|
| 1 | +--- |
| 2 | +title: 'Tutorial: Log network traffic flow to and from a VM' |
| 3 | +titleSuffix: Azure Network Watcher |
| 4 | +description: In this tutorial, you learn how to log network traffic flow to and from a virtual machine (VM) using Network Watcher virtual network (VNet) flow logs. |
| 5 | +author: halkazwini |
| 6 | +ms.author: halkazwini |
| 7 | +ms.service: azure-network-watcher |
| 8 | +ms.topic: tutorial |
| 9 | +ms.date: 09/30/2024 |
| 10 | + |
| 11 | +# CustomerIntent: As an Azure administrator, I need to log the network traffic to and from a virtual machine (VM) so I can analyze the data for anomalies. |
| 12 | +--- |
| 13 | + |
| 14 | +# Tutorial: Log network traffic to and from a virtual machine using the Azure portal |
| 15 | + |
| 16 | +Virtual network flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through an Azure virtual network. For more information about virtual network flow logging, see [Virtual network flow logs](vnet-flow-logs-overview.md). |
| 17 | + |
| 18 | +This tutorial helps you use VNet flow logs to log a virtual machine's network traffic that flows through the virtual network. |
| 19 | + |
| 20 | +:::image type="content" source="./media/nsg-flow-logs-tutorial/nsg-flow-logs-tutorial-diagram.png" alt-text="Diagram shows the resources created during the tutorial."::: |
| 21 | + |
| 22 | +In this tutorial, you learn how to: |
| 23 | + |
| 24 | +> [!div class="checklist"] |
| 25 | +> - Create a virtual network |
| 26 | +> - Create a virtual machine |
| 27 | +> - Register Microsoft.insights provider |
| 28 | +> - Enable flow logging for a virtual network using Network Watcher flow logs |
| 29 | +> - Download logged data |
| 30 | +> - View logged data |
| 31 | +
|
| 32 | +## Prerequisites |
| 33 | + |
| 34 | +- An Azure account with an active subscription. If you don't have one, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. |
| 35 | + |
| 36 | +## Create a virtual network |
| 37 | + |
| 38 | +In this section, you create **myVNet** virtual network with one subnet for the virtual machine. |
| 39 | + |
| 40 | +1. Sign in to the [Azure portal](https://portal.azure.com). |
| 41 | + |
| 42 | +1. In the search box at the top of the portal, enter ***virtual networks***. Select **Virtual networks** from the search results. |
| 43 | + |
| 44 | + :::image type="content" source="./media/virtual-networks-portal-search.png" alt-text="Screenshot that shows how to search for virtual networks in the Azure portal." lightbox="./media/virtual-networks-portal-search.png"::: |
| 45 | + |
| 46 | +1. Select **+ Create**. In **Create virtual network**, enter or select the following values in the **Basics** tab: |
| 47 | + |
| 48 | + | Setting | Value | |
| 49 | + | --- | --- | |
| 50 | + | **Project details** | | |
| 51 | + | Subscription | Select your Azure subscription. | |
| 52 | + | Resource Group | Select **Create new**. </br> Enter ***myResourceGroup*** in **Name**. </br> Select **OK**. | |
| 53 | + | **Instance details** | | |
| 54 | + | Name | Enter ***myVNet***. | |
| 55 | + | Region | Select **(US) East US**. | |
| 56 | + |
| 57 | +1. Select **Review + create**. |
| 58 | + |
| 59 | +1. Review the settings, and then select **Create**. |
| 60 | + |
| 61 | +## Create a virtual machine |
| 62 | + |
| 63 | +In this section, you create **myVM** virtual machine. |
| 64 | + |
| 65 | +1. In the search box at the top of the portal, enter ***virtual machines***. Select **Virtual machines** from the search results. |
| 66 | + |
| 67 | +1. Select **+ Create** and then select **Azure virtual machine**. |
| 68 | + |
| 69 | +1. In **Create a virtual machine**, enter or select the following values in the **Basics** tab: |
| 70 | + |
| 71 | + | Setting | Value | |
| 72 | + | --- | --- | |
| 73 | + | **Project Details** | | |
| 74 | + | Subscription | Select your Azure subscription. | |
| 75 | + | Resource Group | Select **myResourceGroup**. | |
| 76 | + | **Instance details** | | |
| 77 | + | Virtual machine name | Enter ***myVM***. | |
| 78 | + | Region | Select **(US) East US**. | |
| 79 | + | Availability Options | Select **No infrastructure redundancy required**. | |
| 80 | + | Security type | Select **Standard**. | |
| 81 | + | Image | Select **Windows Server 2022 Datacenter: Azure Edition - x64 Gen2**. | |
| 82 | + | Size | Choose a size or leave the default setting. | |
| 83 | + | **Administrator account** | | |
| 84 | + | Username | Enter a username. | |
| 85 | + | Password | Enter a password. | |
| 86 | + | Confirm password | Reenter password. | |
| 87 | + |
| 88 | +1. Select the **Networking** tab, or select **Next: Disks**, then **Next: Networking**. |
| 89 | + |
| 90 | +1. In the Networking tab, select the following values: |
| 91 | + |
| 92 | + | Setting | Value | |
| 93 | + | --- | --- | |
| 94 | + | **Network interface** | | |
| 95 | + | Virtual network | Select **myVNet**. | |
| 96 | + | Subnet | Select **mySubnet**. | |
| 97 | + | Public IP | Select **(new) myVM-ip**. | |
| 98 | + | NIC network security group | Select **Basic**. This setting creates a network security group named **myVM-nsg** and associates it with the network interface of **myVM** virtual machine. | |
| 99 | + | Public inbound ports | Select **Allow selected ports**. | |
| 100 | + | Select inbound ports | Select **RDP (3389)**. | |
| 101 | + |
| 102 | + > [!CAUTION] |
| 103 | + > Leaving the RDP port open to the internet is only recommended for testing. For production environments, it's recommended to restrict access to the RDP port to a specific IP address or range of IP addresses. You can also block internet access to the RDP port and use [Azure Bastion](../bastion/bastion-overview.md) to securely connect to your virtual machine from the Azure portal. |
| 104 | +
|
| 105 | +1. Select **Review + create**. |
| 106 | + |
| 107 | +1. Review the settings, and then select **Create**. |
| 108 | + |
| 109 | +1. Once the deployment is complete, select **Go to resource** to go to the **Overview** page of **myVM**. |
| 110 | + |
| 111 | +1. Select **Connect** then select **RDP**. |
| 112 | + |
| 113 | +1. Select **Download RDP File** and open the downloaded file. |
| 114 | + |
| 115 | +1. Select **Connect** and then enter the username and password that you created in the previous steps. Accept the certificate if prompted. |
| 116 | + |
| 117 | +## Register Insights provider |
| 118 | + |
| 119 | +NSG flow logging requires the **Microsoft.Insights** provider. To check its status, follow these steps: |
| 120 | + |
| 121 | +1. In the search box at the top of the portal, enter ***subscriptions***. Select **Subscriptions** from the search results. |
| 122 | + |
| 123 | +1. Select the Azure subscription that you want to enable the provider for in **Subscriptions**. |
| 124 | + |
| 125 | +1. Select **Resource providers** under **Settings** of your subscription. |
| 126 | + |
| 127 | +1. Enter ***insight*** in the filter box. |
| 128 | + |
| 129 | +1. Confirm the status of the provider displayed is **Registered**. If the status is **NotRegistered**, select the **Microsoft.Insights** provider then select **Register**. |
| 130 | + |
| 131 | + :::image type="content" source="./media/register-microsoft-insights.png" alt-text="Screenshot that shows how to register Microsoft Insights provider in the Azure portal." lightbox="./media/register-microsoft-insights.png"::: |
| 132 | + |
| 133 | +## Create a storage account |
| 134 | + |
| 135 | +In this section, you create a storage account to use it to store the flow logs. |
| 136 | + |
| 137 | +1. In the search box at the top of the portal, enter ***storage accounts***. Select **Storage accounts** from the search results. |
| 138 | + |
| 139 | +1. Select **+ Create**. In **Create a storage account**, enter or select the following values in the **Basics** tab: |
| 140 | + |
| 141 | + | Setting | Value | |
| 142 | + | --- | --- | |
| 143 | + | **Project details** | | |
| 144 | + | Subscription | Select your Azure subscription. | |
| 145 | + | Resource Group | Select **myResourceGroup**. | |
| 146 | + | **Instance details** | | |
| 147 | + | Storage account name | Enter a unique name. This tutorial uses **mynwstorageaccount**. | |
| 148 | + | Region | Select **(US) East US**. The storage account must be in the same region as the virtual machine and its network security group. | |
| 149 | + | Performance | Select **Standard**. NSG flow logs only support Standard-tier storage accounts. | |
| 150 | + | Redundancy | Select **Locally-redundant storage (LRS)** or different replication strategy that matches your durability requirements. | |
| 151 | + |
| 152 | +1. Select the **Review** tab or select the **Review** button at the bottom. |
| 153 | + |
| 154 | +1. Review the settings, and then select **Create**. |
| 155 | + |
| 156 | +## Create an NSG flow log |
| 157 | + |
| 158 | +In this section, you create an NSG flow log that's saved into the storage account created previously in the tutorial. |
