diff --git a/Workbooks/Traffic Analytics/VNet/ERGateway/ERGateway.workbook b/Workbooks/Traffic Analytics/VNet/ERGateway/ERGateway.workbook
index c3f5910adb..9c8628a158 100644
--- a/Workbooks/Traffic Analytics/VNet/ERGateway/ERGateway.workbook
+++ b/Workbooks/Traffic Analytics/VNet/ERGateway/ERGateway.workbook
@@ -260,7 +260,7 @@ "multiSelect": true, "quote": "'", "delimiter": ",", - "query": "(NTATopologyDetails\r\n| where SubType == 'Topology'\r\n and AzureResourceType == 'VirtualNetworkGatewayConnection'\r\n and ConnectionType == 'ExpressRoute' \r\n//project connname, gateway here onwards \r\n| extend ConnectionName = strcat(Subscription, '/', Name)\r\n//filters\r\n | where iff({timeInterval:seconds} < 86400, TimeGenerated between (datetime_add('day', -1, todatetime('{timeInterval:endISO}')) .. todatetime('{timeInterval:endISO}')), TimeGenerated between (todatetime('{timeInterval:startISO}') .. todatetime('{timeInterval:endISO}')))\r\n | where isnotempty(Subscription) and iff(\"{subscriptions}\" == \"'*'\", true, Subscription in~ ({subscriptions}))\r\n | extend rgToCheck = split(Name, '/')[0]\r\n | where iff(\"{resourceGroups}\" == \"'*'\", true, rgToCheck in~ ({resourceGroups}))\r\n | extend vnet1ToCheck = VirtualNetwork1, vnet2ToCheck = VirtualNetwork2\r\n | where iff(\"{vnets}\" == \"'*'\", true, vnet1ToCheck in ({vnets})) or iff(\"{vnets}\" == \"'*'\", true, vnet2ToCheck in ({vnets}))\r\n//\r\n| project ConnectionName, Gateway = VirtualNetworkGateway1\r\n| distinct Gateway, ConnectionName)\r\n| join kind = inner (NTANetAnalytics\r\n| where SubType == 'FlowLog' and TimeGenerated between (todatetime('{timeInterval:startISO}') .. datetime_add('day', 7, todatetime('{timeInterval:endISO}'))) and (FaSchemaVersion == '3') and FlowStartTime between (datetime('{timeInterval:startISO}') .. 
datetime('{timeInterval:endISO}'))\r\n | extend ConnectionNameSplit = split(ConnectionName, '/')\r\n | extend subscription1ToCheck = tostring(ConnectionNameSplit[0])\r\n | where iff(\"{subscriptions}\" == \"'*'\", true, SrcSubscription in~ ({subscriptions}))\r\n | extend rg1ToCheck = tostring(ConnectionNameSplit[1])\r\n | where iff(\"{resourceGroups}\" == \"'*'\", true, rg1ToCheck in~ ({resourceGroups})) \r\n | where iff(\"{erGatewayConnections}\" == \"'*'\", true, ConnectionName in~ ({erGatewayConnections}))\r\n| where FlowType == 'S2S' and ConnectionType == 'ExpressRoute')\r\non ConnectionName\r\n | extend \r\n AllowedInboundBytesAtSrc = iff(FlowStatus == 'Allowed' and FlowDirection == 'Outbound', tolong(BytesDestToSrc), 0), \r\n BlockedInboundBytesAtSrc = iff(FlowStatus == 'Denied' and FlowDirection == 'Outbound', tolong(BytesDestToSrc), 0), \r\n AllowedOutboundBytesAtSrc = iff(FlowStatus == 'Allowed' and FlowDirection == 'Outbound', tolong(BytesSrcToDest), 0), \r\n BlockedOutboundBytesAtSrc = iff(FlowStatus == 'Denied' and FlowDirection == 'Outbound', tolong(BytesSrcToDest), 0), \r\n AllowedInboundBytesAtDest = iff(FlowStatus == 'Allowed' and FlowDirection == 'Inbound', tolong(BytesDestToSrc), 0), \r\n BlockedInboundBytesAtDest = iff(FlowStatus == 'Denied' and FlowDirection == 'Inbound', tolong(BytesDestToSrc), 0), \r\n AllowedOutboundBytesAtDest = iff(FlowStatus == 'Allowed' and FlowDirection == 'Inbound', tolong(BytesSrcToDest), 0), \r\n BlockedOutboundBytesAtDest = iff(FlowStatus == 'Denied' and FlowDirection == 'Inbound', tolong(BytesSrcToDest), 0)\r\n | extend \r\n AllowedInboundPacketsAtSrc = iff(FlowStatus == 'Allowed' and FlowDirection == 'Outbound', tolong(PacketsDestToSrc), 0), \r\n BlockedInboundPacketsAtSrc = iff(FlowStatus == 'Denied' and FlowDirection == 'Outbound', tolong(PacketsDestToSrc), 0), \r\n AllowedOutboundPacketsAtSrc = iff(FlowStatus == 'Allowed' and FlowDirection == 'Outbound', tolong(PacketsSrcToDest), 0), \r\n 
BlockedOutboundPacketsAtSrc = iff(FlowStatus == 'Denied' and FlowDirection == 'Outbound', tolong(PacketsSrcToDest), 0), \r\n AllowedInboundPacketsAtDest = iff(FlowStatus == 'Allowed' and FlowDirection == 'Inbound', tolong(PacketsDestToSrc), 0), \r\n BlockedInboundPacketsAtDest = iff(FlowStatus == 'Denied' and FlowDirection == 'Inbound', tolong(PacketsDestToSrc), 0), \r\n AllowedOutboundPacketsAtDest = iff(FlowStatus == 'Allowed' and FlowDirection == 'Inbound', tolong(PacketsSrcToDest), 0), \r\n BlockedOutboundPacketsAtDest = iff(FlowStatus == 'Denied' and FlowDirection == 'Inbound', tolong(PacketsSrcToDest), 0)\r\n | extend AllowedOutbound_inferred = max_of(AllowedOutFlows, AllowedInFlows + DeniedInFlows)\r\n | extend Outbound = AllowedOutbound_inferred + DeniedOutFlows, Inbound = AllowedOutbound_inferred\r\n | extend FlowCount = max_of(Inbound, Outbound)\r\n | extend AllowedOutboundBytesAtSrc_inferred = max_of(AllowedOutboundBytesAtSrc, AllowedInboundBytesAtDest + BlockedInboundBytesAtDest)\r\n | extend AllowedOutboundBytesAtDest_inferred = max_of(AllowedOutboundBytesAtDest, AllowedInboundBytesAtSrc + BlockedInboundBytesAtSrc)\r\n | extend OutboundBytesAtSrc = AllowedOutboundBytesAtSrc_inferred + BlockedOutboundBytesAtSrc, InboundBytesAtSrc = AllowedOutboundBytesAtDest_inferred\r\n | extend OutboundBytesAtDest = AllowedOutboundBytesAtDest_inferred + BlockedOutboundBytesAtDest, InboundBytesAtDest = AllowedOutboundBytesAtSrc_inferred\r\n | extend BytesCount = max_of(OutboundBytesAtSrc, InboundBytesAtDest) + max_of(OutboundBytesAtDest, InboundBytesAtSrc)\r\n | extend AllowedOutboundPacketsAtSrc_inferred = max_of(AllowedOutboundPacketsAtSrc, AllowedInboundPacketsAtDest + BlockedInboundPacketsAtDest)\r\n | extend AllowedOutboundPacketsAtDest_inferred = max_of(AllowedOutboundPacketsAtDest, AllowedInboundPacketsAtSrc + BlockedInboundPacketsAtSrc)\r\n | extend OutboundPacketsAtSrc = AllowedOutboundPacketsAtSrc_inferred + BlockedOutboundPacketsAtSrc, InboundPacketsAtSrc = 
AllowedOutboundPacketsAtDest_inferred\r\n | extend OutboundPacketsAtDest = AllowedOutboundPacketsAtDest_inferred + BlockedOutboundPacketsAtDest, InboundPacketsAtDest = AllowedOutboundPacketsAtSrc_inferred\r\n | extend PacketsCount = max_of(OutboundPacketsAtSrc, InboundPacketsAtDest) + max_of(OutboundPacketsAtDest, InboundPacketsAtSrc)\r\n| summarize TotalTraffic = sum(iff('{displayUnit:value}' =~ 'bytes', BytesCount, iff('{displayUnit:value}' =~ 'packets', PacketsCount, tolong(FlowCount)))) by Gateway\r\n| where TotalTraffic > 0\r\n| top 5 by TotalTraffic", + "query": "(NTATopologyDetails\r\n| where SubType == 'Topology'\r\n and AzureResourceType == 'VirtualNetworkGatewayConnection'\r\n and ConnectionType == 'ExpressRoute' \r\n//project connname, gateway here onwards \r\n| extend ConnectionName = strcat(Subscription, '/', Name)\r\n//filters\r\n | where iff({timeInterval:seconds} < 86400, TimeGenerated between (datetime_add('day', -1, todatetime('{timeInterval:endISO}')) .. todatetime('{timeInterval:endISO}')), TimeGenerated between (todatetime('{timeInterval:startISO}') .. todatetime('{timeInterval:endISO}')))\r\n | where isnotempty(Subscription) and iff(\"{subscriptions}\" == \"'*'\", true, Subscription in~ ({subscriptions}))\r\n | extend rgToCheck = split(Name, '/')[0]\r\n | where iff(\"{resourceGroups}\" == \"'*'\", true, rgToCheck in~ ({resourceGroups}))\r\n | extend vnet1ToCheck = VirtualNetwork1, vnet2ToCheck = VirtualNetwork2\r\n | where iff(\"{vnets}\" == \"'*'\", true, vnet1ToCheck in ({vnets})) or iff(\"{vnets}\" == \"'*'\", true, vnet2ToCheck in ({vnets}))\r\n//\r\n| project ConnectionName, Gateway = VirtualNetworkGateway1\r\n| distinct Gateway, ConnectionName)\r\n| join kind = inner (NTANetAnalytics\r\n| where SubType == 'FlowLog' and TimeGenerated between (todatetime('{timeInterval:startISO}') .. datetime_add('day', 7, todatetime('{timeInterval:endISO}'))) and (FaSchemaVersion == '3') and FlowStartTime between (datetime('{timeInterval:startISO}') .. 
datetime('{timeInterval:endISO}'))\r\n | extend ConnectionNameSplit = split(ConnectionName, '/')\r\n | extend subscription1ToCheck = tostring(ConnectionNameSplit[0])\r\n | where iff(\"{subscriptions}\" == \"'*'\", true, SrcSubscription in~ ({subscriptions}))\r\n | extend rg1ToCheck = tostring(ConnectionNameSplit[1])\r\n | where iff(\"{resourceGroups}\" == \"'*'\", true, rg1ToCheck in~ ({resourceGroups})) \r\n | where iff(\"{erGatewayConnections}\" == \"'*'\", true, ConnectionName in~ ({erGatewayConnections}))\r\n| where FlowType == 'S2S' and ConnectionType == 'ExpressRoute')\r\non ConnectionName\r\n | extend \r\n AllowedInboundBytesAtSrc = iff(FlowStatus == 'Allowed' and FlowDirection == 'Outbound', tolong(BytesDestToSrc), 0), \r\n BlockedInboundBytesAtSrc = iff(FlowStatus == 'Denied' and FlowDirection == 'Outbound', tolong(BytesDestToSrc), 0), \r\n AllowedOutboundBytesAtSrc = iff(FlowStatus == 'Allowed' and FlowDirection == 'Outbound', tolong(BytesSrcToDest), 0), \r\n BlockedOutboundBytesAtSrc = iff(FlowStatus == 'Denied' and FlowDirection == 'Outbound', tolong(BytesSrcToDest), 0), \r\n AllowedInboundBytesAtDest = iff(FlowStatus == 'Allowed' and FlowDirection == 'Inbound', tolong(BytesDestToSrc), 0), \r\n BlockedInboundBytesAtDest = iff(FlowStatus == 'Denied' and FlowDirection == 'Inbound', tolong(BytesDestToSrc), 0), \r\n AllowedOutboundBytesAtDest = iff(FlowStatus == 'Allowed' and FlowDirection == 'Inbound', tolong(BytesSrcToDest), 0), \r\n BlockedOutboundBytesAtDest = iff(FlowStatus == 'Denied' and FlowDirection == 'Inbound', tolong(BytesSrcToDest), 0)\r\n | extend \r\n AllowedInboundPacketsAtSrc = iff(FlowStatus == 'Allowed' and FlowDirection == 'Outbound', tolong(PacketsDestToSrc), 0), \r\n BlockedInboundPacketsAtSrc = iff(FlowStatus == 'Denied' and FlowDirection == 'Outbound', tolong(PacketsDestToSrc), 0), \r\n AllowedOutboundPacketsAtSrc = iff(FlowStatus == 'Allowed' and FlowDirection == 'Outbound', tolong(PacketsSrcToDest), 0), \r\n 
BlockedOutboundPacketsAtSrc = iff(FlowStatus == 'Denied' and FlowDirection == 'Outbound', tolong(PacketsSrcToDest), 0), \r\n AllowedInboundPacketsAtDest = iff(FlowStatus == 'Allowed' and FlowDirection == 'Inbound', tolong(PacketsDestToSrc), 0), \r\n BlockedInboundPacketsAtDest = iff(FlowStatus == 'Denied' and FlowDirection == 'Inbound', tolong(PacketsDestToSrc), 0), \r\n AllowedOutboundPacketsAtDest = iff(FlowStatus == 'Allowed' and FlowDirection == 'Inbound', tolong(PacketsSrcToDest), 0), \r\n BlockedOutboundPacketsAtDest = iff(FlowStatus == 'Denied' and FlowDirection == 'Inbound', tolong(PacketsSrcToDest), 0)\r\n | extend AllowedOutbound_inferred = max_of(AllowedOutFlows, AllowedInFlows + DeniedInFlows)\r\n | extend Outbound = AllowedOutbound_inferred + DeniedOutFlows, Inbound = AllowedOutbound_inferred\r\n | extend FlowCount = max_of(Inbound, Outbound)\r\n | extend AllowedOutboundBytesAtSrc_inferred = max_of(AllowedOutboundBytesAtSrc, AllowedInboundBytesAtDest + BlockedInboundBytesAtDest)\r\n | extend AllowedOutboundBytesAtDest_inferred = max_of(AllowedOutboundBytesAtDest, AllowedInboundBytesAtSrc + BlockedInboundBytesAtSrc)\r\n | extend OutboundBytesAtSrc = AllowedOutboundBytesAtSrc_inferred + BlockedOutboundBytesAtSrc, InboundBytesAtSrc = AllowedOutboundBytesAtDest_inferred\r\n | extend OutboundBytesAtDest = AllowedOutboundBytesAtDest_inferred + BlockedOutboundBytesAtDest, InboundBytesAtDest = AllowedOutboundBytesAtSrc_inferred\r\n | extend BytesCount = max_of(OutboundBytesAtSrc, InboundBytesAtDest) + max_of(OutboundBytesAtDest, InboundBytesAtSrc)\r\n | extend AllowedOutboundPacketsAtSrc_inferred = max_of(AllowedOutboundPacketsAtSrc, AllowedInboundPacketsAtDest + BlockedInboundPacketsAtDest)\r\n | extend AllowedOutboundPacketsAtDest_inferred = max_of(AllowedOutboundPacketsAtDest, AllowedInboundPacketsAtSrc + BlockedInboundPacketsAtSrc)\r\n | extend OutboundPacketsAtSrc = AllowedOutboundPacketsAtSrc_inferred + BlockedOutboundPacketsAtSrc, InboundPacketsAtSrc = 
AllowedOutboundPacketsAtDest_inferred\r\n | extend OutboundPacketsAtDest = AllowedOutboundPacketsAtDest_inferred + BlockedOutboundPacketsAtDest, InboundPacketsAtDest = AllowedOutboundPacketsAtSrc_inferred\r\n | extend PacketsCount = max_of(OutboundPacketsAtSrc, InboundPacketsAtDest) + max_of(OutboundPacketsAtDest, InboundPacketsAtSrc)\r\n| summarize TotalTraffic = sum(iff('{graphUnit:value}' =~ 'bytes', BytesCount, iff('{graphUnit:value}' =~ 'packets', PacketsCount, tolong(FlowCount)))) by Gateway\r\n| where TotalTraffic > 0\r\n| top 5 by TotalTraffic", "crossComponentResources": [ "{workspace}" ], @@ -396,4 +396,4 @@ "Azure Monitor" ], "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" -} \ No newline at end of file +}
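Review bot: The closing `summarize` in the new `query` string falls through to `tolong(FlowCount)` for any `{graphUnit:value}` that is not `bytes` or `packets`, so a misspelled or unresolved parameter still returns a plausible top-5 gateway list, just in the wrong unit; that may be why the old `displayUnit` reference was not caught earlier. The definition of `graphUnit` is outside this hunk, so confirm that it exists in this workbook and that its values match the literals compared here. Consider matching the flow-count option explicitly and returning `long(null)` in the final `iff` branch, so that an unexpected value should be dropped by the existing `where TotalTraffic > 0` instead of being charted as flows. Separately, the topology filter `vnet1ToCheck in ({vnets})` (and the `vnet2ToCheck` twin) is case-sensitive while the subscription and resource-group filters beside it use `in~`, which can silently exclude gateways when the selected VNet name differs only in case.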