Manage NSG flow logs using an Azure Resource Manager template
Important
On September 30, 2027, network security group (NSG) flow logs will be retired. As part of this retirement, you'll no longer be able to create new NSG flow logs starting June 30, 2025. We recommend migrating to virtual network flow logs, which overcome the limitations of NSG flow logs. After the retirement date, traffic analytics enabled with NSG flow logs will no longer be supported, and existing NSG flow logs resources in your subscriptions will be deleted. However, NSG flow logs records won't be deleted and will continue to follow their respective retention policies. For more information, see the official announcement.
Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see NSG flow logs overview.
In this article, you learn how to manage NSG flow logs programmatically using an Azure Resource Manager template and Azure PowerShell. You can learn how to manage an NSG flow log using the Azure portal, PowerShell, Azure CLI, or REST API.
An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project using declarative syntax.
Prerequisites
- An Azure account with an active subscription. Create a trial subscription.
NSG flow logs object
The NSG flow logs object with all parameters is shown in the following example. For a complete overview of the object properties, see NSG flow logs template reference.
{
  "name": "string",
  "type": "Microsoft.Network/networkWatchers/flowLogs",
  "location": "string",
  "apiVersion": "2022-07-01",
  "properties": {
    "targetResourceId": "string",
    "storageId": "string",
    "enabled": "boolean",
    "flowAnalyticsConfiguration": {
      "networkWatcherFlowAnalyticsConfiguration": {
        "enabled": "boolean",
        "workspaceResourceId": "string",
        "trafficAnalyticsInterval": "integer"
      }
    },
    "retentionPolicy": {
      "days": "integer",
      "enabled": "boolean"
    },
    "format": {
      "type": "string",
      "version": "integer"
    }
  }
}
To create a Microsoft.Network/networkWatchers/flowLogs resource, add the above JSON to the resources section of your template.
Create your template
To learn more about using Azure Resource Manager templates, see:
- Deploy resources with Resource Manager templates and Azure PowerShell
- Tutorial: Create and deploy your first Azure Resource Manager template
The following examples present complete templates to enable NSG flow logs.
Example 1
Example 1 uses the simplest version of the ARM template with minimum parameters passed. The following template enables NSG flow logs on a target network security group and stores them in a given storage account.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "apiProfile": "2019-09-01",
  "resources": [
    {
      "name": "myNSG-myresourcegroup-flowlog",
      "type": "Microsoft.Network/networkWatchers/flowLogs",
      "location": "chinaeast",
      "apiVersion": "2022-11-01",
      "properties": {
        "targetResourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/myNSG",
        "storageId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myStorageAccount",
        "enabled": true,
        "flowAnalyticsConfiguration": {},
        "retentionPolicy": {},
        "format": {}
      }
    }
  ]
}
Note
- targetResourceId is the resource ID of the target network security group.
- storageId is the resource ID of the destination storage account.
Example 2
Example 2 uses the following template to enable NSG flow logs (version 2) with retention of 5 days and traffic analytics with a processing interval of 10 minutes.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "apiProfile": "2019-09-01",
  "resources": [
    {
      "name": "myNSG-myresourcegroup-flowlog",
      "type": "Microsoft.Network/networkWatchers/flowLogs",
      "location": "chinaeast",
      "apiVersion": "2022-11-01",
      "properties": {
        "targetResourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/myNSG",
        "storageId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myStorageAccount",
        "enabled": true,
        "flowAnalyticsConfiguration": {
          "networkWatcherFlowAnalyticsConfiguration": {
            "enabled": true,
            "workspaceResourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/defaultresourcegroup-eus/providers/Microsoft.OperationalInsights/workspaces/DefaultWorkspace-abcdef01-2345-6789-0abc-def012345678-EUS",
            "trafficAnalyticsInterval": 10
          }
        },
        "retentionPolicy": {
          "days": 5,
          "enabled": true
        },
        "format": {
          "type": "JSON",
          "version": 2
        }
      }
    }
  ]
}
Note
- targetResourceId is the resource ID of the target network security group.
- storageId is the resource ID of the destination storage account.
- workspaceResourceId is the resource ID of the traffic analytics workspace.
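Before deploying, it helps to lint the saved azuredeploy.json against a baseline so that a template like Example 1 (no retention policy, no traffic analytics, no format version) is caught before it reaches the subscription. The following Python script is an added example, not part of the original article or of any Azure tooling; the subscription ID, workspace name and the five-day retention baseline are placeholders modelled on Examples 1 and 2 above.

```python
import json


def example_template(hardened):
    """Constructed template modelled on Example 1 (hardened=False) and Example 2 (hardened=True); IDs are placeholders."""
    rg = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup"
    props = {
        "targetResourceId": rg + "/providers/Microsoft.Network/networkSecurityGroups/myNSG",
        "storageId": rg + "/providers/Microsoft.Storage/storageAccounts/myStorageAccount",
        "enabled": True,
        "flowAnalyticsConfiguration": {}, "retentionPolicy": {}, "format": {},
    }
    if hardened:
        props["flowAnalyticsConfiguration"] = {"networkWatcherFlowAnalyticsConfiguration": {
            "enabled": True, "trafficAnalyticsInterval": 10,
            "workspaceResourceId": rg + "/providers/Microsoft.OperationalInsights/workspaces/myWorkspace"}}
        props["retentionPolicy"] = {"days": 5, "enabled": True}
        props["format"] = {"type": "JSON", "version": 2}
    return json.dumps({"contentVersion": "1.0.0.0", "resources": [{
        "name": "myNSG-myresourcegroup-flowlog", "type": "Microsoft.Network/networkWatchers/flowLogs",
        "location": "chinaeast", "apiVersion": "2022-11-01", "properties": props}]})


def check_flow_log_template(template_text, min_retention_days=5):
    """Return baseline findings for every flowLogs resource in the template; an empty list means it passes."""
    findings = []
    resources = json.loads(template_text).get("resources", [])
    # ARM resource types are case-insensitive, so normalise before comparing.
    flow_logs = [r for r in resources
                 if r.get("type", "").lower() == "microsoft.network/networkwatchers/flowlogs"]
    if not flow_logs:
        return ["no Microsoft.Network/networkWatchers/flowLogs resource found"]
    for res in flow_logs:
        name = res.get("name", "<unnamed>")
        props = res.get("properties", {})
        if props.get("enabled") is not True:
            findings.append(f"{name}: flow log is not enabled")
        for key in ("targetResourceId", "storageId"):
            if "/providers/" not in props.get(key, ""):
                findings.append(f"{name}: {key} is not a full resource ID")
        retention = props.get("retentionPolicy", {})
        if not retention.get("enabled") or retention.get("days", 0) < min_retention_days:
            findings.append(f"{name}: retention policy not set to at least {min_retention_days} days")
        if props.get("format", {}).get("version") != 2:
            findings.append(f"{name}: format version 2 not requested")
        analytics = props.get("flowAnalyticsConfiguration", {}).get(
            "networkWatcherFlowAnalyticsConfiguration", {})
        if not analytics.get("enabled") or not analytics.get("workspaceResourceId"):
            findings.append(f"{name}: traffic analytics not enabled with a workspace")
    return findings
```

Run `check_flow_log_template(open("azuredeploy.json").read())` on your own file; the Example 1 shape yields three findings (retention, format version, traffic analytics) while the Example 2 shape yields none.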
Deploy your Azure Resource Manager template
This tutorial assumes you have an existing resource group and a network security group you can enable flow logging on.
You can save any of the above example templates locally as azuredeploy.json. Update the property values so that they point to valid resources in your subscription.
To deploy the template, run the following command in PowerShell.
# Select the subscription that contains the network security group and the Network Watcher resource group.
$context = Get-AzSubscription -SubscriptionId <SubscriptionId>
Set-AzContext $context
# Deploy the template into the Network Watcher resource group, not the resource group that holds the NSG.
New-AzResourceGroupDeployment -Name EnableFlowLog -ResourceGroupName NetworkWatcherRG `
    -TemplateFile "C:\MyTemplates\azuredeploy.json"
Note
The previous commands deploy the flow log resource to the NetworkWatcherRG resource group, not to the resource group that contains the network security group.
Verify your deployment
There are a couple of ways to check if your deployment has succeeded. Your PowerShell console should show "ProvisioningState" as "Succeeded". Additionally, you can visit the Flow logs portal page to confirm your changes. If there were issues with the deployment, see Troubleshoot common Azure deployment errors with Azure Resource Manager.
Delete your resource
Azure enables resource deletion through the Complete deployment mode. To delete a flow logs resource, specify a deployment in Complete mode without including the resource you wish to delete. For more information, see Complete deployment mode.
Next steps
- To learn how to use Azure built-in policies to audit or deploy NSG flow logs, see Manage NSG flow logs using Azure Policy.
- To learn about traffic analytics, see Traffic analytics.