Viewing Traffic to Azure VMs using NSG Flow Logs
Setting up NSG flow logs lets you view the traffic that passes through a network security group. This is useful for a few things:
- Troubleshooting access issues (maybe something shouldn’t have access, or vice versa).
- Providing logging on the traffic accessing a server.
You’ll need the following to get started with this guide:
- A Network Watcher that is already configured.
- An Azure subscription with the Insights resource provider registered.
- An existing Network Security Group.
- A storage account (ideally in the same resource group) that will hold the log data.
Configuration
Go into Network Watcher and click on ‘NSG Flow Logs’:
Turn on Flow logs, and select the storage account to store the logs in. One note here:
- If retention is kept at 0, all logs stay in the storage account forever. Useful for audits, but it will end up costing more in the long run. (I personally set it to 7 days.)
Accessing Logs
To view the logs, you can use either the Azure Portal or Microsoft Azure Storage Explorer.
Open the insights-logs-networksecuritygroupflowevent container in the configured storage account.
Open the PT1H.json file.
Each comma-separated flow tuple in the file maps to the following fields, in order:
- Timestamp
- Inbound IP (coming in from Internet)
- Outbound IP (going through the NSG)
- Inbound Port
- Outbound Port
- Protocol
- Traffic Flow (I – Inbound, O – Outbound)
- Acceptance (A – Allowed, D – Denied)
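As an added example that is not part of the original post, here is a small Python parser that reads a PT1H.json-shaped document, splits each comma-separated flow tuple into the fields listed above, and counts denied inbound flows per source address. The nesting it assumes (records, properties.flows, flows, flowTuples) is the flow log v1 layout; the sample document, rule names and addresses are constructed for the example.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the shape of a PT1H.json file (not real log data).
SAMPLE_PT1H = json.dumps({"records": [{
    "time": "2024-01-01T00:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/EXAMPLE/RESOURCEGROUPS/RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/EXAMPLE-NSG",
    "properties": {"Version": 1, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1704067200,203.0.113.10,10.0.0.4,51529,3389,T,I,D",
            "1704067230,203.0.113.10,10.0.0.4,51530,22,T,I,D",
            "1704067260,198.51.100.7,10.0.0.4,40000,3389,T,I,D"]}]},
        {"rule": "AllowHTTPS", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1704067290,192.0.2.55,10.0.0.4,44321,443,T,I,A"]}]},
    ]}}]})

# The eight positional fields of a flow tuple, in the order the post lists them.
FIELDS = ("timestamp", "src_ip", "dst_ip", "src_port", "dst_port",
          "protocol", "direction", "decision")


def parse_tuple(raw, rule):
    """Turn one 'ts,src,dst,sport,dport,proto,dir,decision' string into a dict."""
    parts = raw.split(",")
    if len(parts) < len(FIELDS):
        raise ValueError(f"malformed flow tuple: {raw!r}")
    rec = dict(zip(FIELDS, parts[:len(FIELDS)]))  # extra trailing fields are ignored
    rec["timestamp"] = datetime.fromtimestamp(int(rec["timestamp"]), tz=timezone.utc)
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    rec["rule"] = rule  # the NSG rule that produced this tuple
    return rec


def parse_pt1h(text):
    """Walk records -> properties.flows -> flows -> flowTuples and flatten them."""
    flows = []
    for record in json.loads(text)["records"]:
        for rule_block in record["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for raw in nic["flowTuples"]:
                    flows.append(parse_tuple(raw, rule_block["rule"]))
    return flows


def denied_inbound_by_source(flows):
    """Count denied (D) inbound (I) flows per source IP: a quick view of who is being blocked."""
    return Counter(f["src_ip"] for f in flows if f["direction"] == "I" and f["decision"] == "D")


if __name__ == "__main__":
    for ip, n in denied_inbound_by_source(parse_pt1h(SAMPLE_PT1H)).most_common():
        print(f"{ip}: {n} denied inbound flows")
```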
Reference
https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal