Hi team, I have two questions here on NSG: How can I create NSG behind private endpoints? Can I enable flow logs for NSG behind private endpoint? If yes, how can I do that?

@Rachana Pole , Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. I am afraid I did not understand your requirement. What exactly do you mean by "NSG behind private endpoints" ? Do you mean to say you are planning to associate an NSG to a subnet that contains Private EndPoint? If so, Q1. Yes, Private EndPoints honor NSGs that are attached to the subnet in which the PE is deployed into. Provided that Network policies for private endpoints is enabled at the subnet This will be enabled by default on recent deployments but feel free to verify it. The above link specifies how you can enable/disable it via Portal itself. Q2. Currently, with NSG Flow logs, Traffic can't be recorded at the private endpoint itself due to platform limitations. See : NSG Flow Logs - Traffic to a private endpoint Nevertheless, you should be able to enable NSG Flow logs on this NSG like a regular NSG See : Create a NSG flow logs using the Azure portal If my understanding of your requirement is incorrect, please elaborate and I shall try my best to address your queries. Thanks, Kapil Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.

How to create NSG behind private endpoint and how can i enable flow logs for this NSG?

Rachana Pole 5

Hi team,

I have two questions here on NSG:

How can I create NSG behind private endpoints?
Can I enable flow logs for NSG behind private endpoint? If yes, how can I do that?

1 answer

KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-07-25T05:54:54.82+00:00
@Rachana Pole ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I am afraid I did not understand your requirement.

What exactly do you mean by "NSG behind private endpoints" ?

Do you mean to say you are planning to associate an NSG to a subnet that contains Private EndPoint?

If so,

Q1.

Yes, Private EndPoints honor NSGs that are attached to the subnet in which the PE is deployed into.

Provided that Network policies for private endpoints is enabled at the subnet

This will be enabled by default on recent deployments but feel free to verify it.

The above link specifies how you can enable/disable it via Portal itself.

Q2.

Currently, with NSG Flow logs, Traffic can't be recorded at the private endpoint itself due to platform limitations.

See : NSG Flow Logs - Traffic to a private endpoint

Nevertheless, you should be able to enable NSG Flow logs on this NSG like a regular NSG

See : Create a NSG flow logs using the Azure portal

If my understanding of your requirement is incorrect, please elaborate and I shall try my best to address your queries.

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.
Please sign in to rate this answer.
Rachana Pole 5 Reputation points

2024-07-25T06:20:28.9533333+00:00

I think you got the query

I want to associate an NSG with the private endpoint -> To do this, I need to have a subnet for NSG with "privateLinkServiceNetworkPolicies": "Enabled" , right?

For the NSG associated with a private endpoint via subnet, can we still enable flow logs?? As per Azure doc, it has mentioned that we cannot enable flow logs for NSGs with private endpoint. https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#network-security-groups:~:text=NSG%20flow%20logs,a%20private%20endpoint.

KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-07-25T06:39:36.63+00:00

@Rachana Pole ,

Wonderful.

1.I want to associate an NSG with the private endpoint -> To do this, I need to have a subnet for NSG with "privateLinkServiceNetworkPolicies": "Enabled" , right?

Yes, correct

2.For the NSG associated with a private endpoint via subnet, can we still enable flow logs??

Yes, you can enable NSG Flow logs on the NSG even if it is associated to a subnet that has PE.

The doc you shared mentions that "NSG flow logs unavailable for inbound traffic destined for a private endpoint."

This does not mean you cannot enable NSG flow logs altogether on the NSG

All other traffic (from/to VMs in this subnet) is still logged.

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Rachana Pole 5 Reputation points

2024-07-26T05:48:00.79+00:00

Hi

As Microsoft link, we can not record flow logs from NSG which are associated to PE. Is this statement correct.?

Rachana Pole 5 Reputation points

2024-07-26T05:55:21.6233333+00:00

Another question is that by the statement NSG flow logs unavailable for inbound traffic destined for a private endpoint. on Azure doc https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#network-security-groups:%7E:text=NSG%20flow%20logs,a%20private%20endpoint.:~:text=NSG%20flow%20logs,a%20private%20endpoint. -> Does that mean only inbound traffic would not be available? Would outbound traffic also not be available on the logs ??

KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-07-26T06:19:04.6233333+00:00

@Rachana Pole ,

Wrt "we can not record flow logs from NSG which are associated to PE"

Just to clear,

Any incoming traffic associated to PE is not logged

Other logs (both incoming and outgoing from VMs in that subnet ) will be logged.

Wrt, "Does that mean only inbound traffic would not be available? Would outbound traffic also not be available on the logs ??"

PEs don't have outbound traffic

PE cannot initiate traffic on their own and so, they will never make an outbound call

So essentially, no logs are generated from PE

Hope this helps.

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.

Rachana Pole 5 Reputation points

2024-07-26T06:39:18.67+00:00

So would you say enabling flow logs for an NSG associated with a PE-enabled subnet is of no use?? If yes, why are we still allowing to enable flow logs on such NSGs?

KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-07-26T06:54:52.37+00:00

It is not a straight forward answer @Rachana Pole ,

Wrt, "So would you say enabling flow logs for an NSG associated with a PE-enabled subnet is of no use??"

This statement is correct provided

The subnet only has PEs and not VMs

The NSG is associated to this subnet only or to subnets that have PEs only

Consider this,

Environment

Subnet1 which has two resources in it - VM1 and PE1

Subnet2 which has a VM called SourceVM

NSG called NSG1

Now

I attach NSG1 to both Subnet1 and Subnet2 and enable flow logs

From SourceVM, I access VM1

Outgoing traffic to VM1 will be logged - NSG flow log useful

Incoming traffic to VM1 will be logged - NSG Flow log useful

From SourceVM, I access PE1

Outgoing traffic to VM1 will be logged - NSG flow log useful

Incoming traffic to PE1 will not be logged - NSG flow log not useful

So, If I use the NSG in two or more subnets and those subnets have VMs - NSG flow logs is useful.

As I said,

NSGs can be associated to multiple subnets

So not allowing flow logs on these NSGs is incorrect

Cheers,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to create NSG behind private endpoint and how can i enable flow logs for this NSG?

1 answer

Your answer