Interpret NSG flow logs

5.2 Network Traffic Monitoring and Analysis

📘Microsoft Azure Networking Solutions (AZ-700)


1. What Are NSG Flow Logs?

  • NSG (Network Security Group): A set of rules that controls inbound and outbound traffic to your Azure resources, like VMs or subnets.
  • NSG Flow Logs: Logs that capture detailed information about the traffic allowed or denied by NSG rules.
    • They are not real-time, but stored in Azure Storage for analysis.
    • Think of them as an audit trail of network traffic at the NSG level.

Purpose for IT Teams:

  • Troubleshoot network issues
  • Monitor and secure network traffic
  • Detect unwanted or suspicious activity

2. How NSG Flow Logs Work

When NSG flow logging is enabled:

  1. Every network packet hitting a resource is evaluated against the NSG rules.
  2. NSG flow logs record if traffic is allowed or denied.
  3. Each log entry contains key traffic details:
    • Source IP – Where the traffic came from
    • Destination IP – Where the traffic is going
    • Source Port – Port used by sender
    • Destination Port – Port used by receiver
    • Protocol – TCP, UDP, etc.
    • Action – Allowed or Denied
    • Flow state – Whether it’s a new connection or an existing one

Example IT scenario:
A sysadmin wants to know why a VM cannot reach a database. NSG flow logs show the connection was denied, revealing that a rule blocked TCP traffic on port 1433 (SQL Server).


3. Log Structure

  • NSG flow logs are saved in JSON format in Azure Storage accounts.
  • Example structure:
    {
      "time": "2026-03-03T10:00:00Z",
      "srcIP": "10.1.1.4",
      "destIP": "10.2.0.5",
      "srcPort": "54000",
      "destPort": "80",
      "protocol": "TCP",
      "trafficFlow": "Allowed",
      "flowState": "New"
    }

Key Fields Explained:

  • srcIP – Source IP address of the packet
  • destIP – Destination IP address of the packet
  • srcPort – Source port number
  • destPort – Destination port number
  • protocol – Protocol type (TCP/UDP/ICMP)
  • trafficFlow – Whether NSG allowed or denied traffic
  • flowState – New for new flows, Established for existing connections

4. Versions of NSG Flow Logs

  • v1: Basic logs, limited detail.
  • v2: Advanced, recommended for AZ-700:
    • Includes flow state, direction, and better performance.
    • Supports traffic analytics integration.

5. How to Interpret NSG Flow Logs

Step 1: Identify the Traffic

  • Look at srcIP and destIP to know the who and where.
  • Check srcPort and destPort to understand what service is being accessed.

Step 2: Check the Action

  • Allowed – traffic passed through NSG rules.
  • Denied – traffic blocked by NSG rules.

Step 3: Flow Direction

  • Logs indicate Inbound or Outbound traffic:
    • Inbound: Traffic entering your VM/subnet
    • Outbound: Traffic leaving your VM/subnet

Step 4: Flow State

  • New – a new connection attempt
  • Established – continuation of an existing session
  • Helps understand network session behavior
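The JSON in section 3 is a simplified view; in a version 2 flow log each flow is a comma-separated flowTuple string nested under the NSG rule that matched it. The Python below is an added example, not from these notes or from Microsoft, that decodes constructed sample tuples (assumed to follow the published v2 layout) into the fields Steps 1 to 4 ask you to read, and tallies denied flows per destination port and rule.

```python
import json
from collections import Counter

# Constructed sample record in the NSG flow log v2 layout (assumed from Microsoft's
# published schema). Each flowTuple is: "unixTime,srcIP,destIP,srcPort,destPort,
# protocol,direction,decision,flowState,pktsS2D,bytesS2D,pktsD2S,bytesD2S";
# the four counters are empty while the flow state is B (begin).
SAMPLE_RECORD = json.dumps({
    "time": "2026-03-03T10:00:00Z",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856",
         "flowTuples": ["1772532000,10.1.1.4,10.2.0.5,54000,1433,T,I,D,B,,,,",
                        "1772532005,10.1.1.4,10.2.0.5,54001,1433,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_allow-https", "flows": [{"mac": "000D3AF87856",
         "flowTuples": ["1772532010,10.1.1.4,10.2.0.5,54002,443,T,I,A,B,,,,",
                        "1772532040,10.1.1.4,10.2.0.5,54002,443,T,I,A,C,12,3400,10,9000"]}]},
    ]},
})

PROTOCOL = {"T": "TCP", "U": "UDP"}
DIRECTION = {"I": "Inbound", "O": "Outbound"}
DECISION = {"A": "Allowed", "D": "Denied"}
FLOW_STATE = {"B": "New", "C": "Established", "E": "End"}

def parse_flow_tuple(tuple_str, rule):
    """Decode one flowTuple into the readable fields Steps 1-4 tell you to check."""
    f = tuple_str.split(",")
    return {
        "rule": rule, "srcIP": f[1], "destIP": f[2],
        "srcPort": int(f[3]), "destPort": int(f[4]),
        "protocol": PROTOCOL.get(f[5], f[5]),
        "direction": DIRECTION[f[6]],
        "action": DECISION[f[7]],
        "flowState": FLOW_STATE[f[8]],
        # Byte counters only exist once the flow is continuing (C) or ended (E).
        "bytesSrcToDst": int(f[10]) if f[10] else 0,
    }

def parse_record(record_json):
    """Flatten one log record: every rule -> every flow -> every tuple."""
    record = json.loads(record_json)
    return [parse_flow_tuple(t, r["rule"])
            for r in record["properties"]["flows"]
            for flow in r["flows"] for t in flow["flowTuples"]]

def denied_by_port(entries):
    """Step 2 in practice: which destination ports were denied, and by which rule."""
    return Counter((e["destPort"], e["rule"]) for e in entries if e["action"] == "Denied")

if __name__ == "__main__":
    print(denied_by_port(parse_record(SAMPLE_RECORD)))
```

The rule name carried on each decoded entry is what lets you trace which NSG rule produced a deny, the skill the exam scenario in section 8 expects.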

6. Tools to Analyze NSG Flow Logs

  • Azure Storage Explorer: View logs in JSON format
  • Azure Monitor / Log Analytics:
    • Import NSG flow logs
    • Run queries to see trends, blocked traffic, top talkers
  • Traffic Analytics (optional but exam-relevant):
    • Aggregates NSG flow logs
    • Shows network traffic patterns, security threats, and bandwidth usage

7. Practical Exam Tips

  • Remember Key Fields: Source, Destination, Ports, Protocol, Action, Flow State.
  • Focus on Allowed vs Denied traffic: Denied logs help troubleshoot connectivity issues.
  • Know Log Locations: Logs are stored in Azure Storage.
  • v2 Logs for Analytics: Always use v2 for exam scenarios that require analytics.

8. Example Scenario for Exams

  1. VM1 tries to reach VM2 on port 443.
  2. NSG rule denies inbound traffic to port 443 on VM2.
  3. Flow log shows:
    • srcIP: VM1 IP
    • destIP: VM2 IP
    • destPort: 443
    • action: Denied
    • flowState: New
  4. Interpretation: The connection failed because NSG rules blocked traffic. Candidates should know how to trace which rule caused the deny.

Summary

  • NSG flow logs = record of network traffic filtered by NSG rules.
  • Key data: source/destination IPs, ports, protocol, action, flow state.
  • Use v2 logs for traffic analytics.
  • Helps troubleshoot, secure, and monitor Azure network traffic.
  • Understand how to read and interpret logs for allowed/denied connections.