How to apply NSG FLOW LOGS to a particula storage account which has suffix of diag using powershell from a subscription.

Girish Prajwal 706

Hi Team,I would like to apply the NSG flow logs to an NSG where it is not associated with a NSG FLOW LOG to a particular storage account in a subscription. This has to be taken to multiple subscriptions. The storage account has a suffix of diag where we have 2 such storage accounts in 2 different regions. All NSGs hosted in East US must be enabled with flow logs in East US only on that storage account in East US only. For the ones in West US, it must add the NSG flow logs to West US only. This Requirement is on powershell.

KapilAnanth-MSFT 35,251 Reputation points Microsoft Employee

2024-01-15T04:46:48.6333333+00:00

@Girish Prajwal

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

And, if you have any further query do let us know.

Thanks, Kapil
KapilAnanth-MSFT 35,251 Reputation points Microsoft Employee

2024-01-16T08:48:46.14+00:00

@Girish Prajwal

Reaching out to check if there are any questions on this. Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.
Girish Prajwal 706 Reputation points

2024-01-17T17:54:39.04+00:00

Can I have the script instead of chatgpt statements
KapilAnanth-MSFT 35,251 Reputation points Microsoft Employee

2024-01-18T05:39:56.8+00:00
@Girish Prajwal

Can you please provide more information on what do you mean by "This has to be taken to multiple subscriptions. The storage account has a suffix of diag where we have 2 such storage accounts in 2 different regions."?

If you'd like to enable Flow logs for a NSG and store the logs in a Storage Account at a different subscription (provided it is in the same tenant as the NSG), please follow.

#Get NSG ID $nsg="/subscriptions/<SubscriptionIdOfNSG>/resourceGroups/<RGNameOfNSG>/providers/Microsoft.Network/networkSecurityGroups/<FlowLogName>" #Get Storage Account ID $sa="/subscriptions/<SubscriptionIdOfStorageAccount>/resourceGroups/<RGNameOfStorageAccount>/providers/Microsoft.Storage/storageAccounts/<StorageAccountName>" #Create Flow Logs v2 New-AzNetworkWatcherFlowLog -Name '<NameOfFlowLog>' -Location '<Location>' -TargetResourceId $nsg -StorageId $sa -Enabled $true -FormatVersion 2

You can do the same for the Storage Account in different regions.

NOTE:

A single Storage Account an store the NSG logs of different NSGs (in same Tenant and region)

However, you cannot store the NSG logs a single NSG across multiple Storage Accounts.

Kindly let us know if this helps or you need further assistance on this issue.

Cheers,

Kapil
Girish Prajwal 706 Reputation points

2024-01-18T19:04:14.48+00:00

Hi Kapil, we have a storage account with *diag in west & north Europe region. All of the nsgs in a particular region must have *diag as the storage account with the flow logs enabled.
KapilAnanth-MSFT 35,251 Reputation points Microsoft Employee

2024-01-19T14:45:34.0933333+00:00
@Girish Prajwal

Thanks for keeping us updated.

Wrt Storage Account,

I take it that your storage account ends with "diag"

As I stated, A single Storage Account can store the NSG logs of different NSGs (in same Tenant and region)

So, in the above command , set the "$storageaccountId" parameter to the resource ID of your StorageAccount.

Wrt NSGs,

It's not possible to get NSGs of a particular region.

Instead, you should get everything under your subscription and filter only the region you want.

And run the script.

#Get All NSGs in the subscription $nsgs=Get-AzNetworkSecurityGroup #Specify a Region - Change it for different regions $region="westeurope" #Specify the StorageAccount ID for the specific region which ends in diag #Change it for different regions $storageaccountId="<STORAGEACCOUNTID>" foreach ($nsg in $nsgs) { #Check if the NSG belongs to the particular region we mentioned above if($nsg.Location -eq $region) { Write-Host "Emabling NSG Flow Logs for NSG $($nsg.Name) in region $($nsg.Location)" #Set the Flow Log name as NSGName+flowLog $flowlogname="$($nsg.Name)flowlog" #Enable Flow Logs New-AzNetworkWatcherFlowLog -Name $flowlogname -Location $region -TargetResourceId $nsg.Id -StorageId $storageaccountId -Enabled $true -FormatVersion 2 } }

The above would enable NSG Flow logs for all NSGs in West Europe Region and store it in the Storage Account you provided.

Change the $region parameter to different location and run the script once again, so the NSG Flow logs are enabled. (also make sure you change the StorageAccount ID to the storage account in that region)

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Thanks, Kapil
KapilAnanth-MSFT 35,251 Reputation points Microsoft Employee

2024-01-22T07:13:23.48+00:00

@Girish Prajwal

Reaching out to check if you got a chance to check the above script.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil
KapilAnanth-MSFT 35,251 Reputation points Microsoft Employee

2024-01-24T08:49:53.2933333+00:00

@Girish Prajwal

Can you please update us if the script provided was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Thanks,

Kapil
KapilAnanth-MSFT 35,251 Reputation points Microsoft Employee

2024-01-29T09:33:59.4866667+00:00

@Girish Prajwal

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks, Kapil

1 answer

Priya Kumar 1,096 Reputation points Microsoft Employee

2024-01-12T09:19:02.6+00:00
Hello ,

Thanks for reaching Microsoft Q and A platform.

Your query is to create a NSG flow logs, where the Storage Account and NSG are in different subscription?

NSGs hosted in East US must be enabled with flow logs in East US only on that storage account in East US only. (So the NSG flow logs you would create for the NSG must be mapped to the respected Storage Account).

For the ones in West US, it must add the NSG flow logs to West US only. (For all the NSG present in the West US, must be mapped to the Storage Account which is in West US region.)

Now question arise on how would you map the NSG flow logs in different Subscription to the Storage Account.

If the storage account is in a different subscription, the network security group and storage account must be associated with the same Azure Active Directory tenant. The account you use for each subscription must have the necessary permissions.

The storage account can't have network rules that restrict network access to only Microsoft services or specific virtual networks.

For all the configuration via the Powershell, please follow this Document: https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-powershell

Regards,

Priya Kumar
Please sign in to rate this answer.

0 comments No comments
Sign in to comment