageLocation: {
      filePath: 'string'
      localPath: 'string'
      storageId: 'string'
      storagePath: 'string'
    }
    target: 'string'
    targetType: 'string'
    timeLimitInSeconds: int
    totalBytesPerSession: int
  }
}

Property Values

Microsoft.Network/networkWatchers/packetCaptures

Name Description Value
name The resource name string (required)
parent In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource.

For more information, see Child resource outside parent resource.
Symbolic name for resource of type: networkWatchers
properties Properties of the packet capture. PacketCaptureParametersOrPacketCaptureResultProperties (required)

PacketCaptureFilter

Name Description Value
localIPAddress Local IP Address to be filtered on. Notation: "127.0.0.1" for single address entry. "127.0.0.1-127.0.0.255" for range. "127.0.0.1;127.0.0.5"? for multiple entries. Multiple ranges not currently supported. Mixing ranges with multiple entries not currently supported. Default = null. string
localPort Local port to be filtered on. Notation: "80" for single port entry."80-85" for range. "80;443;" for multiple entries. Multiple ranges not currently supported. Mixing ranges with multiple entries not currently supported. Default = null. string
protocol Protocol to be filtered on. 'Any'
'TCP'
'UDP'
remoteIPAddress Local IP Address to be filtered on. Notation: "127.0.0.1" for single address entry. "127.0.0.1-127.0.0.255" for range. "127.0.0.1;127.0.0.5;" for multiple entries. Multiple ranges not currently supported. Mixing ranges with multiple entries not currently supported. Default = null. string
remotePort Remote port to be filtered on. Notation: "80" for single port entry."80-85" for range. "80;443;" for multiple entries. Multiple ranges not currently supported. Mixing ranges with multiple entries not currently supported. Default = null. string

PacketCaptureMachineScope

Name Description Value
exclude List of AzureVMSS instances which has to be excluded from the AzureVMSS from running packet capture. string[]
include List of AzureVMSS instances to run packet capture on. string[]

PacketCaptureParametersOrPacketCaptureResultProperties

Name Description Value
bytesToCapturePerPacket Number of bytes captured per packet, the remaining bytes are truncated. int

Constraints:
Min value = 0
Max value = 4294967295
captureSettings The capture setting holds the 'FileCount', 'FileSizeInBytes', 'SessionTimeLimitInSeconds' values. PacketCaptureSettings
continuousCapture This continuous capture is a nullable boolean, which can hold 'null', 'true' or 'false' value. If we do not pass this parameter, it would be consider as 'null', default value is 'null'. bool
filters A list of packet capture filters. PacketCaptureFilter[]
scope A list of AzureVMSS instances which can be included or excluded to run packet capture. If both included and excluded are empty, then the packet capture will run on all instances of AzureVMSS. PacketCaptureMachineScope
storageLocation The storage ___location for a packet capture session. PacketCaptureStorageLocation (required)
target The ID of the targeted resource, only AzureVM and AzureVMSS as target type are currently supported. string (required)
targetType Target type of the resource provided. 'AzureVM'
'AzureVMSS'
timeLimitInSeconds Maximum duration of the capture session in seconds. int

Constraints:
Min value = 0
Max value = 18000
totalBytesPerSession Maximum size of the capture output. int

Constraints:
Min value = 0
Max value = 4294967295

PacketCaptureSettings

Name Description Value
fileCount Number of file count. Default value of count is 10 and maximum number is 10000. int

Constraints:
Min value = 0
Max value = 10000
fileSizeInBytes Number of bytes captured per packet. Default value in bytes 104857600 (100MB) and maximum in bytes 4294967295 (4GB). int

Constraints:
Min value = 0
Max value = 4294967295
sessionTimeLimitInSeconds Maximum duration of the capture session in seconds is 604800s (7 days) for a file. Default value in second 86400s (1 day). int

