Latest commit: 79629cf · Dec 9, 2021

History

History
72 lines (48 loc) · 4.2 KB

network-watcher-nsg-flow-logging-cli.md

File metadata and controls

72 lines (48 loc) · 4.2 KB
---
title: Manage NSG Flow logs - Azure CLI
titleSuffix: Azure Network Watcher
description: This page explains how to manage Network Security Group Flow logs in Azure Network Watcher with Azure CLI
services: network-watcher
author: damendo
ms.service: network-watcher
ms.topic: how-to
ms.workload: infrastructure-services
ms.date: 01/07/2021
ms.author: damendo
---

# Configuring Network Security Group Flow logs with Azure CLI


Network Security Group flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through a Network Security Group. These flow logs are written in JSON format and show outbound and inbound flows on a per-rule basis, the NIC the flow applies to, 5-tuple information about the flow (source/destination IP, source/destination port, protocol), and whether the traffic was allowed or denied.

To perform the steps in this article, you need to install the Azure CLI for Windows, Linux, or macOS. The detailed specification of all flow log commands can be found here.

## Register Insights provider

In order for flow logging to work successfully, the Microsoft.Insights provider must be registered. If you are not sure whether the Microsoft.Insights provider is registered, run the following command:

```azurecli
az provider register --namespace Microsoft.Insights
```

## Enable Network Security Group Flow logs

The command to enable flow logs is shown in the following example. The second form additionally sets the log format and selects version 2 of the flow log schema:

```azurecli
az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location
# Configure the log format and flow log version explicitly
az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location --format JSON --log-version 2
```

The storage account that you specify cannot have network rules configured for it that restrict network access to only Microsoft services or specific virtual networks. The storage account can be in the same Azure subscription as the NSG that you enable the flow log for, or in a different one. If you use different subscriptions, they must both be associated with the same Azure Active Directory tenant. The account you use for each subscription must have the necessary permissions.

If the storage account is in a different resource group, or subscription, than the network security group, specify the full ID of the storage account, rather than its name. For example, if the storage account is in a resource group named RG-Storage, rather than specifying storageAccountName in the previous command, you'd specify /subscriptions/{SubscriptionID}/resourceGroups/RG-Storage/providers/Microsoft.Storage/storageAccounts/storageAccountName.

## Disable Network Security Group Flow logs

Use the following example to disable flow logs:

```azurecli
az network watcher flow-log configure --resource-group resourceGroupName --enabled false --nsg nsgName
```

## Download a Flow log

The storage location of a flow log is defined at creation. A convenient tool to access flow logs saved to a storage account is Microsoft Azure Storage Explorer, which can be downloaded here: https://storageexplorer.com/

If a storage account is specified, flow log files are saved to that storage account at the following location (one PT1H.json blob per NSG, hour and NIC MAC address):

```text
https://{storageAccountName}.blob.core.windows.net/insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/{subscriptionID}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{nsgName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json
```
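A parser for the downloaded PT1H.json blobs and their path, added here as an example that is not part of the original article or of the Azure CLI: it recovers the NSG, hour bucket and NIC MAC from the blob path shown above and counts denied inbound flows per rule. The sample blob URL and log record are constructed; the record layout and the version 2 tuple field order are assumed from the published flow log schema, which this page does not reproduce.

```python
import json
import re
from collections import Counter

# Constructed blob URL following the storage path shown above (placeholder subscription id).
SAMPLE_BLOB_URL = (
    "https://mystorage.blob.core.windows.net/insights-logs-networksecuritygroupflowevent/"
    "resourceId=/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-WEB/"
    "PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB/y=2021/m=01/d=07/h=10/m=00/"
    "macAddress=000D3AF87856/PT1H.json")

# Constructed PT1H.json content. The record layout (records -> properties.flows -> rule -> mac,
# flowTuples) and version 2 tuple order are assumed from the published schema, not from this page.
SAMPLE_PT1H = json.dumps({"records": [{
    "time": "2021-01-07T10:00:00.0000000Z", "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1610013600,203.0.113.10,10.0.0.4,51234,22,T,I,D,B,,,,",
            "1610013601,203.0.113.11,10.0.0.4,51235,3389,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHTTPS", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1610013602,198.51.100.7,10.0.0.4,44000,443,T,I,A,B,,,,"]}]}]}}]})

BLOB_PATH_RE = re.compile(
    r"/NETWORKSECURITYGROUPS/(?P<nsg>[^/]+)/y=(?P<year>\d{4})/m=(?P<month>\d{2})/d=(?P<day>\d{2})"
    r"/h=(?P<hour>\d{2})/m=00/macAddress=(?P<mac>[0-9A-Fa-f]{12})/PT1H\.json$")
TUPLE_FIELDS = ("time", "src_ip", "dst_ip", "src_port", "dst_port", "protocol", "direction", "decision")

def parse_blob_path(url):
    """Recover NSG name, hour bucket and NIC MAC from a flow log blob path."""
    m = BLOB_PATH_RE.search(url)
    if m is None:
        raise ValueError("not an NSG flow log blob path: " + url)
    return m.groupdict()

def iter_flows(pt1h_text):
    """Yield a dict per tuple (time, 5-tuple, direction I/O, decision A/D) tagged with rule and MAC."""
    for rec in json.loads(pt1h_text)["records"]:
        if rec.get("category") != "NetworkSecurityGroupFlowEvent":
            continue  # a shared container may hold other diagnostic categories
        for rule in rec["properties"]["flows"]:
            for nic in rule["flows"]:
                for tup in nic["flowTuples"]:
                    flow = dict(zip(TUPLE_FIELDS, tup.split(",")[:8]))
                    flow.update(rule=rule["rule"], mac=nic["mac"])
                    yield flow

def denied_inbound_by_rule(pt1h_text):
    """Count denied inbound flows per rule: a first triage view of what the NSG is blocking."""
    return Counter(f["rule"] for f in iter_flows(pt1h_text)
                   if f["direction"] == "I" and f["decision"] == "D")
```

Run it against a real blob downloaded with Storage Explorer by passing the file contents to `denied_inbound_by_rule`; the per-rule counts show which default or custom rules are absorbing unsolicited inbound traffic.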

## Next Steps

Learn how to Visualize your NSG flow logs with PowerBI

Learn how to Visualize your NSG flow logs with open source tools