Why can't I enable traffic analytics on my NSG?
When I click the checkbox to enable traffic analytics - it does not tick.
Azure Virtual Network
-
Sai Prasanna Sinde 1,075 Reputation points • Microsoft Vendor
2024-08-30T07:33:11.4433333+00:00 Hi @AdamDawes-7561,
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
It is understood that you are not able to enable Traffic Analytics in NSG.
Traffic analytics is only supported in certain regions, so if your NSG is in a region that doesn't support traffic analytics, you won't be able to enable it.
Traffic analytics requires the following prerequisites:
- A Network Watcher enabled subscription
- Network security group flow logs enabled for the network security groups
- An Azure Log Analytics workspace with read and write access.
- An Azure storage account to store raw flow logs.
Enabling Flow Logs and Traffic Analytics via Azure Portal:
- Open the Azure Portal and go to Network security groups.
- Select the NSG you wish to edit.
- Under Monitoring, select NSG flow logs.
- Select Create and follow the prompts to configure.
To enable Traffic analytics, you should have all the prerequisites and permissions as per the Microsoft documentation:
For reference: https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics#prerequisites
https://learn.microsoft.com/en-us/azure/network-watcher/required-rbac-permissions#traffic-analytics
NOTE: Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, Network contributor or Monitoring contributor.
Now, as a prerequisite, you must have a few additional permissions with respect to linked resources. By linked resources, I mean:
- The NSG for which the flow logs are enabled - Contributor, or Network Contributor at Subscription level
- The Storage Account in which the flow logs are stored - Contributor, or Storage Account Contributor at Subscription level
- The Log Analytics Workspace - Contributor, or Log Analytics Workspace Contributor at Subscription level
To learn how to check roles assigned to a user for a subscription, see List Azure role assignments using the Azure portal.
If none of the preceding built-in roles are assigned to your account, assign a custom role to your account. The custom role should support the following actions at the subscription level as listed in the below document:
https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics#prerequisites
For additional reference, please refer to this document, which contains frequently asked questions related to Traffic analytics.
https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq
Kindly let us know if the above helps or you need further assistance on this issue.
If you have any further queries, do let us know. If the answer is helpful, please click "Accept Answer" and "Upvote it."
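The role and scope prerequisites listed in this answer can be checked offline against an export of role assignments. The following is an added example, not part of the original answer or of Microsoft's tooling; it assumes the JSON shape of `az role assignment list --all -o json` (fields `roleDefinitionName` and `scope`), and the subscription ID, resource IDs and assignments in it are constructed.

```python
import json

# Role names are copied from the answer above; sample data below is constructed.
SUBSCRIPTION_ROLES = {"Owner", "Contributor", "Network Contributor", "Monitoring Contributor"}
LINKED_ROLES = {  # linked resource -> alternative role accepted at subscription level
    "nsg": "Network Contributor",
    "storage": "Storage Account Contributor",
    "workspace": "Log Analytics Workspace Contributor",
}
MG_PREFIX = "/providers/microsoft.management/managementgroups/"

def covers(scope, target):
    """True if an assignment at `scope` is inherited by `target` (same scope or ancestor)."""
    s, t = scope.rstrip("/").lower(), target.rstrip("/").lower()
    return s == "" or t == s or t.startswith(s + "/")

def check_prerequisites(assignments, subscription_id, resources):
    """Return (missing, review): unmet prerequisites, and management-group scopes
    whose inheritance cannot be decided from the scope string alone."""
    sub = f"/subscriptions/{subscription_id}"
    at_sub = {a["roleDefinitionName"] for a in assignments if covers(a["scope"], sub)}
    review = sorted(a["scope"] for a in assignments if a["scope"].lower().startswith(MG_PREFIX))
    missing = [] if at_sub & SUBSCRIPTION_ROLES else ["subscription"]
    for kind, resource_id in resources.items():
        on_resource = {a["roleDefinitionName"] for a in assignments
                       if covers(a["scope"], resource_id)}
        # Owner is treated as satisfying the Contributor requirement.
        if not (on_resource & {"Owner", "Contributor"} or LINKED_ROLES[kind] in at_sub):
            missing.append(kind)
    return missing, review

SUB = "00000000-0000-0000-0000-000000000000"  # constructed subscription ID
SAMPLE_ASSIGNMENTS = json.loads(f"""[
  {{"roleDefinitionName": "Reader", "scope": "/subscriptions/{SUB}"}},
  {{"roleDefinitionName": "Owner", "scope": "/subscriptions/{SUB}/resourceGroups/rg-net"}},
  {{"roleDefinitionName": "Contributor",
    "scope": "/providers/Microsoft.Management/managementGroups/mg-corp"}}
]""")
SAMPLE_RESOURCES = {
    "nsg": f"/subscriptions/{SUB}/resourceGroups/rg-net/providers/Microsoft.Network/networkSecurityGroups/nsg1",
    "storage": f"/subscriptions/{SUB}/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/flowlogs1",
    "workspace": f"/subscriptions/{SUB}/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law1",
}

if __name__ == "__main__":
    missing, review = check_prerequisites(SAMPLE_ASSIGNMENTS, SUB, SAMPLE_RESOURCES)
    print("missing:", missing)
    print("review management-group scopes:", review)
```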
-
AdamDawes-7561 0 Reputation points
2024-08-30T12:45:07.11+00:00 We are in the WestUS region and I have ownership permissions to my entire tenant. I'm still unable to enable traffic analytics.
-
Sai Prasanna Sinde 1,075 Reputation points • Microsoft Vendor
2024-09-02T08:16:28.2433333+00:00 Hi @AdamDawes-7561,
Thanks for the reply. Although you possess ownership permissions on the tenant, you should have all the prerequisites mentioned above in order to enable traffic analytics. Could you please check on this and confirm so that we can assist you better? Kindly reach out to us if you have any more queries.
For reference: https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics#prerequisites
Thanks,
Sai Prasanna Sinde.
-
AdamDawes-7561 0 Reputation points
2024-09-03T18:44:39.7666667+00:00 I have ownership level rights to all of the listed resources and components.
-
Sai Prasanna Sinde 1,075 Reputation points • Microsoft Vendor
2024-09-06T03:44:48.87+00:00 Hi @AdamDawes-7561,
Sorry for the delay. Could you please share with us what the exact error is?
If you're having trouble enabling Traffic Analytics, you can troubleshoot using CLI or PowerShell. Here are some commands and steps you can take to identify the issue:
Azure CLI
- Verify Traffic Analytics Status: To check the status of Traffic Analytics on a specific NSG or virtual network, you can use:
  az network watcher flow-log show --location <Region> --name <FlowLogName>
  This command will show you whether flow logs are enabled and any associated issues.
- Verify Log Analytics Workspace: Make sure the Log Analytics workspace is properly configured:
  az monitor log-analytics workspace show --resource-group <ResourceGroupName> --workspace-name <WorkspaceName>
  This command verifies if the workspace exists and is properly set up.
- Check Traffic Analytics Settings: You can list the Traffic Analytics settings to check if there are any misconfigurations:
  az network watcher flow-log show --location <Region> --name <FlowLogName> --query flowAnalyticsConfiguration
PowerShell
- Verify Traffic Analytics Status: To view Traffic Analytics settings in PowerShell:
  Get-AzNetworkWatcherFlowLog -Location <Region> -Name <FlowLogName>
- Check Log Analytics Workspace: Make sure that the Log Analytics workspace is correctly configured and operational:
  Get-AzOperationalInsightsWorkspace -ResourceGroupName <ResourceGroupName> -Name <WorkspaceName>
- Check Network Watcher Availability: Make sure that Network Watcher is enabled in the region where you are trying to enable Traffic Analytics:
  Get-AzNetworkWatcher -ResourceGroupName <ResourceGroupName>
  If Network Watcher is not enabled, you can enable it with:
  New-AzNetworkWatcher -Name <NetworkWatcherName> -ResourceGroupName <ResourceGroupName> -Location <Region>
Kindly let us know if the above helps or you need further assistance on this issue.
-
Sai Prasanna Sinde 1,075 Reputation points • Microsoft Vendor
2024-09-09T01:34:18.5233333+00:00 Hi @AdamDawes-7561,
Just checking in to see if you had a chance to see the above response to your question. Please tell us if it was helpful and feel free to reach out to us if you have any queries.
-
Sai Prasanna Sinde 1,075 Reputation points • Microsoft Vendor
2024-09-10T06:17:12.96+00:00 Hi @AdamDawes-7561,
Following up to see if the above suggestion was helpful. If you have any further queries, do not hesitate to reach out. We are happy to assist you.