Create, change, enable, disable, or delete virtual network flow logs using Azure PowerShell
Virtual network flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through an Azure virtual network. For more information about virtual network flow logging, see Virtual network flow logs overview.
In this article, you learn how to create, change, enable, disable, or delete a virtual network flow log using Azure PowerShell. You can learn how to manage a virtual network flow log using the Azure portal or Azure CLI.
Prerequisites
An Azure account with an active subscription. Create an account for free.
Insights provider. For more information, see Register Insights provider.
A virtual network. If you need to create a virtual network, see Create a virtual network using PowerShell.
An Azure storage account. If you need to create a storage account, see Create a storage account using PowerShell.
PowerShell environment in Azure Cloud Shell or Azure PowerShell installed locally. To learn more about using PowerShell in Azure Cloud Shell, see Azure Cloud Shell Quickstart - PowerShell.
- If you choose to install and use PowerShell locally, this article requires the Azure PowerShell version 7.4.0 or later. Run
Get-InstalledModule -Name Az
to find the installed version. If you need to upgrade, see Install Azure PowerShell module. RunConnect-AzAccount
to sign in to Azure.
- If you choose to install and use PowerShell locally, this article requires the Azure PowerShell version 7.4.0 or later. Run
Register insights provider
Microsoft.Insights provider must be registered to successfully log traffic in a virtual network. If you aren't sure if the Microsoft.Insights provider is registered, use Register-AzResourceProvider to register it.
# Register Microsoft.Insights provider.
Register-AzResourceProvider -ProviderNamespace Microsoft.Insights
Enable virtual network flow logs
Use New-AzNetworkWatcherFlowLog to create a virtual network flow log.
# Place the virtual network configuration into a variable.
$vnet = Get-AzVirtualNetwork -Name myVNet -ResourceGroupName myResourceGroup
# Place the storage account configuration into a variable.
$storageAccount = Get-AzStorageAccount -Name myStorageAccount -ResourceGroupName myResourceGroup
# Create a VNet flow log.
New-AzNetworkWatcherFlowLog -Enabled $true -Name myVNetFlowLog -NetworkWatcherName NetworkWatcher_eastus -ResourceGroupName NetworkWatcherRG -StorageId $storageAccount.Id -TargetResourceId $vnet.Id -FormatVersion 2
Enable virtual network flow logs and traffic analytics
Use New-AzOperationalInsightsWorkspace to create a traffic analytics workspace, and then use New-AzNetworkWatcherFlowLog to create a virtual network flow log that uses it.
# Place the virtual network configuration into a variable.
$vnet = Get-AzVirtualNetwork -Name myVNet -ResourceGroupName myResourceGroup
# Place the storage account configuration into a variable.
$storageAccount = Get-AzStorageAccount -Name myStorageAccount -ResourceGroupName myResourceGroup
# Create a traffic analytics workspace and place its configuration into a variable.
$workspace = New-AzOperationalInsightsWorkspace -Name myWorkspace -ResourceGroupName myResourceGroup -Location EastUS
# Create a VNet flow log.
New-AzNetworkWatcherFlowLog -Enabled $true -Name myVNetFlowLog -NetworkWatcherName NetworkWatcher_eastus -ResourceGroupName NetworkWatcherRG -StorageId $storageAccount.Id -TargetResourceId $vnet.Id -FormatVersion 2 -EnableTrafficAnalytics -TrafficAnalyticsWorkspaceId $workspace.ResourceId -TrafficAnalyticsInterval 10
List all flow logs in a region
Use Get-AzNetworkWatcherFlowLog to list all flow log resources in a particular region in your subscription.
# Get all flow logs in East US region.
Get-AzNetworkWatcherFlowLog -NetworkWatcherName NetworkWatcher_eastus -ResourceGroupName NetworkWatcherRG | format-table Name
View virtual network flow log resource
Use Get-AzNetworkWatcherFlowLog to see details of a flow log resource.
# Get the flow log details.
Get-AzNetworkWatcherFlowLog -NetworkWatcherName NetworkWatcher_eastus -ResourceGroupName NetworkWatcherRG -Name myVNetFlowLog
Download a flow log
To download virtual network flow logs from your storage account, use Get-AzStorageBlobContent cmdlet.
Virtual network flow log files are saved to the storage account at the following path:
https://{storageAccountName}.blob.core.windows.net/insights-logs-flowlogflowevent/flowLogResourceID=/SUBSCRIPTIONS/{subscriptionID}/RESOURCEGROUPS/NETWORKWATCHERRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKWATCHERS/NETWORKWATCHER_{Region}/FLOWLOGS/{FlowlogResourceName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json
Note
You can also access and download VNet flow logs files from the storage account container using the Azure Storage Explorer. Storage Explorer is a standalone app that you can conveniently use to access and work with Azure Storage data. For more information, see Get started with Storage Explorer.
Disable traffic analytics on flow log resource
To disable traffic analytics on the flow log resource and continue to generate and save virtual network flow logs to storage account, use Set-AzNetworkWatcherFlowLog.
# Place the virtual network configuration into a variable.
$vnet = Get-AzVirtualNetwork -Name myVNet -ResourceGroupName myResourceGroup
# Place the storage account configuration into a variable.
$storageAccount = Get-AzStorageAccount -Name mynwstorageaccount -ResourceGroupName Storage
# Update the VNet flow log.
Set-AzNetworkWatcherFlowLog -Enabled $true -Name myVNetFlowLog -NetworkWatcherName NetworkWatcher_eastus -ResourceGroupName NetworkWatcherRG -StorageId $storageAccount.Id -TargetResourceId $vnet.Id
Disable virtual network flow logging
To disable a virtual network flow log without deleting it so you can re-enable it later, use Set-AzNetworkWatcherFlowLog.
# Place the virtual network configuration into a variable.
$vnet = Get-AzVirtualNetwork -Name myVNet -ResourceGroupName myResourceGroup
# Place the storage account configuration into a variable.
$storageAccount = Get-AzStorageAccount -Name mynwstorageaccount -ResourceGroupName Storage
# Disable the VNet flow log.
Set-AzNetworkWatcherFlowLog -Enabled $false -Name myVNetFlowLog -NetworkWatcherName NetworkWatcher_eastus -ResourceGroupName NetworkWatcherRG -StorageId $storageAccount.Id -TargetResourceId $vnet.Id
Delete a virtual network flow log resource
To delete a virtual network flow log resource, use Remove-AzNetworkWatcherFlowLog.
# Delete the VNet flow log.
Remove-AzNetworkWatcherFlowLog -Name myVNetFlowLog -NetworkWatcherName NetworkWatcher_eastus -ResourceGroupName NetworkWatcherRG
Related content
- To learn about traffic analytics, see Traffic analytics.
- To learn how to use Azure built-in policies to audit or enable traffic analytics, see Manage traffic analytics using Azure Policy.