Bulk enabling Azure Network Watcher and NSG flow logs for each virtual network in Azure subscription

EnterpriseArchitect 6,161 Reputation points
2025-07-24T11:34:30.23+00:00

I need some help and a procedure to enable Azure Network Watcher and NSG flow logs for each virtual network in the Azure subscriptions.

What are the things I must know first before enabling this on all of our VNETs?

Any help and suggestions would be greatly appreciated.

Accepted answer
    Marcin Policht 53,675 Reputation points MVP Volunteer Moderator
    2025-07-24T11:57:40.1766667+00:00

    Azure Network Watcher is a regional service that enables monitoring and diagnostic tools for Azure networking. It's enabled automatically in a given region whenever you create the first VNet in that region (provided that the subscription has Network Watcher auto-enablement, which has been enabled by default since 2019). To verify its existence, you can use az network watcher list.

    So effectively, your prerequisites comprise the following:

    • Network Watcher: Must be enabled per region (usually automatic).
    • NSGs: Must be assigned to subnets or NICs to be effective and loggable.
    • Storage Account: Required to store logs; should be in the same region as NSGs for cost efficiency.
    • Permissions: Minimum: Network Contributor on NSG and Storage resources.
    • Regions: All target regions must be checked to ensure Network Watcher is active.

    There are a few decision points to consider:

    • Log Format Version: Use v2 or higher for enhanced metadata like bytes transferred, VM info.
    • Retention Period: Set based on compliance or troubleshooting needs (e.g., 30 days).
    • Log Destination: Logs default to a Storage Account but can also be sent to Log Analytics for querying or Event Hubs for external tools.
    • Cost: Flow logs incur costs for data generation and storage—estimate based on number of NSGs, traffic volume, and retention.

    To enable NSG Flow logs, use the following procedure:

    Step 1: Confirm or Enable Network Watcher (only if needed)

    az network watcher configure --locations <region> --resource-group <resource-group> --enabled true
    

    Keep in mind that you will likely be able to skip this (use az network watcher list to verify).

    Step 2: Create or identify a storage account

    • Use a general-purpose v2 storage account (v1 would be cheaper in the short run, but this precludes the ability to use blob lifecycle management, which would help you reduce cost in the long run).
    • Place it in the same region as the NSG.

    Step 3: Enable NSG flow logs

    az network watcher flow-log configure \
      --nsg <nsg-name> \
      --resource-group <rg-name> \
      --enabled true \
      --storage-account <storage-account-name> \
      --retention 30 \
      --format JSON \
      --log-version 2
    

    Optionally, you can stream to a Log Analytics workspace:

    az network watcher flow-log configure \
      --nsg <nsg-name> \
      --resource-group <rg-name> \
      --enabled true \
      --storage-account <storage-account-name> \
      --workspace <log-analytics-workspace-id>
    

    Step 4: Verify status

    az network watcher flow-log show --nsg <nsg-name> --resource-group <rg-name>
    

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

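A bulk version of the procedure in the accepted answer, as an added example that is not part of the answer or of the Azure CLI itself: it enumerates every NSG in the current subscription, emits the step 1 command once per region and the step 3 command once per NSG, and prints the plan by default so it can be reviewed before anything is applied. Everything beyond the answer's own commands is an assumption: the az CLI is already logged in to the target subscription, a general-purpose v2 storage account already exists per region and follows a made-up naming convention of flowlogs<region>, Network Watcher instances live in the default NetworkWatcherRG resource group, and retention defaults to 30 days.

```bash
#!/bin/sh
# Added example, not the answer's own code: bulk-enable NSG flow logs across a subscription.
# Assumptions (not from the page): az CLI is logged in to the target subscription; one
# general-purpose v2 storage account per region already exists and is named with the
# hypothetical convention "flowlogs<region>"; Network Watcher instances live in the
# default "NetworkWatcherRG" resource group.
set -eu

RETENTION_DAYS="${RETENTION_DAYS:-30}"
WATCHER_RG="${WATCHER_RG:-NetworkWatcherRG}"

# Region -> storage account holding that region's flow logs (hypothetical convention;
# keeps the logs in the same region as the NSG, as the answer recommends).
storage_for_region() {
  printf 'flowlogs%s\n' "$1"
}

# Reads "nsg<TAB>resourceGroup<TAB>location" lines on stdin and prints the az commands
# that would be run: step 1 once per region, step 3 once per NSG. Pure text
# transformation, so the plan can be reviewed (and tested) without touching Azure.
# Values are single-quoted so the lines are safe to eval even with parentheses in names.
plan_flow_logs() {
  regions_seen=" "
  while IFS="$(printf '\t')" read -r nsg rg loc; do
    [ -n "$nsg" ] || continue
    case "$regions_seen" in
      *" $loc "*) ;;   # Network Watcher already handled for this region
      *)
        regions_seen="$regions_seen$loc "
        printf "az network watcher configure --locations '%s' --resource-group '%s' --enabled true\n" \
          "$loc" "$WATCHER_RG"
        ;;
    esac
    printf "az network watcher flow-log configure --nsg '%s' --resource-group '%s' --enabled true --storage-account '%s' --retention %s --format JSON --log-version 2\n" \
      "$nsg" "$rg" "$(storage_for_region "$loc")" "$RETENTION_DAYS"
  done
}

# Live path: enumerate NSGs (name, resource group, region) and either print or run the plan.
#   sh enable-flow-logs.sh --live            # dry run: print the commands
#   APPLY=1 sh enable-flow-logs.sh --live    # execute them
run_from_subscription() {
  az network nsg list --query "[].[name,resourceGroup,location]" -o tsv \
    | plan_flow_logs \
    | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
          eval "$cmd"
        else
          printf '%s\n' "$cmd"
        fi
      done
}

# Step 4 at scale: list the target resources in one region whose flow log is still disabled.
check_region() {
  az network watcher flow-log list --location "$1" \
    --query '[?enabled==`false`].targetResourceId' -o tsv
}

if [ "${1:-}" = "--live" ]; then
  run_from_subscription
fi
```

Review the printed plan first; the region loop only matters on the first run in a region, since Network Watcher is normally auto-enabled there already, and check_region gives a quick per-region view of anything the bulk run left disabled.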
