Note
Access to this page requires authorization. You can try signing in or .
Access to this page requires authorization. You can try .
Analyze security rules using Rule Impact Analyzer in Traffic Analytics
In this article, you learn how to use the rule impact analyzer feature with network groups in the traffic analytics blade of Network Watcher. You can use the Azure portal to create a security admin configuration, add a security admin rule, and simulate the impact of your rule changes before deploying them.
The rules impact analyzer enables you to preview the impact of security admin rules and network security group (NSG) rules before applying them to your environment. This feature helps you validate rule behavior, identify potential conflicts, and ensure that connectivity requirements are met without disrupting live traffic. By understanding the impact of your proposed rules changes, you can confidently plan changes, maintain compliance, and reduce the risk of misconfiguration across your virtual networks.
Prerequisites
An Azure account with an active subscription. Create an account for free.
Traffic analytics enabled for your virtual network flow logs or network security group flow logs. For more information, see Enable traffic analytics on virtual network flow logs or Enable traffic analytics on network security group flow logs.
Required role-based access control (RBAC) permissions. For more information, see Traffic analytics RBAC Permissions.
A network group. For more information, see Create a network group.
Analyze security rules in the Azure portal
Use rule impact analyzer in the Azure portal to analyze your security rules and simulate traffic flow patterns.
Configure simulation scope
In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.
Under Monitoring, select Traffic Analytics.
Select Open Rule Impact Analyzer.
Select Configure Simulation Scope to choose the security rules to simulate traffic flow patterns.
In Rule Configuration, select or enter the following information:
Setting Value Subscription Select your Azure subscription. Type Select Network Manager or Network Security Group. Network Manager Select a network manager. This option is available if you select Network Manager in Type. Security Admin Configuration Select the security admin configuration containing the rule collection that has the rules that you want to analyze. This option is available if you select Network Manager in Type. Rule Collection Select the rule collection containing the rules that you want to analyze. This option is available if you select Network Manager in Type. Rules Select one or more rules to analyze their impact on traffic flows. This option is available if you select Network Manager in Type. Security Admin Configuration Select the security admin configuration containing the rule collection to analyze. This option is available if you select Network Manager in Type. Network Security Group Select the Network Security Group (NSG) containing the rules to analyze. This option is available if you select Network Security Group in Type. NSG Rules Select one or more rules to analyze their impact on traffic flows. This option is available if you select Network Security Group in Type. Select Next.
👁 Screenshot that shows the Rule Configuration page of the Rule Impact Analyzer in the Azure portal.
Select virtual networks
After selecting the rules to analyze, define the scope of the evaluation by choosing the target virtual networks whose traffic data will be used. Only eligible virtual networks are included to ensure the analysis provides an accurate view of end-to-end traffic behavior:
On the virtual networks selection page of Rule Configuration, select one or more virtual networks (up to 500) that show Traffic Analytics Enabled. Use the search box or filters to narrow down the list.
Select Apply.
Select Run Simulation
👁 Screenshot that shows the simulation scope of the Rule Impact Analyzer in the Azure portal.
Important
Rule impact analysis is performed only on Virtual Networks with Traffic Analytics fully enabled. This ensures the simulation is based on complete and accurate traffic data. The following Virtual Networks are automatically excluded because they can result in incomplete or inaccurate simulation results:
- Virtual networks with subnet or NIC‑level flow logs.
- Virtual networks with flow log filtering enabled.
- AKS‑injected virtual networks.
Review results
After running the simulation, you'll see a detailed report that lists all traffic paths and how your rules impact them.
👁 Screenshot that shows the simulation results of the Rule Impact Analyzer in the Azure portal.
In the Impact column of the simulation results, you can find one of these states:
Impacted: Paths where at least one simulated rule changes traffic behavior.
Not Impacted: Paths unaffected by the simulated rules.
Indeterminate: Paths where the simulation couldn't compute a result (for example, log analytics workspace doesn't exist for traffic analytics, access to the workspace is denied, or required data or configuration is missing).
You can use Resource Impact tab to list all impacted virtual networks (when you have multiple virtual networks selected for the simulation).
For impacted virtual networks, the report identifies the impacting rule, its priority, and the number of flows breaking, to help you assess the severity of the change. Use View Query to inspect the underlying query and validate the result before deploying the rules.
Related content
Feedback
Was this page helpful?