Step-by-Step: Capturing Azure Resource Manager (ARM) VNET Gateway Diagnostic Logs

*** UPDATED for Azure PowerShell 2.x and 3.x ***

A while back, I published an article that stepped through capturing diagnostic logs for v1 “Classic” virtual network gateways (aka VNET Gateways or VPN Gateways) on Azure via the Azure Service Management (ASM) API and PowerShell.  Since then, the Azure team has released Azure Resource Manager (ARM) as our new management API along with new V2 virtual networks with an improved provisioning model.

In the article below, I’ve updated my original guidance to reflect the steps for capturing v2 VNET gateway diagnostic logs using Azure PowerShell 2.x and 3.x and Azure Resource Manager.  Note, since the gateway diagnostics API is still handled by Azure Service Management, you’ll see an interesting process outlined below that involves authenticating to both the ARM and ASM API’s from within the same PowerShell session.

You can also download these example PowerShell snippets on GitHub.

# STEP 1: Sign-in to Azure via Azure Resource Manager

Login-AzureRmAccount

# STEP 2: Select Azure Subscription

$subscriptionId =
( Get-AzureRmSubscription |
Out-GridView `
-Title "Select an Azure Subscription ..." `
-PassThru
).SubscriptionId

Select-AzureRmSubscription `
-SubscriptionId $subscriptionId

# STEP 3: If needed, register ARM core resource providers

Register-AzureRmResourceProvider `
-ProviderNamespace Microsoft.Compute

Register-AzureRmResourceProvider `
-ProviderNamespace Microsoft.Storage

Register-AzureRmResourceProvider `
-ProviderNamespace Microsoft.Network

Get-AzureRmResourceProvider |
Select-Object `
-Property ProviderNamespace `
-ExpandProperty ResourceTypes

# STEP 4: Select Azure Resource Group in which existing VNET is provisioned

$rgName =
( Get-AzureRmResourceGroup |
Out-GridView `
-Title "Select an Azure Resource Group ..." `
-PassThru
).ResourceGroupName

# STEP 5: Select Azure VNET gateway on which to start diagnostics logging

$vnetGwName =
( Get-AzureRmVirtualNetworkGateway `
-ResourceGroupName $rgName
).Name |
Out-GridView `
-Title "Select an Azure VNET Gateway ..." `
-PassThru

# STEP 6: Select Azure Storage Account in same Azure datacenter region as selected VNET gateway for which to send logs

$storageAccountName =
( Get-AzureRmStorageAccount `
-ResourceGroupName $rgName
).StorageAccountName |
Out-GridView `
-Title "Select an Azure Storage Account ..." `
-PassThru

# STEP 7: Get Key for Azure Storage Account

$storageAccountKey =
( Get-AzureRmStorageAccountKey `
-Name $storageAccountName `
-ResourceGroupName $rgName
)[0].Value

# STEP 8: Sign-in to Azure via Azure Service Management

Add-AzureAccount

# STEP 9: Select same Azure subscription via Azure Service Management

Select-AzureSubscription `
-SubscriptionId $subscriptionId

# STEP 10: Set Storage Context for storing logs

$storageContext =
New-AzureStorageContext `
-StorageAccountName $storageAccountName `
-StorageAccountKey $storageAccountKey

# STEP 11: Get Gateway ID for VNET Gateway

$vnetGws = Get-AzureVirtualNetworkGateway

$vnetGwId =
( $vnetGws |
? GatewayName -eq $vnetGwName
).GatewayId

# STEP 12: Start Azure VNET Gateway logging

$captureDuration = 60

$storageContainer = "vpnlogs"

Start-AzureVirtualNetworkGatewayDiagnostics  `
-GatewayId $vnetGwId `
-CaptureDurationInSeconds $captureDuration `
-StorageContext $storageContext `
-ContainerName $storageContainer

# STEP 13: Test VNET gateway connection to another server across the tunnel

Test-NetConnection `
-ComputerName 10.0.0.4 `
-CommonTCPPort RDP

# STEP 14: Wait for diagnostics capturing to complete

Sleep -Seconds $captureDuration

# STEP 15: Download VNET gateway diagnostics log

$logUrl =
( Get-AzureVirtualNetworkGatewayDiagnostics `
-GatewayId $vnetGwId
).DiagnosticsUrl

$logContent =
( Invoke-WebRequest `
-Uri $logUrl
).RawContent

$logContent |
Out-File `
-FilePath vpnlog.txt