| 1 | +--- |
| 2 | +title: Analyze Security Rules in Traffic Analytics (Preview) |
| 3 | +titleSuffix: Azure Network Watcher |
| 4 | +description: Use Rule Impact Analyzer to simulate and assess security admin rule effects in Azure Virtual Network Manager. Ensure compliance and prevent misconfigurations. |
| 5 | +author: halkazwini |
| 6 | +ms.author: halkazwini |
| 7 | +ms.service: azure-network-watcher |
| 8 | +ms.date: 04/07/2026 |
| 9 | +ms.topic: how-to |
| 10 | +--- |
| 11 | + |
| 12 | +# Analyze security rules using Rule Impact Analyzer in Traffic Analytics (preview) |
| 13 | + |
| 14 | +In this article, you learn how to use the rule impact analyzer feature with network groups in Azure Virtual Network Manager. You can use the Azure portal to create a security admin configuration, add a security admin rule, and simulate the impact of your rule changes before deploying them. |
| 15 | + |
| 16 | +The rules impact analyzer enables you to preview the impact of security admin rules before applying them to your environment. This feature helps you validate rule behavior, identify potential conflicts, and ensure that connectivity requirements are met without disrupting live traffic. By understanding the impact of your proposed rules changes, you can confidently plan changes, maintain compliance, and reduce the risk of misconfiguration across your virtual networks. |
| 17 | + |
| 18 | +> [!IMPORTANT] |
| 19 | +> Rule Impact Analyzer is currently in PREVIEW. |
| 20 | +> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. |
| 21 | +
|
| 22 | +## Prerequisites |
| 23 | + |
| 24 | +- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn). |
| 25 | + |
| 26 | +- Traffic analytics enabled for your virtual network flow logs or network security group flow logs. For more information, see [Enable traffic analytics on virtual network flow logs](vnet-flow-logs-manage.md#enable-or-disable-traffic-analytics) or [Enable traffic analytics on network security group flow logs](nsg-flow-logs-manage.md#enable-or-disable-traffic-analytics). |
| 27 | + |
| 28 | +- Required role-based access control (RBAC) permissions. For more information, see [Traffic analytics RBAC Permissions](required-rbac-permissions.md#traffic-analytics). |
| 29 | + |
| 30 | +- A network group. For more information, see [Create a network group](../virtual-network-manager/create-virtual-network-manager-portal.md#create-a-network-group). |
| 31 | + |
| 32 | +## Analyze security rules in the Azure portal |
| 33 | + |
| 34 | +Use rule impact analyzer in the Azure portal to analyze your security rules and simulate traffic flow patterns. |
| 35 | + |
| 36 | +### Configure simulation scope |
| 37 | + |
| 38 | +1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** from the search results. |
| 39 | + |
| 40 | +1. Under **Monitoring**, select **Traffic Analytics**. |
| 41 | + |
| 42 | +1. Select **Open Rule Impact Analyzer**. |
| 43 | + |
| 44 | +1. Select **Configure Simulation Scope** to choose the security rules to simulate traffic flow patterns. |
| 45 | + |
| 46 | +1. In **Rule Configuration**, select or enter the following information: |
| 47 | + |
| 48 | + | Setting | Value | |
| 49 | + | --- | --- | |
| 50 | + | Subscription | Select your Azure subscription. | |
| 51 | + | Type | Select **Network Manager** or **Network Security Group**. | |
| 52 | + | Network Manager | Select a network manager. This option is available if you select *Network Manager* in **Type**.| |
| 53 | + | Security Admin Configuration | Select the security admin configuration containing the rule collection that has the rules that you want to analyze. This option is available if you select *Network Manager* in **Type**. | |
| 54 | + | Rule Collection | Select the rule collection containing the rules that you want to analyze. This option is available if you select *Network Manager* in **Type**. | |
| 55 | + | Rules | Select one or more rules to analyze their impact on traffic flows. This option is available if you select *Network Manager* in **Type**. | |
| 56 | + | Security Admin Configuration | Select the security admin configuration containing the rule collection to analyze. This option is available if you select *Network Manager* in **Type**. | |
| 57 | + | Network Security Group | Select the Network Security Group (NSG) containing the rules to analyze. This option is available if you select *Network Security Group* in **Type**. | |
| 58 | + | NSG Rules | Select one or more rules to analyze their impact on traffic flows. This option is available if you select *Network Security Group* in **Type**. | |
| 59 | + |
| 60 | +1. Select **Next**. |
| 61 | + |
| 62 | + :::image type="content" source="media/traffic-analytics-rule-impact-analyzer/rule-configuration.png" alt-text="Screenshot that shows the Rule Configuration page of the Rule Impact Analyzer in the Azure portal."::: |
| 63 | + |
| 64 | +### Select virtual networks |
| 65 | + |
| 66 | +After selecting the rules to analyze, define the scope of the evaluation by choosing the target virtual networks whose traffic data will be used. Only eligible virtual networks are included to ensure the analysis provides an accurate view of end-to-end traffic behavior: |
| 67 | + |
| 68 | +1. On the virtual networks selection page of **Rule Configuration**, select one or more virtual networks (up to 500) that show Traffic Analytics **Enabled**. Use the search box or filters to narrow down the list. |
| 69 | + |
| 70 | +1. Select **Apply**. |
| 71 | + |
| 72 | +1. Select **Run Simulation** |
| 73 | + |
| 74 | + :::image type="content" source="media/traffic-analytics-rule-impact-analyzer/run-simulation.png" alt-text="Screenshot that shows the simulation scope of the Rule Impact Analyzer in the Azure portal."::: |
| 75 | + |
| 76 | +> [!IMPORTANT] |
| 77 | +> Rule impact analysis is performed only on Virtual Networks with Traffic Analytics fully enabled. This ensures the simulation is based on complete and accurate traffic data. The following Virtual Networks are automatically excluded because they can result in incomplete or inaccurate simulation results: |
| 78 | +> - Virtual networks with subnet or NIC‑level flow logs. |
| 79 | +> - Virtual networks with flow log filtering enabled. |
| 80 | +> - AKS‑injected virtual networks. |
| 81 | +
|
| 82 | +### Review results |
| 83 | + |
| 84 | +After running the simulation, you'll see a detailed report that lists all traffic paths and how your rules impact them. |
| 85 | + |
| 86 | +:::image type="content" source="media/traffic-analytics-rule-impact-analyzer/simulation-results.png" alt-text="Screenshot that shows the simulation results of the Rule Impact Analyzer in the Azure portal." lightbox="media/traffic-analytics-rule-impact-analyzer/simulation-results.png"::: |
| 87 | + |
| 88 | +In the **Impact** column of the simulation results, you can find one of these states: |
| 89 | + |
| 90 | +- **Impacted:** Paths where at least one simulated rule changes traffic behavior. |
| 91 | + |
| 92 | +- **Not Impacted:** Paths unaffected by the simulated rules. |
| 93 | + |
| 94 | +- **Indeterminate:** Paths where the simulation couldn't compute a result (for example, log analytics workspace doesn't exist for traffic analytics, access to the workspace is denied, or required data or configuration is missing). |
| 95 | + |
| 96 | +You can use **Resource Impact** tab to list all impacted virtual networks (when you have multiple virtual networks selected for the simulation). |
| 97 | + |
| 98 | +For impacted virtual networks, the report identifies the **impacting rule**, its **priority**, and the **number of flows breaking**, to help you assess the severity of the change. Use **View Query** to inspect the underlying query and validate the result before deploying the rules. |
| 99 | + |
| 100 | +## Related content |
| 101 | + |
| 102 | +- [Traffic Analytics overview](traffic-analytics.md) |
| 103 | + |
| 104 | +- [Create a security admin rule using network groups](../virtual-network-manager/how-to-create-security-admin-rule-network-group.md) |
| 105 | + |
| 106 | +- [View configurations applied by Azure Virtual Network Manager](../virtual-network-manager/how-to-view-applied-configurations.md) |
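Review bot: the **Rule Configuration** table lists **Security Admin Configuration** twice (hunk lines 53 and 56), both scoped to the *Network Manager* type with near-identical descriptions; drop the second row, `| Security Admin Configuration | Select the security admin configuration containing the rule collection to analyze. ... |`, so each setting appears once and the rows follow the portal's order (Network Manager, Security Admin Configuration, Rule Collection, Rules). Smaller points in the same hunk: `1. Select **Run Simulation**` is missing its closing period; "the impact of your proposed rules changes" should read "rule changes"; and "You can use **Resource Impact** tab" needs "the". In the **Review results** section, "**number of flows breaking**" is presented as the severity indicator but never defined; a short clause saying what a breaking flow is (for example, a flow whose allow or deny outcome changes under the simulated rule, if that is the intended meaning) would make the metric usable.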