Skip to main content

Inspecting Traffic Between Azure Virtual Machines

·5 mins
Azure Windows VMs ICMP Firewall SSH DHCP
Table of Contents

In this lab, we’ll explore the network traffic exchanged between Azure Virtual Machines (VMs) using Wireshark, a powerful protocol analyzer. Through hands-on experimentation, we’ll observe how various network protocols such as ICMP, SSH, and DHCP operate in a cloud environment. Additionally, we’ll delve into configuring Azure Network Security Groups (NSGs) to control and secure traffic flow between VMs. This lab offers a practical way to understand network communication and security measures in Azure

Before We Get Started #

Environments and Technologies Used #

  • Microsoft Azure (Virtual Machines/Compute)
  • Remote Desktop
  • Various Command-Line Tools
  • Various Network Protocols (SSH, RDH, DNS, HTTP/S, ICMP)
  • Wireshark (Protocol Analyzer)

Operating Systems Used #

  • Windows 10 (22H2)
  • Ubuntu Server 24.04

Setup #

Creating the VMs #

I created a resource group to place these virtual machines in. I named mine RG-Network-Activities.

Resource Group Image
Resource Group

Ensure the VMs are in the same:

  • resource group
  • region
  • virtual network

Windows VM #

I placed this VM in the resource group I just created and within the same region. Make sure to select the Windows 10 Pro image.

  • I selected a standard VM size with 2 vCPUs and 16 GiB of memory.

WindowsVM Image
Windows VM creation

The final step is to create a virtual network. For this project, I created a new network and named it lab-vnet.

Virtual Network Image
Virtual Network

Linux VM #

I followed the same steps as for the Windows VM, but selected the appropriate image. In my case, I chose the latest Ubuntu Server LTS version. The VM size doesn’t matter here.

Linux VM Image
Linux VM creation

However, under the Administrator Account, make sure to change the setting from SSH public key to Password. Although SSH public key is a good security practice, this is just a demo and will be deleted soon after.

Linux Authentication Type Image
Linux Authentication Type

Connect to Windows VM #

To connect to the Windows VM, we need a way to access it using the RDP protocol. This allows us to interact with the VM as if we were directly using the computer screen.

  • For Windows use: Remote Desktop Client
  • For Mac use: Microsoft Remote Desktop
  • For Linux use: FreeRDP

For more info on how to use FreeRDP, read this post

Observations #

ICMP Traffic #

Within Wireshark, I filtered for ICMP (Internet Control Message Protocol) traffic and opened PowerShell to execute a command called ping. Ping utilizes ICMP, which is used by devices in a network to communicate problems within data transmission. I used ping to see if I can communicate with the Ubuntu VM using its private IP address. The private IP of the Linux VM in my case is 10.0.0.5. When we run the ping command, the following output will be displayed.

ICMP Image
Observe ICMP Traffic

You’ll notice that 10.0.0.4 (Windows VM) sends a request to 10.0.0.5 (Linux VM), which then causes the Linux VM to reply!

Configure Network Security Groups (Firewall) #

Within the Azure portal, I opened the networking settings for the Ubuntu VM and added an inbound security rule to block ICMP traffic. I make sure to have the priority higher than SSH (300) to ensure the rule applies first.

Deny ICMP Traffic Image
Deny ICMP Traffic

Upon returning to the Windows VM, I notice that the ICMP traffic is blocked now that the inbound security rule is in place.

ICMP Image
Request Timeout

If you delete this rule, the ping resolves without timing out!

SSH Traffic #

Next, let’s observe the SSH traffic. From the Windows VM, we can SSH into the Linux VM using its private IP address.

We can open up powershell and type the following

ssh <username>@<private_ip_of_linux_vm>

Then, simply enter the password for the user. You’ll notice the SSH traffic in Wireshark whenever you start typing in the command line, as shown below.

SSH Image
SSH

SSH is similar to the RDP protocol (3389) in that it allows remote access to a machine. However, SSH is a text-based protocol designed for command-line interactions, whereas RDP provides a graphical user interface. Both achieve remote access, but they are optimized for different use cases.

DHCP Traffic #

Now, let’s observe some DHCP traffic. This protocol is used when a device or node is not assigned a static IP and needs to request an IP from the DHCP server. To see this in action, we’ll need to create a small batch file.

ipconfig /release
ipconfig /renew

I created this file inside my Downloads directory and named it dhcp.bat. Then, I executed the file from the command line.

Now, this may disconnect you from the RDP client tool you’re using. This is fine, as we’ll still be able to observe the traffic when logging back into the Windows VM.

DHCP Image
DHCP Traffic

Although the IP address appears the same as before, we actually release the IP the VM was initially assigned and receive a new IP from the DHCP server.

What I Learned #

In this lab, I learned how to observe and analyze network traffic between Azure Virtual Machines (VMs) using Wireshark. I explored how various protocols like ICMP, SSH, and DHCP function in a cloud environment. By configuring Azure Network Security Groups (NSGs), I discovered how to control traffic flow between VMs, including blocking ICMP traffic to enhance security. I also gained a deeper understanding of how DHCP dynamically assigns IP addresses and how these can change when renewing leases. Additionally, I learned the differences between RDP and SSH for remote access and saw how these protocols impact network communication. This lab reinforced the importance of network traffic analysis and security configurations in cloud environments.