Network Security Group Flow Logs

Network Security Group (NSG) flow logs provide visibility into IP traffic flowing through an NSG. They allow you to record information about the inbound and outbound traffic. This data can be used to troubleshoot network connectivity and security issues, monitor traffic distribution, or validate network configuration.

What are NSG Flow Logs?

NSG flow logs capture the following information for each flow:

Source IP address
Destination IP address
Source port
Destination port
Protocol (TCP, UDP, ICMP)
Timestamp
Traffic flow direction (Inbound/Outbound)
Allow or Deny rule that allowed or denied the traffic
Number of bytes sent/received
Number of packets sent/received

Enabling NSG Flow Logs

To enable NSG flow logs, you need to:

Navigate to your Network Security Group in the Azure portal.
Under Monitoring + Logging, select Flow logs.
Toggle Status to On.
Choose a Retention period (in days).
Select a Storage account where the flow logs will be stored.
Optionally, enable Traffic Analytics for richer insights.

Tip: For detailed steps and options, refer to the official Azure documentation on NSG flow logs.

Viewing and Analyzing Flow Logs

Once enabled, flow logs are stored in a storage account. You can access them directly or use tools like Azure Monitor, Log Analytics, or Azure Sentinel for analysis.

Using Log Analytics

Log Analytics provides a powerful querying interface (Kusto Query Language - KQL) to explore your flow log data.

Here's a sample KQL query to retrieve denied inbound traffic to a specific VM:


NSGFlowLogs
| where DestinationIP == "10.0.0.4"
| where FlowDirection == "Inbound"
| where Action == "Deny"
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, Protocol, Rule
| order by TimeGenerated desc

Traffic Analytics

Traffic Analytics processes NSG flow logs and visualizes traffic flow data in a dashboard. It helps identify network choke points, security threats, and compliance issues. It requires enabling NSG flow logs and selecting a Log Analytics workspace.

Key Use Cases

Troubleshooting Connectivity: Identify why traffic is blocked or not reaching its destination.
Security Auditing: Monitor for unauthorized access attempts or suspicious traffic patterns.
Network Performance Monitoring: Understand traffic distribution and identify potential bottlenecks.
Compliance Reporting: Ensure network traffic adheres to security policies.

Note: NSG flow logs are charged based on the volume of data stored. Consider your retention policy carefully.

Common Flow Log Fields

Field	Description
`Timestamp`	The time the flow record was generated.
`ResourceID`	The NSG resource ID.
`FlowTuple`	A unique identifier for a flow record.
`SourceIp`	The source IP address of the flow.
`DestinationIp`	The destination IP address of the flow.
`SourcePort`	The source port of the flow.
`DestinationPort`	The destination port of the flow.
`Protocol`	The protocol used by the flow (e.g., 6 for TCP, 17 for UDP).
`Action`	The action taken on the flow (`Allow` or `Deny`).
`FlowDirection`	The direction of the flow (`Inbound` or `Outbound`).
`Rule`	The name of the NSG rule that processed the flow.
`PacketsSent`	The number of packets sent.
`PacketsReceived`	The number of packets received.
`BytesSent`	The number of bytes sent.
`BytesReceived`	The number of bytes received.

Important: NSG flow logs are not a replacement for network intrusion detection systems (NIDS) but complement them by providing flow-level data.

MSDN Documentation