Azure Virtual Network TAP

Last Updated on May 5, 2025 by Arnav Sharma

Cloud adoption continues to increase, but with it comes a familiar challenge: network visibility. Unlike traditional datacenters, where tapping into traffic was as simple as connecting to a SPAN port or deploying a physical TAP device, the cloud abstracts this visibility away. That's where Azure Virtual Network TAP (Terminal Access Point) steps in.

Currently in Public Preview, Azure's TAP service offers a powerful, agentless way to mirror traffic from VM NICs and stream it in real time to security or performance analytics tools. Whether you're a security architect, operations engineer, or compliance lead, TAP gives you the long-missing full-packet insight, natively within Azure.

What is Azure Virtual Network TAP?

Azure Virtual Network TAP (or vTAP) is essentially a cloud-native traffic mirroring service. It lets you mirror all network traffic (both inbound and outbound) from a VM's network interface (NIC) and send it to a packet collector or network appliance for deeper analysis.

It works much like a SPAN port on a traditional switch, but is designed for the cloud.

Key Highlights:

  • Agentless: No need to install any monitoring agents on your VMs.
  • Zero Performance Impact: Mirrored traffic doesn't count against the source VM's network bandwidth.
  • Supports All VM SKUs: From small test boxes to beefy production workloads.

Why Should You Care?

Imagine this scenario:

You’re running a multi-tier web app in Azure. Users report intermittent slowdowns, but your standard metrics like CPU, memory, NSG flow logs show nothing unusual. You suspect a network-level issue: maybe packet loss, delayed TCP handshakes, or malformed requests.

With TAP, you can mirror the exact traffic from the web and app tier VMs, stream it to a tool like ExtraHop, Gigamon, or Fortinet, and finally see what's happening, down to the packet payload.

Security teams benefit even more. By feeding full-fidelity traffic into a Network Detection and Response (NDR) platform like Corelight or Darktrace, you can detect things like:

  • Command-and-control (C2) beacons
  • Lateral movement attempts
  • Suspicious scanning
  • EDR bypass attempts

How Does It Work?

At a high level, here’s the flow:

  1. You configure TAP on a VM's NIC—this becomes the "source."
  2. Azure duplicates all inbound and outbound traffic.
  3. Traffic is encapsulated using VXLAN (typically on UDP port 4789).
  4. This VXLAN stream is sent to a collector, such as:
    • A VM running an NDR or packet capture tool
    • An Internal Load Balancer (ILB) fronting multiple collector appliances for high availability

💡 Note: The source VM and the destination collector must be in the same Azure region, either in the same VNet or across peered VNets.

Example Use Case: Security Monitoring

Let's say you're securing a healthcare app in Azure that handles patient records (think HIPAA compliance). You deploy Fortinet FortiNDR as your monitoring tool behind an Internal Load Balancer. You configure TAP on the web tier VM NICs, sending mirrored traffic to the ILB.

FortiNDR listens on UDP 4789, decapsulates the VXLAN packets, and inspects the full stream. Now, if malware tries to exfiltrate data over HTTPS, you'll know—even if the endpoint agent misses it.
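To make the "How Does It Work?" flow and the collector side of this use case concrete, here is an added example (not code from the original post or from any vendor appliance) of what a collector listening on UDP 4789 does with each datagram: it strips the VXLAN header, checks the VNI-valid flag, and parses the inner Ethernet/IPv4/L4 headers into a 5-tuple. The sample datagram, VNI, MACs and IPs are constructed for the demonstration; a real collector would feed the result into session tracking or an NDR engine.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

VXLAN_FLAG_VNI_VALID = 0x08   # RFC 7348 "I" bit: the VNI field is valid

@dataclass
class MirroredPacket:
    vni: int
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: int                # inner IPv4 protocol number (6 = TCP, 17 = UDP)
    src_port: Optional[int]
    dst_port: Optional[int]

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def decapsulate(udp_payload: bytes) -> MirroredPacket:
    """Strip the 8-byte VXLAN header and parse the inner Ethernet/IPv4/L4 headers."""
    if len(udp_payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_raw = struct.unpack("!B3x3sx", udp_payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN 'I' flag not set; dropping datagram")
    frame = udp_payload[8:]
    if len(frame) < 34:                       # 14-byte Ethernet + minimal 20-byte IPv4 header
        raise ValueError("truncated inner frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:                   # TAP mirrors IPv4 only, so anything else is unexpected
        raise ValueError(f"unsupported inner EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                  # IPv4 header length in bytes (options included)
    proto = ip[9]
    sport = dport = None
    if proto in (6, 17) and len(ip) >= ihl + 4:   # TCP and UDP both begin with src/dst port
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return MirroredPacket(int.from_bytes(vni_raw, "big"), _mac(frame[6:12]), _mac(frame[:6]),
                          socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), proto, sport, dport)

def build_sample() -> bytes:
    """Constructed datagram (not a real capture): VNI 100 carrying TCP 10.0.1.4:51000 -> 10.0.2.5:443."""
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + (100).to_bytes(3, "big") + b"\x00"
    eth = bytes.fromhex("0022481a2b3c") + bytes.fromhex("0022485d6e7f") + b"\x08\x00"   # dst, src, IPv4
    ip = (b"\x45\x00" + (40).to_bytes(2, "big") + b"\x00\x00\x40\x00" + bytes([64, 6]) + b"\x00\x00"
          + socket.inet_aton("10.0.1.4") + socket.inet_aton("10.0.2.5"))
    return vxlan + eth + ip + struct.pack("!HH", 51000, 443) + b"\x00" * 16
```

In a live collector, `decapsulate()` would be called on every payload returned by `recvfrom()` on a UDP socket bound to port 4789; the non-IPv4 and truncated-frame checks matter because anything else arriving on that port is noise, not mirrored traffic.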

Example Use Case: Performance Troubleshooting

You're running a microservices-based architecture. One of your services has a high error rate, but logs are inconclusive. Using TAP, you mirror traffic from the backend API VM to Netscout's vStream appliance.

The appliance analyzes TCP-level metrics and flags frequent retransmissions and connection resets—pointing to a flaky NIC driver. Problem found. Time to patch.

Deployment Options

Azure TAP can be set up using:

  • Azure Portal: Great for small-scale or testing.
  • Azure CLI: Ideal for scripting and automation.
  • Azure PowerShell: For folks deep in the PowerShell world.
  • ARM templates / REST API: For complete control and Infrastructure-as-Code.

TAP supports cross-subscription monitoring, as long as the subscriptions are under the same Entra ID tenant. It also supports hub-and-spoke topologies, letting you centralize your collectors.

Limitations (It's Still in Preview)

As of May 2025, TAP is in Public Preview, and with that come some gotchas:

  • Region Support: Limited to East Asia, US West Central (with more coming).
  • No IPv6 traffic support
  • Live Migration Disabled: VMs with TAP can't be live migrated.
  • Not compatible with:
    • VMs behind a Basic Load Balancer
    • VMs using Floating IP (DSR)
    • VNets with encryption enabled
  • Brief downtime (~60 sec) may occur when enabling/disabling TAP on a NIC.

These limitations are likely to change as Microsoft moves toward General Availability (GA).

Comparison: Azure TAP vs AWS vs GCP

| Feature              | Azure VNet TAP (Preview)        | AWS VPC Traffic Mirroring | GCP Packet Mirroring       |
|----------------------|---------------------------------|---------------------------|----------------------------|
| Filtering Support    | ❌ No                           | ✅ Yes                    | ✅ Yes                     |
| Performance Impact   | ✅ None (mirror doesn't count)  | ⚠️ Minimal                | ❌ Consumes source egress  |
| Protocol Support     | IPv4 only                       | IPv4 + IPv6               | IPv4 + IPv6                |
| Cross-Region Support | ❌ No                           | ⚠️ Partial via TGW        | ❌ No                      |
| GA Status            | ❌ Public Preview               | ✅ GA                     | ✅ GA                      |

While AWS and GCP currently offer more mature and flexible filtering, Azure stands out with its guaranteed no-performance-impact design—ideal for high-throughput apps.

Partner Integration: Choose Your Tool

TAP doesn't analyze packets itself. That's where Azure's growing ecosystem of validated partner tools comes in. Some highlights:

  • Gigamon GigaVUE: Full packet broker with slicing, masking, and NetFlow export
  • Fortinet: FortiNDR and FortiGate VM
  • Trend Micro Vision One
  • ExtraHop Reveal(x)
  • Corelight NDR
  • Darktrace /Network
  • Bitdefender, Netscout, Arista, eSentire, and more

You can deploy these from the Azure Marketplace and integrate seamlessly.

Final Thoughts: Should You Use TAP?

If you've ever wished you could "just Wireshark it" in Azure—TAP is your answer.

Whether you're:

  • Diagnosing mysterious performance issues
  • Meeting PCI or HIPAA compliance
  • Hunting threats your EDR missed
  • Migrating apps and validating traffic

Azure Virtual Network TAP gives you the power to see every packet, every time. It's not just another checkbox feature—it's the missing piece for deep observability in the cloud.

As the service matures and enters GA, we expect IPv6, filtering, and wider regional support to follow. But even now, TAP offers tremendous value, especially when paired with the right tools.
