Manage NSG flow logs using the Azure CLI
Important
On September 30, 2027, network security group (NSG) flow logs will be retired. As part of this retirement, you'll no longer be able to create new NSG flow logs starting June 30, 2025. We recommend migrating to virtual network flow logs, which overcome the limitations of NSG flow logs. After the retirement date, traffic analytics enabled with NSG flow logs will no longer be supported, and existing NSG flow logs resources in your subscriptions will be deleted. However, NSG flow logs records won't be deleted and will continue to follow their respective retention policies. For more information, see the official announcement.
Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see NSG flow logs overview.
In this article, you learn how to create, change, disable, or delete an NSG flow log using the Azure CLI. You can learn how to manage an NSG flow log using the Azure portal, PowerShell, REST API, or ARM template.
Prerequisites
An Azure account with an active subscription. Create a trial subscription.
Insights provider. For more information, see Register Insights provider.
A network security group. If you need to create a network security group, see Create, change, or delete a network security group.
An Azure storage account. If you need to create a storage account, see create a storage account using PowerShell.
Azure CLI installed locally.
- You can install Azure CLI locally to run the commands. If you run Azure CLI locally, sign in to Azure using the az login command.
Register Insights provider
Microsoft.Insights provider must be registered to successfully log traffic flowing through a network security group. If you aren't sure if the Microsoft.Insights provider is registered, use az provider register to register it.
# Register Microsoft.Insights provider.
az provider register --namespace 'Microsoft.Insights'
Create a flow log
Create a flow log using az network watcher flow-log create. The flow log is created in the Network Watcher default resource group NetworkWatcherRG.
# Create a version 1 NSG flow log.
az network watcher flow-log create --name 'myFlowLog' --nsg 'myNSG' --resource-group 'myResourceGroup' --storage-account 'myStorageAccount'
Note
- If the storage account is in a different subscription, the network security group and storage account must be associated with the same Azure Active Directory tenant. The account you use for each subscription must have the necessary permissions.
- If the storage account is in a different resource group or subscription, you must specify the full ID of the storage account instead of only its name. For example, if myStorageAccount storage account is in a resource group named StorageRG while the network security group is in the resource group myResourceGroup, you must use
/subscriptions/{SubscriptionID}/resourceGroups/RG-Storage/providers/Microsoft.Storage/storageAccounts/myStorageAccount
for--storage-account
parameter instead ofmyStorageAccount
.
# Place the storage account resource ID into a variable.
sa=$(az storage account show --name 'myStorageAccount' --query 'id' --output 'tsv')
# Create a version 1 NSG flow log (the storage account is in a different resource group).
az network watcher flow-log create --name 'myFlowLog' --nsg 'myNSG' --resource-group 'myResourceGroup' --storage-account $sa
Create a flow log and traffic analytics workspace
Create a Log Analytics workspace using az monitor log-analytics workspace create.
# Create a Log Analytics workspace. az monitor log-analytics workspace create --name 'myWorkspace' --resource-group 'myResourceGroup'
Create a flow log using az network watcher flow-log create. The flow log is created in the Network Watcher default resource group NetworkWatcherRG.
# Create a version 1 NSG flow log and enable traffic analytics for it. az network watcher flow-log create --name 'myFlowLog' --nsg 'myNSG' --resource-group 'myResourceGroup' --storage-account 'myStorageAccount' --traffic-analytics 'true' --workspace 'myWorkspace'
Note
- The storage account can't have network rules that restrict network access to only Azure services or specific virtual networks.
- If the storage account is in a different subscription, the network security group and storage account must be associated with the same Azure Active Directory tenant. The account you use for each subscription must have the necessary permissions.
- If the storage account is in a different resource group or subscription, the full ID of the storage account must be used. For example, if myStorageAccount storage account is in a resource group named StorageRG while the network security group is in the resource group myResourceGroup, you must use
/subscriptions/{SubscriptionID}/resourceGroups/RG-Storage/providers/Microsoft.Storage/storageAccounts/myStorageAccount
for--storage-account
parameter instead ofmyStorageAccount
.
# Place the storage account resource ID into a variable.
sa=$(az storage account show --name 'myStorageAccount' --query 'id' --output 'tsv')
# Create a Log Analytics workspace.
az monitor log-analytics workspace create --name 'myWorkspace' --resource-group 'myResourceGroup'
# Create a version 1 NSG flow log and enable traffic analytics for it (the storage account is in a different resource group).
az network watcher flow-log create --name 'myFlowLog' --nsg 'myNSG' --resource-group 'myResourceGroup' --storage-account $sa --traffic-analytics 'true' --workspace 'myWorkspace'
Change a flow log
You can use az network watcher flow-log update to change the properties of a flow log. For example, you can change the flow log version or disable traffic analytics.
# Update the flow log.
az network watcher flow-log update --name 'myFlowLog' --nsg 'myNSG' --resource-group 'myResourceGroup' --storage-account 'myStorageAccount' --traffic-analytics 'false' --log-version '2'
List all flow logs in a region
Use az network watcher flow-log list to list all NSG flow log resources in a particular region in your subscription.
# Get all NSG flow logs in China East region.
az network watcher flow-log list --location 'chinaeast' --out table
View details of a flow log resource
Use az network watcher flow-log show to see details of a flow log resource.
# Get the details of a flow log.
az network watcher flow-log show --name 'myFlowLog' --resource-group 'NetworkWatcherRG' --location 'chinaeast'
Download a flow log
The storage location of a flow log is defined at creation. To access and download flow logs from your storage account, you can use Azure Storage Explorer. Fore more information, see Get started with Storage Explorer.
NSG flow log files saved to a storage account follow this path:
https://{storageAccountName}.blob.core.chinacloudapi.cn/insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/{subscriptionID}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{NetworkSecurityGroupName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json
For information about the structure of a flow log, see Log format of NSG flow logs.
Disable a flow log
To temporarily disable a flow log without deleting it, use az network watcher flow-log update command. Disabling a flow log stops flow logging for the associated network security group. However, the flow log resource remains with all its settings and associations. You can re-enable it at any time to resume flow logging for the configured network security group.
Note
If traffic analytics is enabled for a flow log, it must disabled before you can disable the flow log.
# Disable traffic analytics log if it's enabled.
az network watcher flow-log update --name 'myFlowLog' --nsg 'myNSG' --resource-group 'myResourceGroup' --storage-account 'myStorageAccount' --traffic-analytics 'false' --workspace 'myWorkspace'
# Disable the flow log.
az network watcher flow-log update --name 'myFlowLog' --nsg 'myNSG' --resource-group 'myResourceGroup' --storage-account 'myStorageAccount' --enabled 'false'
Delete a flow log
To permanently delete a flow log, use az network watcher flow-log delete command. Deleting a flow log deletes all its settings and associations. To begin flow logging again for the same network security group, you must create a new flow log for it.
# Delete the flow log.
az network watcher flow-log delete --name 'myFlowLog' --location 'chinaeast' --no-wait 'true'
Note
Deleting a flow log does not delete the flow log data from the storage account. Flow logs data stored in the storage account follow the configured retention policy.
Related content
- To learn how to use Azure built-in policies to audit or deploy NSG flow logs, see Manage NSG flow logs using Azure Policy.
- To learn about traffic analytics, see Traffic analytics.