Network watcher NSG Flow logs

Amar-Azure-Practice 656

I have enabled NSG flow logs on Azure Network watcher service for 2 NSG services (NGS-1 and NSG-2).

I have 2 Subnets

              Subnet is associated to Outbound for an Azure function (Azure function with App Service plan) -- This Subnet is assigned to NSG-1  

               Subnet is assigned to Inbound for Azure function (Same Azure function as above)--This Subnet is assigned to NSG-2

does the NSG flow logs capture all the IP traffic flowing through an NSG?

Accepted answer

KapilAnanth-MSFT 35,581 Reputation points Microsoft Employee

2022-09-09T14:45:31.703+00:00

Hi @Amar-Azure-Practice ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to understand more about NSG flow logging for Azure Functions with ASP Plan.

Currently, ASP plan does not support NSG flow logging.

Refer : https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview#nsg-flow-logging-considerations

Though these subnets are configured for outbound and inbound, as the document states, NSG flow logging will not be feasible.

Please do let us know if you require additional queries on this.

Cheers,
Kapil

----------------------------------------------------------------------------------------------------------------

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

1 additional answer

Maxim Sergeev 6,566 Reputation points Microsoft Employee

2022-09-08T03:31:35.907+00:00

Hi @Amar-Azure-Practice ,

Yes, if the traffic goes through NSG-1 and NSG-2 only
Please sign in to rate this answer.
Amar-Azure-Practice 656 Reputation points

2022-09-08T15:01:14.38+00:00

Hi Maserg,

but we are not using ASE(App Service Environment), I read in the documentation that if we are not using the ASE then traffic going thru the NSG's wont be captured using NSG diagnostics logs but only Netwatcher NSG flow logs can capture, please correct me if i am wrong .

Maxim Sergeev 6,566 Reputation points Microsoft Employee

2022-09-08T15:40:09.803+00:00

You didn't mention that you are using Azure Functions with Consumption Plan where you don't have a dedicated VNETs with dedicated NSGs.
NSG Flows Logs is a part of Network Watcher.

Amar-Azure-Practice 656 Reputation points

2022-09-08T21:45:30.79+00:00

I have Azure function with ASP plan and Inbound and Outbound is associated with Vnets and these vnets has the NSG configured for it
we want to capture the network events like from which Source IP request is coming and which destination response is going.
Can we capture using NSG flow logs or NSG diagnostics logs can capture?

Maxim Sergeev 6,566 Reputation points Microsoft Employee

2022-09-08T21:58:16.673+00:00

@Amar-Azure-Practice ,

NSG flow logs capture and include Source IP and Destination IP

https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview

Version - Version number of the Flow Log event schema
flows - A collection of flows. This property has multiple entries for different rules
rule - Rule for which the flows are listed
flows - a collection of flows
mac - The MAC address of the NIC for the VM where the flow was collected
flowTuples - A string that contains multiple properties for the flow tuple in comma-separated format
Time Stamp - This value is the time stamp of when the flow occurred in UNIX epoch format
Source IP - The source IP
Destination IP - The destination IP
Source Port - The source port
Destination Port - The destination Port
Protocol - The protocol of the flow. Valid values are T for TCP and U for UDP
Traffic Flow - The direction of the traffic flow. Valid values are I for inbound and O for outbound.
Traffic Decision - Whether traffic was allowed or denied. Valid values are A for allowed and D for denied.

Amar-Azure-Practice 656 Reputation points

2022-09-12T22:43:55.58+00:00

Can we use NSG diagnostic settings for logging all SIEM events data to EvnetHub?

Maxim Sergeev 6,566 Reputation points Microsoft Employee

2022-09-12T23:01:11.853+00:00

Yes, you can do it

Amar-Azure-Practice 656 Reputation points

2022-09-13T22:18:14.06+00:00

Hi
I have VM and assigned with Vnet and Subnet (Subnet has NSG).
on this NSG enabled diagnostics settings to send all logs to Storage account.

But we are not seeing any event data coming to storage account.

Please suggest me on this.

KapilAnanth-MSFT 35,581 Reputation points Microsoft Employee

2022-09-14T10:32:08.043+00:00

Hi @Amar-Azure-Practice ,

Can you please make sure you have selected NSG Flow logs and not Diagnostic settings under NSG.

Refer: https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal

Cheers,
Kapil

----------------------------------------------------------------------------------------------------------------

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Sign in to comment