{
	"id": "3a3cef0c-3760-4800-98a8-e7b25ad8d4cd",
	"created_at": "2026-04-06T00:18:19.145371Z",
	"updated_at": "2026-04-10T03:22:04.10952Z",
	"deleted_at": null,
	"sha1_hash": "3734e49582d0d336df04dd41230e524e63f10d51",
	"title": "Azure virtual network TAP overview",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 248723,
	"plain_text": "Azure virtual network TAP overview\r\nBy AvirupCha\r\nArchived: 2026-04-05 13:11:47 UTC\r\nAzure virtual network TAP (Terminal Access Point) allows you to continuously stream your virtual machine\r\nnetwork traffic to a network packet collector or analytics tool. The collector or analytics tool is provided by a\r\nnetwork virtual appliance partner. For a list of partner solutions that are validated to work with virtual network\r\nTAP, see partner solutions.\r\nImportant\r\nVirtual network TAP is now in public preview in select Azure regions. For more information, see the Supported\r\nRegion section in this article.\r\nThe following diagram shows how virtual network TAP works. You can add a TAP configuration on a network\r\ninterface that is attached to a virtual machine deployed in your virtual network. The destination is a virtual\r\nnetwork IP address in the same virtual network as the monitored network interface or a peered virtual network.\r\nThe collector solution for virtual network TAP can be deployed behind an Azure Internal Load balancer for high\r\navailability.\r\nhttps://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview\r\nPage 1 of 4\n\nPrerequisites\r\nYou must have one or more virtual machines created with Azure Resource Manager, and a partner solution for\r\naggregating the TAP traffic in the same Azure region. If you don't have a partner solution in your virtual network,\r\nsee partner solutions to deploy one.\r\nYou can use the same virtual network TAP resource to aggregate traffic from multiple network interfaces in the\r\nsame or different subscriptions. If the monitored network interfaces are in different subscriptions, the\r\nhttps://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview\r\nPage 2 of 4\n\nsubscriptions must be associated to the same Microsoft Entra tenant. Additionally, the monitored network\r\ninterfaces, and the destination endpoint for aggregating the TAP traffic can be in peered virtual networks in the\r\nsame region. If you're using this deployment model, ensure that the virtual network peering is enabled before you\r\nconfigure virtual network TAP.\r\nPermissions\r\nThe accounts you use to apply TAP configuration on network interfaces must be assigned to the network\r\ncontributor role or a custom role that is assigned as the necessary actions from the following table:\r\nAction Name\r\nMicrosoft.Network/virtualNetworkTaps/*\r\nRequired to create, update, read, and delete a virtual network\r\nTAP resource\r\nMicrosoft.Network/networkInterfaces/read\r\nRequired to read the network interface resource on which the\r\nTAP is configured\r\nMicrosoft.Network/tapConfigurations/*\r\nRequired to create, update, read, and delete the TAP\r\nconfiguration on a network interface\r\nPublic preview limitations\r\nPlease note, limitations tagged with [Temporary] will be resolved at GA.\r\nAdding a source:\r\nVirtual network TAP only supports virtual machine's (VM) network interface as a mirroring source.\r\n[Temporary] v6 VM SKU aren't supported as a source.\r\n[Temporary] Before adding a VM as a source, you must first deploy a virtual network TAP resource and\r\nthen STOP (deallocate) and START the source VM. This is required only once for any VM that will be\r\nadded as a source. If not done, you will get an error stating the NIC is not on fastpath.\r\nOther Limitations\r\nVirtual network TAP supports Load Balancer or VM's network interface as a destination resource for\r\nmirrored traffic.\r\n[Temporary] Virtual network doesn't support Live Migration. Live Migration will be disabled for VMs set\r\nas a source.\r\n[Temporary] VMs behind a Standard Load Balancer with Floating IP enabled can't be set as a mirroring\r\nsource.\r\nVMs behind Basic Load Balancer can't be set as a mirroring source. Basic Load Balancer is being\r\ndeprecated.\r\nVirtual network doesn't support mirroring of inbound Private Link Service traffic.\r\nVMs in a virtual network with encryption enabled can't be set as mirroring source.\r\nhttps://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview\r\nPage 3 of 4\n\nVirtual network TAP doesn't support IPv6.\r\n[Temporary] When a VM is added or removed as a source, the VM might experience network downtime\r\n(up to 60 seconds).\r\nSupported Regions\r\nAsia East\r\nUS West Central\r\nUK South\r\nUS East\r\nIndia Central\r\nGermany West Central\r\nUS Central\r\nComing soon\r\nAustralia East\r\nKorean Central\r\nCanada Central\r\nVirtual network TAP partner solutions\r\nNetwork packet brokers\r\nSecurity analytics, network/application performance management\r\nNext Steps\r\nLearn how to Create a virtual network TAP using CLI or the Azure portal.\r\nSource: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview\r\nhttps://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview"
	],
	"report_names": [
		"virtual-network-tap-overview"
	],
	"threat_actors": [],
	"ts_created_at": 1775434699,
	"ts_updated_at": 1775791324,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3734e49582d0d336df04dd41230e524e63f10d51.pdf",
		"text": "https://archive.orkl.eu/3734e49582d0d336df04dd41230e524e63f10d51.txt",
		"img": "https://archive.orkl.eu/3734e49582d0d336df04dd41230e524e63f10d51.jpg"
	}
}