Virtual Network Flow Logs not saving to Storage Account

Question

Virtual Network Flow Logs not saving to Storage Account

Grant Crofton 20

Hi, I'm trying to get some network logs to help diagnose an issue I'm having but they don't seem to be saving.

I have a Power Automate Cloud Flow which calls various Azure resources over a Virtual Network (KV, Storage Account, Open AI, etc.). These resources all have network restrictions and Private Endpoints. Power Automate has Virtual Network support enabled via an Enterprise Policy. There are no NSGs. By and large this all works.

I've enabled Flow Logs on the Network Watcher in Portal following these instructions: https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-portal

I've specified an existing Storage Account as the place to save them to. It appears to have worked, in that there were no error messages and I can see the configured flow logs. However no network logs have appeared in the Storage Account (where I understand they should be in a new container in blob storage).

I also have Traffic Analysis enabled, but as you would expect there's nothing to see there.

I've done some troubleshooting and checked various things, including:

SA has key access enabled

SA keys have not been changed

SA has no network restrictions

SA is Standard tier

The flow logs are enabled (I've tried disabling & enabling again)

Everything is in the same subscription & RG

The microsoft.insights provider is registered on the Subscription

Retention is set to 365 days

I read that Private Endpoint traffic itself doesn't get logged, but I believe traffic into & out of the vNet should be logged regardless.

Any ideas?

Chiugo Okpala 1,905 Reputation points

2025-01-31T15:33:12.49+00:00
@Grant Crofton

You can try the following below:

Check Storage Account Permissions: Ensure that the Network Watcher service has the necessary permissions to write logs to the storage account. You can verify this by checking the access policies on the storage account.

Verify Flow Log Configuration: Double-check the flow log configuration in the Network Watcher portal to ensure that everything is set up correctly. Sometimes, a small misconfiguration can cause issues.

Check for Network Isolation: If your storage account or any of the resources have network isolation enabled, it might prevent logs from being saved. Ensure that network isolation is disabled or properly configured to allow traffic.

Review Network Watcher Logs: Look at the Network Watcher logs for any errors or warnings that might give you more insight into why the logs aren't being saved.

Enable Diagnostic Settings: Make sure that diagnostic settings are enabled for the storage account and that they are configured to capture flow logs.

Consult Azure Support: If you've tried all the above steps and still can't resolve the issue, it might be helpful to reach out to Azure Support for further assistance.

See Microsoft Azure documentation: https://learn.microsoft.com/en-us/answers/questions/2150872/logs-are-not-sent-to-log-workspace-when-network-se
Grant Crofton 20 Reputation points

2025-02-03T10:38:18.2966667+00:00

Thanks for your help but I'm coming to the conclusion this just doesn't work in my scenario. As I understand it the logs are collected at the NICs of different resources, but in my example the traffic comes from Power Automate to a Private Endpoint, neither of which I think support gathering of flow logs - although I can't find anything in the documentation about what services are supported.

It's written that traffic isn't collected from Private Endpoints here: https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-overview#private-endpoint-traffic

It says there the traffic should be collected from the source VM, but I'm not using VMs.

It also says here that vNet Flow Logs are not supported for most SaaS services, only VMs: https://learn.microsoft.com/en-us/answers/questions/2119278/virtual-network-flow-logs-for-azure-sql-managed-in

I'm not sure how true that is as it's not clearly stated in the documentation, but the only examples I've seen online use VMs (e.g. https://www.youtube.com/watch?v=UQvV5CrG0N4), so maybe this is the case.
Grant Crofton 20 Reputation points

2025-02-04T09:11:12.1133333+00:00

OK thanks for confirming @Praveen Bandaru . I did see the NSG incompatible services but I wasn't sure if that applied to vNets - also in my case the traffic is coming from Power Automate which isn't listed as an incompatible service. I'll see if I can find another way to diagnose my issue.

Regards,

Grant
Praveen Bandaru 5,520 Reputation points Microsoft External Staff Moderator

2025-02-04T13:16:13.0233333+00:00

Hello Grant Crofton

Greetings!

Thank you for your response.The list of incompatible services previously mentioned for NSG flow logs also applies to VNet flow logs. Information regarding 'VNet flow logs' will be added to the public documentation soon.

Additionally, you mentioned using a private endpoint for Power Automate. Please note that private endpoints are not supported for flow logs, which is why you are not receiving the logs.
Praveen Bandaru 5,520 Reputation points Microsoft External Staff Moderator

2025-02-05T11:25:15.4133333+00:00

Hello Grant Crofton

Greetings!

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
Grant Crofton 20 Reputation points

2025-02-05T13:31:14.1+00:00

Hi, yes that's answered the question thank you. I don't seem to have the option to mark it as the answer though, I think because it's a comment? My votes aren't working either.