| 159 | + |
| 160 | +1. In the search box at the top of the portal, enter ***network watcher***. Select **Network Watcher** from the search results. |
| 161 | + |
| 162 | +1. Under **Logs**, select **Flow logs**. |
| 163 | + |
| 164 | +1. In **Network Watcher | Flow logs**, select **+ Create** or **Create flow log** blue button. |
| 165 | + |
| 166 | + :::image type="content" source="./media/flow-logs.png" alt-text="Screenshot of Network Watcher flow logs in the Azure portal." lightbox="./media/flow-logs.png"::: |
| 167 | + |
| 168 | +1. Enter or select the following values in **Create a flow log**: |
| 169 | + |
| 170 | + | Setting | Value | |
| 171 | + | ------- | ----- | |
| 172 | + | **Project details** | | |
| 173 | + | Subscription | Select the Azure subscription of your network security group that you want to log. | |
| 174 | + | Network security group | Select **+ Select resource**. <br> In **Select network security group**, select **myVM-nsg**. Then, select **Confirm selection**. | |
| 175 | + | Flow Log Name | Leave the default of **myVM-nsg-myResourceGroup-flowlog**. | |
| 176 | + | **Instance details** | | |
| 177 | + | Subscription | Select the Azure subscription of your storage account. | |
| 178 | + | Storage Accounts | Select the storage account you created in the previous steps. This tutorial uses **mynwstorageaccount**. | |
| 179 | + | Retention (days) | Enter ***0*** to retain the flow logs data in the storage account forever (until you delete it from the storage account). To apply a retention policy, enter the retention time in days. For information about storage pricing, see [Azure Storage pricing](https://azure.microsoft.com/pricing/details/storage/). | |
| 180 | + |
| 181 | + :::image type="content" source="./media/nsg-flow-logs-tutorial/create-nsg-flow-log.png" alt-text="Screenshot of create NSG flow log page in the Azure portal."::: |
| 182 | + |
| 183 | + > [!NOTE] |
| 184 | + > The Azure portal creates NSG flow logs in the **NetworkWatcherRG** resource group. |
| 185 | +
|
| 186 | +1. Select **Review + create**. |
| 187 | + |
| 188 | +1. Review the settings, and then select **Create**. |
| 189 | + |
| 190 | +1. Once the deployment is complete, select **Go to resource** to confirm the flow log created and listed in the **Flow logs** page. |
| 191 | + |
| 192 | + :::image type="content" source="./media/nsg-flow-logs-tutorial/flow-logs-list.png" alt-text="Screenshot of Flow logs page in the Azure portal showing the newly created flow log." lightbox="./media/nsg-flow-logs-tutorial/flow-logs-list.png"::: |
| 193 | + |
| 194 | +1. Go back to your RDP session with **myVM** virtual machine. |
| 195 | + |
| 196 | +1. Open Microsoft Edge and go to `www.bing.com`. |
| 197 | + |
| 198 | +## Download the flow log |
| 199 | + |
| 200 | +In this section, you go to the storage account you previously selected and download the NSG flow log created in the previous section. |
| 201 | + |
| 202 | +1. In the search box at the top of the portal, enter ***storage accounts***. Select **Storage accounts** from the search results. |
| 203 | + |
| 204 | +2. Select **mynwstorageaccount** or the storage account you previously created and selected to store the logs. |
| 205 | + |
| 206 | +3. Under **Data storage**, select **Containers**. |
| 207 | + |
| 208 | +4. Select the **insights-logs-networksecuritygroupflowevent** container. |
| 209 | + |
| 210 | +5. In the container, navigate the folder hierarchy until you get to the `PT1H.json` file. NSG log files are written to a folder hierarchy that follows the following naming convention: |
| 211 | + |
| 212 | + ``` |
| 213 | + https://{storageAccountName}.blob.core.windows.net/insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/{subscriptionID}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{networSecurityGroupName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={acAddress}/PT1H.json |
| 214 | + ``` |
| 215 | +
|
| 216 | +6. Select the ellipsis **...** to the right of the PT1H.json file, then select **Download**. |
| 217 | +
|
| 218 | + :::image type="content" source="./media/nsg-flow-logs-tutorial/nsg-log-file.png" alt-text="Screenshot showing how to download nsg flow log from the storage account container in the Azure portal." lightbox="./media/nsg-flow-logs-tutorial/nsg-log-file.png"::: |
| 219 | +
|
| 220 | +> [!NOTE] |
| 221 | +> You can use Azure Storage Explorer to access and download flow logs from your storage account. Fore more information, see [Get started with Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md). |
| 222 | +
|
| 223 | +## View the flow log |
| 224 | +
|
| 225 | +Open the downloaded `PT1H.json` file using a text editor of your choice. The following example is a section taken from the downloaded `PT1H.json` file, which shows a flow processed by the rule **DefaultRule_AllowInternetOutBound**. |
| 226 | +
|
| 227 | +```json |
| 228 | +{ |
| 229 | + "time": "2023-02-26T23:45:44.1503927Z", |
| 230 | + "systemId": "00000000-0000-0000-0000-000000000000", |
| 231 | + "macAddress": "112233445566", |
| 232 | + "category": "NetworkSecurityGroupFlowEvent", |
| 233 | + "resourceId": "/SUBSCRIPTIONS/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/MYVM-NSG", |
| 234 | + "operationName": "NetworkSecurityGroupFlowEvents", |
| 235 | + "properties": { |
| 236 | + "Version": 2, |
| 237 | + "flows": [ |
| 238 | + { |
| 239 | + "rule": "DefaultRule_AllowInternetOutBound", |
| 240 | + "flows": [ |
| 241 | + { |
| 242 | + "mac": "112233445566", |
| 243 | + "flowTuples": [ |
| 244 | + "1677455097,10.0.0.4,13.107.21.200,49982,443,T,O,A,C,7,1158,12,8143" |
| 245 | + ] |
| 246 | + } |
| 247 | + ] |
| 248 | + } |
| 249 | + ] |
| 250 | + } |
| 251 | +} |
| 252 | +``` |
| 253 | + |
| 254 | +The comma-separated information for **flowTuples** is as follows: |
| 255 | + |
| 256 | +| Example data | What data represents | Explanation | |
| 257 | +| ------------ | -------------------- | ---------- | |
| 258 | +| 1677455097 | Time stamp | The time stamp of when the flow occurred in UNIX EPOCH format. In the previous example, the date converts to February 26, 2023 11:44:57 PM UTC/GMT. | |
| 259 | +| 10.0.0.4 | Source IP address | The source IP address that the flow originated from. 10.0.0.4 is the private IP address of the VM you previously created. |
| 260 | +| 13.107.21.200 | Destination IP address | The destination IP address that the flow was destined to. 13.107.21.200 is the IP address of `www.bing.com`. Since the traffic is destined outside Azure, the security rule **DefaultRule_AllowInternetOutBound** processed the flow. | |
| 261 | +| 49982 | Source port | The source port that the flow originated from. | |
| 262 | +| 443 | Destination port | The destination port that the flow was destined to. | |
| 263 | +| T | Protocol | The protocol of the flow. T: TCP. | |
| 264 | +| O | Direction | The direction of the flow. O: Outbound. | |
| 265 | +| A | Decision | The decision made by the security rule. A: Allowed. | |
| 266 | +| C | Flow State **Version 2 only** | The state of the flow. C: Continuing for an ongoing flow. | |
| 267 | +| 7 | Packets sent **Version 2 only** | The total number of TCP packets sent to destination since the last update. | |
| 268 | +| 1158 | Bytes sent **Version 2 only** | The total number of TCP packet bytes sent from source to destination since the last update. Packet bytes include the packet header and payload. | |
| 269 | +| 12 | Packets received **Version 2 only** | The total number of TCP packets received from destination since the last update. | |
| 270 | +| 8143 | Bytes received **Version 2 only** | The total number of TCP packet bytes received from destination since the last update. Packet bytes include packet header and payload.| |
| 271 | + |
| 272 | +## Clean up resources |
| 273 | + |
| 274 | +When no longer needed, delete **myResourceGroup** resource group and all of the resources it contains: |
| 275 | + |
| 276 | +1. In the search box at the top of the portal, enter ***myResourceGroup***. Select **myResourceGroup** from the search results. |
| 277 | + |
| 278 | +1. Select **Delete resource group**. |
| 279 | + |
| 280 | +1. In **Delete a resource group**, enter ***myResourceGroup***, and then select **Delete**. |
| 281 | + |
| 282 | +1. Select **Delete** to confirm the deletion of the resource group and all its resources. |
| 283 | + |
| 284 | +> [!NOTE] |
| 285 | +> The **myVM-nsg-myResourceGroup-flowlog** flow log is in the **NetworkWatcherRG** resource group, but it'll be deleted after deleting the **myVM-nsg** network security group (by deleting the **myResourceGroup** resource group). |
| 286 | +
|
| 287 | +## Related content |
| 288 | + |
| 289 | +- [Virtual network flow logs](vnet-flow-logs-overview.md) |
| 290 | +- [Create, change, enable, disable, or delete virtual network flow logs](nsg-flow-logs-manage.md) |
| 291 | +- [Traffic analytics overview](traffic-analytics.md) |
0 commit comments