Constraints:
Min value = 0
Max value = 604800

PacketCaptureStorageLocation

Name Description Value
filePath This path is invalid if 'Continuous Capture' is provided with 'true' or 'false'. A valid local path on the targeting VM. Must include the name of the capture file (*.cap). For linux virtual machine it must start with /var/captures. Required if no storage ID is provided, otherwise optional. string
localPath This path is valid if 'Continuous Capture' is provided with 'true' or 'false' and required if no storage ID is provided, otherwise optional. Must include the name of the capture file (*.cap). For linux virtual machine it must start with /var/captures. string
storageId The ID of the storage account to save the packet capture session. Required if no localPath or filePath is provided. string
storagePath The URI of the storage path to save the packet capture. Must be a well-formed URI describing the ___location to save the packet capture. string

ARM template resource definition

The networkWatchers/packetCaptures resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/networkWatchers/packetCaptures resource, add the following JSON to your template.

{
  "type": "Microsoft.Network/networkWatchers/packetCaptures",
  "apiVersion": "2024-05-01",
  "name": "string",
  "properties": {
    "bytesToCapturePerPacket": "int",
    "captureSettings": {
      "fileCount": "int",
      "fileSizeInBytes": "int",
      "sessionTimeLimitInSeconds": "int"
    },
    "continuousCapture": "bool",
    "filters": [
      {
        "localIPAddress": "string",
        "localPort": "string",
        "protocol": "string",
        "remoteIPAddress": "string",
        "remotePort": "string"
      }
    ],
    "scope": {
      "exclude": [ "string" ],
      "include": [ "string" ]
    },
    "storageLocation": {
      "filePath": "string",
      "localPath": "string",
      "storageId": "string",
      "storagePath": "string"
    },
    "target": "string",
    "targetType": "string",
    "timeLimitInSeconds": "int",
    "totalBytesPerSession": "int"
  }
}

Property Values

Microsoft.Network/networkWatchers/packetCaptures

Name Description Value
apiVersion The api version '2024-05-01'
name The resource name string (required)
properties Properties of the packet capture. PacketCaptureParametersOrPacketCaptureResultProperties (required)
type The resource type 'Microsoft.Network/networkWatchers/packetCaptures'

PacketCaptureFilter

Name Description Value
localIPAddress Local IP Address to be filtered on. Notation: "127.0.0.1" for single address entry. "127.0.0.1-127.0.0.255" for range. "127.0.0.1;127.0.0.5"? for multiple entries. Multiple ranges not currently supported. Mixing ranges with multiple entries not currently supported. Default = null. string
localPort Local port to be filtered on. Notation: "80" for single port entry."80-85" for range. "80;443;" for multiple entries. Multiple ranges not currently supported. Mixing ranges with multiple entries not currently supported. Default = null. string
protocol Protocol to be filtered on. 'Any'
'TCP'
'UDP'
remoteIPAddress Local IP Address to be filtered on. Notation: "127.0.0.1" for single address entry. "127.0.0.1-127.0.0.255" for range. "127.0.0.1;127.0.0.5;" for multiple entries. Multiple ranges not currently supported. Mixing ranges with multiple entries not currently supported. Default = null. string
remotePort Remote port to be filtered on. Notation: "80" for single port entry."80-85" for range. "80;443;" for multiple entries. Multiple ranges not currently supported. Mixing ranges with multiple entries not currently supported. Default = null. string

PacketCaptureMachineScope

Name Description Value
exclude List of AzureVMSS instances which has to be excluded from the AzureVMSS from running packet capture. string[]
include List of AzureVMSS instances to run packet capture on. string[]

PacketCaptureParametersOrPacketCaptureResultProperties

Name Description Value
bytesToCapturePerPacket Number of bytes captured per packet, the remaining bytes are truncated. int

