Configuring VNet Flow Logs on the Microsoft Azure portal

Virtual Network (VNet) flow logs are a feature of Microsoft Azure Network Watcher. You can use flow logs to record information about the IP traffic that flows through a virtual network.

Before you begin

To configure VNet flow logs in Microsoft Azure, complete the following prerequisites.

  1. Configure Event Hub, Consumer Group and Storage Account.
    Attention: If these tools are already created in your Azure portal, you can skip the creation steps and gather the name of each tool.
  2. Create a Resource Group in the same Region as the VNet flow logs. For more information, see Create resource groups.
  3. Create a new Event Hubs namespace and enter the Resource Group and Region. For more information, see Create an Event Hubs namespace.
    1. Create an Event Hub under the Event Hub namespace. For more information, see Create an event hub.
  4. Create a shared access policy under the Event Hub. Assign Send and Listen access and configure the Event Hub Connection String.
  5. Create a consumer group under the Event Hub.
  6. From the Storage Account's Access Key, fetch the Storage Account Connection String.

Procedure

  1. Create a Virtual Network with data traffic before you enable the VNet flow logs. For more information, see Create a virtual network and an Azure Bastion host.
  2. Create a Log Analytics Workspace by entering the Resource Group and Region. For more information, see Create a Log Analytics workspace.
  3. Enable Network Watcher and add the Region for which you are configuring the VNet flow logs. For more information, see Enable Network Watcher for your region.
  4. Enable VNet flow log.
    1. Gather the Region, the Virtual Network, the Storage Account, and the Log Analytics Workspace.
    2. Enter the information in the following command. For more information, see Create, change, enable, disable, or delete VNet flow logs using the Azure CLI.
      az network watcher flow-log create --location <region> --name <myVNetFlowLog> --resource-group <myResourceGroup> --vnet <myVNet> --storage-account <myStorageAccount> --workspace <myWorkspace> --interval 10 --traffic-analytics true
  5. Create Traffic Analytics.
    1. Navigate to the Log Analytics Workspace.
    2. Select Data Export and click Create Export Rule.
    3. Enter the rule Name and select the table name NTANetAnalytics.
    4. Select Event Hub as the Destination name.
    5. Enter a Subscription.
    6. Enter the Event Hub Workspace name and Event Hub name.
    7. Click Create.
  6. After you complete the preceding steps, add the Event Hub Connection String, the Consumer Group name, and the Storage Account Connection String to the Log Source. Events are then recorded according to the configuration.
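
The following check is an added example, not part of the vendor procedure. It inspects the three values from step 6 before they are pasted into the Log Source and flags an Event Hub string that comes from a namespace-level or default root policy rather than a policy created under the Event Hub. The function names and all sample values are assumptions made for illustration, and the rights assigned to a policy are not visible in the string itself, so confirm Send and Listen in the portal.

```python
# Added example: pre-flight check of the values entered in the Log Source.
# All sample values are constructed; the keys are placeholders, not secrets.
GOOD_EH = ("Endpoint=sb://example-ns.servicebus.windows.net/;"
           "SharedAccessKeyName=logsource-send-listen;"
           "SharedAccessKey=Y29uc3RydWN0ZWQ=;EntityPath=vnet-flow-hub")
BAD_EH = ("Endpoint=sb://example-ns.servicebus.windows.net/;"
          "SharedAccessKeyName=RootManageSharedAccessKey;"
          "SharedAccessKey=Y29uc3RydWN0ZWQ=")
GOOD_ST = ("DefaultEndpointsProtocol=https;AccountName=examplestore;"
           "AccountKey=Y29uc3RydWN0ZWQ=;EndpointSuffix=core.windows.net")
BAD_ST = GOOD_ST.replace("https", "http")

def parse_conn_str(conn_str):
    """Split 'Key=Value;...' into a dict, splitting on the first '=' only
    because base64 keys end in '=' padding."""
    fields = {}
    for part in conn_str.strip().strip(";").split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep or not value:
            raise ValueError(f"malformed segment: {key!r}")
        fields[key.strip()] = value.strip()
    return fields

def check_log_source_values(event_hub_cs, consumer_group, storage_cs):
    """Return a list of findings; an empty list means no issue was found."""
    findings = []
    eh, st = parse_conn_str(event_hub_cs), parse_conn_str(storage_cs)
    for name in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
        if name not in eh:
            findings.append(f"Event Hub string: missing {name}")
    if not eh.get("Endpoint", "sb://").startswith("sb://"):
        findings.append("Event Hub string: Endpoint is not an sb:// URI")
    if "EntityPath" not in eh:  # hub-level policies carry EntityPath
        findings.append("Event Hub string: no EntityPath (namespace-level policy)")
    if eh.get("SharedAccessKeyName") == "RootManageSharedAccessKey":
        findings.append("Event Hub string: default root policy with Manage rights")
    if consumer_group.strip() in ("", "$Default"):
        findings.append("Consumer group: not the group created for the Log Source")
    for name in ("AccountName", "AccountKey"):
        if name not in st:
            findings.append(f"Storage string: missing {name}")
    if st.get("DefaultEndpointsProtocol", "https").lower() != "https":
        findings.append("Storage string: DefaultEndpointsProtocol is not https")
    return findings

if __name__ == "__main__":
    for finding in check_log_source_values(BAD_EH, "$Default", BAD_ST):
        print("FINDING:", finding)
```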