Description:
Network Security Group (NSG) Flow Logs provide valuable information about network traffic that passes through NSGs associated with your Azure Virtual Networks. These logs contain details about allowed and denied traffic based on the security rules defined in the NSGs. Capturing NSG flow logs and sending them to Log Analytics allows you to monitor network traffic patterns, detect security issues, and troubleshoot connectivity problems.
By sending NSG flow logs to Log Analytics, you can centralize your network monitoring, use Kusto Query Language (KQL) to analyze the logs, and create alerts based on specific network traffic patterns.
Rationale:
Capturing NSG Flow Logs and sending them to Log Analytics provides:
Real-time monitoring of network traffic patterns and rule hits for both inbound and outbound traffic.
Security monitoring by identifying suspicious or unauthorized traffic.
Compliance auditing by maintaining records of allowed and denied traffic in the environment.
Troubleshooting by reviewing the flow logs to identify the root cause of connectivity issues or misconfigurations.
Impact:
Enabling NSG Flow Logs and sending them to Log Analytics will provide deeper visibility into your network security and traffic, enhancing your ability to detect security threats. However, this may increase storage costs depending on the volume of traffic logs generated and the retention policy in place. It's important to properly manage log retention and query performance to optimize storage and cost.
Default Value:
By default, NSG Flow Logs are not enabled. You must manually configure Network Watcher to capture the flow logs and send them to Log Analytics.
Pre-requisites:
Azure subscription.
Owner or Contributor role permissions to configure diagnostic settings.
Network Watcher enabled in the region of your Virtual Network.
Log Analytics workspace created to store and query the logs.
NSGs associated with your Virtual Networks.
Audit:
Sign in to Azure portal as an Owner or Contributor.
Navigate to Network Watcher and ensure that NSG Flow Logs are enabled.
Verify that the NSG Flow Logs are being sent to the appropriate Log Analytics workspace.
Implementation Steps (Manual):
Sign in to Azure portal:
Use an account with Owner or Contributor permissions.
Navigate to Network Watcher:
In the Azure portal, search for Network Watcher and select it.
Enable Network Watcher in the Region:
If Network Watcher is not already enabled in the region where your Virtual Network resides, click + Enable Network Watcher and select the region.
Network Watcher must be enabled in each region where you want to monitor network traffic.
Navigate to NSG Flow Logs:
In Network Watcher, go to Flow logs under the Monitoring section.
Click + Add to create a new flow log configuration.
Configure Flow Logs:
Select the Virtual Network and Network Security Group (NSG) you want to monitor.
Choose the Log Analytics workspace where you want the logs to be sent.
Set the retention period for the logs (you can specify how long the logs will be kept in Log Analytics).
Configure Flow Log Settings:
Set the Flow log format to JSON (recommended) or Text, depending on your preference.
Enable Traffic analytics (optional), which will provide deeper insights into the flow data.
Enable Log analytics workspace and choose the appropriate Log Analytics workspace to store the logs.
Review and Create:
Review your configuration and ensure that NSG Flow Logs are enabled for the selected NSG and Virtual Network.
Click Save to apply the configuration and begin capturing NSG Flow Logs.
Verify Flow Log Capture:
After enabling NSG Flow Logs, generate some network traffic to and from your Virtual Network (e.g., connect to resources, simulate traffic).
In Log Analytics, run a query to verify that the flow logs are being captured.
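A verification query for this step, added here as an example rather than taken from the original guide. It assumes Traffic analytics is enabled so that flow records land in the AzureNetworkAnalytics_CL table with its FlowLog subtype; the table and column names are that schema, not values from this page.

```kusto
// Added example: confirm flow records are arriving per NSG in the last hour.
// Assumes Traffic analytics populates AzureNetworkAnalytics_CL (FlowLog subtype).
AzureNetworkAnalytics_CL
| where TimeGenerated > ago(1h)
| where SubType_s == "FlowLog"
| summarize
    Flows        = count(),
    AllowedFlows = sum(AllowedInFlows_d + AllowedOutFlows_d),
    DeniedFlows  = sum(DeniedInFlows_d + DeniedOutFlows_d),
    LastSeen     = max(TimeGenerated)
  by NSGList_s
| order by LastSeen desc
```

An NSG that is configured for flow logs but missing from this result, or whose LastSeen is stale, indicates the capture or workspace destination is not working.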
Set Up Alerts (Optional):
You can set up alerts in Azure Monitor based on the NSG Flow Logs to get notified of specific traffic patterns (e.g., denied traffic, security incidents).
In Azure Monitor, go to Alerts and create a new alert rule based on NSG Flow Logs.
Define the conditions for the alert (e.g., traffic denied by a specific rule) and configure the action group for notifications (email, SMS, webhook).
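An example alert condition for denied traffic, added here and not part of the original guide. It assumes the same Traffic analytics schema (AzureNetworkAnalytics_CL); the thresholds are constructed placeholders to tune for your environment, and the evaluation window is normally set by the alert rule's lookback rather than hard-coded.

```kusto
// Added example: surface sources that trigger repeated NSG denies,
// either by volume or by touching many distinct destination ports.
// Assumes Traffic analytics populates AzureNetworkAnalytics_CL.
AzureNetworkAnalytics_CL
| where TimeGenerated > ago(15m)          // placeholder window; alert lookback usually governs this
| where SubType_s == "FlowLog" and FlowStatus_s == "D"   // "D" = denied
| extend Denied = DeniedInFlows_d + DeniedOutFlows_d
| summarize
    DeniedFlows   = sum(Denied),
    DistinctPorts = dcount(DestPort_d),
    DestIPs       = make_set(DestIP_s, 20)
  by SrcIP_s, NSGRule_s, FlowDirection_s, bin(TimeGenerated, 5m)
| where DeniedFlows > 100 or DistinctPorts > 20   // placeholder thresholds
| order by DeniedFlows desc
```

Use the query as the alert rule's log condition and fire when the result count is greater than zero; the action group then carries the notification.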
Monitor Logs and Review:
Use Azure Monitor to regularly review NSG Flow Logs captured in Log Analytics.
Create custom dashboards or use pre-built templates in Log Analytics to visualize traffic patterns, security issues, and network performance.
Backout Plan (Manual):
Sign in to Azure portal:
Use an account with Owner or Contributor permissions.
Navigate to Network Watcher:
Go to Network Watcher in the Azure portal.
Disable NSG Flow Logs:
In Flow logs, locate the Virtual Network and Network Security Group (NSG) for which you have enabled flow logs.
Click Disable flow logs to stop capturing and sending logs to the Log Analytics workspace.
Verify Log Capture Stopped:
After disabling flow logs, check your Log Analytics workspace to ensure no further logs are being captured or sent.
Test the Reverted Configuration:
Trigger network traffic and verify that no flow logs are generated or sent to the destination (Log Analytics).