Quickstart: Configure Azure Network Watcher NSG flow logs using a Bicep file
In this quickstart, you learn how to enable NSG flow logs using a Bicep file.
Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. It provides concise syntax, reliable type safety, and support for code reuse. Bicep offers the best authoring experience for your infrastructure-as-code solutions in Azure.
Prerequisites
- An Azure account with an active subscription. If you don't have one, create a free account before you begin.
- Azure CLI or Azure PowerShell installed, to deploy the Bicep file. The commands in this quickstart use Azure CLI.
- Azure CLI installed locally to run the commands.
- Signed in to Azure with the az login command.
Review the Bicep file
This quickstart uses the Create NSG flow logs Bicep template from Azure Quickstart Templates.
```bicep
@description('Name of the Network Watcher attached to your subscription. Format: NetworkWatcher_<region_name>')
param networkWatcherName string = 'NetworkWatcher_${location}'

@description('Name of your Flow log resource')
param flowLogName string = 'FlowLog1'

@description('Region where your resources are located')
param location string = resourceGroup().location

@description('Resource ID of the target NSG')
param existingNSG string

@description('Retention period in days. Default is zero which stands for permanent retention. Can be any Integer from 0 to 365')
@minValue(0)
@maxValue(365)
param retentionDays int = 0

@description('FlowLogs Version. Correct values are 1 or 2 (default)')
@allowed([
  1
  2
])
param flowLogsVersion int = 2

@description('Storage Account type')
@allowed([
  'Standard_LRS'
  'Standard_GRS'
  'Standard_ZRS'
])
param storageAccountType string = 'Standard_LRS'

// Globally unique storage account name derived from the resource group ID.
var storageAccountName = 'flowlogs${uniqueString(resourceGroup().id)}'

// Storage account that receives the flow log blobs. The empty properties
// block accepts the service defaults for the account.
resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: storageAccountType
  }
  kind: 'StorageV2'
  properties: {}
}

resource networkWatcher 'Microsoft.Network/networkWatchers@2022-01-01' = {
  name: networkWatcherName
  location: location
  properties: {}
}

// The NSG flow log. Declaring networkWatcher as the parent (instead of
// building the 'watcher/flowLog' name by hand) gives Bicep the dependency
// it needs to deploy the watcher before the flow log.
resource flowLog 'Microsoft.Network/networkWatchers/flowLogs@2022-01-01' = {
  parent: networkWatcher
  name: flowLogName
  location: location
  properties: {
    targetResourceId: existingNSG
    storageId: storageAccount.id
    enabled: true
    retentionPolicy: {
      days: retentionDays
      enabled: true
    }
    format: {
      type: 'JSON'
      version: flowLogsVersion
    }
  }
}
```
The following resources are defined in the Bicep file:
- Microsoft.Storage/storageAccounts
- Microsoft.Network/networkWatchers
- Microsoft.Network/networkWatchers/flowLogs
The flowLog resource at the end of the sample is the NSG flow log resource definition: it points the log at the existing NSG (targetResourceId), sends the data to the storage account created in the same file (storageId), and sets the retention policy and the JSON log format.
Deploy the Bicep file
This quickstart assumes that you have a network security group that you can enable flow logging on.
Save the Bicep file as main.bicep to your local computer.
Deploy the Bicep file using either Azure CLI or Azure PowerShell.
```shell
az group create --name exampleRG --location eastus
az deployment group create --resource-group exampleRG --template-file main.bicep
```
You'll be prompted to enter the resource ID of the existing network security group. The syntax of the network security group resource ID is:
```
/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/networkSecurityGroups/<network-security-group-name>
```
When the deployment finishes, you should see a message indicating the deployment succeeded.
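The same deployment can be run without the interactive prompt, with the NSG resource ID built and checked in the script before anything is created. The script below is an added example, not code from the quickstart or from the Azure Quickstart Templates repository. It assumes the quickstart's main.bicep is in the working directory, that Azure CLI is installed and you have signed in, and it uses the quickstart's exampleRG plus a 90-day retention as illustrative values; the function names nsg_id, validate_nsg_id and deploy_flow_log are introduced here.

```shell
#!/bin/sh
# Added example (not part of the Microsoft quickstart): build and check the
# existing NSG resource ID, then pass it to the Bicep deployment as a
# parameter instead of answering the interactive prompt.
# Assumptions: main.bicep from the quickstart is in the current directory,
# Azure CLI is installed, and `az login` has already been run.
set -eu

# Build a network security group resource ID from its three components:
# subscription ID, resource group name, NSG name.
nsg_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/networkSecurityGroups/%s\n' "$1" "$2" "$3"
}

# Return 0 if the string has the NSG resource ID shape (GUID subscription,
# non-empty group and NSG names, nothing trailing), 1 otherwise. Catching a
# malformed ID here is cheaper than a failed deployment.
validate_nsg_id() {
  printf '%s\n' "$1" | grep -Eiq \
    '^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/resourceGroups/[^/]+/providers/Microsoft\.Network/networkSecurityGroups/[^/]+$'
}

# Deploy main.bicep into resource group $1, targeting NSG ID $2 with a
# retention of $3 days. what-if prints the planned changes before create
# runs, so an unexpected resource shows up before it exists.
deploy_flow_log() {
  rg=$1; target=$2; days=$3
  validate_nsg_id "$target" || { echo "not an NSG resource ID: $target" >&2; return 1; }
  az deployment group what-if --resource-group "$rg" --template-file main.bicep \
    --parameters existingNSG="$target" retentionDays="$days"
  az deployment group create --resource-group "$rg" --template-file main.bicep \
    --parameters existingNSG="$target" retentionDays="$days" \
    --query properties.provisioningState -o tsv
}

# Usage: sh deploy-flowlog.sh <subscription-id> <nsg-resource-group> <nsg-name>
# Deploys into exampleRG (created earlier in the quickstart) with 90-day
# retention (both values are illustrative assumptions).
if [ "$#" -eq 3 ]; then
  deploy_flow_log exampleRG "$(nsg_id "$1" "$2" "$3")" 90
fi
```

The last command prints only the provisioning state, so a successful run ends with the word Succeeded, which is the same value the next section tells you to look for.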
Validate the deployment
You have two options to see whether your deployment succeeded:
- Your console shows ProvisioningState as Succeeded.
- Go to the NSG flow logs portal page to confirm your changes.
If there are issues with the deployment, see Troubleshoot common Azure deployment errors with Azure Resource Manager.
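A successful deployment only tells you the resource was created; it does not tell you the flow log is on and pointed at the right NSG. The script below is an added example, not the quickstart's own code: it reads the live settings back with az network watcher flow-log show and checks them against a small policy (log enabled, format version 2, retention either permanent or at least a minimum number of days, target equal to the NSG you intended). The function names assess_flow_log and check_live_flow_log, the 90-day minimum, and the NSG IDs used in testing are assumptions for illustration; the live check needs Azure CLI installed and signed in, and defaults to the quickstart's FlowLog1 in eastus.

```shell
#!/bin/sh
# Added example (not part of the Microsoft quickstart): confirm from the CLI
# that the deployed flow log is enabled and configured as intended, rather
# than relying on the portal alone. Assumptions: Azure CLI is installed and
# signed in; flow log name and region default to the quickstart's values.
set -eu

# Pure-shell policy check on the values read back from Azure.
# Arguments: enabled, retention days, format version, actual target ID,
# expected target ID, minimum retention days. Returns 0 when every check
# passes, 1 otherwise, printing one line per failure.
assess_flow_log() {
  enabled=$1; days=$2; version=$3; target=$4; expected=$5; min_days=$6
  status=0
  # `az ... -o tsv` prints booleans as True/False, so accept either case.
  case $enabled in
    [Tt]rue) ;;
    *) echo "FAIL: flow log is not enabled (enabled=$enabled)"; status=1 ;;
  esac
  # Version 2 records flow state and byte/packet counts; version 1 does not.
  [ "$version" = "2" ] || { echo "FAIL: format version $version, expected 2"; status=1; }
  # In the flow log API, 0 retention days means the logs are kept permanently.
  case $days in
    ''|*[!0-9]*) echo "FAIL: retention '$days' is not a whole number of days"; status=1 ;;
    0) ;;
    *) [ "$days" -ge "$min_days" ] || { echo "FAIL: retention $days days is below the minimum of $min_days"; status=1; } ;;
  esac
  [ "$target" = "$expected" ] || { echo "FAIL: logging $target, expected $expected"; status=1; }
  return "$status"
}

# Fetch the live settings in one JMESPath multiselect and run the check.
# Usage: sh check-flowlog.sh <expected-nsg-resource-id> [flow-log-name] [region]
check_live_flow_log() {
  expected=$1; name=${2:-FlowLog1}; region=${3:-eastus}
  az network watcher flow-log show --location "$region" --name "$name" \
    --query '[enabled, retentionPolicy.days, format.version, targetResourceId]' -o tsv |
  {
    read -r enabled days version target
    assess_flow_log "$enabled" "$days" "$version" "$target" "$expected" 90
  }
}

if [ "$#" -ge 1 ]; then
  check_live_flow_log "$@"
fi
```

Run it after each deployment and treat a non-zero exit as a failed change: a flow log that exists but is disabled, or that targets a different NSG than the one you meant to monitor, looks identical to a working one in a list of resources.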
Clean up resources
You can delete Azure resources using complete deployment mode. To delete a flow logs resource, specify a deployment in complete mode without including the resource you want to delete. Be aware that complete mode also deletes every other resource in the resource group that the template doesn't define, so check what the group contains before you use it. Read more about complete deployment mode.
You also can disable an NSG flow log in the Azure portal:
Sign in to the Azure portal.
In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.
Under Logs, select Flow logs.
In the list of flow logs, select the flow log that you want to disable.
Select Disable.
Related content
To learn how to visualize your NSG flow logs data, see: