|
| 1 | +--- |
| 2 | +title: Migrate to VNet flow logs |
| 3 | +titleSuffix: Azure Network Watcher |
| 4 | +description: Learn how to migrate your Azure Network Watcher NSG flow logs to VNet flow logs using the Azure portal and PowerShell. |
| 5 | +author: halkazwini |
| 6 | +ms.author: halkazwini |
| 7 | +ms.service: network-watcher |
| 8 | +ms.topic: how-to |
| 9 | +ms.date: 04/15/2024 |
| 10 | + |
| 11 | +#CustomerIntent: As an Azure administrator, I want to learn how to migrate my NSG flow logs to the new VNet flow logs so that I can use VNet flow logs to log my virtual network IP traffic. |
| 12 | +--- |
| 13 | + |
| 14 | +# Migrate from NSG flow logs to VNet flow logs |
| 15 | + |
| 16 | +In this article, you learn how to migrate your existing NSG flow logs to VNet flow logs. VNet flow logs overcome some of the limitations of NSG flow logs. For more information, see [VNet flow logs](vnet-flow-logs-overview.md). |
| 17 | + |
| 18 | +## Prerequisites |
| 19 | + |
| 20 | +- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). |
| 21 | + |
| 22 | +- PowerShell 7. For more information, see [Install PowerShell on Windows, Linux, and macOS](/powershell/scripting/install/installing-powershell). This article requires the Az PowerShell module. For more information, see [How to install Azure PowerShell](/powershell/azure/install-azure-powershell). To find the installed version, run `Get-Module -ListAvailable Az`. |
| 23 | + |
| 24 | +- Necessary RBAC permissions for subscriptions of the flow logs and Log Analytics workspaces if traffic analytics is enabled for any of the NSG flow logs. For more information, see [Network Watcher RBAC permissions](required-rbac-permissions.md). |
| 25 | + |
| 26 | +- NSG flow logs in a region or more. For more information, see [Create NSG flow logs](nsg-flow-logs-portal.md#create-a-flow-log). |
| 27 | + |
| 28 | +## Generate migration script |
| 29 | + |
| 30 | +In this section, you learn how to generate and download the migration files for the NSG flow logs that you want to migrate. |
| 31 | + |
| 32 | +1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results. |
| 33 | + |
| 34 | + :::image type="content" source="./media/nsg-flow-logs-migrate/portal-search.png" alt-text="Screenshot that shows how to search for Network Watcher in the Azure portal." lightbox="./media/nsg-flow-logs-migrate/portal-search.png"::: |
| 35 | + |
| 36 | +1. Under **Logs**, select **Migrate flow logs**. |
| 37 | + |
| 38 | + :::image type="content" source="./media/nsg-flow-logs-migrate/migrate-flow-logs.png" alt-text="Screenshot that shows the NSG flow logs migration page in the Azure portal." lightbox="./media/nsg-flow-logs-migrate/migrate-flow-logs.png"::: |
| 39 | + |
| 40 | +1. Select the subscriptions that contain the NSG flow logs that you want to migrate. |
| 41 | + |
| 42 | +1. For each subscription, select the regions that contain the flow logs that you want to migrate. **Total NSG flow logs** shows the total number of flow logs that are in the selected subscriptions. **Selected NSG flow logs** shows the number of flow logs in the selected regions. |
| 43 | + |
| 44 | +1. After you chose the subscriptions and regions, select **Download script and JSON file** to download the migration files as a zip file. |
| 45 | + |
| 46 | + :::image type="content" source="./media/nsg-flow-logs-migrate/download-migration-files.png" alt-text="Screenshot that shows how to generate a migration script in the Azure portal." lightbox="./media/nsg-flow-logs-migrate/download-migration-files.png"::: |
| 47 | + |
| 48 | +1. Extract `MigrateFlowLogs.zip` file on your local machine. The zip file contains these two files: |
| 49 | + - a script file: `MigrationFromNsgToAzureFlowLogging.ps1` |
| 50 | + - a JSON file: `RegionSubscriptionConfig.json`. |
| 51 | + |
| 52 | +## Run migration script |
| 53 | + |
| 54 | +In this section, you learn how to use the script file that you downloaded in the previous section to migrate your NSG flow logs. |
| 55 | + |
| 56 | +1. Use [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) to sign in to Azure with the subscription that contains the NSG flow logs that you want to migrate. |
| 57 | + |
| 58 | + ```powershell |
| 59 | + Connect-AzAccount -Subscription 'mySubscription' |
| 60 | + ``` |
| 61 | +
|
| 62 | +1. Run the script file `MigrationFromNsgToAzureFlowLogging.ps1`. |
| 63 | +
|
| 64 | +1. Enter **1** for **Run analysis** option. |
| 65 | +
|
| 66 | + ```powershell |
| 67 | + .\MigrationFromNsgToAzureFlowLogging.ps1 |
| 68 | + |
| 69 | + Select one of the following options for flowlog migration: |
| 70 | + 1. Run analysis |
| 71 | + 2. Delete NSG flowlogs |
| 72 | + 3. Quit |
| 73 | + ``` |
| 74 | +
|
| 75 | +1. Enter the JSON file name. |
| 76 | +
|
| 77 | + ```powershell |
| 78 | + Please enter the path to scope selecting config file: .\RegionSubscriptionConfig.json |
| 79 | + ``` |
| 80 | +
|
| 81 | +1. Enter **16** for the number of threads or press enter. |
| 82 | +
|
| 83 | + ```powershell |
| 84 | + Please enter the number of threads you would like to use, press enter for using default value of 16: 16 |
| 85 | + ``` |
| 86 | +
|
| 87 | + After the analysis is complete, you'll see the analysis report on screen and in an html file in the same directory of the migration files. The report lists the number of NSG flow logs that will be disabled and the number of VNet flow logs that are created to replace them. The number of VNet flow logs that will be created depends on the type of migration that you choose. For example, if the network security group that you're migrating its flow log is associated with three network interfaces in the same virtual network, then you can choose *migration with aggregation* to have a single VNet flow log resource applied to the virtual network. You can also choose *migration without aggregation* to have three VNet flow logs (one VNet flow log resource per network interface). |
| 88 | +
|
| 89 | +1. Enter **2** or **3** to choose the type of migration that you want to perform. |
| 90 | +
|
| 91 | + ```powershell |
| 92 | + Select one of the following options for flowlog migration: |
| 93 | + 1. Re-Run analysis |
| 94 | + 2. Proceed with migration with aggregation |
| 95 | + 3. Proceed with migration without aggregation |
| 96 | + 4. Quit |
| 97 | + ``` |
| 98 | +
|
| 99 | +> [!NOTE] |
| 100 | +> See `AnalysisReport-<subscriptionId>-<region>-<time>.html` file for a full report of the migration that you performed. The file is available in the same directory of the script. |
| 101 | +
|
| 102 | +## Related content |
| 103 | +
|
| 104 | +- [NSG flow logs](nsg-flow-logs-overview.md) |
| 105 | +- [VNet flow logs](vnet-flow-logs-overview.md) |
0 commit comments