Share via

How to send Vnet flow logs to azure centralized common Storage Account

Vikram G 0 Reputation points
2025-03-25T16:44:21.2766667+00:00

Hi Everyone,

I need to set up a centralized common storage account in an azure account (Eg: azureacc12).

To that common storage account need to send virtual network flow logs from different Azure accounts, azure account like Eg: azureacc1, azureacc2, azureacc3 from 3 different azure accounts\subscription need to set up virtual network flow logs to store in common or centralized azure storage account of different container

Note: Need to set up on irrespective of any azure account \ subscription

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,704 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Alex Burlachenko 4,060 Reputation points
    2025-03-26T08:03:42.1166667+00:00

    Dear Vikram,

    Thank you for your question here at Q&A portal! I would be happy try to help you.

     

    1. Set Up the Central Storage Account

    Create or Identify a Storage Account (e.g., azureacc12) in your central Azure subscription.

    Enable Hierarchical Namespace (if using Azure Data Lake Storage Gen2) for better organization.

    Configure Network Settings to allow traffic from other subscriptions. Under Networking, choose Selected networks and add the relevant VNets or allow access from All networks (if security policies permit). Alternatively, use Private Endpoints for secure access.

     

    2.Configure Flow Logs in Each Subscription

    For each subscription (azureacc1, azureacc2, azureacc3):

    Navigate to the VNet > Flow Logs > + Add.

    Select the Target Storage Account: choose "Another Azure account" and provide the Storage Account ID (e.g., /subscriptions/[central-sub-id]/resourceGroups/[rg-name]/providers/Microsoft.Storage/storageAccounts/azureacc12).

    Ensure the Storage Account Contributor (or Storage Blob Data Contributor) role is assigned to the logging service principal or user account.

    Define Retention & Logging Settings: set retention (e.g., 30 days). Specify a container name (e.g., vnetflowlogs-azureacc1 for subscription-specific segregation).

     

    3.Cross-Subscription Access (RBAC)

    Grant Permissions: In the central storage account (azureacc12), assign Storage Blob Data Contributor to: Each subscription’s Network Contributor role (or a custom role) or, use a Managed Identity from each subscription for secure access.

     

    Automation (if u like)

    Use Azure Policy to enforce flow log settings across subscriptions. Deploy via Terraform/ARM/Bicep for consistency.

    And last one, data transfer across subscriptions may incur costs. Use Private Links or VNet peering for sensitive environments.

    Best regards,

    Alex

    P.S. If my answer help to you, please Accept my answer

    0 comments
  2. Luis Arias 8,356 Reputation points
    2025-03-26T09:50:07.5166667+00:00

    Hi Vikram G,

    Wellcome to Q&A, You're asking how to send VNet flow logs from multiple Azure accounts to a centralized storage account while considering constraints like regional storage requirements and organizational structure.- Since VNet flow logs must stay in the same region as the VNet, you first need to create storage accounts in each region where the VNets are located.

    User's image

    • Configure each VNet's flow logs to send data to these respective regional storage accounts. To centralize the logs, use tools like Azure Data Factory, Logic Apps, or Functions to periodically copy the logs from the regional accounts to your centralized storage account.
    • The logs are organized within the storage account in a container, with subfolders for each VNet based on their resource IDs. Grant access by assigning the Storage Blob Data Contributor role and use AAD or SAS for cross-subscription access.:
    <container_name>/
  resourceId=/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.Network/virtualNetworks/vnet
    yyyy/mm/dd/<hour>.json
  resourceId=/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.Network/virtualNetworks/vnet
    yyyy/mm/dd/<hour>.json

    References:

    If the information helped address your question, please Accept the answer.

    Luis

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.