Enabling Azure Network Security Group (NSG) flow logging in bulk

Written by Admin | Dec 8, 2023 2:32:00 AM

One of my customers is currently looking into using Azure Network Watcher for its network auditing and packet logging capabilities. Network Security Group flow logs are a feature of Network Watcher that lets you view information about ingress and egress IP traffic through a Network Security Group. Although flow logs target Network Security Groups, they are not displayed in the same way as the other logs: flow logs are stored only within a storage account.

The Challenge:

The big challenge with enabling NSG flow logging is that you have to do it one NSG at a time in the Azure portal. A step-by-step guide on how to do this is described here. You need to select the NSG, tick the box to enable NSG flow logging, specify a storage account, and so on. Doing this for every NSG takes ages! For my customer this wasn't going to work, as they have a lot of NSGs defined in their environment.

This blog post covers how you can enable NSG flow logs for all your NSGs at once with a PowerShell script.

Before you begin

This scenario assumes you have already followed the steps in Create a Network Watcher to create a Network Watcher. The scenario also assumes that a Resource Group with a storage account has been pre-created.

Solution:

The following PowerShell script will enable NSG flow logging for all my NSGs. The script does the following:

  • Ask for a Resource Group that will be used for saving the NSG logs
  • Ask for a storage account that will be used for saving the logs
  • Ask for the retention period of the NSG logs
  • Ask for a subscription in which you want to enable NSG flow logging
  • Register the Microsoft.Insights provider, which must be registered for flow logging to work

NSG flow logging needs to be enabled per Azure region and per subscription, so the script loops through all the regions where Network Watcher is enabled. If the script finds an NSG in that region, it enables NSG flow logging for it.

Once we find a region where Network Watcher is enabled, we will look for NSGs and enable flow logging:
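The loop described above, written out as an added example. This is my own code, not the author's script (which is not reproduced on this page), and it assumes the Az PowerShell module (Az.Accounts, Az.Network, Az.Resources, Az.Storage) with a session already authenticated via Connect-AzAccount; the parameter names and any values you pass are assumptions to adjust for your environment.

```powershell
<#
Added example, not the author's script. Enables NSG flow logs for every NSG in
each region that has a Network Watcher, within one subscription.
Assumes: Az PowerShell module installed and Connect-AzAccount already run.
Parameter names are assumptions; pass values for your own environment.
#>
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $StorageResourceGroup,  # RG holding the log storage account
    [Parameter(Mandatory)] [string] $StorageAccountName,
    [ValidateRange(0, 365)] [int]   $RetentionDays = 30      # 0 keeps the logs indefinitely
)

# Flow logging is configured per subscription, so switch context first.
Set-AzContext -Subscription $SubscriptionId | Out-Null

# Flow logging depends on the Microsoft.Insights provider; registering is idempotent.
Register-AzResourceProvider -ProviderNamespace 'Microsoft.Insights' | Out-Null

# Storage account that will receive the logs, and every NSG in the subscription.
$storage = Get-AzStorageAccount -ResourceGroupName $StorageResourceGroup -Name $StorageAccountName
$allNsgs = Get-AzNetworkSecurityGroup

# Flow logging is a per-region feature: loop over each Network Watcher and
# handle only the NSGs that live in that watcher's region.
$results = foreach ($watcher in Get-AzNetworkWatcher) {
    $nsgsInRegion = $allNsgs | Where-Object { $_.Location -eq $watcher.Location }
    foreach ($nsg in $nsgsInRegion) {
        try {
            Set-AzNetworkWatcherConfigFlowLog -NetworkWatcher $watcher `
                -TargetResourceId $nsg.Id `
                -StorageAccountId $storage.Id `
                -EnableFlowLog $true `
                -EnableRetention ($RetentionDays -gt 0) `
                -RetentionInDays $RetentionDays `
                -FormatType Json -FormatVersion 2 | Out-Null

            # Read the setting back so the report reflects what Azure actually stored.
            $status = Get-AzNetworkWatcherFlowLogStatus -NetworkWatcher $watcher `
                -TargetResourceId $nsg.Id
            [pscustomobject]@{
                Region  = $watcher.Location
                NSG     = $nsg.Name
                Enabled = $status.Enabled
                Error   = $null
            }
        }
        catch {
            # Keep going: one failing NSG should not stop logging being enabled on the rest.
            [pscustomobject]@{
                Region  = $watcher.Location
                NSG     = $nsg.Name
                Enabled = $false
                Error   = $_.Exception.Message
            }
        }
    }
}

# One row per NSG: which region it is in, whether logging is now on, and any error.
$results | Format-Table -AutoSize
```

Save it as, for instance, Enable-NsgFlowLogs.ps1 and run it with -SubscriptionId, -StorageResourceGroup and -StorageAccountName for your environment. One caveat worth checking in the resulting table: Azure requires the flow-log storage account to be in the same region as the NSG, so with a single storage account only the NSGs in that account's region will succeed; NSGs in other regions show up with Enabled set to False and the error message, which is why the script reports per NSG instead of aborting on the first failure.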


That’s it! We just enabled NSG flow logging with one press of a button! You can find the PowerShell script below:

In the next blog post I will cover how to visualize this data with Power BI.

Hope this helps,

Alexandre Verkinderen