Constraints:
Min value = 0
Max value = 4294967295
captureSettings The capture setting holds the 'FileCount', 'FileSizeInBytes', 'SessionTimeLimitInSeconds' values. PacketCaptureSettings
continuousCapture This continuous capture is a nullable boolean, which can hold 'null', 'true' or 'false' value. If we do not pass this parameter, it would be consider as 'null', default value is 'null'. bool
filters A list of packet capture filters. PacketCaptureFilter[]
scope A list of AzureVMSS instances which can be included or excluded to run packet capture. If both included and excluded are empty, then the packet capture will run on all instances of AzureVMSS. PacketCaptureMachineScope
storageLocation The storage ___location for a packet capture session. PacketCaptureStorageLocation (required)
target The ID of the targeted resource, only AzureVM and AzureVMSS as target type are currently supported. string (required)
targetType Target type of the resource provided. 'AzureVM'
'AzureVMSS'
timeLimitInSeconds Maximum duration of the capture session in seconds. int

Constraints:
Min value = 0
Max value = 18000
totalBytesPerSession Maximum size of the capture output. int

Constraints:
Min value = 0
Max value = 4294967295

PacketCaptureSettings

Name Description Value
fileCount Number of file count. Default value of count is 10 and maximum number is 10000. int

Constraints:
Min value = 0
Max value = 10000
fileSizeInBytes Number of bytes captured per packet. Default value in bytes 104857600 (100MB) and maximum in bytes 4294967295 (4GB). int

Constraints:
Min value = 0
Max value = 4294967295
sessionTimeLimitInSeconds Maximum duration of the capture session in seconds is 604800s (7 days) for a file. Default value in second 86400s (1 day). int

Constraints:
Min value = 0
Max value = 604800

PacketCaptureStorageLocation

Name Description Value
filePath This path is invalid if 'Continuous Capture' is provided with 'true' or 'false'. A valid local path on the targeting VM. Must include the name of the capture file (*.cap). For linux virtual machine it must start with /var/captures. Required if no storage ID is provided, otherwise optional. string
localPath This path is valid if 'Continuous Capture' is provided with 'true' or 'false' and required if no storage ID is provided, otherwise optional. Must include the name of the capture file (*.cap). For linux virtual machine it must start with /var/captures. string
storageId The ID of the storage account to save the packet capture session. Required if no localPath or filePath is provided. string
storagePath The URI of the storage path to save the packet capture. Must be a well-formed URI describing the ___location to save the packet capture. string

Usage Examples

Terraform (AzAPI provider) resource definition

The networkWatchers/packetCaptures resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/networkWatchers/packetCaptures resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/networkWatchers/packetCaptures@2024-05-01"
  name = "string"
  parent_id = "string"
  body = {
    properties = {
      bytesToCapturePerPacket = int
      captureSettings = {
        fileCount = int
        fileSizeInBytes = int
        sessionTimeLimitInSeconds = int
      }
      continuousCapture = bool
      filters = [
        {
          localIPAddress = "string"
          localPort = "string"
          protocol = "string"
          remoteIPAddress = "string"
          remotePort = "string"
        }
      ]
      scope = {
        exclude = [
          "string"
        ]
        include = [
          "string"
        ]
      }
      storageLocation = {
        filePath = "string"
        localPath = "string"
        storageId = "string"
        storagePath = "string"
      }
      target = "string"
      targetType = "string"
      timeLimitInSeconds = int
      totalBytesPerSession = int
    }
  }
}

Property Values

Microsoft.Network/networkWatchers/packetCaptures

Name Description Value
name The resource name string (required)
parent_id The ID of the resource that is the parent for this resource. ID for resource of type: networkWatchers
properties Properties of the packet capture. PacketCaptureParametersOrPacketCaptureResultProperties (required)
type The resource type "Microsoft.Network/networkWatchers/packetCaptures@2024-05-01"

