Quickstart: Configure network security group flow logs by using an ARM template

In this quickstart, you learn how to enable network security group (NSG) flow logs by using an Azure Resource Manager template (ARM template) and Azure PowerShell.

An ARM template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. In declarative syntax, you describe your intended deployment without writing the sequence of programming commands to create the deployment.

We start with an overview of the properties of the NSG flow log object. We provide sample templates. Then, we use a local Azure PowerShell instance to deploy the template.

If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template opens in the Azure portal.

Deploy to Azure

Prerequisites

If you don't have an Azure subscription, create a free account before you begin.

Review the template

The template that we use in this quickstart is from Azure Quickstart Templates.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Region where your resources are located"
      }
    },
    "NetworkWatcherName": {
      "type": "string",
      "defaultValue": "[concat('NetworkWatcher_', parameters('location'))]",
      "metadata": {
        "description": "Name of the Network Watcher attached to your subscription. Format: NetworkWatcher_<region_name>"
      }
    },
    "FlowLogName": {
      "type": "string",
      "defaultValue": "FlowLog1",
      "metadata": {
        "description": "Chosen name of your Flow log resource"
      }
    },
    "existingNSG": {
      "type": "string",
      "metadata": {
        "description": "Resource ID of the target NSG"
      }
    },
    "RetentionDays": {
      "type": "int",
      "defaultValue": 0,
      "minValue": 0,
      "maxValue": 365,
      "metadata": {
        "description": "Retention period in days. Default is zero which stands for permanent retention. Can be any Integer from 0 to 365"
      }
    },
    "FlowLogsversion": {
      "type": "string",
      "defaultValue": "2",
      "allowedValues": [
        "1",
        "2"
      ],
      "metadata": {
        "description": "FlowLogs Version. Correct values are 1 or 2 (default)"
      }
    },
    "storageAccountType": {
      "type": "string",
      "defaultValue": "Standard_LRS",
      "allowedValues": [
        "Standard_LRS",
        "Standard_GRS",
        "Standard_ZRS"
      ],
      "metadata": {
        "description": "Storage Account type"
      }
    }
  },
  "variables": {
    "storageAccountName": "[concat('flowlogs', uniquestring(resourceGroup().id))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-06-01",
      "name": "[variables('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "[parameters('storageAccountType')]"
      },
      "kind": "StorageV2",
      "properties": {
      }
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-06-01",
      "name": "deployFlowLogs",
      "resourceGroup": "NetworkWatcherRG",
      "dependsOn": [
        "[variables('storageAccountName')]"
      ],
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": {
          "scope": "inner"
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "location": {
              "type": "string"
            },
            "NetworkWatcherName": {
              "type": "string"
            },
            "FlowLogName": {
              "type": "string"
            },
            "existingNSG": {
              "type": "string"
            },
            "RetentionDays": {
              "type": "int"
            },
            "FlowLogsversion": {
              "type": "string"
            },
            "storageAccountResourceId": {
              "type": "string"
            }
          },
          "resources": [
            {
              "type": "Microsoft.Network/networkWatchers/flowLogs",
              "apiVersion": "2020-06-01",
              "name": "[concat(parameters('NetworkWatcherName'), '/', parameters('FlowLogName'))]",
              "location": "[parameters('location')]",
              "properties": {
                "targetResourceId": "[parameters('existingNSG')]",
                "storageId": "[parameters('storageAccountResourceId')]",
                "enabled": true,
                "retentionPolicy": {
                  "days": "[parameters('RetentionDays')]",
                  "enabled": true
                },
                "format": {
                  "type": "JSON",
                  "version": "[parameters('FlowLogsversion')]"
                }
              }
            }
          ]
        },
        "parameters": {
          "location": {
            "value": "[parameters('location')]"
          },
          "NetworkWatcherName": {
            "value": "[parameters('NetworkWatcherName')]"
          },
          "FlowLogName": {
            "value": "[parameters('FlowLogName')]"
          },
          "existingNSG": {
            "value": "[parameters('existingNSG')]"
          },
          "RetentionDays": {
            "value": "[parameters('RetentionDays')]"
          },
          "FlowLogsversion": {
            "value": "[parameters('FlowLogsversion')]"
          },
          "storageAccountResourceId": {
            "value": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
          }
        }
      }
    }
  ]
}

These resources are defined in the template:

NSG flow logs object

The following code shows an NSG flow logs object and its parameters. To create a Microsoft.Network/networkWatchers/flowLogs resource, add this code to the resources section of your template:

{
  "name": "string",
  "type": "Microsoft.Network/networkWatchers/flowLogs",
  "location": "string",
  "apiVersion": "2019-09-01",
  "properties": {
    "targetResourceId": "string",
    "storageId": "string",
    "enabled": "boolean",
    "flowAnalyticsConfiguration": {
      "networkWatcherFlowAnalyticsConfiguration": {
        "enabled": "boolean",
        "workspaceResourceId": "string",
        "trafficAnalyticsInterval": "integer"
      }
    },
    "retentionPolicy": {
      "days": "integer",
      "enabled": "boolean"
    },
    "format": {
      "type": "string",
      "version": "integer"
    }
  }
}

For a complete overview of the NSG flow logs object properties, see Microsoft.Network networkWatchers/flowLogs.
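Before deploying, it helps to confirm that every flow log in a template is enabled, has a target and a storage destination, and carries a deliberate retention setting. The following Python check is an added example, not part of the original quickstart or of any Azure tooling; the function names and the sample template are constructed for illustration. It walks nested deployments such as deployFlowLogs in the quickstart template and leaves ARM expressions unresolved.

```python
import json

FLOWLOGS, NESTED = "microsoft.network/networkwatchers/flowlogs", "microsoft.resources/deployments"

def find_flow_logs(template):
    """Yield flowLogs resources, descending into nested deployment templates."""
    for res in template.get("resources", []):
        rtype = res.get("type", "").rstrip("/").lower()
        if rtype == FLOWLOGS:
            yield res
        elif rtype == NESTED:
            yield from find_flow_logs(res.get("properties", {}).get("template", {}))

def is_expression(value):
    # ARM expressions such as [parameters('x')] cannot be resolved offline.
    return isinstance(value, str) and value.startswith("[")

def audit(res):
    props, findings = res.get("properties", {}), []
    if props.get("enabled") is not True and not is_expression(props.get("enabled")):
        findings.append("enabled is not true")
    for key in ("targetResourceId", "storageId"):
        if not props.get(key):
            findings.append(key + " is missing")
    for key in ("retentionPolicy", "format"):
        # These belong directly under properties, as in the quickstart template.
        if key in props.get("flowAnalyticsConfiguration", {}):
            findings.append(key + " is nested under flowAnalyticsConfiguration")
    days = props.get("retentionPolicy", {}).get("days")
    if days is None:
        findings.append("retentionPolicy.days is not set")
    elif not is_expression(days):  # parameter-driven values need a separate review
        if type(days) is not int or not 0 <= days <= 365:
            findings.append("retentionPolicy.days must be an integer from 0 to 365")
        elif days == 0:
            findings.append("retentionPolicy.days is 0 (permanent retention)")
    return findings

def audit_template(template):
    return {res.get("name", "?"): audit(res) for res in find_flow_logs(template)}

# Constructed sample: one top-level flow log and one inside a nested deployment.
SAMPLE = json.loads("""{"resources": [
 {"type": "Microsoft.Network/networkWatchers/flowLogs", "name": "nw/minimal", "properties": {
   "targetResourceId": "<nsg id>", "storageId": "<storage id>", "enabled": true, "retentionPolicy": {}}},
 {"type": "Microsoft.Resources/deployments", "name": "nested", "properties": {"template": {"resources": [
  {"type": "Microsoft.Network/networkWatchers/flowLogs", "name": "nw/nested", "properties": {
    "targetResourceId": "[parameters('existingNSG')]", "enabled": true,
    "flowAnalyticsConfiguration": {"retentionPolicy": {"days": 0, "enabled": true}}}}]}}}]}""")
print(json.dumps(audit_template(SAMPLE), indent=2))
```

To check your own file, load azuredeploy.json with json.load and pass the result to audit_template.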

Create your template

If you're using ARM templates for the first time, see the following articles to learn more about ARM templates:

The following example is a complete template. It's also the simplest version of the template. The example contains the minimum parameters that are passed to set up NSG flow logs. For more examples, see the overview article Configure NSG flow logs from an Azure Resource Manager template.

Example

The following template enables flow logs for an NSG, and then stores the logs in a specific storage account:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "apiProfile": "2019-09-01",
  "resources": [
    {
      "name": "NetworkWatcher_centraluseuap/Microsoft.NetworkDalanDemoPerimeterNSG",
      "type": "Microsoft.Network/networkWatchers/flowLogs",
      "location": "centraluseuap",
      "apiVersion": "2019-09-01",
      "properties": {
        "targetResourceId": "/subscriptions/<subscription Id>/resourceGroups/DalanDemo/providers/Microsoft.Network/networkSecurityGroups/PerimeterNSG",
        "storageId": "/subscriptions/<subscription Id>/resourceGroups/MyCanaryFlowLog/providers/Microsoft.Storage/storageAccounts/storagev2ira",
        "enabled": true,
        "flowAnalyticsConfiguration": {},
        "retentionPolicy": {},
        "format": {}
      }
    }
  ]
}

Note

  • The resource name uses the format ParentResource_ChildResource. In our example, the parent resource is the regional Azure Network Watcher instance:
    • Format: NetworkWatcher_RegionName
    • Example: NetworkWatcher_centraluseuap
  • targetResourceId is the resource ID of the target NSG.
  • storageId is the resource ID of the destination storage account.

Deploy the template

This tutorial assumes that you have an existing resource group and an NSG that you can enable flow logging on.

You can save any of the example templates that are shown in this article locally as azuredeploy.json. Update the property values so they point to valid resources in your subscription.

To deploy the template, run the following command in Azure PowerShell:

$context = Get-AzSubscription -SubscriptionId <subscription Id>
Set-AzContext $context
New-AzResourceGroupDeployment -Name EnableFlowLog -ResourceGroupName NetworkWatcherRG `
    -TemplateFile "C:\MyTemplates\azuredeploy.json"

Note

These commands deploy a resource to the example NetworkWatcherRG resource group, and not to the resource group that contains the NSG.

Validate the deployment

You have two options to see whether your deployment succeeded:

If there were issues with the deployment, see Troubleshoot common Azure deployment errors with Azure Resource Manager.

Clean up resources

You can delete Azure resources by using complete deployment mode. To delete a flow logs resource, specify a deployment in complete mode without including the resource you want to delete. Read more about complete deployment mode.

You also can disable an NSG flow log in the Azure portal:

  1. Sign in to the Azure portal.
  2. Select All services. In the Filter box, enter network watcher. In the search results, select Network Watcher.
  3. Under Logs, select NSG flow logs.
  4. In the list of NSGs, select the NSG for which you want to disable flow logs.
  5. Under Flow logs settings, select Off.
  6. Select Save.

Next steps

In this quickstart, you learned how to enable NSG flow logs by using an ARM template. Next, learn how to visualize your NSG flow data by using one of these options: