
Enabling Azure Network Security Group (NSG) flow logging in bulk

As we speak one of my customers is looking into using Azure Network Watcher for its network auditing and packet logging capabilities. Network Security Group flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through a Network Security Group. While flow logs target Network Security Groups, they are not displayed in the same way as the other logs. Flow logs are stored only within a storage account.

The Challenge:

The big challenge with enabling NSG flow logging is that you have to do it one NSG at a time in the Azure portal. A step-by-step guide on how to do this is described here. You need to select the NSG, tick the box to enable NSG flow logging, specify a storage account, and so on. This is going to take ages to enable for all my NSGs! For my customer, this wasn’t going to work as they have a lot of NSGs defined in their environment.

This blog post will cover how you can enable NSG flow logs for all your NSGs at once with a PowerShell script.

Before you begin

This scenario assumes you have already followed the steps in Create a Network Watcher to create a Network Watcher. The scenario also assumes that a Resource Group with a storage account has been pre-created.

Solution:

The following PowerShell script will enable NSG flow logging for all my NSGs. The script will do the following:

  • Ask for a Resource Group that will be used for saving the NSG logs
  • Ask for a storage account that will be used for saving the logs
  • Ask for the retention period of the NSG logs
  • Ask for a subscription in which you want to enable NSG flow logging
  • Register the Microsoft.Insights resource provider, which must be registered for flow logging to work

NSG flow logging needs to be enabled per Azure region and per subscription, so the script will loop through all the regions where a Network Watcher is enabled. If the script finds an NSG in that region, it will enable NSG flow logging for it.

Once we find a region where Network Watcher is enabled, we will look for NSGs and enable flow logging:

 

That’s it! We just enabled NSG flow logging with one press of a button! You can find the PowerShell script below:
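The author's original script is not reproduced on this page. The following is an added example, written for this post rather than taken from it, that implements the same procedure with the Az PowerShell module: it registers the Microsoft.Insights provider, maps every Network Watcher to its region, and enables flow logging on each NSG against one pre-created storage account. The parameter names ($SubscriptionId, $StorageResourceGroup, $StorageAccountName, $RetentionDays) are this example's own; the cmdlets (Set-AzContext, Get-AzResourceProvider, Register-AzResourceProvider, Get-AzStorageAccount, Get-AzNetworkWatcher, Get-AzNetworkSecurityGroup, Set-AzNetworkWatcherConfigFlowLog, Get-AzNetworkWatcherFlowLogStatus) are standard Az cmdlets.

```powershell
# Added example, not the author's script: enable NSG flow logs for every NSG in one
# subscription, matching each NSG to the Network Watcher of its own region.
# Assumes the Az module is installed and you are already signed in (Connect-AzAccount),
# and that the storage account already exists. Parameter names are this example's own.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $StorageResourceGroup,
    [Parameter(Mandatory)] [string] $StorageAccountName,
    [ValidateRange(0, 365)] [int]  $RetentionDays = 90   # 0 keeps logs indefinitely
)

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Flow logs are produced through the Microsoft.Insights provider; register it once.
$insights = Get-AzResourceProvider -ProviderNamespace 'Microsoft.Insights'
if ($insights.RegistrationState -notcontains 'Registered') {
    Register-AzResourceProvider -ProviderNamespace 'Microsoft.Insights' | Out-Null
}

$storage = Get-AzStorageAccount -ResourceGroupName $StorageResourceGroup -Name $StorageAccountName

# There is one Network Watcher per region; build a region -> watcher lookup.
$watchers = @{}
foreach ($w in Get-AzNetworkWatcher) { $watchers[$w.Location] = $w }

foreach ($nsg in Get-AzNetworkSecurityGroup) {
    $watcher = $watchers[$nsg.Location]
    if (-not $watcher) {
        Write-Warning "No Network Watcher in region '$($nsg.Location)'; skipping $($nsg.Name)"
        continue
    }
    # The flow-log storage account has to live in the same region as the NSG.
    if ($storage.Location -ne $nsg.Location) {
        Write-Warning "Storage account is in '$($storage.Location)', NSG $($nsg.Name) is in '$($nsg.Location)'; skipping"
        continue
    }

    Set-AzNetworkWatcherConfigFlowLog -NetworkWatcher $watcher `
        -TargetResourceId $nsg.Id `
        -StorageAccountId $storage.Id `
        -EnableFlowLog $true `
        -EnableRetention ($RetentionDays -gt 0) `
        -RetentionInDays $RetentionDays | Out-Null

    # Read the status back so the run reports what is actually enabled, not just what was requested.
    $status = Get-AzNetworkWatcherFlowLogStatus -NetworkWatcher $watcher -TargetResourceId $nsg.Id
    '{0,-40} {1,-15} enabled={2}' -f $nsg.Name, $nsg.Location, $status.Enabled
}
```

Run it once per subscription, for example `.\Enable-NsgFlowLogs.ps1 -SubscriptionId <id> -StorageResourceGroup rg-netwatcher -StorageAccountName stflowlogs -RetentionDays 90`. Because Azure requires the flow-log storage account to be in the same region as the NSG, a single storage account only covers the NSGs of that region; the example warns and skips the others rather than failing, so for a multi-region estate you run it once per region with a storage account in that region. The final status read-back is the check to keep: it is the value an auditor will ask for.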

In the next blog post I will cover how to visualize this data with Power BI.

Hope this helps,

Alexandre Verkinderen
