Quickstart: Configure NSG flow logs using a Bicep file

2025-06-27

Important

Network security group (NSG) flow logs will be retired on September 30, 2027. After June 30, 2025, you'll no longer be able to create new NSG flow logs. We recommend migrating to virtual network flow logs, which address the limitations of NSG flow logs. After the retirement date, traffic analytics enabled for NSG flow logs will no longer be supported, and existing NSG flow log resources in your subscriptions will be deleted. However, existing NSG flow log records won't be deleted from Azure Storage and will continue to follow their configured retention policies. For more information, see the official announcement.

In this quickstart, you learn how to enable NSG flow logs using a Bicep file. For more information, see NSG flow logs overview and What is Azure Resource Manager?

Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. It provides concise syntax, reliable type safety, and support for code reuse. Bicep offers the best authoring experience for your infrastructure-as-code solutions in Azure.

An Azure account with an active subscription. If you don't have one, create a trial subscription before you begin.
Azure PowerShell installed locally to run the cmdlets. Use Connect-AzAccount -Environment AzureChinaCloud cmdlet to sign in to Azure.

Review the Bicep file

This quickstart uses the Create NSG flow logs Bicep file from Azure Quickstart Templates.

@description('Name of the Network Watcher attached to your subscription. Format: NetworkWatcher_<region_name>')
param networkWatcherName string = 'NetworkWatcher_${location}'

@description('Name of your Flow log resource')
param flowLogName string = 'FlowLog1'

@description('Region where you resources are located')
param location string = resourceGroup().location

@description('Resource ID of the target NSG')
param existingNSG string

@description('Retention period in days. Default is zero which stands for permanent retention. Can be any Integer from 0 to 365')
@minValue(0)
@maxValue(365)
param retentionDays int = 0

@description('FlowLogs Version. Correct values are 1 or 2 (default)')
@allowed([
  1
  2
])
param flowLogsVersion int = 2

@description('Storage Account type')
@allowed([
  'Standard_LRS'
  'Standard_GRS'
  'Standard_ZRS'
])
param storageAccountType string = 'Standard_LRS'

var storageAccountName = 'flowlogs${uniqueString(resourceGroup().id)}'

resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: storageAccountType
  }
  kind: 'StorageV2'
  properties: {}
}

resource networkWatcher 'Microsoft.Network/networkWatchers@2022-01-01' = {
  name: networkWatcherName
  location: location
  properties: {}
}

resource flowLog 'Microsoft.Network/networkWatchers/flowLogs@2022-01-01' = {
  name: '${networkWatcherName}/${flowLogName}'
  location: location
  properties: {
    targetResourceId: existingNSG
    storageId: storageAccount.id
    enabled: true
    retentionPolicy: {
      days: retentionDays
      enabled: true
    }
    format: {
      type: 'JSON'
      version: flowLogsVersion
    }
  }
}

The following resources are defined in the Bicep file:

The highlighted code in the preceding sample shows an NSG flow log resource definition.

Deploy the Bicep file

This quickstart assumes that you have a network security group that you can enable flow logging on.

PowerShell
Azure CLI

Save the Bicep file as main.bicep to your local computer.

Deploy the Bicep file.

New-AzResourceGroup -Name 'exampleRG' -Location 'chinaeast'
New-AzResourceGroupDeployment -ResourceGroupName 'exampleRG' -TemplateFile ./main.bicep

You'll be prompted to enter the resource ID of the existing network security group. The syntax of the network security group resource ID is:

"/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/networkSecurityGroups/<network-security-group-name>"

When the deployment finishes, you should see a message indicating the deployment succeeded.

Save the Bicep file as main.bicep to your local computer.

Deploy the Bicep file.

az group create --name 'exampleRG' --location 'chinaeast'
az deployment group create --resource-group 'exampleRG' --template-file main.bicep

You'll be prompted to enter the resource ID of the existing network security group. The syntax of the network security group resource ID is:

"/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/networkSecurityGroups/<network-security-group-name>"

When the deployment finishes, you should see a message indicating the deployment succeeded.

Validate the deployment

You have two options to see whether your deployment succeeded:

Your console shows ProvisioningState as Succeeded.
Go to the NSG flow logs portal page to confirm your changes.

If there are issues with the deployment, see Troubleshoot common Azure deployment errors with Azure Resource Manager.

Clean up resources

You can delete Azure resources using complete deployment mode. To delete a flow logs resource, specify a deployment in complete mode without including the resource you want to delete. Read more about complete deployment mode.

You also can disable an NSG flow log in the Azure portal:

Sign in to the Azure portal.
In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.
Under Logs, select Flow logs.
In the list of flow logs, select the flow log that you want to disable.
Select Disable.

In this quickstart, you learned how to enable NSG flow logs using a Bicep file. Next, learn how to visualize your NSG flow logs data using traffic analytics: