Azure Virtual network (VNet) Flow Log Setup

Netography Fusion ingests Virtual network (VNet) flow logs from Azure via an Azure Storage account. The steps to integrate with Azure are:

  1. Register the Microsoft.Insights provider (once in each Azure subscription containing virtual networks you are onboarding).
  2. Create a storage account in Azure (one per region that contains virtual networks you are onboarding).
  3. Create a flow log for the virtual network in Azure (one for each virtual network you are onboarding).
  4. In Fusion, add Azure VNet as a new flow source (one for each virtual network you are onboarding).

In addition to ingesting VNet flow logs, you may want to enrich them with context from Azure resources by adding the Microsoft Azure context integration.


Using Terraform to automate onboarding

Access Netography's Terraform automation at our GitHub repo: https://github.com/netography/neto-onboarding. For access to the repo, email your GitHub ID to [email protected].

The instructions linked from this page are suitable for onboarding one or a small number of cloud accounts manually or using as a reference for building automation for larger scale deployment. In addition to these instructions, Netography provides a Terraform project, neto-onboard, that provides Netography Fusion Cloud Onboarding Automation for AWS Organizations, Azure Tenants, and GCP Organizations.

Each cloud has 2 Terraform deployment options - full and simple.

The simple deployment deploys all the resources needed to integrate the cloud with Fusion and perform context enrichment in a single deployment. You specify a target set of accounts/subscriptions/projects at deployment time, and redeploy the automation to change the scope of monitoring or to onboard new accounts or networks. This is suitable for a trial, or for a relatively static cloud environment with a limited number of accounts and networks.

The full deployment provides the following:

  • Enables and configures AWS VPC flow logs, Azure VNet flow logs, and GCP VPC flow logs based on a simple policy and tags that define which VPCs/VNets are in scope.
  • Deploys all the infrastructure required to integrate with Fusion across multiple accounts (AWS), subscriptions (Azure), and projects (GCP) in a single deployment.
  • Adds VPCs/VNets configured for flow logging to Netography Fusion as traffic sources.
  • Deploys a single AWS Lambda function, Azure Function, or Google Cloud Function that provides context enrichment across all accounts/subscriptions/projects as an outbound push from your cloud to the Fusion API. This eliminates the need to add context integrations from the Fusion portal, to grant Netography permissions to enumerate resource properties directly, or to add an individual context integration in Fusion for each cloud account.
  • Monitors for VPC/VNet changes and triggers enabling and configuring flow logs, onboarding new in-scope VPCs/VNets to Fusion, and offboarding VPCs/VNets that are removed or no longer in scope.

Prerequisites

  • Access to the Azure subscription(s) to onboard with an Owner or Contributor role, or a custom role with the specific permissions required for each step.
    • Registering the Microsoft.Insights provider requires the Microsoft.Insights/register/action permission. It is included in the Owner and Contributor roles.
    • Creating flow logs for a virtual network requires the Microsoft.Network/networkWatchers/configureFlowLog/action permission. It is included in the Owner, Contributor, and Network Contributor roles.
    • Creating a storage account requires the Microsoft.Storage/storageAccounts/* permission. It is included in the Owner, Contributor, and Storage Account Contributor roles.
  • Azure Network Watcher must be enabled in each subscription and region for which virtual network flow logs are enabled. This is enabled by default in Azure, but if you previously opted out of Network Watcher automatic enablement, you must manually enable Network Watcher in each subscription and region containing virtual networks you are onboarding to Fusion. See Enable or Disable Azure Network Watcher.
  • If Azure Policy is in use, you may be restricted from performing these steps, even if you have the Azure Global Administrator role. If this is the case, Azure returns a RequestDisallowedByPolicy error. See Resolve errors for request disallowed by policy.

Microsoft Azure Instructions

1. Register Microsoft Insights Provider

You can skip this step if VNet flow logs are already enabled or if the Microsoft.Insights provider is already registered in the Azure subscription.

The Microsoft.Insights provider must be registered in the virtual network's Azure subscription. You only need to perform this action once for each subscription containing virtual networks being monitored.

Follow these steps to register the Microsoft.Insights provider: Microsoft Register Insights provider page.

Azure Console Steps

  1. Enter subscriptions in the search box at the top of Azure Console and select Subscriptions from the results.
  2. In the Subscriptions list, select the Azure subscription that you wish to enable the provider for.
  3. Under Settings, select Resource providers.
  4. Enter insight in the filter box.
  5. Confirm the status of the Microsoft.Insights provider displayed is Registered. If the status is NotRegistered, select the Microsoft.Insights provider then select Register.

2. Create a Storage Account for each region

If you are using the Azure Console to perform these steps, you can create a new storage account while creating the flow logs in the next step and skip this step.

Azure writes flow logs to an Azure storage account, and Fusion reads flow logs from the Azure storage account. Create a storage account for each region that contains virtual networks you are onboarding.

If you are onboarding multiple subscriptions in a single Azure tenant, you can have 1 set of storage accounts per region in a single centralized logging subscription and direct the flow logs from any subscription in the tenant to the corresponding storage account for that region.

Storage Account Configuration

  • Subscription: The same subscription as the virtual network, or a subscription in the same Azure tenant
  • Resource Group: Any existing resource group, or create a new one (e.g. rg_neto_logging)
  • Storage Account Name: Any globally unique name of 3 to 24 lowercase letters and digits (e.g. stnetovnetlogswestus)
  • Region: The same region as the virtual network(s)
  • Performance Tier: Standard
  • Redundancy: Locally-redundant storage (LRS)

All other settings can use Azure's default configuration. The Advanced > Security > Enable storage account key access setting must remain at its default, True, for Azure Network Watcher to write flow logs to the storage account and for Fusion to read flow logs from it.


Restricting Azure Storage Account access to Netography's allowed IPs

The Advanced > Networking > Network access setting for a storage account in Azure has a default value of Enable public access from all networks. This setting allows any IP to attempt to authenticate to the storage account with an access key; it does not allow unauthenticated access.

To further secure the storage account, restrict access to only the Netography Fusion poller IPs required to read the flow logs. The IPs to allow are listed in the Netography Fusion portal under Settings > Account Overview > System Allow Lists > Pollers.

Add storage firewall IP rules that allow only these IPs (IP rules, not virtual network rules, since the pollers reach the account from public addresses), and grant access to the trusted Azure service Microsoft.Network so that Azure Network Watcher can still write flow logs to the account. See: Configure Azure Storage firewalls and virtual networks > Grant access from an internet IP range, and > Grant access to trusted Azure services.

3. Create a Flow Log for each Virtual network

You can skip this step if VNet flow logs are already enabled.

Follow these steps using the configuration settings below: Create a flow log section of the Manage VNet flow logs page.

Flow Log Configuration

  • Project details
    • Subscription: Select the Azure subscription of the virtual network you want to log
    • Flow Log Type: Select Virtual Network, then select the virtual networks
    • Flow Log Name: You can use the default name, {ResourceName}-{ResourceGroupName}-flowlog, or enter your own
  • Instance details
    • Subscription: Select the Azure subscription of the storage account to write flow logs to
    • Storage Accounts: Select the storage account that you want to write flow logs to. If you skipped step 2 above, select Create a new storage account.
    • Retention (days): 1

You can adjust the retention period to retain logs within the Azure storage account based on your organization's requirements.

Azure Console Steps

  1. In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.
  2. Under Logs, select Flow logs.
  3. In Network Watcher | Flow logs, select + Create (or the Create flow log button).
  4. On the Basics tab of Create a flow log, enter the values from the Flow Log Configuration table above.
  5. Select Review + create.
  6. Review the settings, and then select Create.

For more information related to managing VNet Flow Logs in Azure, refer to Microsoft's Create, change, enable, disable, or delete virtual network flow logs using the Azure portal article.
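The three Azure steps above (register the provider, create the per-region storage account, create the flow log), together with the storage firewall hardening from the callout in step 2, as one Azure CLI script. This is an added example, not Netography's or Microsoft's code. The resource names rg_neto_logging, stnetovnetlogswestus and FlowLog_vnet2, the placeholder poller addresses in POLLER_IPS, and the NetworkWatcherRG resource group used for Network Watcher are assumptions; replace them with your own values and take the poller IPs from the Fusion portal as described above. Only VNET_ID, the full resource ID of the virtual network, is required. The small helper functions also encode two rules a practitioner trips over: Azure's storage account naming constraints, and splitting the Network Watcher "Name" column into the two fields Fusion asks for in step 4.

```shell
#!/usr/bin/env bash
# Added example, not Netography's or Microsoft's code: Azure CLI version of
# steps 1-3 for one virtual network. Run after "az login" with the subscription
# containing the VNet selected. Everything except VNET_ID has an assumed default.
set -eu

# Azure storage account names: 3-24 characters, lowercase letters and digits only
# (so a name like st_neto_vnetlogs_westus is rejected by Azure).
sa_name_ok() {
  case "$1" in
    *[!a-z0-9]*) return 1 ;;
  esac
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 24 ]
}

# Azure resource IDs look like /subscriptions/<sub>/resourceGroups/<rg>/providers/...
vnet_subscription_id() { s="${1#/subscriptions/}"; printf '%s\n' "${s%%/*}"; }
vnet_resource_group()  { s="${1#*/resourceGroups/}"; printf '%s\n' "${s%%/*}"; }

# The Network Watcher "Name" column reads "FlowLog_vnet2 (NetworkWatcher_eastus)";
# Fusion wants the two parts as separate fields.
flow_log_name()        { printf '%s\n' "${1%% \(*}"; }
network_watcher_name() { s="${1##*\(}"; printf '%s\n' "${s%\)}"; }

main() {
  : "${VNET_ID:?set VNET_ID to the full resource ID of the virtual network}"
  LOG_RG="${LOG_RG:-rg_neto_logging}"                    # assumed name
  SA_NAME="${SA_NAME:-stnetovnetlogswestus}"             # assumed name
  FLOW_LOG_NAME="${FLOW_LOG_NAME:-FlowLog_vnet2}"        # assumed name
  RETENTION_DAYS="${RETENTION_DAYS:-1}"
  POLLER_IPS="${POLLER_IPS:-203.0.113.10 203.0.113.11}"  # placeholders: use the Fusion portal list
  WATCHER_RG="${WATCHER_RG:-NetworkWatcherRG}"           # Azure's default Network Watcher resource group

  sa_name_ok "$SA_NAME" || { echo "invalid storage account name: $SA_NAME" >&2; exit 1; }

  # The storage account must be in the VNet's region, so take the region from the VNet.
  LOCATION=$(az network vnet show --ids "$VNET_ID" --query location -o tsv)
  SUB_ID=$(vnet_subscription_id "$VNET_ID")
  VNET_RG=$(vnet_resource_group "$VNET_ID")

  # Step 1: register Microsoft.Insights once per subscription.
  if [ "$(az provider show --namespace Microsoft.Insights --query registrationState -o tsv)" != "Registered" ]; then
    az provider register --namespace Microsoft.Insights --wait
  fi

  # Prerequisite: Network Watcher must be enabled in the VNet's region.
  if [ -z "$(az network watcher list --query "[?location=='$LOCATION'].name" -o tsv)" ]; then
    az network watcher configure --locations "$LOCATION" --enabled true --resource-group "$WATCHER_RG" -o none
  fi

  # Step 2: the per-region storage account. Shared-key access stays enabled because
  # Network Watcher writes, and the Fusion poller reads, with an access key.
  az group create --name "$LOG_RG" --location "$LOCATION" -o none
  az storage account create --name "$SA_NAME" --resource-group "$LOG_RG" \
    --location "$LOCATION" --sku Standard_LRS --kind StorageV2 \
    --allow-shared-key-access true -o none
  SA_ID=$(az storage account show --name "$SA_NAME" --resource-group "$LOG_RG" --query id -o tsv)

  # Hardening from the callout: deny by default, keep the trusted Azure services
  # exception so Network Watcher can still write, and allow only the poller IPs.
  az storage account update --name "$SA_NAME" --resource-group "$LOG_RG" \
    --default-action Deny --bypass AzureServices -o none
  for ip in $POLLER_IPS; do
    az storage account network-rule add --account-name "$SA_NAME" \
      --resource-group "$LOG_RG" --ip-address "$ip" -o none
  done

  # Step 3: the flow log. --location selects the Network Watcher for that region;
  # full resource IDs let the VNet and storage account live in different groups.
  az network watcher flow-log create --name "$FLOW_LOG_NAME" --location "$LOCATION" \
    --resource-group "$VNET_RG" --vnet "$VNET_ID" --storage-account "$SA_ID" \
    --retention "$RETENTION_DAYS" --enabled true -o none

  # The values step 4 asks for in the Fusion "Add Traffic Source" form.
  WATCHER=$(az network watcher list --query "[?location=='$LOCATION'].name | [0]" -o tsv)
  KEY=$(az storage account keys list --account-name "$SA_NAME" --resource-group "$LOG_RG" --query '[0].value' -o tsv)
  printf 'Region: %s\nContainer Name: insights-logs-flowlogflowevent\nSubscription ID: %s\n' "$LOCATION" "$SUB_ID"
  printf 'Resource Group: %s\nNetwork Watcher: %s\nFlow Log: %s\n' "$VNET_RG" "$WATCHER" "$FLOW_LOG_NAME"
  printf 'Account Name: %s\nAccount Key: %s\n' "$SA_NAME" "$KEY"
}

# Only run when VNET_ID is given, so the helper functions can be sourced on their own.
if [ -n "${VNET_ID:-}" ]; then main; fi
```

Run it as `VNET_ID=/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet> bash onboard_vnet.sh`. The last line it prints is a storage account key, which is the credential Fusion will use to read the logs, so treat that output like a password: paste it straight into the Fusion form and do not leave it in shell history, tickets or chat. Because the account key is all a reader needs, the firewall rules are what keep a leaked key from being usable from anywhere on the internet.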

Netography Fusion Instructions

4. Add a new Azure VNet flow source to Fusion

In the Fusion portal, click the gear icon to go to Settings, navigate to Traffic Sources, click Add Traffic Source, select Azure VNet, and fill out the form using the configuration below.

Azure VNet Flow Source Configuration

The following fields are specific to the Azure VNet configuration.

All of these field values can be located in the Azure Portal by going to Network Watcher, expanding the Logs section, selecting Flow Logs, and finding the row in the table for the flow log you are adding. The value to use is either directly visible in the table, or can be found by following the links noted in the table below.

Each entry below gives the field, what it holds, and where to find it in the Azure Network Watcher Flow logs table.

  • Region: Azure region the VNet and storage account are located in (they are always the same). Find it in the Location column.
  • Container Name: Storage account container name. Use insights-logs-flowlogflowevent for all standard configurations. Find it under Storage account > Data storage > Containers.
  • Subscription ID: Subscription ID of the virtual network. Find it under Subscription name > Overview.
  • Resource Group: Resource group name of the virtual network. Find it in the Resource group column.
  • Network Watcher: Network Watcher name (e.g. NetworkWatcher_eastus). Find it in the Name column; the network watcher name is the part in parentheses.
  • Flow Log: Flow log name (e.g. FlowLog_vnet2). Find it in the Name column; the flow log name is the part before the parentheses.
  • Account Name: Storage account name. Find it in the Storage account column.
  • Account Key: Storage account access key used to authenticate. Find it under Storage account > Security + networking > Access keys > Key.