Accepted answer

0 additional answers

Your answer

Chiugo Okpala 1,905 Reputation points

2025-01-31T15:33:12.49+00:00

@Grant Crofton

You can try the following below:

Check Storage Account Permissions: Ensure that the Network Watcher service has the necessary permissions to write logs to the storage account. You can verify this by checking the access policies on the storage account.

Verify Flow Log Configuration: Double-check the flow log configuration in the Network Watcher portal to ensure that everything is set up correctly. Sometimes, a small misconfiguration can cause issues.

Check for Network Isolation: If your storage account or any of the resources have network isolation enabled, it might prevent logs from being saved. Ensure that network isolation is disabled or properly configured to allow traffic.

Review Network Watcher Logs: Look at the Network Watcher logs for any errors or warnings that might give you more insight into why the logs aren't being saved.

Enable Diagnostic Settings: Make sure that diagnostic settings are enabled for the storage account and that they are configured to capture flow logs.

Consult Azure Support: If you've tried all the above steps and still can't resolve the issue, it might be helpful to reach out to Azure Support for further assistance.

See Microsoft Azure documentation: https://learn.microsoft.com/en-us/answers/questions/2150872/logs-are-not-sent-to-log-workspace-when-network-se
Grant Crofton 20 Reputation points

2025-02-03T10:38:18.2966667+00:00

Thanks for your help but I'm coming to the conclusion this just doesn't work in my scenario. As I understand it the logs are collected at the NICs of different resources, but in my example the traffic comes from Power Automate to a Private Endpoint, neither of which I think support gathering of flow logs - although I can't find anything in the documentation about what services are supported.

It's written that traffic isn't collected from Private Endpoints here: https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-overview#private-endpoint-traffic

It says there the traffic should be collected from the source VM, but I'm not using VMs.

It also says here that vNet Flow Logs are not supported for most SaaS services, only VMs: https://learn.microsoft.com/en-us/answers/questions/2119278/virtual-network-flow-logs-for-azure-sql-managed-in

I'm not sure how true that is as it's not clearly stated in the documentation, but the only examples I've seen online use VMs (e.g. https://www.youtube.com/watch?v=UQvV5CrG0N4), so maybe this is the case.
Grant Crofton 20 Reputation points

2025-02-04T09:11:12.1133333+00:00

OK thanks for confirming @Praveen Bandaru . I did see the NSG incompatible services but I wasn't sure if that applied to vNets - also in my case the traffic is coming from Power Automate which isn't listed as an incompatible service. I'll see if I can find another way to diagnose my issue.

Regards,

Grant
Praveen Bandaru 5,520 Reputation points Microsoft External Staff Moderator

2025-02-04T13:16:13.0233333+00:00

Hello Grant Crofton

Greetings!

Thank you for your response.The list of incompatible services previously mentioned for NSG flow logs also applies to VNet flow logs. Information regarding 'VNet flow logs' will be added to the public documentation soon.

Additionally, you mentioned using a private endpoint for Power Automate. Please note that private endpoints are not supported for flow logs, which is why you are not receiving the logs.
Praveen Bandaru 5,520 Reputation points Microsoft External Staff Moderator

2025-02-05T11:25:15.4133333+00:00

Hello Grant Crofton

Greetings!

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
Grant Crofton 20 Reputation points

2025-02-05T13:31:14.1+00:00

Hi, yes that's answered the question thank you. I don't seem to have the option to mark it as the answer though, I think because it's a comment? My votes aren't working either.

Answer 1

Hello Grant Crofton

Greetings!

Thank you for your response.

Regrettably, private endpoints are not supported for Flow logs. We are only able to capture flow logs at VMs/VMSS instances.Check the link for more understanding: https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-overview#private-endpoint-traffic

For NSG and VNET flow logs, the only Incompatible services are mentioned below:

Currently, these Azure services don't support VNET and NSG flow logs.

Azure Container Instances
Azure Logic Apps
Azure Functions
Azure DNS Private Resolver
App Service
Azure Database for MariaDB
Azure Database for MySQL
Azure Database for PostgreSQL
NSG's associated to Application gateway v2
App services deployed under an Azure App Service plan

Reference link: https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-overview#incompatible-services

Note: Additionally, the list of incompatible services mentioned for NSG flow logs currently applies to VNet flow logs as well.

These details regarding 'Vnet flow logs' will soon be included in the public documentation.

Additionally, you mentioned using a private endpoint for Power Automate. Please note that private endpoints are not supported for flow logs, which is why you are not receiving the logs.

I hope this has been helpful!

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Praveen Bandaru 5,520 Reputation points Microsoft External Staff Moderator

2025-02-05T15:34:13.7233333+00:00

Hello Grant Crofton

Greetings!

I have converted my comment into an answer. Please accept the answer if it is correct. Original posters help the community find solutions faster by identifying the correct answer. Here is how.

Thanks

Share via

Virtual Network Flow Logs not saving to Storage Account

0 additional answers

Your answer