Azure NSG Flow Logs Setup

This document provides instructions for configuring the collection of Azure Network Security Group (NSG) Flow Logs.

The 3 methods covered are:

  • Micrsoft Azure Portal

  • Microsoft Azure Command Line Interface (CLI)

  • Microsoft Azure Resource Manager template

Requirements

Before you begin configuring NSG Flow Log collection, make sure the following environment prerequisites are met:

  • Your Storage Account must be of type General-purpose v2 or Blob storage.

  • Your Network Security Group and Storage Account should be in the same region.

  • NSG Flow Logs do not work with storage accounts that have hierarchical namespace enabled.

Azure Steps

  1. Register Insights provider

  2. Configure Network Security Group

  3. Configure Storage account

  4. Configure Network Watcher

  5. Enable NSG flow logs

Register Insights provider

NSG flow logging requires the Microsoft.Insights provider. To register the provider, complete the following steps:

  1. In the top, left corner of the portal, select All services. In the Filter box, type Subscriptions. When Subscriptions appear in the search results, select it.

  2. From the list of subscriptions, select the subscription you want to enable the provider for.

  3. Select Resource providers, under Settings.

  4. Confirm that the Status for the microsoft.insights provider is Registered, as shown in the picture that follows. If the status is Unregistered, then select Register, at the top of the table.

Create Network Security Group

  1. In the top, left corner of the portal, select All services. In the Filter box, type Network security groups. When Network security groups appear in the search results, select it.

  2. On the Network security groups window that appears, choose Create.

  3. Select the subscription in which to create the storage account.

  4. Under the Resource group field, select the resource group that you want to create the NSG on.

  5. Next, enter a name for your network security group. The name you choose must be unique across Azure.

  6. Select a region for your network security group to match the resource group

  7. Select Review + Create to review your network security group settings and create the nsg.

  8. Select Create.

Configure Azure storage account

To create a general-purpose v2 storage account in the Azure portal, follow these steps:

  1. On the Azure portal menu, select All services. In the list of resources, type Storage Accounts. As you begin typing, the list filters based on your input. Select Storage Accounts.

  2. On the Storage Accounts window that appears, choose Add.

  3. Select the subscription in which to create the storage account.

  4. Under the Resource group field, select the resource group that you want to create storage on.

  5. Next, enter a name for your storage account. The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length, and can include numbers and lowercase letters only.

  6. Select a location for your storage account.

  7. Leave these fields set to their default values:

Field
Value

Deployment mode

Resource Manager

Performance

Standard

Account kind

StorageV2 (general-purpose v2)

Redundancy

Read-access geo-redundant storage (RA-GRS)

Access tier

Hot

  1. Select Review + Create to review your storage account settings and create the account.

  2. Select Create.

Configure Network Watcher

  1. In the portal, select All services. In the Filter box, enter Network Watcher. When Network Watcher appears in the results, select it.

  2. Select Regions, to expand it, and then select ... to the right of your desired region.

  3. Select Enable Network Watcher.

Enable NSG flow logs

  1. In the top, left corner of the portal, select All services. In the Filter box, type Network Watcher. When Network Watcher appears in the search results, select it.

  2. Under Logs, select Flow logs

  3. From the list of NSGs, select the NSG you created in step 2.

  4. Under Flow logs settings, select On.

  5. Select the Flow Logs Version. Version 2 contains flow-session statistics (Bytes and Packets)

  6. Select the storage account that you created in step 3.

  7. Set Retention (days) to 1, and then select Save.

Netography Portal Steps

  1. Navigate to "Traffic Sources"

  2. Click "Add Traffic Source".

  3. Click the "Show Advanced" button at the top of the page.

  4. Click "Azure NSG".

Configuration

The following fields are specific to the Azure configuration.

Field
Required
Description

Region

yes

Location of the flow source

Container Name

yes

Storage Account's Container Name

Subscription ID

yes

Network Security Group's subscription ID

Resource Group

yes

Network Security Group's Resource Group

Network Security Group

yes

Network Security Group's Name

Authentication

The following fields are necessary for the integration to authenticate with Azure NSG.

Account Name

yes

The account name to use for this stream

Account Name

yes

The Storage Account's Access Name to use for this stream

Account Key

yes

Storage Account's Access Key for authenticating to this stream

PreviousIngest Flow LogsNextAzure NSG Setup (Resource Manager method)

Last updated