Manage NSG flow logs using an Azure Resource Manager template

Important

On September 30, 2027, network security group (NSG) flow logs will be retired. As part of this retirement, you'll no longer be able to create new NSG flow logs starting June 30, 2025. We recommend migrating to virtual network flow logs, which overcome the limitations of NSG flow logs. After the retirement date, traffic analytics enabled with NSG flow logs will no longer be supported, and existing NSG flow logs resources in your subscriptions will be deleted. However, NSG flow logs records won't be deleted and will continue to follow their respective retention policies. For more information, see the official announcement.

Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see NSG flow logs overview.

In this article, you learn how to manage NSG flow logs programmatically using an Azure Resource Manager template and Azure PowerShell. You can learn how to manage an NSG flow log using the Azure portal, PowerShell, Azure CLI, or REST API.

An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project using declarative syntax.

Prerequisites

NSG flow logs object

The NSG flow logs object with all parameters is shown in the following example. For a complete overview of the object properties, see NSG flow logs template reference.

{
  "name": "string",
  "type": "Microsoft.Network/networkWatchers/flowLogs",
  "location": "string",
  "apiVersion": "2022-07-01",
  "properties": {
    "targetResourceId": "string",
    "storageId": "string",
    "enabled": "boolean",
    "flowAnalyticsConfiguration": {
      "networkWatcherFlowAnalyticsConfiguration": {
         "enabled": "boolean",
         "workspaceResourceId": "string",
          "trafficAnalyticsInterval": "integer"
        },
        "retentionPolicy": {
           "days": "integer",
           "enabled": "boolean"
         },
        "format": {
           "type": "string",
           "version": "integer"
         }
      }
    }
  }

To create a Microsoft.Network/networkWatchers/flowLogs resource, add the above JSON to the resources section of your template.

Create your template

To learn more about using Azure Resource Manager templates, see:

The following examples present complete templates to enable NSG flow logs.

Example 1

Example 1 uses the simplest version of the ARM template with minimum parameters passed. The following template enables NSG flow logs on a target network security group and stores them in a given storage account.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "apiProfile": "2019-09-01",
  "resources": [
 {
    "name": "myNSG-myresourcegroup-flowlog",
    "type": "Microsoft.Network/networkWatchers/FlowLogs/",
    "location": "chinaeast",
    "apiVersion": "2022-11-01",
    "properties": {
      "targetResourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/myNSG",
      "storageId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myStorageAccount",
      "enabled": true,
      "flowAnalyticsConfiguration": {},
      "retentionPolicy": {},
      "format": {}
    }

  }
  ]
}

Note

  • targetResourceId is the resource ID of the target network security group.
  • storageId is the resource ID of the destination storage account.

Example 2

Example 2 uses the following template to enable NSG flow logs (version 2) with retention of 5 days and traffic analytics with a processing interval of 10 minutes.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "apiProfile": "2019-09-01",
  "resources": [
    {
      "name": "myNSG-myresourcegroup-flowlog",
      "type": "Microsoft.Network/networkWatchers/FlowLogs/",
      "location": "chinaeast",
      "apiVersion": "2022-11-01",
      "properties": {
        "targetResourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/myNSG",
        "storageId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myStorageAccount",
        "enabled": true,
        "flowAnalyticsConfiguration": {
          "networkWatcherFlowAnalyticsConfiguration": {
            "enabled": true,
            "workspaceResourceId": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourceGroups/defaultresourcegroup-eus/providers/Microsoft.OperationalInsights/workspaces/DefaultWorkspace-abcdef01-2345-6789-0abc-def012345678-EUS",
            "trafficAnalyticsInterval": 10
          }
        },
        "retentionPolicy": {
          "days": 5,
          "enabled": true
        },
        "format": {
          "type": "JSON",
          "version": 2
        }
      }
    }
  ]
}

Note

  • targetResourceId is the resource ID of the target network security group.
  • storageId is the resource ID of the destination storage account.
  • workspaceResourceId is is the resource ID of the traffic analytics workspace.

Deploy your Azure Resource Manager template

This tutorial assumes you have an existing Resource group and a network security group you can enable flow logging on. You can save any of the above example templates locally as azuredeploy.json. Update the property values so that they point to valid resources in your subscription.

To deploy the template, run the following command in PowerShell.

$context = Get-AzSubscription -SubscriptionId <SubscriptionId>
Set-AzContext $context
New-AzResourceGroupDeployment -Name EnableFlowLog -ResourceGroupName NetworkWatcherRG `
    -TemplateFile "C:\MyTemplates\azuredeploy.json"

Note

The previous commands deploys a resource to the NetworkWatcherRG resource group and not the resource group containing the network security group.

Verify your deployment

There are a couple of ways to check if your deployment has succeeded. Your PowerShell console should show "ProvisioningState" as "Succeeded". Additionally, you can visit the Flow logs portal page to confirm your changes. If there were issues with the deployment, see Troubleshoot common Azure deployment errors with Azure Resource Manager.

Delete your resource

Azure enables resource deletion through the Complete deployment mode. To delete a flow logs resource, specify a deployment in Complete mode without including the resource you wish to delete. For more information, see Complete deployment mode.

Next steps