Introduction
Azure Virtual Network (VNet) Flow Logs provide valuable insights into network traffic patterns, enabling organizations to monitor, analyze, and troubleshoot network behavior. By leveraging flow logs, IT teams can improve security, optimize performance, and ensure compliance with regulatory standards. In this article, we’ll explore how to enable, configure, and manage Azure VNet Flow Logs effectively.
Important
On September 30, 2027, network security group (NSG) flow logs will be retired. As part of this retirement, you’ll no longer be able to create new NSG flow logs starting June 30, 2025.
What Are Azure VNet Flow Logs?
VNet Flow Logs capture network traffic information at the Network Security Group (NSG) level. These logs record metadata about traffic flows, such as source and destination IPs, ports, protocols, and whether the traffic was allowed or denied based on NSG rules.
Benefits of Using Flow Logs
- Security Monitoring: Detect malicious activity, unauthorized access, and potential threats.
- Performance Optimization: Identify bottlenecks and optimize network configurations.
- Compliance and Auditing: Maintain logs for regulatory requirements and internal audits.
- Troubleshooting: Quickly diagnose connectivity issues and application failures.
Enabling and Configuring VNet Flow Logs
To start using VNet Flow Logs, follow these steps:
Step 1: Enable Flow Logs
- Navigate to the Azure portal.
- Search for Network Watcher and select it from the search results.
- Under Logs, select Flow logs.
- In Network Watcher | Flow logs, select + Create or the blue Create flow log button.
- Choose a destination for the logs:
  - Storage Account (for long-term retention)
  - Log Analytics Workspace (for querying and visualization)
  - Event Hub (for real-time processing and third-party integrations)
- Click Save.
Step 2: Configure Log Retention
When storing logs in a Storage Account, configure lifecycle management policies to automatically delete older logs and optimize storage costs.
Step 3: Choose the Appropriate Flow Log Version
Azure provides two versions of Flow Logs:
- Version 1: Basic logging with source/destination IP, port, protocol, and action.
- Version 2: Includes additional metadata like bytes transferred, session duration, and Flow Tuples.
To enable Version 2, select Enable Traffic Analytics in the Flow Logs configuration.
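The difference between the two versions is easiest to see in the records themselves. The following is an added example, not code from the original article or from Microsoft: it parses a flow log blob into one flat record per flow tuple and summarizes allowed versus denied flows and transferred bytes. The JSON document is constructed for the example in the NSG flow log version 2 layout (a tuple is a comma-separated string of timestamp, source IP, destination IP, source port, destination port, protocol, direction, decision, flow state and four traffic counters; version 1 tuples stop after the decision field). The IP addresses, resource IDs and counters are sample values, not real data.

```python
import json
from collections import Counter

# Field order of an NSG flow log tuple; version 1 tuples carry only the first 8.
FIELDS_V2 = ["timestamp", "src_ip", "dst_ip", "src_port", "dst_port", "protocol",
             "direction", "decision", "state", "packets_out", "bytes_out",
             "packets_in", "bytes_in"]
FIELDS_V1 = FIELDS_V2[:8]

# Constructed sample blob (not real data): one record, two rules, four tuples.
SAMPLE_BLOB = json.dumps({
    "records": [{
        "time": "2025-01-15T10:00:00.0000000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000"
                      "/RESOURCEGROUPS/RG-EXAMPLE/PROVIDERS/MICROSOFT.NETWORK"
                      "/NETWORKSECURITYGROUPS/NSG-EXAMPLE",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3AF87856", "flowTuples": [
                     "1736935200,203.0.113.10,10.0.0.4,51234,22,T,I,D,B,,,,",
                     "1736935201,203.0.113.10,10.0.0.4,51235,3389,T,I,D,B,,,,"]}]},
                {"rule": "UserRule_AllowHTTPS",
                 "flows": [{"mac": "000D3AF87856", "flowTuples": [
                     # B = flow begin (counters empty), E = flow end (cumulative counters)
                     "1736935202,198.51.100.7,10.0.0.4,44321,443,T,I,A,B,,,,",
                     "1736935210,198.51.100.7,10.0.0.4,44321,443,T,I,A,E,12,3400,10,98000"]}]},
            ],
        },
    }]
})


def parse_tuple(tuple_str, rule, version):
    """Turn one flow tuple string into a dict, coercing numeric fields."""
    parts = tuple_str.split(",")
    fields = FIELDS_V2 if version == 2 else FIELDS_V1
    if len(parts) != len(fields):
        raise ValueError(f"unexpected tuple width {len(parts)} for version {version}: {tuple_str}")
    rec = dict(zip(fields, parts))
    rec["rule"] = rule
    rec["timestamp"] = int(rec["timestamp"])
    for name in ("src_port", "dst_port", "packets_out", "bytes_out", "packets_in", "bytes_in"):
        # Version 1 has no counters; version 2 begin-state tuples leave them empty.
        rec[name] = int(rec[name]) if rec.get(name) else 0
    rec.setdefault("state", None)
    return rec


def parse_flow_records(blob):
    """Flatten a flow log blob into one dict per flow tuple."""
    flows = []
    for record in json.loads(blob)["records"]:
        props = record["properties"]
        version = props.get("Version", 1)
        nsg_name = record["resourceId"].rsplit("/", 1)[-1]
        for rule_entry in props["flows"]:
            for iface in rule_entry["flows"]:
                for tuple_str in iface["flowTuples"]:
                    rec = parse_tuple(tuple_str, rule_entry["rule"], version)
                    rec["nsg"] = nsg_name
                    rec["mac"] = iface["mac"]
                    flows.append(rec)
    return flows


def summarize(flows):
    """Count allowed/denied flows, sum bytes, and rank sources by denied flows."""
    summary = {"allowed": 0, "denied": 0, "bytes_total": 0, "denied_by_src": Counter()}
    for f in flows:
        if f["decision"] == "A":
            summary["allowed"] += 1
        else:
            summary["denied"] += 1
            summary["denied_by_src"][f["src_ip"]] += 1
        summary["bytes_total"] += f["bytes_out"] + f["bytes_in"]
    return summary


if __name__ == "__main__":
    parsed = parse_flow_records(SAMPLE_BLOB)
    print(summarize(parsed))
```

Because the version 2 end-of-flow tuple carries cumulative byte counts, summing bytes over both the begin and end tuples of the same flow does not double-count: the begin tuple has empty counters and is coerced to zero. Version 1 tuples parse into the same dict shape with `state` set to `None` and all counters zero, so downstream analysis can treat both versions uniformly.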
Analyzing VNet Flow Logs
Once flow logs are enabled, use the following methods to analyze them:
1. Using Azure Monitor and Log Analytics
If logs are sent to Log Analytics Workspace, use Kusto Query Language (KQL) to analyze traffic patterns:
AzureDiagnostics
| where Category == "NetworkSecurityGroupFlowEvent"
| project TimeGenerated, SourceIP, DestinationIP, Action
| order by TimeGenerated desc
2. Visualizing with Traffic Analytics
Azure Traffic Analytics provides a high-level overview of traffic flows, identifying top talkers, blocked traffic, and threats.
3. Exporting Logs for Advanced Analysis
Export logs to Event Hub or to SIEM tools such as Splunk, Microsoft Sentinel, or the ELK stack for deeper analysis and real-time alerting.
Best Practices for Managing Flow Logs
1. Filter and Retain Only Relevant Data
Avoid excessive storage costs by filtering logs based on NSG rules and only retaining necessary data.
2. Automate Log Analysis
Use Azure Functions or Logic Apps to automate alerts when suspicious traffic is detected.
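An automated alert needs a concrete condition to fire on. The following added example (not code from the original article, and independent of Azure Functions or Logic Apps, which would simply host it) implements one such condition over already-parsed flow records: a source whose denied inbound flows touch many distinct destination ports within a short window. The record shape (one dict per flow tuple with `timestamp` in epoch seconds, `src_ip`, `dst_ip`, `dst_port`, `direction` and `decision`) and all the sample flows are constructed for the example. The sliding window distinguishes a genuine sweep from a client retrying one closed port and from a handful of denials spread over a long period.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real data), already flattened from flow tuples.
SAMPLE_FLOWS = [
    # 203.0.113.10: denied on 8 distinct ports within 8 seconds (sweep pattern)
    *[{"timestamp": 1736935200 + i, "src_ip": "203.0.113.10", "dst_ip": "10.0.0.4",
       "dst_port": port, "direction": "I", "decision": "D"}
      for i, port in enumerate([21, 22, 23, 25, 80, 443, 3389, 8080])],
    # 198.51.100.7: ten denials, but all on one port (a retrying client, not a sweep)
    *[{"timestamp": 1736935200 + 5 * i, "src_ip": "198.51.100.7", "dst_ip": "10.0.0.4",
       "dst_port": 22, "direction": "I", "decision": "D"} for i in range(10)],
    # 192.0.2.50: six ports, but two minutes apart each (never 5 inside one window)
    *[{"timestamp": 1736935200 + 120 * i, "src_ip": "192.0.2.50", "dst_ip": "10.0.0.4",
       "dst_port": port, "direction": "I", "decision": "D"}
      for i, port in enumerate([22, 80, 443, 445, 3306, 5432])],
    # ordinary allowed traffic, ignored by the detector
    {"timestamp": 1736935230, "src_ip": "10.0.1.9", "dst_ip": "10.0.0.4",
     "dst_port": 443, "direction": "I", "decision": "A"},
]


def find_denied_port_sweeps(flows, min_ports=5, window_seconds=60):
    """Return {src_ip: (distinct_ports, window_start, window_end)} for every source
    whose denied inbound flows reached at least `min_ports` distinct destination
    ports inside some span of `window_seconds`. Records need not be sorted."""
    by_src = defaultdict(list)
    for f in flows:
        if f["direction"] == "I" and f["decision"] == "D":
            by_src[f["src_ip"]].append((f["timestamp"], f["dst_port"]))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # dst_port -> number of events currently inside the window
        left = 0
        best = None
        for ts, port in events:
            in_window[port] += 1
            # Slide the left edge forward until the window fits within window_seconds.
            while ts - events[left][0] > window_seconds:
                old_port = events[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            distinct = len(in_window)
            if distinct >= min_ports and (best is None or distinct > best[0]):
                best = (distinct, events[left][0], ts)
        if best is not None:
            alerts[src] = best
    return alerts


def format_alerts(alerts):
    """Render alerts as one line each, ready to hand to a notification step."""
    return [f"{src}: {n} distinct ports denied between {start} and {end}"
            for src, (n, start, end) in sorted(alerts.items())]


if __name__ == "__main__":
    for line in format_alerts(find_denied_port_sweeps(SAMPLE_FLOWS)):
        print(line)
```

The thresholds are deliberately parameters: a function triggered on each new storage blob would parse the blob, call `find_denied_port_sweeps` with values tuned for the environment, and forward `format_alerts` output to the notification channel. Alerting on distinct ports rather than raw denial counts keeps noisy but harmless retries out of the alert stream.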
3. Enable Traffic Analytics
Enable Traffic Analytics for deeper insights and anomaly detection without manual log parsing.
4. Integrate with Security Solutions
Send logs to Microsoft Sentinel or other SIEM tools to correlate network events with security incidents.
5. Regularly Review NSG Rules
Use flow logs to identify redundant or overly permissive NSG rules and optimize firewall policies.
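The review in this step can be driven from the same flattened flow records. The following added example (not code from the original article) takes the list of rules configured on an NSG together with the flows observed over a review period and reports two findings: rules that matched no traffic at all, which are candidates for removal, and rules that allowed inbound connections on management ports from addresses outside the organization's internal ranges, which are candidates for tightening. The rule names, the management port set, the internal address ranges and all sample flows are constructed for the example, not values from a real deployment.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed management ports and internal ranges; adjust to the environment.
MANAGEMENT_PORTS = {22, 3389, 5985, 5986}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: rules configured on the NSG and flows seen during the review window.
CONFIGURED_RULES = ["UserRule_AllowSSHAny", "UserRule_AllowHTTPS",
                    "UserRule_AllowLegacyApp", "DefaultRule_DenyAllInBound"]
SAMPLE_FLOWS = [
    {"rule": "UserRule_AllowSSHAny", "src_ip": "203.0.113.10", "dst_port": 22, "direction": "I", "decision": "A"},
    {"rule": "UserRule_AllowSSHAny", "src_ip": "10.0.1.9", "dst_port": 22, "direction": "I", "decision": "A"},
    {"rule": "UserRule_AllowHTTPS", "src_ip": "198.51.100.7", "dst_port": 443, "direction": "I", "decision": "A"},
    {"rule": "DefaultRule_DenyAllInBound", "src_ip": "192.0.2.50", "dst_port": 445, "direction": "I", "decision": "D"},
]


def is_internal(ip):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def review_rules(configured_rules, flows):
    """Return hit counts per rule, rules with no hits, and rules that allowed
    inbound management-port traffic from external sources."""
    hits = defaultdict(int)
    external_mgmt = defaultdict(set)  # rule -> external source IPs allowed on mgmt ports
    for f in flows:
        hits[f["rule"]] += 1
        if (f["direction"] == "I" and f["decision"] == "A"
                and f["dst_port"] in MANAGEMENT_PORTS and not is_internal(f["src_ip"])):
            external_mgmt[f["rule"]].add(f["src_ip"])
    return {
        "hits": {rule: hits[rule] for rule in configured_rules},
        "unused": [rule for rule in configured_rules if hits[rule] == 0],
        "permissive": {rule: sorted(ips) for rule, ips in external_mgmt.items()},
    }


if __name__ == "__main__":
    report = review_rules(CONFIGURED_RULES, SAMPLE_FLOWS)
    print("unused rules:", report["unused"])
    print("management ports reachable from external sources:", report["permissive"])
```

The "unused" finding is only meaningful over a review window long enough to cover periodic traffic such as monthly jobs, so the period should be chosen per environment. The "permissive" finding comes directly from the decision field of the flow tuple: a rule that allows inbound traffic and is observed admitting external sources on management ports is worth narrowing to specific source ranges.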