Schema and data aggregation in Traffic Analytics

Traffic Analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. It analyzes Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud. With Traffic Analytics, you can:

  • Visualize network activity across your Azure subscriptions and identify hot spots.
  • Identify security threats to your network and secure it, using information such as open ports, applications attempting internet access, and virtual machines (VMs) connecting to rogue networks.
  • Understand traffic flow patterns across Azure regions and the internet to optimize your network deployment for performance and capacity.
  • Pinpoint network misconfigurations that lead to failed connections in your network.
  • Know network usage in bytes, packets, or flows.

Data aggregation

  1. All flow logs of an NSG between FlowIntervalStartTime_t and FlowIntervalEndTime_t are captured at one-minute intervals as blobs in the storage account before Traffic Analytics processes them.
  2. The default processing interval of Traffic Analytics is 60 minutes: every 60 minutes Traffic Analytics picks up blobs from storage for aggregation. If a processing interval of 10 minutes is chosen, Traffic Analytics picks up blobs from the storage account every 10 minutes.
  3. Flows that have the same source IP, destination IP, destination port, NSG name, NSG rule, flow direction and transport-layer protocol (TCP or UDP) are aggregated into a single flow by Traffic Analytics. The source port is deliberately excluded from the aggregation key, so a port scan or a burst of short-lived client connections to one service collapses into one record.
  4. This single record is decorated (details in the section below) and ingested into Log Analytics by Traffic Analytics. This process can take up to one hour.
  5. The FlowStartTime_t field indicates the first occurrence of such an aggregated flow (same four-tuple) in the flow log processing interval between FlowIntervalStartTime_t and FlowIntervalEndTime_t.
  6. For any resource in Traffic Analytics, the flows shown in the UI are the total flows seen by the NSG, but in Log Analytics you see only the single, reduced record. To see all the flows, use the blob_id field, which can be referenced from storage. The total flow count for that record matches the individual flows found in the blob.
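The aggregation described in steps 1 to 6, re-implemented as an added example (this is not Traffic Analytics' own code). It parses one constructed NSG flow log version 2 blob record, groups its raw tuples by the documented key (source IP, destination IP, destination port, NSG, NSG rule, direction, L4 protocol, with the source port ignored) and derives the per-record counters and FlowStartTime_t / FlowEndTime_t values the schema section defines. Two things are assumptions rather than documented behaviour: a tuple in state "B" is what the per-direction flow counters count, and packet and byte counters are summed over every tuple of the key. The NSG identifier string and all sample tuples are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample of one NSG flow log (version 2) blob record, in the shape
# Traffic Analytics reads from the storage account. Each tuple has the fields
# time,srcIp,dstIp,srcPort,dstPort,proto,dir,decision,state,pktsOut,bytesOut,pktsIn,bytesIn
# where pktsOut/bytesOut travel from srcIp to dstIp and pktsIn/bytesIn the other way.
SAMPLE_BLOB = json.dumps({"records": [{
    "time": "2019-08-22T10:00:00.000Z",
    "macAddress": "000D3AF8BFB0",
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3AF8BFB0", "flowTuples": [
            "1566468010,10.0.0.4,203.0.113.9,42442,443,T,O,A,B,0,0,0,0",
            "1566468130,10.0.0.4,203.0.113.9,42443,443,T,O,A,B,0,0,0,0",  # new source port, same key
            "1566468190,10.0.0.4,203.0.113.9,42442,443,T,O,A,E,7,1158,12,8143",
        ]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF8BFB0", "flowTuples": [
            "1566468050,198.51.100.7,10.0.0.4,5311,22,T,I,D,B,0,0,0,0",
            "1566468290,198.51.100.7,10.0.0.4,6021,22,T,I,D,B,0,0,0,0",
        ]}]},
    ]},
}]})

COUNTERS = ("AllowedInFlows_d", "DeniedInFlows_d", "AllowedOutFlows_d", "DeniedOutFlows_d",
            "CompletedFlows_d", "InboundPackets_d", "OutboundPackets_d",
            "InboundBytes_d", "OutboundBytes_d", "FlowCount_d")


def aggregate_blob(blob_json: str, nsg_id: str) -> dict:
    """Collapse raw flow tuples into one record per aggregation key.

    Key, as documented above: source IP, destination IP, destination port,
    NSG, NSG rule, flow direction and L4 protocol. Source port is excluded.
    Assumptions (not stated on the page): a "B" tuple starts a flow and is what
    the per-direction flow counters count; "E" marks a completed flow; packet
    and byte counters are summed over all tuples of the key.
    """
    records = {}
    for rec in json.loads(blob_json)["records"]:
        if rec["properties"].get("Version") != 2:
            raise ValueError("this example handles flow log version 2 only")
        for rule_block in rec["properties"]["flows"]:
            rule = rule_block["rule"]
            for flow in rule_block["flows"]:
                for tup in flow["flowTuples"]:
                    f = tup.split(",")
                    ts = datetime.fromtimestamp(int(f[0]), tz=timezone.utc)
                    src, dst, dport, proto, direction, decision, state = (
                        f[1], f[2], int(f[4]), f[5], f[6], f[7], f[8])
                    pkts_out, bytes_out, pkts_in, bytes_in = (int(x) for x in f[9:13])
                    key = (src, dst, dport, nsg_id, rule, direction, proto)
                    r = records.setdefault(key, {**dict.fromkeys(COUNTERS, 0),
                                                 "FlowStartTime_t": ts, "FlowEndTime_t": None})
                    r["FlowStartTime_t"] = min(r["FlowStartTime_t"], ts)
                    if state == "B":  # another flow with this key started
                        r["FlowEndTime_t"] = ts if r["FlowEndTime_t"] is None else max(r["FlowEndTime_t"], ts)
                        r["FlowCount_d"] += 1
                        r[("Allowed" if decision == "A" else "Denied")
                          + ("In" if direction == "I" else "Out") + "Flows_d"] += 1
                    elif state == "E":
                        r["CompletedFlows_d"] += 1
                    # The NIC's view: for an inbound flow the VM is dstIp, so the
                    # srcIp->dstIp counters are what the NIC received, and vice versa.
                    if direction == "I":
                        r["InboundPackets_d"] += pkts_out
                        r["InboundBytes_d"] += bytes_out
                        r["OutboundPackets_d"] += pkts_in
                        r["OutboundBytes_d"] += bytes_in
                    else:
                        r["OutboundPackets_d"] += pkts_out
                        r["OutboundBytes_d"] += bytes_out
                        r["InboundPackets_d"] += pkts_in
                        r["InboundBytes_d"] += bytes_in
    return records


def total_flows(records: dict) -> int:
    """The figure that, per step 6, should match the individual flows in the blob."""
    return sum(r["FlowCount_d"] for r in records.values())


if __name__ == "__main__":
    recs = aggregate_blob(SAMPLE_BLOB, "sub/rg/nsg")
    print(f"{total_flows(recs)} raw flows collapsed into {len(recs)} records")
    for key, rec in recs.items():
        print(key, {k: v for k, v in rec.items() if v})
```

Five raw tuples (four flow starts) collapse into two records: one allowed outbound record for the two HTTPS connections to 203.0.113.9, where the differing source ports are ignored, and one denied inbound record for the two SSH attempts from 198.51.100.7. The difference between FlowCount_d (4) and the number of Log Analytics rows (2) is exactly the gap step 6 warns about.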

The query below lists all subnets that interacted with non-Azure public IPs in the last 30 days.

AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog" and FlowStartTime_t >= ago(30d) and FlowType_s == "ExternalPublic"
| project Subnet1_s, Subnet2_s  

To view the blob path for the flows returned by the query above, use the following query:

let TableWithBlobId =
(AzureNetworkAnalytics_CL
   | where SubType_s == "Topology" and ResourceType == "NetworkSecurityGroup" and DiscoveryRegion_s == Region_s and IsFlowEnabled_b
   | extend binTime = bin(TimeProcessed_t, 6h),
            nsgId = strcat(Subscription_g, "/", Name_s),
            saNameSplit = split(FlowLogStorageAccount_s, "/")
   | extend saName = iif(array_length(saNameSplit) == 3, saNameSplit[2], '')
   | distinct nsgId, saName, binTime)
| join kind = rightouter (
   AzureNetworkAnalytics_CL
   | where SubType_s == "FlowLog"
   | extend binTime = bin(FlowEndTime_t, 6h)
) on binTime, $left.nsgId == $right.NSGList_s
// The hour folder in the blob path uses a 24-hour clock, so format it with "HH" ("hh" is the 12-hour hour)
| extend blobTime = format_datetime(todatetime(FlowIntervalStartTime_t), "yyyy MM dd HH")
| extend nsgComponents = split(toupper(NSGList_s), "/"), dateTimeComponents = split(blobTime, " ")
| extend BlobPath = strcat("https://", saName,
                        "@insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/", nsgComponents[0],
                        "/RESOURCEGROUPS/", nsgComponents[1],
                        "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/", nsgComponents[2],
                        "/y=", dateTimeComponents[0], "/m=", dateTimeComponents[1], "/d=", dateTimeComponents[2], "/h=", dateTimeComponents[3],
                        "/m=00/macAddress=", replace(@"-", "", MACAddress_s),
                        "/PT1H.json")
| project-away nsgId, saName, binTime, blobTime, nsgComponents, dateTimeComponents;

TableWithBlobId
| where SubType_s == "FlowLog" and FlowStartTime_t >= ago(30d) and FlowType_s == "ExternalPublic"
| project Subnet1_s, Subnet2_s, BlobPath

The query above constructs a URL for accessing the blob directly. With placeholders, the URL is:

https://{saName}@insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroup}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{nsgName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json

Here {saName} is only the storage account name taken from the topology record. To download the blob, address the account's blob endpoint (in public Azure, {saName}.blob.core.windows.net) followed by the container insights-logs-networksecuritygroupflowevent and the path; the month, day and hour folders are two-digit, zero-padded, and the hour is in 24-hour UTC.
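The same path construction done outside Log Analytics, as an added example that is not part of the original page: given the fields of one AzureNetworkAnalytics_CL row (NSGList_s, MACAddress_s and FlowIntervalStartTime_t) and the storage account name, it returns the URL of the hourly PT1H.json blob that holds the raw flows behind that row. The row contents are constructed, and the blob endpoint suffix is an assumption (it is the public-Azure value and differs in sovereign clouds).

```python
from datetime import datetime

# Constructed Log Analytics row carrying the fields the query above joins on.
SAMPLE_ROW = {
    "NSGList_s": "00000000-0000-0000-0000-000000000000/myRg/myNsg",
    "MACAddress_s": "00-0D-3A-F8-BF-B0",
    "FlowIntervalStartTime_t": "2019-08-22T22:00:00Z",
}
CONTAINER = "insights-logs-networksecuritygroupflowevent"


def flow_log_blob_url(row: dict, storage_account: str,
                      endpoint_suffix: str = "blob.core.windows.net") -> str:
    """Return the URL of the hourly PT1H.json blob behind a Traffic Analytics row.

    endpoint_suffix is an assumption: the page's query only carries the
    storage account name, and the blob host differs between Azure clouds.
    """
    parts = row["NSGList_s"].split("/")
    if len(parts) != 3:
        raise ValueError("NSGList_s must be <subscription>/<resourceGroup>/<nsg>")
    sub, rg, nsg = (p.upper() for p in parts)   # the blob folders are upper-cased
    start = row["FlowIntervalStartTime_t"]
    if isinstance(start, str):
        start = datetime.strptime(start, "%Y-%m-%dT%H:%M:%SZ")
    # Log Analytics renders the MAC with separators; the blob path has none.
    mac = row["MACAddress_s"].replace("-", "").replace(":", "").upper()
    # %H is the 24-hour hour; a 12-hour hour would point at the wrong blob after noon.
    return (f"https://{storage_account}.{endpoint_suffix}/{CONTAINER}/resourceId=/SUBSCRIPTIONS/{sub}"
            f"/RESOURCEGROUPS/{rg}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{nsg}"
            f"/y={start:%Y}/m={start:%m}/d={start:%d}/h={start:%H}/m=00/macAddress={mac}/PT1H.json")


if __name__ == "__main__":
    print(flow_log_blob_url(SAMPLE_ROW, "mysa"))
```

The 22:00 interval in the sample row lands in the h=22 folder; formatting that hour with a 12-hour pattern would produce h=10 and silently fetch the morning blob instead.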

Fields used in the Traffic Analytics schema

Important

The Traffic Analytics schema was updated on 22 August 2019. The new schema provides source and destination IPs separately, removing the need to parse the FlowDirection field and making queries simpler.
FASchemaVersion_s was updated from 1 to 2.
Deprecated fields: VMIP_s, Subscription_s, Region_s, NSGRules_s, Subnet_s, VM_s, NIC_s, PublicIPs_s, FlowCount_d
New fields: SrcPublicIPs_s, DestPublicIPs_s, NSGRule_s
Deprecated fields remain available until 22 November 2019.

Traffic Analytics is built on top of Log Analytics, so you can run custom queries on the data Traffic Analytics decorates and set alerts on it.

The fields in the schema and what they signify are listed below.

Field (Format): Comments

TableName (AzureNetworkAnalytics_CL): Table for Traffic Analytics data.
SubType_s (FlowLog): Subtype for the flow logs. Use only "FlowLog"; other values of SubType_s are for the internal workings of the product.
FASchemaVersion_s (2): Schema version. Does not reflect the NSG flow log version.
TimeProcessed_t (date and time in UTC): Time at which Traffic Analytics processed the raw flow logs from the storage account.
FlowIntervalStartTime_t (date and time in UTC): Start of the flow log processing interval; the time from which the flow interval is measured.
FlowIntervalEndTime_t (date and time in UTC): End of the flow log processing interval.
FlowStartTime_t (date and time in UTC): First occurrence of the flow (which will be aggregated) in the flow log processing interval between FlowIntervalStartTime_t and FlowIntervalEndTime_t. The flow is aggregated according to the aggregation logic described above.
FlowEndTime_t (date and time in UTC): Last occurrence of the flow (which will be aggregated) in the flow log processing interval between FlowIntervalStartTime_t and FlowIntervalEndTime_t. For flow log v2, this field holds the time at which the last flow with the same four-tuple started (the tuple marked "B" in the raw flow record).
FlowType_s (IntraVNet, InterVNet, S2S, P2S, AzurePublic, ExternalPublic, MaliciousFlow, UnknownPrivate, Unknown): Definitions are in the notes below the table.
SrcIP_s (source IP address): Blank for AzurePublic and ExternalPublic flows.
DestIP_s (destination IP address): Blank for AzurePublic and ExternalPublic flows.
VMIP_s (IP of the VM): Used for AzurePublic and ExternalPublic flows.
PublicIP_s (public IP addresses): Used for AzurePublic and ExternalPublic flows.
DestPort_d (destination port): Port on which the traffic arrives.
L4Protocol_s (T or U): Transport protocol. T = TCP, U = UDP.
L7Protocol_s (protocol name): Derived from the destination port.
FlowDirection_s (I or O): Direction of the flow in or out of the NSG, as recorded in the flow log. I = Inbound, O = Outbound.
FlowStatus_s (A or D): Whether the NSG allowed or blocked the flow, as recorded in the flow log. A = allowed by NSG rule, D = denied by NSG rule.
NSGList_s (<SUBSCRIPTIONID>/<RESOURCEGROUP_NAME>/<NSG_NAME>): Network security group (NSG) associated with the flow.
NSGRules_s (<Index value 0>|<NSG_RULENAME>|<Flow Direction>|<Flow Status>|<FlowCount ProcessedByRule>): NSG rule that allowed or denied this flow.
NSGRule_s (NSG_RULENAME): NSG rule that allowed or denied this flow.
NSGRuleType_s (User Defined or Default): Type of NSG rule used by the flow.
MACAddress_s (MAC address): MAC address of the NIC at which the flow was captured.
Subscription_s: Subscription of the Azure virtual network, network interface or virtual machine. Applies only to FlowType S2S, P2S, AzurePublic, ExternalPublic, MaliciousFlow and UnknownPrivate (flow types where only one side is in Azure).
Subscription1_s (subscription ID): Subscription ID of the virtual network, network interface or virtual machine to which the source IP in the flow belongs.
Subscription2_s (subscription ID): Subscription ID of the virtual network, network interface or virtual machine to which the destination IP in the flow belongs.
Region_s: Azure region of the virtual network, network interface or virtual machine to which the IP in the flow belongs. Applies only to FlowType S2S, P2S, AzurePublic, ExternalPublic, MaliciousFlow and UnknownPrivate (flow types where only one side is in Azure).
Region1_s (Azure region): Azure region of the virtual network, network interface or virtual machine to which the source IP in the flow belongs.
Region2_s (Azure region): Azure region of the virtual network to which the destination IP in the flow belongs.
NIC_s (<resourcegroup_Name>/<NetworkInterfaceName>): NIC associated with the VM sending or receiving the traffic.
NIC1_s (<resourcegroup_Name>/<NetworkInterfaceName>): NIC associated with the source IP in the flow.
NIC2_s (<resourcegroup_Name>/<NetworkInterfaceName>): NIC associated with the destination IP in the flow.
VM_s (<resourcegroup_Name>/<VirtualMachineName>): Virtual machine associated with the network interface NIC_s.
VM1_s (<resourcegroup_Name>/<VirtualMachineName>): Virtual machine associated with the source IP in the flow.
VM2_s (<resourcegroup_Name>/<VirtualMachineName>): Virtual machine associated with the destination IP in the flow.
Subnet_s (<ResourceGroup_Name>/<VNET_Name>/<SubnetName>): Subnet associated with NIC_s.
Subnet1_s (<ResourceGroup_Name>/<VNET_Name>/<SubnetName>): Subnet associated with the source IP in the flow.
Subnet2_s (<ResourceGroup_Name>/<VNET_Name>/<SubnetName>): Subnet associated with the destination IP in the flow.
ApplicationGateway1_s (<SubscriptionID>/<ResourceGroupName>/<ApplicationGatewayName>): Application gateway associated with the source IP in the flow.
ApplicationGateway2_s (<SubscriptionID>/<ResourceGroupName>/<ApplicationGatewayName>): Application gateway associated with the destination IP in the flow.
LoadBalancer1_s (<SubscriptionID>/<ResourceGroupName>/<LoadBalancerName>): Load balancer associated with the source IP in the flow.
LoadBalancer2_s (<SubscriptionID>/<ResourceGroupName>/<LoadBalancerName>): Load balancer associated with the destination IP in the flow.
LocalNetworkGateway1_s (<SubscriptionID>/<ResourceGroupName>/<LocalNetworkGatewayName>): Local network gateway associated with the source IP in the flow.
LocalNetworkGateway2_s (<SubscriptionID>/<ResourceGroupName>/<LocalNetworkGatewayName>): Local network gateway associated with the destination IP in the flow.
ConnectionType_s (VNetPeering, VpnGateway or ExpressRoute): Connection type.
ConnectionName_s (<SubscriptionID>/<ResourceGroupName>/<ConnectionName>): Connection name. For flow type P2S, this will be formatted as
ConnectingVNets_s (space-separated list of virtual network names): For a hub-and-spoke topology, the hub virtual networks are listed here.
Country_s (two-letter country code, ISO 3166-1 alpha-2): Populated for flow type ExternalPublic. All IP addresses in the PublicIPs_s field share the same country code.
AzureRegion_s (Azure region location): Populated for flow type AzurePublic. All IP addresses in the PublicIPs_s field share the same Azure region.
AllowedInFlows_d: Count of allowed inbound flows, i.e. the number of flows that shared the same four-tuple inbound to the network interface at which the flow was captured.
DeniedInFlows_d: Count of denied inbound flows (inbound to the network interface at which the flow was captured).
AllowedOutFlows_d: Count of allowed outbound flows (outbound from the network interface at which the flow was captured).
DeniedOutFlows_d: Count of denied outbound flows (outbound from the network interface at which the flow was captured).
FlowCount_d: Deprecated. Total flows that matched the same four-tuple. For flow types ExternalPublic and AzurePublic, the count also includes the flows from the various public IP addresses.
InboundPackets_d: Packets received, as captured at the network interface where the NSG rule was applied. Populated only for NSG flow log schema version 2.
OutboundPackets_d: Packets sent, as captured at the network interface where the NSG rule was applied. Populated only for NSG flow log schema version 2.
InboundBytes_d: Bytes received, as captured at the network interface where the NSG rule was applied. Populated only for NSG flow log schema version 2.
OutboundBytes_d: Bytes sent, as captured at the network interface where the NSG rule was applied. Populated only for NSG flow log schema version 2.
CompletedFlows_d: Populated with a non-zero value only for NSG flow log schema version 2.
PublicIPs_s (<PUBLIC_IP>|<FLOW_STARTED_COUNT>|<FLOW_ENDED_COUNT>|<OUTBOUND_PACKETS>|<INBOUND_PACKETS>|<OUTBOUND_BYTES>|<INBOUND_BYTES>): Bar-separated entries.
SrcPublicIPs_s (<SOURCE_PUBLIC_IP>|<FLOW_STARTED_COUNT>|<FLOW_ENDED_COUNT>|<OUTBOUND_PACKETS>|<INBOUND_PACKETS>|<OUTBOUND_BYTES>|<INBOUND_BYTES>): Bar-separated entries.
DestPublicIPs_s (<DESTINATION_PUBLIC_IP>|<FLOW_STARTED_COUNT>|<FLOW_ENDED_COUNT>|<OUTBOUND_PACKETS>|<INBOUND_PACKETS>|<OUTBOUND_BYTES>|<INBOUND_BYTES>): Bar-separated entries.

Notes

  1. For AzurePublic and ExternalPublic flows, the customer-owned Azure VM IP is populated in the VMIP_s field and the public IP addresses in the PublicIPs_s field. For these two flow types, use VMIP_s and PublicIPs_s instead of SrcIP_s and DestIP_s. For AzurePublic and ExternalPublic IP addresses, Traffic Analytics aggregates further so that the number of records ingested into the customer's Log Analytics workspace stays minimal. (These fields will be deprecated soon; use SrcIP_s or DestIP_s depending on whether the Azure VM was the source or the destination of the flow.)
  2. Details of flow types. Based on the IP addresses involved in the flow, Traffic Analytics categorizes flows into the following flow types:
     • IntraVNet - Both IP addresses in the flow reside in the same Azure virtual network.
     • InterVNet - The IP addresses in the flow reside in two different Azure virtual networks.
     • S2S (site to site) - One IP address belongs to an Azure virtual network while the other belongs to a customer network (site) connected to the Azure virtual network through a VPN gateway or ExpressRoute.
     • P2S (point to site) - One IP address belongs to an Azure virtual network while the other belongs to a customer network (site) connected to the Azure virtual network through a VPN gateway.
     • AzurePublic - One IP address belongs to an Azure virtual network while the other belongs to the Azure internal public IP addresses owned by Microsoft. Customer-owned public IP addresses are not part of this flow type. For instance, any customer-owned VM sending traffic to an Azure service (such as a storage endpoint) is categorized under this flow type.
     • ExternalPublic - One IP address belongs to an Azure virtual network while the other is a public IP that is not in Azure and is not reported as malicious in the Azure Security Center (ASC) feeds that Traffic Analytics consumes for the processing interval between FlowIntervalStartTime_t and FlowIntervalEndTime_t.
     • MaliciousFlow - One IP address belongs to an Azure virtual network while the other is a public IP that is not in Azure and is reported as malicious in the ASC feeds that Traffic Analytics consumes for the processing interval between FlowIntervalStartTime_t and FlowIntervalEndTime_t.
     • UnknownPrivate - One IP address belongs to an Azure virtual network while the other belongs to a private IP range as defined in RFC 1918 and could not be mapped by Traffic Analytics to a customer-owned site or Azure virtual network.
     • Unknown - Neither IP address in the flow could be mapped to the customer's topology in Azure or on-premises (site).
  3. Some field names end in _s or _d. These suffixes do NOT signify source and destination; they indicate the data types string and decimal respectively.
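The flow-type decision procedure from note 2, written out as an added example (not Traffic Analytics' own implementation). Traffic Analytics resolves addresses against the customer's discovered Azure topology, gateway connections, Microsoft's public service ranges and the ASC feeds; here every one of those sources is replaced by a small constructed table so the ordering of the checks can be exercised offline. The prefixes, the "hub-vnet"/"spoke-vnet" names and the malicious address are all assumptions. Only the RFC 1918 test is taken literally from the notes, so documentation-range addresses such as 203.0.113.9 are treated as public rather than private.

```python
import ipaddress

# Constructed stand-ins for what Traffic Analytics derives from the customer's
# Azure topology and from Azure Security Center feeds. None of these values come
# from the page; they exist only so the decision procedure can run.
VNET_SUBNETS = {               # subnet prefix -> virtual network it belongs to
    "10.0.0.0/24": "hub-vnet",
    "10.0.1.0/24": "hub-vnet",
    "10.1.0.0/16": "spoke-vnet",
}
SITE_PREFIXES = {              # prefixes learned from gateway connections
    "192.168.0.0/16": "S2S",   # site reached through a VPN gateway or ExpressRoute
    "172.16.0.0/24": "P2S",    # point-to-site VPN client address pool
}
AZURE_PUBLIC_PREFIXES = ["52.239.160.0/20"]   # stand-in for Microsoft-owned service ranges
MALICIOUS_IPS = {"198.51.100.7"}              # stand-in for the ASC malicious-IP feed
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _lookup(ip, table):
    """Return the value of the first prefix in table that contains ip, else None."""
    for prefix, value in table.items():
        if ip in ipaddress.ip_network(prefix):
            return value
    return None


def classify_flow(src_ip: str, dst_ip: str) -> str:
    """Assign one of the FlowType_s values listed in the notes to a (src, dst) pair."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_vnet, dst_vnet = _lookup(src, VNET_SUBNETS), _lookup(dst, VNET_SUBNETS)
    if src_vnet and dst_vnet:
        return "IntraVNet" if src_vnet == dst_vnet else "InterVNet"
    if not src_vnet and not dst_vnet:
        return "Unknown"             # neither side maps to Azure or to a known site
    peer = dst if src_vnet else src  # the non-Azure end of the flow
    site = _lookup(peer, SITE_PREFIXES)
    if site:
        return site                  # S2S or P2S
    if any(peer in net for net in RFC1918):
        return "UnknownPrivate"      # private range, but not a known VNet or site
    if any(peer in ipaddress.ip_network(p) for p in AZURE_PUBLIC_PREFIXES):
        return "AzurePublic"         # Microsoft-owned public address
    if str(peer) in MALICIOUS_IPS:
        return "MaliciousFlow"       # non-Azure public address on the feed
    return "ExternalPublic"          # non-Azure public address, not on the feed


if __name__ == "__main__":
    for pair in [("10.0.0.4", "10.0.1.5"), ("10.0.0.4", "10.1.2.3"), ("10.0.0.4", "192.168.5.5"),
                 ("172.16.0.9", "10.0.0.4"), ("10.0.0.4", "10.200.0.1"), ("10.0.0.4", "52.239.160.28"),
                 ("198.51.100.7", "10.0.0.4"), ("10.0.0.4", "203.0.113.9"), ("203.0.113.9", "198.51.100.7")]:
        print(pair, "->", classify_flow(*pair))
```

The order of the checks matters: a 192.168.x.x peer is S2S only because the site table is consulted before the RFC 1918 test, and a feed hit is reported as MaliciousFlow only for addresses that are public and not Microsoft-owned, which is why the Azure range check precedes it.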

Next steps

To get answers to frequently asked questions, see the Traffic Analytics FAQ. For details about functionality, see the Traffic Analytics documentation.