Hey, While exploring our VNET flow logs I noticed a recurring entry that's associated with aclID "00000000-0000-0000-0000-000000000000" and rule "PlatformRule". The traffic seems to be originating from Microsoft-owned IPs. The rule and aclID are not part of the rules I created in any of my NSGs nor are they part of the default NSG rules. Unfortunately, I couldn't find any information elaborating on the rule and its purpose.I'm looking for additional info regarding this rule, what traffic does it allow\block, should I expect to see malicious traffic blocked or is it simply traffic from Microsoft's infra? best regards, Yoav

Hi @ Yoav , Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well. We have received the following updates from the product team: Q: The rule and aclID are not part of the rules I created in any of my NSGs nor are they part of the default NSG rules. This is the placeholder value for the Acls which are not customer configured Acls and corresponding rules as platform rules. These are some internal rules configured by various networking components and their functionality. Flows under this acl represent internal flows. Q: I couldn't find any information elaborating on the rule and its purpose. I'm looking for additional info regarding this rule. The product team is actively reviewing the Platform rules behavior in various scenarios and will provide an update in the public document soon. Q: What traffic does it allow\block, should I expect to see malicious traffic blocked or is it simply traffic from Microsoft's infra? This is Microsoft infrastructure traffic only. If above is unclear and/or you are unsure about something add a comment below. Please click ' Accept Answer' and ' upvote' if the above was helpful as this can be beneficial to other community members facing the same issues. Thanks, Sai Prasanna.

Virtual Network Flow Logs: What is the "PlatformRule"

Accepted answer

Sai Prasanna Sinde 2,695 Reputation points Microsoft Vendor

2024-12-02T01:49:19.6966667+00:00

Hi @Yoav,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

We have received the following updates from the product team:

Q: The rule and aclID are not part of the rules I created in any of my NSGs nor are they part of the default NSG rules.

This is the placeholder value for the Acls which are not customer configured Acls and corresponding rules as platform rules.

These are some internal rules configured by various networking components and their functionality. Flows under this acl represent internal flows.

Q: I couldn't find any information elaborating on the rule and its purpose. I'm looking for additional info regarding this rule.

The product team is actively reviewing the Platform rules behavior in various scenarios and will provide an update in the public document soon.

Q: What traffic does it allow\block, should I expect to see malicious traffic blocked or is it simply traffic from Microsoft's infra?

This is Microsoft infrastructure traffic only.

If above is unclear and/or you are unsure about something add a comment below.

Please click 'Accept Answer' and 'upvote' if the above was helpful as this can be beneficial to other community members facing the same issues.

Thanks,

Sai Prasanna.
Please sign in to rate this answer.
Yoav 20 Reputation points

2024-12-02T09:20:52.5033333+00:00

hey @Sai Prasanna Sinde

thank you very much, this is helpful

I'm mainly interested in this for security investigation purposes so it'd be helpful to understand the logic behind this, i.e. what infra is communicating with my env and for what purposes (health checks\updates\other), should I expect to see specific traffic patterns (ports, IPs, certain time in the day), etc.
for example, I believe I only observed communication originating from port 23456, should I expect to see traffic originating from other ports as well?

best regards,

Yoav

Sai Prasanna Sinde 2,695 Reputation points Microsoft Vendor

2024-12-03T09:40:13.87+00:00

Hi @Yoav,

Glad we could be of help.

The above requested information regarding the 'flow logs' will be updated soon in the documentation.

The product team is also reviewing the Platform rules behavior in various scenarios.

Every other malicious flow IDs will be logged, and you can use them for further investigation. However, you can ignore the flows with aclID 00000000-0000-0000-0000-000000000000. Also, the traffic doesn't depend upon the ports.

NOTE: We will request the product team to update the documents as early as possible.

If above is unclear and/or you are unsure about something add a comment below.

Thanks,

Sai.

Yoav 20 Reputation points

2024-12-03T11:28:28.9933333+00:00

thanks @Sai Prasanna Sinde

the document will be very helpful

I appreciate the help

Yoav 20 Reputation points

2025-01-05T12:24:27.52+00:00

hi @Sai Prasanna Sinde

any update on the documentation?

thank,

Yoav

Sai Prasanna Sinde 2,695 Reputation points Microsoft Vendor

2025-01-06T17:07:53.7533333+00:00

Hi @Yoav,

We have updated the product team, and they are working on it.

Azure updates can be found on the Azure updates

Meanwhile please add a filter as shown in below diagram, once this document is released, it will be updated here, and you will be able to notify.
Thanks, Sai.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Virtual Network Flow Logs: What is the "PlatformRule"

0 additional answers

Your answer