Quickstart: Configure Azure Network Watcher NSG flow logs using an Azure Resource Manager (ARM) template

In this quickstart, you learn how to enable NSG flow logs using an Azure Resource Manager (ARM) template and Azure PowerShell. For more information, see What is Azure Resource Manager? and NSG flow logs overview.

A Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. In declarative syntax, you describe your intended deployment without writing the sequence of programming commands to create the deployment.

We start with an overview of the properties of the NSG flow log object and provide a sample template. Then, we use a local Azure PowerShell instance to deploy the template.

If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template opens in the Azure portal.

Note

When you download a template directly from https://raw.githubusercontent.com/ and deploy it as a custom template, the deployment sometimes fails.

To deploy a template on Azure China 21Vianet, follow these steps:

  1. Copy the template URI and convert it by changing the prefix, adding an infix, and (optionally) changing the template file name. For example, the original URI is https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.network/vnet-two-subnets/azuredeploy.json

     Prefix: replace https://raw.githubusercontent.com with https://github.com.
     Infix: insert blob before master or main (the default branch name of the repository).
     Template file name: keep azuredeploy.json, or replace it with the name of the template file you want.

     After the changes, the converted URI looks like https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.network/vnet-two-subnets/azuredeploy.json.

     Many templates have been moved to paths of the form https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/{Microsoft_Resource_Provider_Name}/. Follow the same path convention when you update the original URI.

  2. Copy the converted URI and download the template content manually in a browser.

  3. Select Build your own template in the editor in the Custom deployment page of portal.

  4. Paste the downloaded template content in the Edit template page and update the parameters for Azure China Cloud, such as endpoints, location, VM images, VM sizes, SKUs, and any resource provider API versions that aren't supported in the Azure China Cloud environment.

  5. Select Save to return to the Custom deployment page.

  6. Select Review + create.

Prerequisites

An Azure account with an active subscription. If you don't have one, create a trial subscription before you begin.

Review the template

The template that we use in this quickstart is from Azure Quickstart Templates.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.9.1.41621",
      "templateHash": "14580725600461536175"
    }
  },
  "parameters": {
    "networkWatcherName": {
      "type": "string",
      "defaultValue": "[format('NetworkWatcher_{0}', parameters('location'))]",
      "metadata": {
        "description": "Name of the Network Watcher attached to your subscription. Format: NetworkWatcher_<region_name>"
      }
    },
    "flowLogName": {
      "type": "string",
      "defaultValue": "FlowLog1",
      "metadata": {
        "description": "Name of your Flow log resource"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Region where your resources are located"
      }
    },
    "existingNSG": {
      "type": "string",
      "metadata": {
        "description": "Resource ID of the target NSG"
      }
    },
    "retentionDays": {
      "type": "int",
      "defaultValue": 0,
      "maxValue": 365,
      "minValue": 0,
      "metadata": {
        "description": "Retention period in days. Default is zero which stands for permanent retention. Can be any Integer from 0 to 365"
      }
    },
    "flowLogsVersion": {
      "type": "int",
      "defaultValue": 2,
      "allowedValues": [
        1,
        2
      ],
      "metadata": {
        "description": "FlowLogs Version. Correct values are 1 or 2 (default)"
      }
    },
    "storageAccountType": {
      "type": "string",
      "defaultValue": "Standard_LRS",
      "allowedValues": [
        "Standard_LRS",
        "Standard_GRS",
        "Standard_ZRS"
      ],
      "metadata": {
        "description": "Storage Account type"
      }
    }
  },
  "variables": {
    "storageAccountName": "[format('flowlogs{0}', uniqueString(resourceGroup().id))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-09-01",
      "name": "[variables('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "[parameters('storageAccountType')]"
      },
      "kind": "StorageV2",
      "properties": {}
    },
    {
      "type": "Microsoft.Network/networkWatchers",
      "apiVersion": "2022-01-01",
      "name": "[parameters('networkWatcherName')]",
      "location": "[parameters('location')]",
      "properties": {}
    },
    {
      "type": "Microsoft.Network/networkWatchers/flowLogs",
      "apiVersion": "2022-01-01",
      "name": "[format('{0}/{1}', parameters('networkWatcherName'), parameters('flowLogName'))]",
      "location": "[parameters('location')]",
      "properties": {
        "targetResourceId": "[parameters('existingNSG')]",
        "storageId": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
        "enabled": true,
        "retentionPolicy": {
          "days": "[parameters('retentionDays')]",
          "enabled": true
        },
        "format": {
          "type": "JSON",
          "version": "[parameters('flowLogsVersion')]"
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
      ]
    }
  ]
}

The following resources are defined in the template:

  1. Microsoft.Storage/storageAccounts: the storage account that receives the flow log files.

  2. Microsoft.Network/networkWatchers: the regional Network Watcher instance, named NetworkWatcher_<region_name> by default.

  3. Microsoft.Network/networkWatchers/flowLogs: the NSG flow log itself, which targets the NSG passed in existingNSG and writes to the storage account.

The third resource in the preceding sample is the NSG flow logs resource definition. Its targetResourceId is the NSG, storageId is the storage account, and the retentionPolicy and format blocks set the retention period and the log format version.

Deploy the template

This quickstart assumes that you have an existing resource group and an NSG that you can enable flow logging on.

Save the template shown in this article locally as azuredeploy.json. Update the property values so they point to valid resources in your subscription.

To deploy the template, run the following commands in Azure PowerShell. The existingNSG parameter has no default value, so pass the NSG resource ID on the command line (New-AzResourceGroupDeployment exposes each template parameter as a dynamic parameter); otherwise, you're prompted for it:

$context = Get-AzSubscription -SubscriptionId <subscription Id>
Set-AzContext $context
New-AzResourceGroupDeployment -Name EnableFlowLog -ResourceGroupName NetworkWatcherRG `
    -TemplateFile "C:\MyTemplates\azuredeploy.json" `
    -existingNSG "<resource ID of the NSG>"

Note

These commands deploy a resource to NetworkWatcherRG resource group, and not to the resource group that contains the network security group.
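The following script is an added example, not code from the original page. It resolves the NSG resource ID instead of hand-typing it, passes the template parameters as an object, runs a preflight validation with Test-AzResourceGroupDeployment before anything is created, and then deploys. The subscription ID, the NSG name and its resource group, and the template path are placeholders; it assumes the Az.Accounts, Az.Resources and Az.Network modules are installed and that you've already signed in with Connect-AzAccount.

```powershell
# Added example (not from the original page). Assumes Az.Accounts, Az.Resources and
# Az.Network are installed and Connect-AzAccount has already been run.
$subscriptionId   = "<subscription Id>"        # placeholder
$nsgResourceGroup = "<NSG resource group>"     # placeholder: the RG that holds the NSG
$nsgName          = "<NSG name>"               # placeholder
$templateFile     = "C:\MyTemplates\azuredeploy.json"

Set-AzContext -Subscription $subscriptionId | Out-Null

# Resolve the NSG resource ID from the subscription. This also fails early if the
# NSG isn't where you think it is, before any deployment is attempted.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $nsgResourceGroup -Name $nsgName

# Template parameters. existingNSG has no default, so without it the deployment prompts.
$parameters = @{
    existingNSG        = $nsg.Id
    flowLogName        = "FlowLog1"
    retentionDays      = 90              # 0 keeps logs forever; set what your retention policy requires
    flowLogsVersion    = 2               # version 2 adds flow state and byte/packet counters
    storageAccountType = "Standard_LRS"
}

# Preflight: validates template syntax and parameters against the resource providers
# without creating anything. Returns nothing on success, error objects on failure.
$validation = Test-AzResourceGroupDeployment -ResourceGroupName "NetworkWatcherRG" `
    -TemplateFile $templateFile -TemplateParameterObject $parameters
if ($validation) {
    $validation | ForEach-Object { Write-Error $_.Message }
    throw "Template validation failed; nothing was deployed."
}

# The flow log resource lives next to the regional Network Watcher in NetworkWatcherRG,
# not in the resource group that contains the NSG.
$deployment = New-AzResourceGroupDeployment -Name "EnableFlowLog" -ResourceGroupName "NetworkWatcherRG" `
    -TemplateFile $templateFile -TemplateParameterObject $parameters

$deployment | Select-Object DeploymentName, ProvisioningState, Timestamp
```

The storage account in the template is created with empty properties. If the flow log data is sensitive in your environment, consider adding storage hardening settings (for example, HTTPS-only traffic, a minimum TLS version, and disabled public blob access) to the template before deploying it.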

Validate the deployment

You can check whether your deployment succeeded in the Azure portal (Network Watcher > Flow logs) or by querying the deployment and the flow log resource with Azure PowerShell.
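The following script is an added example, not code from the original page. It checks the deployment's provisioning state, then reads the flow log resource back with Get-AzNetworkWatcherFlowLog and verifies that it's enabled, targets the expected NSG, has a storage account, uses format version 2, and has a retention policy enabled. The region and the NSG resource ID are placeholders; the flow log name and deployment name match the template and the command in the preceding section.

```powershell
# Added example (not from the original page). Same placeholders as the deployment step.
$resourceGroup = "NetworkWatcherRG"
$location      = "<region name>"               # placeholder: the region of the NSG
$flowLogName   = "FlowLog1"
$nsgId         = "<resource ID of the NSG>"    # placeholder

# 1. Did the deployment itself succeed?
$deployment = Get-AzResourceGroupDeployment -ResourceGroupName $resourceGroup -Name "EnableFlowLog"
if ($deployment.ProvisioningState -ne "Succeeded") {
    throw "Deployment state is $($deployment.ProvisioningState); inspect Get-AzResourceGroupDeploymentOperation."
}

# 2. Does the flow log resource look the way the template intended?
$flowLog = Get-AzNetworkWatcherFlowLog -Location $location -Name $flowLogName
if (-not $flowLog) { throw "Flow log '$flowLogName' not found in $location." }

# -eq on strings is case-insensitive in PowerShell, which suits resource IDs.
$checks = [ordered]@{
    "flow log is enabled"       = $flowLog.Enabled -eq $true
    "targets the expected NSG"  = $flowLog.TargetResourceId -eq $nsgId
    "storage account is set"    = -not [string]::IsNullOrEmpty($flowLog.StorageId)
    "format version is 2"       = $flowLog.Format.Version -eq 2
    "retention policy enabled"  = $flowLog.RetentionPolicy.Enabled -eq $true
}

$checks.GetEnumerator() | ForEach-Object {
    "{0,-28} {1}" -f $_.Key, $(if ($_.Value) { "OK" } else { "FAIL" })
}
if ($checks.Values -contains $false) { throw "Flow log validation failed." }
```

A flow log that exists but has Enabled set to false, or that points at a different NSG than you expect, is the typical silent failure here: the deployment reports Succeeded, but no traffic is being logged for the resource you care about.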

If there were issues with the deployment, see Troubleshoot common Azure deployment errors with Azure Resource Manager.

Clean up resources

You can delete Azure resources by using complete deployment mode. To delete a flow log resource, deploy a template in complete mode that doesn't include the resource you want to delete. Be aware that complete mode deletes every resource in the resource group that isn't in the template, not only the flow log, so use it only in a resource group that is fully managed by that template. Read more about complete deployment mode.

You can also disable or delete a flow log in the Azure portal:

  1. In the search box at the top of the portal, enter network watcher. Select Network Watcher in the search results.

  2. Under Logs, select Flow logs.

  3. In Network Watcher | Flow logs, select the checkbox of the flow log that you want to delete.

  4. Select Disable or Delete. For more information, see Disable a flow log or Delete a flow log.
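As an added example that is not part of the original page, the following script removes only the flow log from Azure PowerShell, which avoids the side effects of a complete-mode deployment. It leaves the NSG, the Network Watcher, the storage account, and the log files already written in place. The region is a placeholder; the flow log name matches the template's default.

```powershell
# Added example (not from the original page). Removes the flow log resource only.
$location    = "<region name>"   # placeholder: the region of the Network Watcher
$flowLogName = "FlowLog1"

$flowLog = Get-AzNetworkWatcherFlowLog -Location $location -Name $flowLogName
if (-not $flowLog) { throw "Flow log '$flowLogName' not found in $location." }

# Record the storage location before removal: once the flow log resource is gone,
# its storage account ID is the only pointer to the data already collected.
"Removing flow log {0} (target {1}, storage {2})" -f $flowLog.Name, $flowLog.TargetResourceId, $flowLog.StorageId

# -Force skips the confirmation prompt; -PassThru returns $true on success.
Remove-AzNetworkWatcherFlowLog -Location $location -Name $flowLogName -Force -PassThru
```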

In this quickstart, you learned how to enable NSG flow logs using an ARM template. Next, learn how to visualize your NSG flow data using traffic analytics.