Quickstart: Configure Azure Network Watcher NSG flow logs using a Bicep file

In this quickstart, you learn how to enable NSG flow logs using a Bicep file.

Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. It provides concise syntax, reliable type safety, and support for code reuse. Bicep offers the best authoring experience for your infrastructure-as-code solutions in Azure.

Prerequisites

Review the Bicep file

This quickstart uses the Create NSG flow logs Bicep template from Azure Quickstart Templates.

@description('Name of the Network Watcher attached to your subscription. Format: NetworkWatcher_<region_name>')
param networkWatcherName string = 'NetworkWatcher_${location}'

@description('Name of your Flow log resource')
param flowLogName string = 'FlowLog1'

@description('Region where your resources are located')
param location string = resourceGroup().location

@description('Resource ID of the target NSG')
param existingNSG string

@description('Retention period in days. Default is zero which stands for permanent retention. Can be any Integer from 0 to 365')
@minValue(0)
@maxValue(365)
param retentionDays int = 0

@description('FlowLogs Version. Correct values are 1 or 2 (default)')
@allowed([
  1
  2
])
param flowLogsVersion int = 2

@description('Storage Account type')
@allowed([
  'Standard_LRS'
  'Standard_GRS'
  'Standard_ZRS'
])
param storageAccountType string = 'Standard_LRS'

var storageAccountName = 'flowlogs${uniqueString(resourceGroup().id)}'

resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: storageAccountType
  }
  kind: 'StorageV2'
  properties: {}
}

resource networkWatcher 'Microsoft.Network/networkWatchers@2022-01-01' = {
  name: networkWatcherName
  location: location
  properties: {}
}

resource flowLog 'Microsoft.Network/networkWatchers/flowLogs@2022-01-01' = {
  name: '${networkWatcherName}/${flowLogName}'
  location: location
  properties: {
    targetResourceId: existingNSG
    storageId: storageAccount.id
    enabled: true
    retentionPolicy: {
      days: retentionDays
      enabled: true
    }
    format: {
      type: 'JSON'
      version: flowLogsVersion
    }
  }
}

The following resources are defined in the Bicep file:

  - Microsoft.Storage/storageAccounts: the storage account that receives the flow log data.
  - Microsoft.Network/networkWatchers: the Network Watcher instance for the region.
  - Microsoft.Network/networkWatchers/flowLogs: the NSG flow log itself.

The flowLog resource (Microsoft.Network/networkWatchers/flowLogs) at the end of the preceding sample is the NSG flow log definition: it targets the existing NSG, writes to the storage account created by the same file, sets the retention policy, and selects the JSON format and flow log version.
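As an added example that is not part of this quickstart or the template, the following Python parses the version 2 JSON records that such a flow log writes to the storage account and counts denied inbound flows per NSG rule. The record is constructed for illustration and the resource ID uses placeholders.

```python
import json
from collections import Counter

# Constructed sample of one version 2 NSG flow log record (not real data).
SAMPLE_RECORD = json.dumps({"records": [{
    "time": "2024-01-01T00:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/<subscription-id>/RESOURCEGROUPS/EXAMPLERG/"
                  "PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/<nsg-name>",
    "properties": {
        "Version": 2,
        "flows": [
            {"rule": "DefaultRule_DenyAllInBound",
             "flows": [{"mac": "000D3AF87856", "flowTuples": [
                 "1704067200,203.0.113.10,10.0.0.4,51234,22,T,I,D,B,,,,",
                 "1704067201,203.0.113.11,10.0.0.4,51235,3389,T,I,D,B,,,,",
             ]}]},
            {"rule": "UserRule_AllowHTTPS",
             "flows": [{"mac": "000D3AF87856", "flowTuples": [
                 "1704067202,198.51.100.7,10.0.0.4,44000,443,T,I,A,E,10,1500,8,9000",
             ]}]},
        ],
    },
}]})

# Version 2 tuple layout: the four traffic counters are empty for "B" (begin) state.
FIELDS = ("time", "src_ip", "dst_ip", "src_port", "dst_port", "protocol",
          "direction", "decision", "state",
          "packets_s2d", "bytes_s2d", "packets_d2s", "bytes_d2s")

def parse_flow_tuples(raw):
    """Yield one dict per flow tuple in a version 2 flow log blob, tagged with its rule."""
    for record in json.loads(raw)["records"]:
        props = record["properties"]
        if props.get("Version") != 2:
            raise ValueError(f"unsupported flow log version {props.get('Version')}")
        for rule_block in props["flows"]:
            for flow in rule_block["flows"]:
                for tup in flow["flowTuples"]:
                    parts = tup.split(",")
                    if len(parts) != len(FIELDS):
                        raise ValueError(f"malformed tuple: {tup}")
                    entry = dict(zip(FIELDS, parts))
                    entry["rule"] = rule_block["rule"]
                    yield entry

def denied_inbound_by_rule(raw):
    """Count denied inbound flows per NSG rule: a quick triage view of what the NSG blocked."""
    return Counter(e["rule"] for e in parse_flow_tuples(raw)
                   if e["direction"] == "I" and e["decision"] == "D")
```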

Deploy the Bicep file

This quickstart assumes that you have a network security group that you can enable flow logging on.

  1. Save the Bicep file as main.bicep to your local computer.

  2. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

    az group create --name exampleRG --location eastus
    az deployment group create --resource-group exampleRG --template-file main.bicep

    You'll be prompted to enter the resource ID of the existing network security group. The syntax of the network security group resource ID is:

    "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/networkSecurityGroups/<network-security-group-name>"

When the deployment finishes, you should see a message indicating the deployment succeeded.

Validate the deployment

You have two options to see whether your deployment succeeded:

If there are issues with the deployment, see Troubleshoot common Azure deployment errors with Azure Resource Manager.

Clean up resources

You can delete Azure resources using complete deployment mode. To delete a flow logs resource, specify a deployment in complete mode without including the resource you want to delete. Read more about complete deployment mode.

You also can disable an NSG flow log in the Azure portal:

  1. Sign in to the Azure portal.

  2. In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.

  3. Under Logs, select Flow logs.

  4. In the list of flow logs, select the flow log that you want to disable.

  5. Select Disable.

To learn how to visualize your NSG flow logs data, see: