# Manage Azure Network Watcher traffic analytics using Azure Policy
15
15
16
-
Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. In this article, you'll learn how to use three built-in policies available for [traffic analytics](./traffic-analytics.md) to manage your setup.
16
+
Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. In this article, you learn how to use three built-in policies available for [traffic analytics](./traffic-analytics.md) to manage your setup.
17
17
18
18
To learn more about Azure policy, see [What is Azure Policy?](../governance/policy/overview.md) and [Quickstart: Create a policy assignment to identify non-compliant resources](../governance/policy/assign-policy-portal.md).
19
19
20
20
## <aname="audit"></a>Audit flow logs using a built-in policy
21
21
22
-
**Network Watcher flow logs should have traffic analytics enabled** policy audits all existing Azure Resource Manager objects of type `Microsoft.Network/networkWatchers/flowLogs` and checks if traffic analytics is enabled via the `networkWatcherFlowAnalyticsConfiguration.enabled` property of the flow logs resource. It flags the flow logs resource which have the property set to false.
22
+
**Network Watcher flow logs should have traffic analytics enabled** policy audits all existing Azure Resource Manager objects of type `Microsoft.Network/networkWatchers/flowLogs` and checks if traffic analytics is enabled via the `networkWatcherFlowAnalyticsConfiguration.enabled` property of the flow logs resource. It flags the flow logs resource that have the property set to false.
23
23
24
24
To assign policy and audit your flow logs, use the following steps:
25
25
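Review bot: the context line `## <aname="audit"></a>Audit flow logs using a built-in policy` is missing the space in the anchor tag, so `<aname="audit">` is not a valid HTML element and the `#audit` link target it is meant to provide will not be created; suggest `## <a name="audit"></a>Audit flow logs using a built-in policy` while this section is being edited. The rewritten line also still has a number mismatch in `It flags the flow logs resource that have the property set to false.`; suggest `It flags the flow log resources that have the property set to false.`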
@@ -64,7 +64,7 @@ There are two *deployIfNotExists* policies available to configure NSG flow logs:
64
64
65
65
-**Configure network security groups to use specific workspace, storage account and flow log retention policy for traffic analytics**: This policy flags the network security group that doesn't have traffic analytics enabled. For a flagged network security group, either the corresponding NSG flow logs resource doesn't exist or the NSG flow logs resource exist but traffic analytics isn't enabled on it. You can create a *remediation* task if you want the policy to affect existing resources.
66
66
67
-
Remediation can be assigned while assigning policy or after policy is assigned and evaluated. Remediation enables traffic analytics on all the flagged resources with the provided parameters. If a network security group already has flow logs enabled into a particular storage ID but it doesn't have traffic analytics enabled, then remediation will enable traffic analytics on this network security group with the provided parameters. If the storage ID provided in the parameters is different from the one enabled for flow logs, then the latter gets overwritten with the provided storage ID in the remediation task. If you don't want to overwrite, use **Configure network security groups to enable traffic analytics** policy.
67
+
Remediation can be assigned while assigning policy or after policy is assigned and evaluated. Remediation enables traffic analytics on all the flagged resources with the provided parameters. If a network security group already has flow logs enabled into a particular storage ID but it doesn't have traffic analytics enabled, then remediation enables traffic analytics on this network security group with the provided parameters. If the storage ID provided in the parameters is different from the one enabled for flow logs, then the latter gets overwritten with the provided storage ID in the remediation task. If you don't want to overwrite, use **Configure network security groups to enable traffic analytics** policy.
68
68
69
69
-**Configure network security groups to enable traffic analytics**: This policy is similar to the previous policy except that during remediation, it doesn't overwrite flow logs settings on the flagged network security groups that have flow logs enabled but traffic analytics disabled with the parameter provided in the policy assignment.
70
70
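Review bot: the preceding context line still has a subject-verb mismatch in `the NSG flow logs resource exist but traffic analytics isn't enabled on it`; suggest `exists`. In the rewritten paragraph, `storage ID` is used where the parameter table later in the article says `storage resource ID`; using one term makes it unambiguous that the remediation task overwrites the storage account the existing flow logs are written to, which is the behaviour the reader must weigh before choosing this policy over **Configure network security groups to enable traffic analytics**. The closing sentence also wants an article: `use the **Configure network security groups to enable traffic analytics** policy`.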
@@ -88,7 +88,7 @@ To assign any of the *deployIfNotExists* two policies, repeat steps 1-4 from the
88
88
| Effect | Select **DeployIfNotExists**. |
89
89
| Network security group region | Select the region of your network security group that you're targeting with the policy. |
90
90
| Storage resource ID | Enter the full resource ID of the storage account. The storage account must be in the same region as the network security group. The format of storage resource ID is: `/subscriptions/<SubscriptionID>/resourceGroups/<ResouceGroupName>/providers/Microsoft.Storage/storageAccounts/<StorageAccountName>`. |
91
-
| Traffic analytics processing interval in minutes | Select the frequency at which processed logs will be pushed into the workspace. Currently available values are 10 and 60 minutes. Default value is 60 minutes. |
91
+
| Traffic analytics processing interval in minutes | Select the frequency at which processed logs are pushed into the workspace. Currently available values are 10 and 60 minutes. Default value is 60 minutes. |
92
92
| Workspace resource ID | Enter the full resource ID of the workspace where traffic analytics has to be enabled. The format of workspace resource ID is: `/subscriptions/<SubscriptionID>/resourcegroups/<ResouceGroupName>/providers/microsoft.operationalinsights/workspaces/<WorkspaceName>`. |
93
93
| Workspace region | Select the region of your traffic analytics workspace. |
94
94
| Workspace ID | Enter your traffic analytics workspace ID. |
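Review bot: both resource ID examples in this table misspell the placeholder as `<ResouceGroupName>` (the Storage resource ID and Workspace resource ID rows); suggest `<ResourceGroupName>`. The two examples also write the same path segment differently (`resourceGroups` in one, `resourcegroups` in the other); pick one form so readers do not assume the difference is meaningful. In the changed row, `Default value is 60 minutes.` reads better as `The default value is 60 minutes.`, and the section sentence shown in the hunk header, `any of the *deployIfNotExists* two policies`, should be `either of the two *deployIfNotExists* policies`.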
@@ -108,7 +108,7 @@ To assign any of the *deployIfNotExists* two policies, repeat steps 1-4 from the
108
108
| Create Remediation task | Check the box if you want the policy to affect existing resources. |
109
109
| Create a Managed Identity | Check the box. |
110
110
| Type of Managed Identity | Select the type of Managed Identity that you want to use. |
111
-
| System assigned identity location | Select the of your Managed Identity. |
111
+
| System assigned identity location | Select the region of your Managed Identity. |
112
112
113
113
:::image type="content" source="./media/traffic-analytics-policy-portal/assign-deploy-policy-remediation.png" alt-text="Screenshot of the Remediation tab of assigning a deploy policy in the Azure portal." lightbox="./media/traffic-analytics-policy-portal/assign-deploy-policy-remediation.png":::
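Review bot: the fix to `Select the region of your Managed Identity.` is correct, but the row only applies when a system-assigned identity is chosen in the **Type of Managed Identity** row above it, so suggest saying so, for example `Select the region of your Managed Identity. This setting applies only when you select a system-assigned identity.`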