This chapter covers Network Watcher and NSG flow logs, a critical feature for network security monitoring and troubleshooting in Azure. For the AZ-500 exam, this topic appears in approximately 5-10% of questions, often integrated with traffic analytics, diagnostic logging, and security incident response scenarios. You will learn the architecture, configuration, and practical use of flow logs to detect anomalous traffic patterns and meet compliance requirements.
Jump to a section
Network Watcher flow logs are like a security camera system for your network. The camera (NSG) records every person (packet) that passes through a door (NSG rule). But instead of storing full video (packet capture), it only logs a summary: who entered, when, from where, and whether they were allowed. The DVR (storage account) keeps these logs for a configurable period (default 30 days). If a security incident occurs, you can 'rewind' by querying the logs to see exactly which packets were allowed or denied, at what time, and from which source/destination. Traffic analytics is like an AI that analyzes the footage to detect patterns—like a person visiting the same door every day at 3 AM (anomaly detection). The key mechanical parallel: just as a camera system records metadata (timestamp, person ID, direction) without storing full video, flow logs record metadata about network flows without capturing payload. And just as you can set different retention periods for different cameras, you can set different retention policies per NSG. The logs are stored in a blob container, and you query them using Log Analytics or directly from the blob. If you don't have a storage account configured, the logs are lost—like a camera with no DVR.
What are NSG Flow Logs and Why Do They Exist?
Network Security Group (NSG) flow logs are a feature of Azure Network Watcher that enable you to log information about IP traffic flowing through an NSG. They exist because traditional network monitoring lacks visibility into which traffic is actually being allowed or denied by NSG rules. Without flow logs, you might configure an NSG rule to deny all inbound traffic from the internet, but you wouldn't know if legitimate traffic is being blocked or if malicious traffic is being allowed due to misconfiguration. Flow logs provide that visibility by recording, at regular intervals, the flows that pass through the NSG.
How Flow Logs Work Internally
When a packet arrives at a subnet or NIC associated with an NSG, Azure's virtual switch processes it against the NSG rules. For each flow (a sequence of packets from a source to a destination in the same direction), the switch determines whether the first packet is allowed or denied. This decision is cached for approximately 4 minutes (the flow timeout). While the flow is active, subsequent packets are forwarded without re-evaluating rules. At the end of the flow (or after the timeout), the switch generates a flow log record. The record contains:
Source and destination IP addresses
Source and destination ports
Protocol (TCP, UDP, ICMP)
Traffic direction (inbound/outbound)
Decision (allow/deny)
State of the flow (begun, continued, ended)
Packets and bytes transferred
These records are aggregated and written to a blob storage container in JSON format every 60 seconds (the aggregation interval). You can configure a retention period (in days) for the logs; after that period, Azure automatically deletes them.
Key Components and Defaults
Network Watcher: Regional service that must be enabled in the subscription for flow logs to work. It is enabled by default in each region where you have virtual networks.
NSG Flow Logs: Configured per NSG, not per subnet or NIC. You must specify a storage account (must be in the same region as the NSG) and a retention period (0-365 days; 0 means no retention, i.e., delete immediately after aggregation).
Traffic Analytics: An add-on that processes flow logs and provides intelligent insights, such as top talkers, anomalous flows, and geo-maps. It requires Log Analytics workspace and is billed separately.
Flow Log Version 2: The current version supports flow state (begun, continued, ended). Version 1 is legacy and does not include state.
Configuration and Verification
To enable flow logs via Azure CLI:
az network watcher flow-log create \
--resource-group myResourceGroup \
--name myFlowLog \
--nsg myNSG \
--storage-account myStorageAccount \
--retention 30 \
--enabled trueTo enable traffic analytics:
az network watcher flow-log create \
--resource-group myResourceGroup \
--name myFlowLog \
--nsg myNSG \
--storage-account myStorageAccount \
--retention 30 \
--enabled true \
--traffic-analytics true \
--workspace myLogAnalyticsWorkspaceTo query flow logs from Log Analytics, you use the AzureNetworkAnalytics_CL table (if traffic analytics is enabled) or query the raw JSON in blob storage. For example:
AzureNetworkAnalytics_CL
| where FlowType_s == "S2S" // Site-to-site
| project TimeGenerated, SrcIP_s, DestIP_s, L4Protocol_s, AllowedInFlows_d, DeniedInFlows_d
| take 10Interaction with Related Technologies
NSG Diagnostic Logs: These are separate logs that record rule evaluation events (e.g., when a rule is created or modified). Flow logs record actual traffic flows.
Azure Firewall Logs: If you use Azure Firewall, its logs provide similar flow information but at the firewall level. Flow logs are for NSGs, which are distributed at subnet/NIC level.
Network Watcher Packet Capture: This captures full packet data, not just metadata. Use packet capture for deep forensic analysis; use flow logs for ongoing monitoring.
Virtual Network Flow Logs (Preview): A newer feature that logs flows at the virtual network level, not just NSG. Not yet covered in AZ-500 extensively.
Performance and Scale Considerations
Flow logs are generated by the Azure host infrastructure and do not affect VM performance. However, they do consume storage: a typical flow log record is about 1 KB, and a busy NSG can generate millions of records per day. Traffic analytics adds additional processing and cost. You should set appropriate retention periods and consider using lifecycle management policies on the storage account to tier older logs to cool or archive storage.
Enable Network Watcher in Region
Before you can use flow logs, Network Watcher must be enabled in the region where your NSG resides. In most regions, it is enabled by default. If not, you can enable it via the Azure portal, CLI, or PowerShell. Network Watcher is a regional service that monitors and diagnoses network health. Without it, flow log configuration options will be unavailable.
Create or Select a Storage Account
Flow logs are written to a blob storage container (insights-logs-networksecuritygroupflowevent) in a general-purpose v2 storage account. The storage account must be in the same Azure region as the NSG. You can choose an existing account or create a new one. Consider data sovereignty and cost: each flow log record is about 1 KB, and high-traffic NSGs can generate gigabytes per day.
Configure NSG Flow Log Settings
In the Azure portal, navigate to the NSG, select 'NSG flow logs' under 'Monitoring', then click 'Create'. Provide a name, select the storage account, set retention (in days, 0-365), and optionally enable traffic analytics. For CLI/PowerShell, use the commands shown earlier. The aggregation interval is fixed at 60 seconds; you cannot change it.
Enable Traffic Analytics (Optional)
Traffic Analytics processes raw flow logs and provides dashboards, geo-maps, and anomaly detection. It requires a Log Analytics workspace. Enabling it adds cost but is highly recommended for security monitoring. The data is ingested into the AzureNetworkAnalytics_CL table. You can query it with KQL to identify suspicious traffic patterns, such as port scanning or data exfiltration.
Query and Analyze Flow Logs
Once enabled, flow logs appear in the storage account under the container 'insights-logs-networksecuritygroupflowevent'. You can download the JSON files directly or use Log Analytics (if traffic analytics is enabled). For exam purposes, know how to write basic KQL queries to filter allowed/denied traffic, identify top talkers, and detect anomalies. Also understand that flow logs are not real-time; they are aggregated every 60 seconds.
In a large enterprise with thousands of VMs across multiple regions, a security operations center (SOC) uses NSG flow logs to monitor for data exfiltration attempts. They enable traffic analytics on all NSGs attached to internet-facing subnets. The logs are ingested into a central Log Analytics workspace, where they run KQL queries to flag outbound traffic to known malicious IPs (using threat intelligence feeds). They also set up alerts for when a single VM sends more than 100 MB of data to an external IP in an hour—a possible indicator of data exfiltration.
Another scenario: a financial institution needs to meet PCI DSS compliance, which requires logging all network traffic to and from cardholder data environments. They enable flow logs on all NSGs associated with those environments, set retention to 90 days (as required by PCI), and use Azure Policy to enforce that flow logs are enabled on every NSG. They also export the logs to a SIEM (via Event Hubs) for correlation with other logs.
A common misconfiguration is forgetting to enable flow logs on both inbound and outbound NSG rules. Flow logs capture traffic based on the NSG's rules, but if the NSG is applied at the subnet level and a VM has a separate NIC-level NSG, you need to enable flow logs on both to get complete visibility. Also, some engineers set retention to 0 thinking it means 'infinite', but 0 actually means no retention—logs are deleted immediately after aggregation. The correct setting for indefinite retention is 365 (the max) or use lifecycle management to archive to cool storage.
AZ-500 tests NSG flow logs under objective 'Configure and manage security monitoring' (3.1). The exam expects you to know:
The difference between NSG flow logs and NSG diagnostic logs (diagnostic logs record rule changes; flow logs record traffic).
The exact default aggregation interval: 60 seconds.
The retention range: 0-365 days, where 0 means delete immediately.
That flow logs are written to a storage account in JSON format.
That traffic analytics requires a Log Analytics workspace.
That you can query flow logs using KQL from the AzureNetworkAnalytics_CL table.
