Flow Logs - Create Or Update

Service:

Network Watcher

API Version:

2025-05-01

Create or update a flow log for the specified network security group.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkWatchers/{networkWatcherName}/flowLogs/{flowLogName}?api-version=2025-05-01

URI Parameters

Name	In	Required	Type	Description
flowLogName	path	True	string	The name of the flow log resource.
networkWatcherName	path	True	string	The name of the network watcher.
resourceGroupName	path	True	string minLength: 1 maxLength: 90	The name of the resource group. The name is case insensitive.
subscriptionId	path	True	string (uuid)	The ID of the target subscription. The value must be an UUID.
api-version	query	True	string minLength: 1	The API version to use for this operation.

Request Body

Name	Required	Type	Description
properties.storageId	True	string	ID of the storage account which is used to store the flow log.
properties.targetResourceId	True	string	ID of network security group to which flow log will be applied.
id		string	Resource ID.
identity		ManagedServiceIdentity	FlowLog resource Managed Identity
location		string	Resource location.
properties.enabled		boolean	Flag to enable/disable flow logging.
properties.enabledFilteringCriteria		string	Optional field to filter network traffic logs based on SrcIP, SrcPort, DstIP, DstPort, Protocol, Encryption, Direction and Action. If not specified, all network traffic will be logged.
properties.flowAnalyticsConfiguration		TrafficAnalyticsProperties	Parameters that define the configuration of traffic analytics.
properties.format		FlowLogFormatParameters	Parameters that define the flow log format.
properties.recordTypes		string	Optional field to filter network traffic logs based on flow states. Value of this field could be any comma separated combination string of letters B,C,E or D. B represents Begin, when a flow is created. C represents Continue for an ongoing flow generated at every five-minute interval. E represents End, when a flow is terminated. D represents Deny, when a flow is denied. If not specified, all network traffic will be logged.
properties.retentionPolicy		RetentionPolicyParameters	Parameters that define the retention policy for flow log.
tags		object	Resource tags.

Responses

Name	Type	Description
200 OK	FlowLog	Resource 'FlowLog' update operation succeeded
201 Created	FlowLog	Resource 'FlowLog' create operation succeeded Headers Azure-AsyncOperation: string Retry-After: integer
Other Status Codes	ErrorResponse	An unexpected error response.

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name	Description
user_impersonation	impersonate your user account

Examples

Create or update flow log

Sample request

HTTP

PUT https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Network/networkWatchers/nw1/flowLogs/fl?api-version=2025-05-01

{
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1": {}
    }
  },
  "location": "centraluseuap",
  "properties": {
    "format": {
      "type": "JSON",
      "version": 1
    },
    "enabled": true,
    "enabledFilteringCriteria": "srcIP=158.255.7.8 || dstPort=56891",
    "recordTypes": "B,E",
    "storageId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/nwtest1mgvbfmqsigdxe",
    "targetResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/desmondcentral-nsg"
  }
}

JavaScript

const { NetworkManagementClient } = require("@azure/arm-network");
const { DefaultAzureCredential } = require("@azure/identity");
require("dotenv/config");

/**
 * This sample demonstrates how to Create or update a flow log for the specified network security group.
 *
 * @summary Create or update a flow log for the specified network security group.
 * x-ms-original-file: specification/network/resource-manager/Microsoft.Network/Network/stable/2025-05-01/examples/NetworkWatcherFlowLogCreate.json
 */
async function createOrUpdateFlowLog() {
  const subscriptionId = process.env["NETWORK_SUBSCRIPTION_ID"] || "subid";
  const resourceGroupName = process.env["NETWORK_RESOURCE_GROUP"] || "rg1";
  const networkWatcherName = "nw1";
  const flowLogName = "fl";
  const parameters = {
    format: { type: "JSON", version: 1 },
    enabled: true,
    enabledFilteringCriteria: "srcIP=158.255.7.8 || dstPort=56891",
    identity: {
      type: "UserAssigned",
      userAssignedIdentities: {
        "/subscriptions/subid/resourceGroups/rg1/providers/MicrosoftManagedIdentity/userAssignedIdentities/id1":
          {},
      },
    },
    location: "centraluseuap",
    recordTypes: "B,E",
    storageId:
      "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/nwtest1mgvbfmqsigdxe",
    targetResourceId:
      "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/desmondcentral-nsg",
  };
  const credential = new DefaultAzureCredential();
  const client = new NetworkManagementClient(credential, subscriptionId);
  const result = await client.flowLogs.beginCreateOrUpdateAndWait(
    resourceGroupName,
    networkWatcherName,
    flowLogName,
    parameters,
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample response

Status code:

200

{
  "name": "Microsoft.Networkdesmond-rgdesmondcentral-nsg",
  "type": "Microsoft.Network/networkWatchers/FlowLogs",
  "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Network/networkWatchers/nw/FlowLogs/fl",
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1": {
        "clientId": "c16d15e1-f60a-40e4-8a05-df3d3f655c14",
        "principalId": "e3858881-e40c-43bd-9cde-88da39c05023"
      }
    }
  },
  "location": "centraluseuap",
  "properties": {
    "format": {
      "type": "JSON",
      "version": 1
    },
    "enabled": true,
    "enabledFilteringCriteria": "srcIP=158.255.7.8 || dstPort=56891",
    "flowAnalyticsConfiguration": {},
    "provisioningState": "Updating",
    "recordTypes": "B,E",
    "retentionPolicy": {
      "days": 0,
      "enabled": false
    },
    "storageId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/nwtest1mgvbfmqsigdxe",
    "targetResourceGuid": "00000000-0000-0000-0000-000000000000",
    "targetResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/desmondcentral-nsg"
  }
}

Status code:

201

{
  "name": "Microsoft.Networkdesmond-rgdesmondcentral-nsg",
  "type": "Microsoft.Network/networkWatchers/FlowLogs",
  "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Network/networkWatchers/nw/FlowLogs/fl",
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1": {
        "clientId": "c16d15e1-f60a-40e4-8a05-df3d3f655c14",
        "principalId": "e3858881-e40c-43bd-9cde-88da39c05023"
      }
    }
  },
  "location": "centraluseuap",
  "properties": {
    "format": {
      "type": "JSON",
      "version": 1
    },
    "enabled": true,
    "enabledFilteringCriteria": "srcIP=158.255.7.8 || dstPort=56891",
    "flowAnalyticsConfiguration": {},
    "provisioningState": "Succeeded",
    "recordTypes": "B,E",
    "retentionPolicy": {
      "days": 0,
      "enabled": false
    },
    "storageId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/nwtest1mgvbfmqsigdxe",
    "targetResourceGuid": "00000000-0000-0000-0000-000000000000",
    "targetResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/desmondcentral-nsg"
  }
}

Definitions

Name	Description
ErrorDetails	Common error details representation.
ErrorResponse	The error object.
FlowLog	A flow log resource.
FlowLogFormatParameters	Parameters that define the flow log format.
FlowLogFormatType	The file type of flow log.
ManagedServiceIdentity	Identity for the resource.
ManagedServiceIdentityUserAssignedIdentities
ProvisioningState	Provisioning states of a resource.
ResourceIdentityType	The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine.
RetentionPolicyParameters	Parameters that define the retention policy for flow log.
TrafficAnalyticsConfigurationProperties	Parameters that define the configuration of traffic analytics.
TrafficAnalyticsProperties	Parameters that define the configuration of traffic analytics.

ErrorDetails

Object

Common error details representation.

Name	Type	Description
code	string	Error code.
message	string	Error message.
target	string	Error target.

ErrorResponse

Object

The error object.

Name	Type	Description
error	ErrorDetails	Error The error details object.