PacketCaptureFilter

Name Description Value
localIPAddress Local IP Address to be filtered on. Notation: "127.0.0.1" for single address entry. "127.0.0.1-127.0.0.255" for range. "127.0.0.1;127.0.0.5"? for multiple entries. Multiple ranges not currently supported. Mixing ranges with multiple entries not currently supported. Default = null. string
localPort Local port to be filtered on. Notation: "80" for single port entry."80-85" for range. "80;443;" for multiple entries. Multiple ranges not currently supported. Mixing ranges with multiple entries not currently supported. Default = null. string
protocol Protocol to be filtered on. 'Any'
'TCP'
'UDP'
remoteIPAddress Local IP Address to be filtered on. Notation: "127.0.0.1" for single address entry. "127.0.0.1-127.0.0.255" for range. "127.0.0.1;127.0.0.5;" for multiple entries. Multiple ranges not currently supported. Mixing ranges with multiple entries not currently supported. Default = null. string
remotePort Remote port to be filtered on. Notation: "80" for single port entry."80-85" for range. "80;443;" for multiple entries. Multiple ranges not currently supported. Mixing ranges with multiple entries not currently supported. Default = null. string

PacketCaptureMachineScope

Name Description Value
exclude List of AzureVMSS instances which has to be excluded from the AzureVMSS from running packet capture. string[]
include List of AzureVMSS instances to run packet capture on. string[]

PacketCaptureParametersOrPacketCaptureResultProperties

Name Description Value
bytesToCapturePerPacket Number of bytes captured per packet, the remaining bytes are truncated. int

Constraints:
Min value = 0
Max value = 4294967295
captureSettings The capture setting holds the 'FileCount', 'FileSizeInBytes', 'SessionTimeLimitInSeconds' values. PacketCaptureSettings
continuousCapture This continuous capture is a nullable boolean, which can hold 'null', 'true' or 'false' value. If we do not pass this parameter, it would be consider as 'null', default value is 'null'. bool
filters A list of packet capture filters. PacketCaptureFilter[]
scope A list of AzureVMSS instances which can be included or excluded to run packet capture. If both included and excluded are empty, then the packet capture will run on all instances of AzureVMSS. PacketCaptureMachineScope
storageLocation The storage ___location for a packet capture session. PacketCaptureStorageLocation (required)
target The ID of the targeted resource, only AzureVM and AzureVMSS as target type are currently supported. string (required)
targetType Target type of the resource provided. 'AzureVM'
'AzureVMSS'
timeLimitInSeconds Maximum duration of the capture session in seconds. int

Constraints:
Min value = 0
Max value = 18000
totalBytesPerSession Maximum size of the capture output. int

Constraints:
Min value = 0
Max value = 4294967295

PacketCaptureSettings

Name Description Value
fileCount Number of file count. Default value of count is 10 and maximum number is 10000. int

Constraints:
Min value = 0
Max value = 10000
fileSizeInBytes Number of bytes captured per packet. Default value in bytes 104857600 (100MB) and maximum in bytes 4294967295 (4GB). int

Constraints:
Min value = 0
Max value = 4294967295
sessionTimeLimitInSeconds Maximum duration of the capture session in seconds is 604800s (7 days) for a file. Default value in second 86400s (1 day). int

Constraints:
Min value = 0
Max value = 604800

PacketCaptureStorageLocation

Name Description Value
filePath This path is invalid if 'Continuous Capture' is provided with 'true' or 'false'. A valid local path on the targeting VM. Must include the name of the capture file (*.cap). For linux virtual machine it must start with /var/captures. Required if no storage ID is provided, otherwise optional. string
localPath This path is valid if 'Continuous Capture' is provided with 'true' or 'false' and required if no storage ID is provided, otherwise optional. Must include the name of the capture file (*.cap). For linux virtual machine it must start with /var/captures. string
storageId The ID of the storage account to save the packet capture session. Required if no localPath or filePath is provided. string
storagePath The URI of the storage path to save the packet capture. Must be a well-formed URI describing the ___location to save the packet capture. string

Usage Examples

Terraform Samples

A basic example of deploying Configures Packet Capturing against a Virtual Machine using a Network Watcher.

terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}

provider "azapi" {
  skip_provider_registration = false
}

variable "resource_name" {
  type    = string
  default = "acctest0001"
}

variable "___location" {
  type    = string
  default = "westus"
}

resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  ___location = var.___location
}

resource "azapi_resource" "networkWatcher" {
  type      = "Microsoft.Network/networkWatchers@2024-05-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = "${var.resource_name}-nw"
  ___location  = var.___location
}

resource "azapi_resource" "virtualNetwork" {
  type      = "Microsoft.Network/virtualNetworks@2024-05-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = "${var.resource_name}-vnet"
  ___location  = var.___location
  body = {
    properties = {
      addressSpace = {
        addressPrefixes = ["10.0.0.0/16"]
      }
      dhcpOptions = {
        dnsServers = []
      }
      privateEndpointVNetPolicies = "Disabled"
    }
  }
}

resource "azapi_resource" "subnet" {
  type      = "Microsoft.Network/virtualNetworks/subnets@2024-05-01"
  parent_id = azapi_resource.virtualNetwork.id
  name      = "internal"
  body = {
    properties = {
      addressPrefix                     = "10.0.2.0/24"
      defaultOutboundAccess             = true
      delegations                       = []
      privateEndpointNetworkPolicies    = "Disabled"
      privateLinkServiceNetworkPolicies = "Enabled"
      serviceEndpointPolicies           = []
      serviceEndpoints                  = []
    }
  }
}

resource "azapi_resource" "networkInterface" {
  type      = "Microsoft.Network/networkInterfaces@2024-05-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = "${var.resource_name}-nic"
  ___location  = var.___location
  body = {
    properties = {
      enableAcceleratedNetworking = false
      enableIPForwarding          = false
      ipConfigurations = [{
        name = "ipconfig1"
        properties = {
          primary                   = true
          privateIPAddressVersion   = "IPv4"
          privateIPAllocationMethod = "Dynamic"
          subnet = {
            id = azapi_resource.subnet.id
          }
        }
      }]
    }
  }
}

resource "azapi_resource" "virtualMachine" {
  type      = "Microsoft.Compute/virtualMachines@2024-03-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = "${var.resource_name}-vm"
  ___location  = var.___location
  body = {
    properties = {
      hardwareProfile = {
        vmSize = "Standard_B1s"
      }
      networkProfile = {
        networkInterfaces = [{
          id = azapi_resource.networkInterface.id
          properties = {
            primary = true
          }
        }]
      }
      osProfile = {
        adminPassword = "Password1234!"
        adminUsername = "testadmin"
        computerName  = "${var.resource_name}-vm"
        linuxConfiguration = {
          disablePasswordAuthentication = false
        }
      }
      storageProfile = {
        imageReference = {
          offer     = "0001-com-ubuntu-server-jammy"
          publisher = "Canonical"
          sku       = "22_04-lts"
          version   = "latest"
        }
        osDisk = {
          caching      = "ReadWrite"
          createOption = "FromImage"
          managedDisk = {
            storageAccountType = "Standard_LRS"
          }
          name                    = "${var.resource_name}-osdisk"
          writeAcceleratorEnabled = false
        }
      }
    }
  }
}

resource "azapi_resource" "extension" {
  type      = "Microsoft.Compute/virtualMachines/extensions@2024-03-01"
  parent_id = azapi_resource.virtualMachine.id
  name      = "network-watcher"
  ___location  = var.___location
  body = {
    properties = {
      autoUpgradeMinorVersion = true
      enableAutomaticUpgrade  = false
      publisher               = "Microsoft.Azure.NetworkWatcher"
      suppressFailures        = false
      type                    = "NetworkWatcherAgentLinux"
      typeHandlerVersion      = "1.4"
    }
  }
}

resource "azapi_resource" "packetCapture" {
  type      = "Microsoft.Network/networkWatchers/packetCaptures@2024-05-01"
  parent_id = azapi_resource.networkWatcher.id
  name      = "${var.resource_name}-pc"
  body = {
    properties = {
      bytesToCapturePerPacket = 0
      storageLocation = {
        filePath = "/var/captures/packet.cap"
      }
      target               = azapi_resource.virtualMachine.id
      targetType           = "AzureVM"
      timeLimitInSeconds   = 18000
      totalBytesPerSession = 1073741824
    }
  }
}