Azure Network Security Groups

Enabling granular network traffic filtering for your Azure resources.

Analyzing Network Traffic with NSG Flow Logs

Azure Network Security Group (NSG) flow logs provide visibility into the IP traffic that flows to and from your Azure network resources. You can use NSG flow logs to diagnose security issues, monitor network traffic patterns, and understand how your network is being accessed.

Tip: NSG flow logs are essential for security auditing and understanding network behavior. Enable them for critical NSGs.

What are NSG Flow Logs?

NSG flow logs record information about the IP traffic flowing through an NSG. They capture details such as:

  • Source and destination IP address
  • Source and destination port
  • Protocol (TCP, UDP, ICMP)
  • Whether the traffic was allowed or denied
  • The NSG rule that allowed or denied the traffic
  • Bytes and packets received and sent on the interface

These logs are stored in a JSON format.
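As an added example (not part of this page and not Microsoft's code), a small Python parser for the raw .json files written to the storage account. The record is constructed, but its flowTuples layout follows the NSG flow log v2 schema (timestamp, source/destination IP and port, protocol, direction, allow/deny decision, flow state, then byte and packet counters), and the two helpers show the allow/deny and per-rule counting the list above describes.

```python
import json
from collections import Counter

# Constructed sample in the NSG flow log v2 layout (not a real capture).
# Each flow tuple: ts,srcIP,dstIP,srcPort,dstPort,proto(T/U),dir(I/O),
# decision(A/D),state(B/C/E),pktsS2D,bytesS2D,pktsD2S,bytesD2S
SAMPLE = json.dumps({"records": [{
    "category": "NetworkSecurityGroupFlowEvent",
    "macAddress": "000D3AF87856",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856",
            "flowTuples": ["1704103200,203.0.113.10,10.0.0.4,51000,22,T,I,D,B,,,,",
                           "1704103201,203.0.113.10,10.0.0.4,51001,3389,T,I,D,B,,,,",
                           "1704103202,198.51.100.7,10.0.0.4,40000,445,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHTTPS", "flows": [{"mac": "000D3AF87856",
            "flowTuples": ["1704103203,192.0.2.5,10.0.0.4,52000,443,T,I,A,B,,,,",
                           "1704103210,192.0.2.5,10.0.0.4,52000,443,T,I,A,E,12,1500,10,9000"]}]}]}}]})

FIELDS = ["ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto", "direction",
          "decision", "state", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s"]

def parse_flow_log(raw):
    """Yield one dict per flow tuple, tagged with the NSG rule that matched it."""
    for rec in json.loads(raw)["records"]:
        for rule_block in rec["properties"]["flows"]:
            for flow in rule_block["flows"]:
                for tup in flow["flowTuples"]:
                    parts = tup.split(",")
                    # v1 tuples stop after the decision; pad them to v2 width
                    parts += [""] * (len(FIELDS) - len(parts))
                    row = dict(zip(FIELDS, parts))
                    row["rule"] = rule_block["rule"]
                    row["mac"] = rec["macAddress"]
                    yield row

def denied_inbound_by_source(rows):
    """Count denied inbound flows per source IP (a quick port-probe indicator)."""
    return Counter(r["src_ip"] for r in rows
                   if r["decision"] == "D" and r["direction"] == "I")

def bytes_by_rule(rows):
    """Sum bytes in both directions per rule; only 'E' (end) tuples carry totals."""
    totals = Counter()
    for r in rows:
        if r["state"] == "E":
            totals[r["rule"]] += int(r["bytes_s2d"] or 0) + int(r["bytes_d2s"] or 0)
    return dict(totals)
```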

How to Enable NSG Flow Logs

You can enable NSG flow logs using the Azure portal, Azure CLI, Azure PowerShell, or ARM templates. Here's a step-by-step guide using the Azure portal:

  1. Navigate to your Network Security Group:

    In the Azure portal, search for and select "Network security groups". Choose the NSG for which you want to enable flow logs.

  2. Access Flow Logs Settings:

    In the NSG blade, under the "Monitoring + logging" section, select "Flow logs".

  3. Configure Flow Logs:
    • Set Status to On.
    • Retention (days): Choose how long you want to retain the logs. The default is 90 days.
    • Storage account: Select an existing or create a new storage account where the flow logs will be stored. NSG flow logs are saved as .json files.
    • Version: Choose the flow log version. Version 2 includes MAC address information.

  4. Save Changes:

    Click the "Save" button at the top of the page to apply the configuration.

Once enabled, it may take a few minutes for the flow logs to start appearing in the configured storage account.

Analyzing Flow Logs with Log Analytics

While logs can be viewed directly in the storage account, a more powerful way to analyze them is by sending them to Azure Log Analytics. This allows you to run complex Kusto Query Language (KQL) queries.

Steps to send logs to Log Analytics:

  1. Create a Log Analytics Workspace:

    If you don't have one, create a Log Analytics workspace in your Azure subscription.

  2. Configure Diagnostic Settings:

    Navigate back to your Network Security Group, then to "Diagnostic settings" under "Monitoring + logging".

  3. Add Diagnostic Setting:

    Click "Add diagnostic setting".

    • Select the log category AzureNetworkAnalytics - NSG Flow Logs.
    • Under "Destination details", choose "Send to Log Analytics workspace" and select your workspace.

  4. Save Diagnostic Setting:

    Click "Save".

Example KQL Queries:

Once data is flowing into Log Analytics, you can query it using KQL.

1. View all allowed traffic:

AzureNetworkAnalytics_CL
| where SubType_s == "V2FlowLog" and OperationName == "NetworkSecurityGroupFlowEvent"
| where isnotempty(MACAddress_s) and isnotempty(TimeGenerated)
| where TrafficFlow_s == "ALLOW" // keep only allowed flows; mirrors the DENY filter in query 2
| project TimeGenerated, MACAddress_s, Protocol_d, SourceIP_s, DestinationIP_s, SourcePort_d, DestinationPort_d, TrafficFlow_s, PacketCount_d, ByteCount_d, NSGRuleName_s
| order by TimeGenerated desc

2. Identify denied traffic to a specific VM's IP:

AzureNetworkAnalytics_CL
| where SubType_s == "V2FlowLog" and OperationName == "NetworkSecurityGroupFlowEvent"
| where isnotempty(MACAddress_s) and isnotempty(TimeGenerated)
| where DestinationIP_s == "YOUR_VM_IP_ADDRESS" // Replace with the actual VM IP
| where TrafficFlow_s == "DENY"
| project TimeGenerated, MACAddress_s, Protocol_d, SourceIP_s, DestinationIP_s, SourcePort_d, DestinationPort_d, PacketCount_d, ByteCount_d, NSGRuleName_s
| order by TimeGenerated desc

Note: Replace placeholder values such as YOUR_VM_IP_ADDRESS with actual information. Table and column names may vary slightly depending on the flow log version and your diagnostic settings, so check the schema of your workspace before relying on these queries.

Use Cases for NSG Flow Logs

  • Security Auditing: Track who accessed your resources and how.
  • Network Troubleshooting: Identify connectivity issues by seeing if traffic is allowed or denied by NSG rules.
  • Traffic Analysis: Understand communication patterns between resources.
  • Compliance: Meet regulatory requirements for logging network activity.
  • Threat Detection: Spot unusual traffic patterns that might indicate a security breach.

By leveraging NSG flow logs, you gain critical insights into your Azure network's security posture and operational status.