FlowLog

Object

A flow log resource.

Name	Type	Description
etag	string	A unique read-only string that changes whenever the resource is updated.
id	string	Resource ID.
identity	ManagedServiceIdentity	FlowLog resource Managed Identity
location	string	Resource location.
name	string	Resource name.
properties.enabled	boolean	Flag to enable/disable flow logging.
properties.enabledFilteringCriteria	string	Optional field to filter network traffic logs based on SrcIP, SrcPort, DstIP, DstPort, Protocol, Encryption, Direction and Action. If not specified, all network traffic will be logged.
properties.flowAnalyticsConfiguration	TrafficAnalyticsProperties	Parameters that define the configuration of traffic analytics.
properties.format	FlowLogFormatParameters	Parameters that define the flow log format.
properties.provisioningState	ProvisioningState	The provisioning state of the flow log.
properties.recordTypes	string	Optional field to filter network traffic logs based on flow states. Value of this field could be any comma separated combination string of letters B,C,E or D. B represents Begin, when a flow is created. C represents Continue for an ongoing flow generated at every five-minute interval. E represents End, when a flow is terminated. D represents Deny, when a flow is denied. If not specified, all network traffic will be logged.
properties.retentionPolicy	RetentionPolicyParameters	Parameters that define the retention policy for flow log.
properties.storageId	string	ID of the storage account which is used to store the flow log.
properties.targetResourceGuid	string	Guid of network security group to which flow log will be applied.
properties.targetResourceId	string	ID of network security group to which flow log will be applied.
tags	object	Resource tags.
type	string	Resource type.

FlowLogFormatParameters

Object

Parameters that define the flow log format.

Name	Type	Default value	Description
type	FlowLogFormatType		The file type of flow log.
version	integer (int32)	0	The version (revision) of the flow log.

FlowLogFormatType

Enumeration

The file type of flow log.

Value	Description
JSON	JSON

ManagedServiceIdentity

Object

Identity for the resource.

Name	Type	Description
principalId	string	The principal id of the system assigned identity. This property will only be provided for a system assigned identity.
tenantId	string	The tenant id of the system assigned identity. This property will only be provided for a system assigned identity.
type	ResourceIdentityType	The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine.
userAssignedIdentities	<string,  ManagedServiceIdentityUserAssignedIdentities>	The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

ManagedServiceIdentityUserAssignedIdentities

Object

Name	Type	Description
clientId	string	The client id of user assigned identity.
principalId	string	The principal id of user assigned identity.

ProvisioningState

Enumeration

Provisioning states of a resource.

Value	Description
Failed	Failed
Succeeded	Succeeded
Canceled	Canceled
Creating	Creating
Updating	Updating
Deleting	Deleting

ResourceIdentityType

Enumeration

The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine.

Value	Description
SystemAssigned	SystemAssigned
UserAssigned	UserAssigned
SystemAssigned, UserAssigned	SystemAssigned, UserAssigned
None	None

RetentionPolicyParameters

Object

Parameters that define the retention policy for flow log.

Name	Type	Default value	Description
days	integer (int32)	0	Number of days to retain flow log records.
enabled	boolean	False	Flag to enable/disable retention.

TrafficAnalyticsConfigurationProperties

Object

Parameters that define the configuration of traffic analytics.

Name	Type	Description
enabled	boolean	Flag to enable/disable traffic analytics.
trafficAnalyticsInterval	integer (int32)	The interval in minutes which would decide how frequently TA service should do flow analytics.
workspaceId	string	The resource guid of the attached workspace.
workspaceRegion	string	The location of the attached workspace.
workspaceResourceId	string	Resource Id of the attached workspace.

TrafficAnalyticsProperties

Object

Parameters that define the configuration of traffic analytics.

Name	Type	Description
networkWatcherFlowAnalyticsConfiguration	TrafficAnalyticsConfigurationProperties	Parameters that define the configuration of traffic analytics.