Vnet flow logs from NSG and Azure applications

Ted Turner 31 Reputation points
2020-10-05T23:20:34.783+00:00

I am interested in the ingest of flow logs from physical hardware as well as NSG flow logs from Azure. I have a tool which ingests Azure flow logs generated by the NSG.

I would like to know if the NSG for an Express Route provides flow logs. AND / OR an Azure Application Service. Alternately, I would like to know if the Azure Application Service has an internal / external IP address which generates flow logs for an NSG or other Azure resource.

We are looking for a describe API to help us understand Express Route, networking, routing, and non-public resources inside Azure, so we can build a map between network tier resources, as well as application tiers.

We want to match the describe API capabilities with flow logs from express route, network security gateways and applications.

Is this possible?

Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
Azure ExpressRoute
An Azure service that provides private connections between Azure datacenters and infrastructure, either on premises or in a colocation environment.

Accepted answer
  1. SaiKishor-MSFT 17,236 Reputation points
    2020-10-16T21:13:22.03+00:00

    @Ted Turner

    Apologies if my answer was not clear. To summarize my answer, there is only one option currently available, which is the first option.

    1 - implement an App Service Environment (which incurs additional charges)

    • The single tenant App Service Environment (ASE) hosts Isolated SKU App Service plans directly in your Azure Virtual Network (VNet), as given in the document.

    If you use the ASE single tenant, your App Service sits in a virtual network which then can be connected to other vnets and on-premise (using a hub and spoke setup if needed) and also be used to generate flow logs from its NSG.

    Regarding flow logs, the NSGs would provide you with flow logs for any traffic leaving/entering the ASE VNET to any other VNET or private resource. The link that you shared is a restriction only when using Azure Private Endpoint. Please refer to this document for ASE which has more details regarding the network setup for the same.

    I hope this helps. Please let me know if you have further questions. Thank you!


3 additional answers

  1. SaiKishor-MSFT 17,236 Reputation points
    2020-10-12T22:21:08.59+00:00

    @Ted Turner

    You can definitely get flow logs from Express route or App services. Any subnet with an NSG can provide you with flow logs for the entire subnet when set up.

    If you wish to set up a transit network, you can do so and the NSG at the Transit network subnet will be used to set up flow logs. This will provide us with the incoming/outgoing metadata into the App service within the Hub VNET.

    With regards to design document for MS Apps and flow logs, I am looking into it further (researching and talking to internal teams) to see if there is anything available. In the meanwhile, if you have any further questions/concerns, please let us know. Thank you!


  2. Ted Turner 31 Reputation points
    2020-10-15T13:58:33.687+00:00

    @SaiKishor-MSFT , per guidance from a support case last week, MS Azure will not display flows for MS Apps or databases. If I wanted to submit a feature request, they suggested I go here to these forums.

    Per your suggestion, if we built a transit hub, we will see IP addresses appear in the transit hub, as they pass through. We may not know specific application or database context, but will have the simple IP addresses in the flows.

    follow up
    ---
    @SaiKishor-MSFT you have also indicated you are looking for a MS design document describing a method of collecting flows.

    question
    ---
    Should I submit a feature request to support NSG/Vnet flow support for MS Apps and databases hosted by Azure?

    Previous conversation during an online chat session:

    MS suggested forum articles:

    https://social.msdn.microsoft.com/Forums/en-US/10182c4e-e1f3-49bf-8b55-8c5aef069567/monitor-network-traffic-in-vnet?forum=WAVirtualMachinesVirtualNetwork

    Monitor Network Traffic in VNET or in NSG is not available as of now.

    If you would like to place a feature request for the product team to consider, refer the following link:
    http://feedback.azure.com/forums/217313-azure-networking

    you may also like to refer this link
    http://azure.microsoft.com/blog/2014/11/04/network-security-groups/
    Best Regards
    Prasandhi Kumar


  3. SaiKishor-MSFT 17,236 Reputation points
    2020-10-15T21:09:44.153+00:00

    @Ted Turner

    Thanks for your patience while I was looking into this issue. I was able to collaborate with the Apps team to further discuss a way to get flow logs for App services and here is some helpful information on that:

    App Service has a feature called App Service Environment which lets your App Services run in your VNET. Using this feature, you can have more control and flexibility over your App services; however, this also comes with more costs. Here is a pricing page that you can refer to in order to determine the same. So this feature can be used so that you can implement NSG to the subnet and capture the incoming/outgoing IP addresses to your App service.

    As you mentioned, you will not know right away if it is database traffic or application traffic; however, flow logs will include the IP addresses, port numbers, protocols, etc. (here is a document that explains the format of flow logs), so you can differentiate the traffic. This solution can be implemented in a hub vnet and you can then connect all the spokes to it as shown in the above diagram.

    You may request a feature if you are still looking for NSG/Vnet flow support directly for MS Apps and databases hosted by Azure and if the above solution does not work for you as currently it is not available.

    I hope this clarifies your questions. If you have any further questions/concerns, please feel free to let us know and we will be glad to assist further. Thank you!

    Sai Kishor

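
The answer above notes that flow log records carry IP addresses, port numbers and protocols that can be used to tell traffic types apart. As an added example (not part of the original thread), this sketch parses NSG flow log tuples in the version 2 layout and counts them by destination port and allow/deny decision; the sample record and the `PORT_TIERS` mapping are constructed assumptions.

```python
import json
from collections import Counter

# Constructed sample in the NSG flow log version 2 layout (not real traffic).
SAMPLE = json.dumps({"records": [{
    "time": "2020-10-15T21:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_AllowVnetInBound",
         "flows": [{"mac": "000D3AF87856", "flowTuples": [
             "1602795600,10.1.0.4,10.2.0.5,50001,443,T,I,A,B,,,,",
             "1602795601,10.2.0.5,10.3.0.10,50002,1433,T,O,A,E,12,3400,10,9800"]}]},
        {"rule": "DefaultRule_DenyAllInBound",
         "flows": [{"mac": "000D3AF87856", "flowTuples": [
             "1602795602,203.0.113.7,10.2.0.5,40000,3389,T,I,D,B,,,,"]}]},
    ]}}]})

# Tuple columns: the first 8 exist in version 1, the rest are version 2 only.
FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto",
          "direction", "decision", "state",
          "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")
INT_FIELDS = ("ts", "src_port", "dst_port",
              "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")

# Assumed port-to-tier hints; adjust to the services in your own network.
PORT_TIERS = {80: "web", 443: "web", 1433: "database",
              3306: "database", 5432: "database"}

def parse_tuple(raw):
    """Split one comma-separated flow tuple into a dict of typed fields."""
    parts = raw.split(",")
    if len(parts) < 8:
        raise ValueError(f"short flow tuple: {raw!r}")
    rec = dict(zip(FIELDS, parts))
    for key in INT_FIELDS:
        if key in rec:  # counters are empty on 'B' (begin) records
            rec[key] = int(rec[key]) if rec[key] else 0
    return rec

def iter_flows(doc):
    """Yield every flow in a flow log document, tagged with its NSG rule."""
    for record in doc.get("records", []):
        for rule in record["properties"]["flows"]:
            for flow in rule["flows"]:
                for raw in flow["flowTuples"]:
                    yield {"rule": rule["rule"], **parse_tuple(raw)}

def summarize(text):
    """Count flows per (tier guessed from destination port, A/D decision)."""
    counts = Counter()
    for f in iter_flows(json.loads(text)):
        counts[(PORT_TIERS.get(f["dst_port"], "other"), f["decision"])] += 1
    return counts
```

A port-based label is only a hint: the flow record itself carries no application or database identity, which matches the limitation discussed in the thread.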
