Diagnostics Azure NSG Flow Logs in Azure Network Watcher:
Azure Network Security Group (Azure NSG) flow logs allow you to analyze ingress and egress IP traffic through Network Security Groups in Azure, and provide detailed information about the traffic flow. This helps in monitoring and securing your Azure network resources.
Does Azure NSG flow logs support Storage accounts (classic)?
Azure NSG flow logs do not support storage accounts (classic). NSG flow logs only support storage accounts that are based on Azure Resource Manager (ARM), also known as v2 storage accounts. Classic storage accounts are based on the Azure Service Management (ASM) model, which is being phased out in favor of the more recent ARM model. If you want to use NSG flow logs, you will need to migrate your classic storage accounts to ARM storage accounts.
Steps to Enable Azure NSG Flow Logs:
Network Watcher >> From Menu >> Under Logs >> Select NSG Flow Logs >> Click on Create Network Flow Log
Project Details >> Select Subscription >> Select Network Security Group >> Flow Log Name will be auto generated
Instance Details >> Location >> Select Subscription >> Select Storage Account >> Provide Retention Days
Version 1 logs ingress and egress IP traffic flows for both allowed and denied traffic. Version 2 provides additional throughput information (bytes and packets) per flow
Configuration Details -
Traffic Analytics - Traffic Analytics provides rich analytics and visualization derived from NSG flow logs and other Azure resources' data. Drill through geo-map, easily figure out traffic hotspots and get insights into optimization possibilities.
Check Enable Traffic Analytics >> Select Traffic Analytics processing interval >> Every 10 min or Every 1 hour
Select Log Analytics Work Space
Tags are name/value pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple resources and resource groups.
Provide Required Tags
Click on Review + create for Validation.
Diagnostic Flow Logs - Diagnostic settings are used to configure streaming export of platform logs and metrics for a resource to the destination of your choice. You may create up to five different diagnostic settings to send different logs and metrics to independent destinations.
Select Subscription >> Select Resource Group >> Select Resource Type >> Select Resource
Select Resource >> Click 'Add Diagnostic setting' to configure the collection of the following data: AllMetrics
A diagnostic setting specifies a list of categories of platform logs and/or metrics that you want to collect from a resource, and one or more destinations that you would stream them to. Normal usage charges for the destination will occur.
Add Diagnostic setting name >> Under Category details >> metrics >> Select Check Metrics
Under Destination details >> Select Send to Log Analytics workspace >> Select Subscription and Workspace.
Click on Save.
NSG Diagnostic Settings: are the list of Resource logging settings available to be configured on a Network Security Group (NSG). Resource logging is enabled separately for each NSG resource you want to collect diagnostic data for. When you enable diagnostic data on a NSG, you can collect the following types of resource log information:
1.) Event: Entries are logged for which NSG rules are applied to VMs, based on MAC address.
2.) Rule counter: Contains entries for how many times each NSG rule is applied to deny or allow traffic. The status for these rules is collected every 60 seconds. Note: Resource logs are only available for NSGs deployed through the Azure Resource Manager deployment model. You cannot enable resource logging for NSGs deployed through the classic deployment model. Reference: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log NSG Flow logs: Network security group (NSG) flow logs is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through an NSG. NSG Flow Logs enable you to log 5-tuple flow information about all traffic through your NSGs (i.e. source IP, source port, destination IP, destination port, protocol). The raw flow logs are written to an Azure Storage account from where they can be further processed, analyzed, queried, or exported as needed. Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview