Managed identities enable secure and credential-free access to Azure services by providing an automatically managed identity in Microsoft Entra ID. These identities can be used to authenticate to services that support Microsoft Entra authentication, without the need to manage credentials in code. For more information, see Managed identities for Azure resources.
Virtual network flow logs can use user-assigned managed identities to securely authenticate to the storage account where flow logs are stored. This approach eliminates the need to embed credentials in scripts or configuration files, reducing the risk of credential leakage and simplifying operational management.
Benefits of using managed identity with virtual network flow logs
Using managed identities with virtual network flow logs offers several advantages:
- Administrators can securely grant access to the storage account using role-based access control (RBAC).
- Identity management is centralized through Microsoft Entra ID.
- Works well in large-scale environments where flow logs are enabled across multiple virtual networks.
Integration with traffic analytics
Traffic analytics benefits from user-assigned managed identities by enabling secure ingestion of flow logs into the Log Analytics workspace without the need to manage credentials. This approach:
- Streamlines access control for automated deployments.
- Aligns with Zero Trust principles.
- Enhances overall security posture.
Prerequisites
- A virtual network with flow logs enabled. For more information, see Create virtual network flow logs.
- An Azure storage account. For more information, see Create a storage account.
- A Log Analytics workspace for traffic analytics. For more information, see Create a Log Analytics workspace.
- A user-assigned managed identity. For more information, see Create a user-assigned managed identity.
- Storage Blob Data Contributor role assigned to the managed identity. For more information, see Grant a managed identity access to a resource.
- Azure PowerShell.
The steps in this article run the Azure PowerShell cmdlets on your local PC.
You can also install Azure PowerShell locally to run the cmdlets. If you run PowerShell locally, sign in to Azure by using the Connect-AzAccount -Environment AzureChinaCloud cmdlet.
Use a user-assigned managed identity with virtual network flow logs
To create a new virtual network flow log using a user-assigned managed identity, use the New-AzNetworkWatcherFlowLog cmdlet with the parameter -UserAssignedIdentityId.
```powershell
New-AzNetworkWatcherFlowLog -Enabled $true -Name <FLOW LOG NAME> -NetworkWatcherName NetworkWatcher_<REGION> -ResourceGroupName NetworkWatcherRG -StorageId <STORAGE ID> -TargetResourceId <VNET ID> -UserAssignedIdentityId <USER ASSIGNED MANAGED IDENTITY ID>
```
To associate or dissociate a user-assigned managed identity to an existing virtual network flow log, use the Set-AzNetworkWatcherFlowLog cmdlet with the parameter -UserAssignedIdentityId.
```powershell
# Associate a user-assigned managed identity to an existing flow log
Set-AzNetworkWatcherFlowLog -Enabled $true -Name <FLOW LOG NAME> -NetworkWatcherName NetworkWatcher_<REGION> -ResourceGroupName NetworkWatcherRG -StorageId <STORAGE ID> -TargetResourceId <VNET ID> -UserAssignedIdentityId <USER ASSIGNED MANAGED IDENTITY ID>

# Dissociate a user-assigned managed identity from an existing flow log
Set-AzNetworkWatcherFlowLog -Enabled $true -Name <FLOW LOG NAME> -NetworkWatcherName NetworkWatcher_<REGION> -ResourceGroupName NetworkWatcherRG -StorageId <STORAGE ID> -TargetResourceId <VNET ID> -UserAssignedIdentityId <USER ASSIGNED MANAGED IDENTITY ID>
```
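The following script is an added example, not part of this article, that ties the prerequisites to the cmdlet above: it resolves the identity, verifies the Storage Blob Data Contributor assignment at the storage account scope before creating the flow log, and reads the flow log back afterwards. The resource group, region and placeholder names in angle brackets are assumptions you replace with your own values.

```powershell
# Added example (not from the article): assumes the user-assigned identity,
# storage account and virtual network already exist. Replace the placeholders.
$rg           = "NetworkWatcherRG"
$region       = "<REGION>"
$flowLogName  = "<FLOW LOG NAME>"
$identityRg   = "<IDENTITY RESOURCE GROUP>"
$identityName = "<USER ASSIGNED MANAGED IDENTITY NAME>"
$storageId    = "<STORAGE ID>"
$vnetId       = "<VNET ID>"

# Resolve the identity. PrincipalId is what RBAC assignments are keyed on;
# Id is the ARM resource ID that -UserAssignedIdentityId expects.
$identity = Get-AzUserAssignedIdentity -ResourceGroupName $identityRg -Name $identityName

# Confirm the role assignment exists before creating the flow log, so a missing
# assignment surfaces here rather than as silent write failures to storage.
$assignment = Get-AzRoleAssignment -ObjectId $identity.PrincipalId -Scope $storageId `
    -RoleDefinitionName "Storage Blob Data Contributor"
if (-not $assignment) {
    throw "Identity '$identityName' has no Storage Blob Data Contributor assignment on $storageId"
}

# Get-AzRoleAssignment also returns assignments inherited from wider scopes
# (resource group or subscription). The flow log only needs this one account,
# so warn when the grant is broader than the storage account itself.
$broad = $assignment | Where-Object { $_.Scope -ne $storageId }
if ($broad) {
    Write-Warning "Role is inherited from $($broad.Scope); consider scoping it to the storage account."
}

# Create the flow log using the identity's resource ID.
New-AzNetworkWatcherFlowLog -Enabled $true -Name $flowLogName `
    -NetworkWatcherName "NetworkWatcher_$region" -ResourceGroupName $rg `
    -StorageId $storageId -TargetResourceId $vnetId `
    -UserAssignedIdentityId $identity.Id

# Read the flow log back and confirm it is enabled.
$flowLog = Get-AzNetworkWatcherFlowLog -NetworkWatcherName "NetworkWatcher_$region" `
    -ResourceGroupName $rg -Name $flowLogName
if (-not $flowLog.Enabled) {
    throw "Flow log '$flowLogName' was created but is not enabled"
}
```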