Azure: Enable NSG Flow Logs

To enable NSG flow logs in Azure, follow the steps below.

Procedure


Step 1

In the Security Cloud Control platform menu, choose Products > Multicloud Defense.

Step 2

Go to the Resource Groups section in the Azure portal.

Step 3

Click the Create button.

Step 4

Choose the subscription and provide a name for this new resource group.

Step 5

Select a Region (example: (US) East US).

Step 6

Click the Review + create button.

Step 7

Go to the storage accounts section and click the Create button.

Step 8

Select the Subscription and Resource group that was just created.

Step 9

Select the same region as the resource group.

Step 10

Provide a name for the storage account.

Note that Redundancy cannot be locally-redundant storage (LRS).

Step 11

Click the Review + create button. This creates a storage account where NSG flow logs are stored.

Step 12

Go to the Subscription section and find the subscription that was recently created.

Step 13

Navigate to Resource Providers.

Step 14

Ensure that the microsoft.insights and Microsoft.EventGrid providers are registered. If they are not registered, click the Register button.

Step 15

Go to the Network Watcher section.

Step 16

Click Add and add the regions that you want NSG flow logs to be enabled for.

Step 17

Go to Network Watcher > NSG flow logs.

Step 18

Create a flow log for each NSG where you want NSG flow logs enabled. Provide the storage account created above. Set Retention days to 30.

Step 19

Navigate to the storage account created and click on Events.

Step 20

Click Event Subscription.

Step 21

Provide a name for this event subscription.

Step 22

Select the resource group that was created above.

Step 23

Provide a System Topic Name.

Step 24

For Filter to Event Types, the default value is Blob Created and Blob Deleted.

Step 25

For Endpoint Type, select Web Hook.

Step 26

Click the Select an endpoint link.

The Subscriber Endpoint is https://prod1-webhook.vtxsecurityservices.com:8093/webhook/<tenant_name>/azure. The tenant name is assigned by Multicloud Defense. You can find the tenant name by clicking the username in the Multicloud Defense Controller.
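
The following check is an added example, not part of the original procedure or of Multicloud Defense: it audits the finished setup against the settings the steps above call for (non-LRS redundancy, matching region, registered providers, 30-day retention, Web Hook endpoint, blob event types). It assumes the input dictionaries have the shape of Azure CLI `show` JSON output; the function name `audit` and all sample data are constructed for illustration.

```python
import re

# Values taken from the procedure above. Input dicts are ASSUMED to follow the
# shape of Azure CLI "show" JSON output (storage account, provider, flow log,
# event subscription).
WEBHOOK_RE = re.compile(
    r"https://prod1-webhook\.vtxsecurityservices\.com:8093/webhook/([^/<>\s]+)/azure")
REQUIRED_PROVIDERS = {"microsoft.insights", "microsoft.eventgrid"}
REQUIRED_EVENTS = {"Microsoft.Storage.BlobCreated", "Microsoft.Storage.BlobDeleted"}

def audit(storage, providers, flow_log, event_sub, resource_group_region):
    """Return a list of findings; an empty list means the setup matches the steps."""
    findings = []
    sku = storage["sku"]["name"]
    if sku.upper().endswith("_LRS"):
        findings.append(f"storage redundancy is {sku}; LRS is not allowed")
    if storage["location"] != resource_group_region:
        findings.append("storage account is not in the resource group's region")
    registered = {p["namespace"].lower() for p in providers
                  if p["registrationState"] == "Registered"}
    for ns in sorted(REQUIRED_PROVIDERS - registered):
        findings.append(f"resource provider {ns} is not registered")
    if not flow_log["enabled"]:
        findings.append("flow log is disabled")
    if flow_log["storageId"].lower() != storage["id"].lower():
        findings.append("flow log writes to a different storage account")
    if flow_log["retentionPolicy"]["days"] != 30:
        findings.append("flow log retention is not 30 days")
    dest = event_sub["destination"]
    if dest["endpointType"].lower() != "webhook":
        findings.append("event subscription endpoint type is not Web Hook")
    # Rejects http://, other hosts or ports, and a literal <tenant_name> placeholder.
    if not WEBHOOK_RE.fullmatch(dest["endpointBaseUrl"]):
        findings.append("webhook URL does not match the Multicloud Defense endpoint")
    missing = REQUIRED_EVENTS - set(event_sub["filter"]["includedEventTypes"])
    if missing:
        findings.append(f"event types missing: {', '.join(sorted(missing))}")
    return findings

# Constructed sample data (not real resources), with three deliberate mistakes.
SID = "/subscriptions/0000/resourceGroups/rg-flowlogs/providers/Microsoft.Storage/storageAccounts/nsgflowlogs"
STORAGE = {"id": SID, "location": "eastus", "sku": {"name": "Standard_LRS"}}
PROVIDERS = [{"namespace": "microsoft.insights", "registrationState": "Registered"},
             {"namespace": "Microsoft.EventGrid", "registrationState": "NotRegistered"}]
FLOW_LOG = {"enabled": True, "storageId": SID, "retentionPolicy": {"days": 30, "enabled": True}}
EVENT_SUB = {"destination": {"endpointType": "WebHook",
             "endpointBaseUrl": "https://prod1-webhook.vtxsecurityservices.com:8093/webhook/<tenant_name>/azure"},
             "filter": {"includedEventTypes": sorted(REQUIRED_EVENTS)}}

if __name__ == "__main__":
    for finding in audit(STORAGE, PROVIDERS, FLOW_LOG, EVENT_SUB, "eastus"):
        print("FAIL:", finding)
```

The sample data fails on LRS redundancy, the unregistered Microsoft.EventGrid provider, and the tenant placeholder left unreplaced in the webhook URL.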