March 12, 2026 / Blog ENG

Azure Virtual Network TAP (vTAP): packet visibility in Azure, without touching the workload

Blog ENG - MS Azure - Post 3 2026

There’s a familiar cloud troubleshooting moment: dashboards look fine, flow logs show nothing suspicious, but users still report “random” slowness or odd behavior. In a traditional datacenter you’d mirror traffic with a SPAN port or a physical TAP and look at the packets. In Azure, Virtual Network TAP (vTAP) brings that same idea into the platform: it streams a copy of a VM’s network traffic to a packet collector or analytics tool, continuously and out-of-band.

What vTAP does
vTAP mirrors all traffic to/from a VM NIC and sends it to a destination collector (often an NVA partner tool) for deep inspection and analytics.

Unlike VNet flow logs (metadata), vTAP can provide full packet copies (including payload), which is exactly what you need for real root-cause analysis and threat investigations.

Architecture at a glance

Here’s how to “read” it:

  • Source: you apply a TAP configuration to a VM network interface (NIC).
  • Destination: mirrored traffic is delivered to a destination IP in the same VNet or in a peered VNet (same region).
  • Scaling/HA: the collector can sit behind an Azure Internal Load Balancer so you can add/remove collectors without changing the TAP destination.
  • Destination types: vTAP supports a Load Balancer or a VM NIC as the destination resource.

Prerequisites you should plan for
To use vTAP, you need one or more ARM-based VMs and a collector/analytics solution in the same Azure region.
You can aggregate traffic from multiple NICs, even across different subscriptions, as long as those subscriptions are associated with the same Microsoft Entra tenant.
If source and destination are in different VNets, VNet peering must be enabled first (and everything remains in-region).

Permissions (so you don’t get blocked at the worst time)
The identity configuring vTAP needs at least Network Contributor (or a custom role) with permissions to manage virtualNetworkTaps, read networkInterfaces, and manage tapConfigurations.

Preview notes and practical constraints (read before production)
vTAP is in public preview in select regions, and some limitations are marked as temporary until GA.
Key constraints called out in the official overview include:

  • Only VM NICs can be used as mirroring sources.
  • You may need to STOP (deallocate) and START a source VM once before adding it as a source, otherwise you can hit a “fastpath” error (temporary preview requirement).
  • Live Migration isn’t supported for VMs set as a source (preview behavior).
  • Some Load Balancer scenarios prevent VMs from being sources (e.g., Basic LB; some Standard LB configurations).
  • vTAP doesn’t support IPv6, and it also doesn’t mirror certain inbound Private Link Service traffic; encrypted VNets can also block source eligibility.
  • Adding/removing a source VM can cause up to 60 seconds of network downtime.

Where vTAP shines

  • Threat hunting and NDR tooling: packet payload visibility helps detect and investigate network-based attacks and suspicious patterns.
  • Hard troubleshooting: when metrics aren’t enough, packets show retransmissions, handshake issues, and application behavior.
  • Out-of-band monitoring: vTAP is designed to be agentless and out-of-band, so production traffic doesn’t need to be re-routed just to be observed.

Final thoughts
If you’ve ever missed the simplicity of a datacenter SPAN/TAP during a cloud incident, vTAP feels like getting that superpower back, this time as a native Azure capability. It won’t replace every telemetry signal, but when you need ground truth, nothing beats the packets.

CategoriesBlog ENG

TagsAzure Cloud Networking