Common wrong answers: 1. 'Flow logs capture full packet payloads.' Wrong—they capture only metadata (IPs, ports, protocol, decision). Packet capture is for payload. 2. 'Flow logs are real-time.' Wrong—they are aggregated every 60 seconds. 3. 'You can enable flow logs on a single NIC.' Wrong—flow logs are enabled per NSG, not per NIC. However, you can enable them on the NSG attached to a NIC. 4. 'Traffic analytics is required for flow logs.' Wrong—traffic analytics is optional; flow logs work without it.
Edge cases: If you delete the storage account, flow logs stop. If you change the NSG rules, existing flows are not retroactively logged. Flow logs do not capture traffic that is blocked by Azure DDoS Protection or Azure Firewall before it reaches the NSG—those logs are separate. Also, flow logs are not generated for traffic within the same subnet if the NSG is applied at the subnet level (because the traffic does not cross the NSG boundary).
NSG flow logs capture metadata of IP traffic allowed or denied by an NSG, including source/destination IP, port, protocol, direction, and decision.
Flow logs are aggregated and written to blob storage every 60 seconds (fixed interval).
Retention period can be set from 0 to 365 days; 0 means logs are deleted immediately after aggregation.
Traffic Analytics is an optional add-on that provides intelligent analysis using Log Analytics.
Flow logs are enabled per NSG, not per NIC or subnet directly.
To query flow logs with traffic analytics, use the AzureNetworkAnalytics_CL table in Log Analytics with KQL.
Flow logs do not capture packet payloads—use Network Watcher packet capture for that.
Network Watcher must be enabled in the region for flow logs to work (enabled by default in most regions).
These come up on the exam all the time. Here's how to tell them apart.
NSG Flow Logs
Logs metadata of flows (IPs, ports, protocol, decision)
Always-on, continuous monitoring
Stored in blob storage as JSON files
Aggregated every 60 seconds
Lower cost, suitable for long-term monitoring
Network Watcher Packet Capture
Captures full packet payloads
On-demand, manual trigger or scheduled
Stored in .cap file in storage account
Real-time capture (up to 5 minutes)
Higher cost, used for forensic analysis
Mistake
NSG flow logs capture full packet payloads.
Correct
Flow logs capture only metadata: source/destination IP, port, protocol, direction, decision, and packet/byte counts. Full packet capture is a separate Network Watcher feature.
Mistake
Flow logs are generated in real-time.
Correct
Flow logs are aggregated and written every 60 seconds. They are not real-time. For near-real-time insights, use traffic analytics which processes the logs with minimal delay.
Mistake
Setting retention to 0 means keep forever.
Correct
Retention 0 means no retention—logs are deleted immediately after aggregation. To keep logs indefinitely, set retention to 365 (maximum) or use lifecycle management policies.
Mistake
You can enable flow logs on a specific NIC.
Correct
Flow logs are enabled per NSG, not per NIC. If a NIC has an NSG attached, you enable flow logs on that NSG. For subnet-level NSGs, all NICs in the subnet are covered.
Mistake
Traffic analytics must be enabled to use flow logs.
Correct
Traffic analytics is an optional add-on that provides advanced analysis. Flow logs themselves work independently and are stored in blob storage without traffic analytics.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Use the command `az network watcher flow-log create --resource-group <rg> --name <flowlogname> --nsg <nsgname> --storage-account <storageaccount> --retention <days> --enabled true`. The storage account must be in the same region as the NSG. For traffic analytics, add `--traffic-analytics true --workspace <workspaceid>`.
NSG diagnostic logs record events related to rule changes (e.g., rule created, modified, deleted). NSG flow logs record actual traffic flows that are allowed or denied by the NSG rules. Both are useful for security monitoring but serve different purposes.
Yes. You can configure a storage account to send flow logs to Event Hubs (using diagnostic settings) and then stream to a SIEM. Alternatively, you can use traffic analytics to export to Log Analytics and then connect Log Analytics to your SIEM via connector.
No, if the NSG is applied at the subnet level, traffic between VMs in the same subnet is not logged because it does not cross the NSG boundary. To log intra-subnet traffic, you would need to apply NSGs at the NIC level.
There is a cost for storing the logs in blob storage (based on amount of data). Traffic analytics adds additional costs per GB processed. There is no charge for enabling flow logs themselves. Check Azure pricing for current rates.
If using traffic analytics, query `AzureNetworkAnalytics_CL | where DeniedInFlows_d > 0 or DeniedOutFlows_d > 0`. Without traffic analytics, you can parse the JSON files in the storage account using Azure Data Lake or other tools.
Flow logs will stop being written. You will need to reconfigure the flow log to point to a new storage account. Existing logs in the deleted account are lost unless you have a backup.
You've just covered NSG Flow Logs and Network Watcher — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?