Microsoft Azure Virtual Machines Traffic Inspection
In this tutorial I analyze and observe various network traffic protocols between Azure Virtual Machines with Wireshark. This is a great exercise for anyone who wants to learn about and observe network traffic in a controlled environment.
Environments and Technologies Used
Microsoft Azure Virtual Machines, abbreviated VM. The VMs host the software used to generate and analyze the traffic being sent.
Remote Desktop Protocol (RDP) is used to connect to the virtual machines, and it is one type of traffic observed in Wireshark.
Various command-line tools are used, such as Command Prompt for ping commands and PowerShell to SSH into the second virtual machine.
Network protocols (SSH, RDP, DNS, ICMP, DHCP) are observed in Wireshark as both VMs communicate with each other under various commands.
Wireshark is the network traffic analyzer used to observe the different types of traffic being sent between both VMs.
Operating Systems Used
Windows 10 (21H2)
Ubuntu Server 20.04
Prerequisites
Creating the virtual machines
Step 1.a – After signing in to your Azure account, go into Resource Groups and create a Resource Group.
1.b Give the resource group a name (click review and create).
1.c Then click create and wait a few moments.
1.d The resource group is created.
Step 2.a – Create two Virtual Machines. One Windows and one Linux (as displayed below).
2.b Choose the resource group, name, region and operating system for the VM. Then click review and create.
2.c Choose the size, create a username and password, click the confirm box, then click review and create.
2.d Also create a VM using Ubuntu as the operating system.
2.e The virtual machine has been created.
Step 3 – Log in to VM1 using its IP address.
Step 4 – After logging in to the VM, open Microsoft Edge and install Wireshark.
Now that you have logged in you can continue on to the traffic observation steps detailed below.
Actions and Observations
These observations are made by entering commands that correspond to the type of traffic one wishes to observe and then filtering Wireshark by the corresponding traffic type.
Below is RDP (Remote Desktop Protocol) traffic observation after filtering for RDP traffic in Wireshark.
Below is DHCP (Dynamic Host Configuration Protocol) traffic observation using Wireshark.
Below is DNS (Domain Name System) traffic observation using Wireshark.
Below is SSH (Secure Shell) traffic observation using Wireshark.
Below are the steps for ICMP (Internet Control Message Protocol) traffic observation: first a perpetual ping, then the ICMP traffic stopping after the inbound firewall rule is set.
1. Run the perpetual ping command against VM2 and observe the ICMP traffic.
2. Change the inbound firewall rule to deny ICMP traffic.
3. Observe that the ping request times out after the firewall rule is put in place (note – the ping request timed out because the firewall rule denied the ICMP traffic and blocked it).
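Why the ping stops after step 2 comes down to how Azure evaluates inbound network security group (NSG) rules: lowest priority number first, first match wins, with Azure's default rules (AllowVnetInBound at 65000, DenyAllInBound at 65500) evaluated last. The following is an added example, not part of the tutorial, that models this evaluation in Python; the VNet range 10.0.0.0/16, the VM addresses and the rule name DenyICMP are assumed for illustration.

```python
"""Simplified model of Azure NSG inbound rule evaluation (added example).

Custom rules use priorities 100-4096; Azure appends its default rules at
65000+. Rules are checked in ascending priority and the first match decides.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

VNET = ip_network("10.0.0.0/16")  # assumed address space of the lab VNet


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number is evaluated first
    protocol: str    # "Tcp", "Udp", "Icmp" or "*"
    source: str      # CIDR, the "VirtualNetwork" service tag, or "*"
    dest_port: str   # single port, "a-b" range, or "*"
    access: str      # "Allow" or "Deny"


# Default inbound rules Azure attaches to every NSG (names/priorities are Azure's).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "*", "VirtualNetwork", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

# The rule added in step 2: deny ICMP from anywhere (constructed name).
DENY_ICMP = Rule("DenyICMP", 100, "Icmp", "*", "*", "Deny")


def _source_matches(spec: str, src: str) -> bool:
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip_address(src) in VNET
    return ip_address(src) in ip_network(spec, strict=False)


def _port_matches(spec: str, port: Optional[int]) -> bool:
    if spec == "*" or port is None:   # ICMP has no port, so only "*" can match it
        return spec == "*"
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate_inbound(rules: List[Rule], protocol: str, src: str,
                     dest_port: Optional[int]) -> Tuple[str, str]:
    """Return (access, rule name) of the first rule matching the packet."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if _source_matches(rule.source, src) and _port_matches(rule.dest_port, dest_port):
            return rule.access, rule.name
    return "Deny", "implicit"   # not reached: DenyAllInBound always matches


if __name__ == "__main__":
    print(evaluate_inbound([], "Icmp", "10.0.0.4", None))           # ('Allow', 'AllowVnetInBound')
    print(evaluate_inbound([DENY_ICMP], "Icmp", "10.0.0.4", None))  # ('Deny', 'DenyICMP')
```

In Wireshark this shows up as echo requests from VM1 with no echo replies, because the deny rule at priority 100 is matched before AllowVnetInBound, while SSH from the same VM is still allowed.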