Manage NSG flow logs using Azure Policy

Azure Policy helps you enforce organizational standards and assess compliance at scale. Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. To learn more about Azure policy, see What is Azure Policy? and Quickstart: Create a policy assignment to identify non-compliant resources.

In this article, you learn how to use two built-in policies to manage your setup of network security group (NSG) flow logs. The first policy flags any network security group that doesn't have flow logs enabled. The second policy automatically deploys NSG flow logs that don't have flow logs enabled.

Audit network security groups using a built-in policy

The Flow logs should be configured for every network security group policy audits all existing network security groups in a scope by checking all Azure Resource Manager objects of type Microsoft.Network/networkSecurityGroups. This policy then checks for linked flow logs via the flow logs property of the network security group, and it flags any network security group that doesn't have flow logs enabled.

To audit your flow logs using the built-in policy:

1. Sign in to the Azure portal.

2. In the search box at the top of the portal, enter policy. Select Policy in the search results.

   

3. Select Assignments, and then select Assign policy.

   

4. Select the ellipsis (...) next to Scope to choose your Azure subscription that has the network security groups that you want the policy to audit. You can also choose the resource group that has the network security groups. After you make your selections, choose the Select button.

   

5. Select the ellipsis (...) next to Policy definition to choose the built-in policy that you want to assign. Enter flow log in the search box, and then select the Built-in filter. From the search results, select Flow logs should be configured for every network security group, and then select Add.

   

6. Enter a name in Assignment name, and enter your name in Assigned by.

   This policy doesn't require any parameters. It also doesn't contain any role definitions, so you don't need to create role assignments for the managed identity on the Remediation tab.

7. Select Review + create, and then select Create.

   

8. Select Compliance. Search for the name of your assignment, and then select it.

   

9. Select Resource compliance to get a list of all non-compliant network security groups.

   

Deploy and configure NSG flow logs using a built-in policy

The Deploy a flow log resource with target network security group policy checks all existing network security groups in a scope by checking all Azure Resource Manager objects of type Microsoft.Network/networkSecurityGroups. It then checks for linked flow logs via the flow logs property of the network security group. If the property doesn't exist, the policy deploys a flow log.

To assign the deployIfNotExists policy:

1. Sign in to the Azure portal.

2. In the search box at the top of the portal, enter policy. Select Policy in the search results.

   

3. Select Assignments, and then select Assign policy.

   

4. Select the ellipsis (...) next to Scope to choose your Azure subscription that has the network security groups that you want the policy to audit. You can also choose the resource group that has the network security groups. After you make your selections, choose the Select button.

   

5. Select the ellipsis (...) next to Policy definition to choose the built-in policy that you want to assign. Enter flow log in the search box, and then select the Built-in filter. From the search results, select Deploy a flow log resource with target network security group, and then select Add.

   

6. Enter a name in Assignment name, and enter your name in Assigned by.

   

7. Select Next button twice, or select the Parameters tab. Then enter or select the following values:

   Setting	Value
   NSG Region	Select the region of your network security group that you're targeting with the policy.
   Storage id	Enter the full resource ID of the storage account. The storage account must be in the same region as the network security group. The format of storage resource ID is /subscriptions/<SubscriptionID>/resourceGroups/<ResouceGroupName>/providers/Microsoft.Storage/storageAccounts/<StorageAccountName>.
   Network Watchers RG	Select the resource group of your Azure Network Watcher instance.
   Network Watcher name	Enter the name of your Network Watcher instance.

   

8. Select Next or the Remediation tab. Enter or select the following values:

   Setting	Value
   Create a remediation task	Select the checkbox if you want the policy to affect existing resources.
   Create a Managed Identity	Select the checkbox.
   Type of Managed Identity	Select the type of managed identity that you want to use.
   System assigned identity location	Select the region of your system assigned identity.
   Scope	Select the scope of your user-assigned identity.
   Existing user assigned identities	Select your user-assigned identity.

   Note

   You need Contributor or Owner permission to use this policy.

   

9. Select Review + create, and then select Create.

10. Select Compliance. Search for the name of your assignment, and then select it.

    

11. Select Resource compliance to get a list of all non-compliant network security groups.

    

12. Leave the policy runs to evaluate and deploy flow logs for all non-compliant network security groups. Then select Resource compliance again to check the status of network security groups (you don't see noncompliant network security groups if the policy completed its remediation).

    

Next steps

• To learn more about NSG flow logs, see Flow logs for network security groups.
• To learn about using built-in policies with traffic analytics, see Manage traffic analytics using Azure Policy.
• To learn how to use an Azure Resource Manager (ARM) template to deploy flow logs and traffic analytics, see Configure NSG flow logs using an Azure Resource Manager template.