Implement virtual network flow logs

5.2 Network Traffic Monitoring and Analysis

📘Microsoft Azure Networking Solutions (AZ-700)

1. What are Virtual Network (VNet) Flow Logs?

Virtual Network Flow Logs are records of network traffic in an Azure Virtual Network. They show information about incoming and outgoing traffic for network interfaces or subnets. Think of it as a detailed diary of which computer talked to which, which port they used, and whether the traffic was allowed or denied.

Key Points for Exam:

  • Flow logs are part of Azure Network Watcher.
  • They are used for security, auditing, and troubleshooting network traffic.
  • They do not capture the actual content of the network traffic—only metadata like IPs, ports, protocols, and traffic decision (allow/deny).

2. Prerequisites

Before you implement VNet flow logs, make sure you have:

  1. Azure Network Watcher enabled in the region of your virtual network.
  2. A Network Security Group (NSG) attached to the subnet or network interface you want to monitor.
    • Flow logs are tied to NSGs.
  3. A storage account or Log Analytics workspace to store the flow log data.

Exam Tip: You cannot create flow logs if Network Watcher is not enabled in the region.

3. How Flow Logs Work

Flow logs capture network traffic metadata based on NSG rules. For every packet, the log records:

  • Source IP address
  • Destination IP address
  • Source port
  • Destination port
  • Protocol (TCP, UDP, ICMP)
  • Traffic decision: Allowed or Denied
  • Timestamp (when the traffic occurred)

This data helps you analyze who is communicating with whom and identify blocked or unusual traffic.

4. Storage and Retention Options

You have two main options for storing flow logs:

  1. Azure Storage Account
    • Flow logs are stored as JSON files.
    • Good for archival and offline analysis.
    • Can integrate with Azure Storage analytics.
  2. Log Analytics Workspace
    • Allows real-time querying of flow log data.
    • You can run advanced queries to analyze traffic patterns.
    • Supports integration with Azure Monitor and Workbooks for dashboards.

Exam Tip: If the question asks “where can flow logs be stored?” the answer can be Storage Account or Log Analytics.

5. Flow Log Versions

Azure has two versions of flow logs:

  1. Version 1 (v1) – Basic logs.
    • Only supports JSON files in storage accounts.
    • Contains only basic metadata (source, destination, port, protocol, action).
  2. Version 2 (v2) – Enhanced logs.
    • Supports Log Analytics.
    • Provides more detailed fields and improved analytics capabilities.
    • Can integrate with Azure Monitor Workbooks.

Exam Tip: Always use v2 for better analysis in exam scenarios.

6. Steps to Implement VNet Flow Logs

Here’s how to implement them step by step:

Step 1: Enable Network Watcher

  • Go to Azure Portal → Network Watcher → Regions.
  • Enable Network Watcher in the region where your VNet exists.

Step 2: Create or Identify NSG

  • Either create a new Network Security Group or use an existing one.
  • NSG can be attached to subnets or network interfaces (NICs).

Step 3: Configure Flow Logs

  • Go to NSG → Diagnostics settings → Flow logs.
  • Choose:
    • Flow log version (v2 recommended)
    • Storage account or Log Analytics workspace
    • Retention period (how long logs should be kept)

Step 4: Start Flow Logs

  • Once configured, the flow logs start recording traffic metadata automatically.
  • You can now analyze allowed or denied traffic.

Step 5: Analyze Logs

  • If using Storage Account:
    • Logs are JSON files.
    • Can use tools like Azure Storage Explorer or scripts to analyze.
  • If using Log Analytics:
    • Use Kusto Query Language (KQL) to query logs.
    • Example queries:
      • Show all denied inbound traffic: AzureDiagnostics
        | where FlowStatus_s == “Deny” and Direction_s == “Inbound”
      • Count traffic by destination port: AzureDiagnostics
        | summarize count() by DstPort_s

Exam Tip: Questions often test if you know where flow logs are enabled (NSG), where they are stored (Storage Account or Log Analytics), and what they capture (metadata, allow/deny, not content).

7. Key Benefits for IT Environments

  1. Security Analysis – Identify unauthorized access attempts.
  2. Troubleshooting – Check why traffic is blocked or failing.
  3. Audit & Compliance – Maintain records of network traffic.
  4. Network Optimization – See which ports or endpoints are heavily used.

8. Exam Tips

  • Flow logs are enabled per NSG.
  • They capture metadata, not packet content.
  • Storage options: Storage Account or Log Analytics.
  • Version 2 is recommended for richer analysis.
  • They are part of Network Watcher.
  • Commonly tested with scenarios like: “You want to log denied traffic on a subnet” → enable flow logs on the NSG attached to that subnet.

Summary for the Exam:

FeatureDetails
Enabled onNSG (subnet or NIC)
Managed byAzure Network Watcher
CapturesSource/Dest IP, port, protocol, allow/deny, timestamp
StorageStorage Account (JSON) or Log Analytics
Versionv1 (basic), v2 (enhanced, recommended)
Use casesSecurity, troubleshooting, auditing, traffic analysis

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by