Merge pull request #303909 from halkazwini/nw-flowlogs

VNet flow logs tutorial

Author: AnnaMHuff

articles/network-watcher/media/register-microsoft-insights.png

@@ -133,6 +133,8 @@
     items:
     - name: Overview
       href: vnet-flow-logs-overview.md
+    - name: Log network traffic
+      href: vnet-flow-logs-tutorial.md
     - name: Manage VNet flow logs
       href: vnet-flow-logs-manage.md
     - name: Audit and deploy using Azure Policy

articles/network-watcher/media/vnet-flow-logs-tutorial/create-vnet-flow-log.png

@@ -7,10 +7,8 @@ ms.author: halkazwini
 ms.service: azure-network-watcher
 ms.topic: concept-article
 ms.date: 05/19/2025
+ms.custom: build-2025
 
-#CustomerIntent: As an Azure administrator, I want to learn about virtual network flow logs so that I can log my network traffic to analyze and optimize network performance.
-ms.custom:
-  - build-2025
 # Customer intent: As an Azure administrator, I want to implement virtual network flow logs so that I can effectively monitor network traffic, optimize performance, and ensure compliance within my virtual network.
 ---
 
@@ -273,6 +271,6 @@ The following tables list the supported regions where you can enable virtual net
 
 ## Related content
 
-- To learn how to create, change, enable, disable, or delete virtual network flow logs, see the [Manage virtual network flow logs](vnet-flow-logs-manage.md).
-- To learn how to use Azure built-in policies to audit or deploy virtual network flow logs, see [Manage virtual network flow logs using Azure Policy](traffic-analytics-policy-portal.md).
-- To learn about traffic analytics, see [Traffic analytics overview](traffic-analytics.md) and [Schema and data aggregation in Azure Network Watcher traffic analytics](traffic-analytics-schema.md).
+- [Tutorial: Log network traffic to and from a virtual network using the Azure portal](vnet-flow-logs-tutorial.md)
+- [Create, change, enable, disable, or delete virtual network flow logs](vnet-flow-logs-manage.md)
+- [Traffic analytics overview](traffic-analytics.md)

articles/network-watcher/media/vnet-flow-logs-tutorial/flow-log-file.png

@@ -0,0 +1,293 @@
+---
+title: 'Tutorial: Log network traffic'
+titleSuffix: Azure Network Watcher
+description: In this tutorial, you learn how to log network traffic flow to and from a virtual network (VNet) using Network Watcher virtual network flow logs.
+author: halkazwini
+ms.author: halkazwini
+ms.service: azure-network-watcher
+ms.topic: tutorial
+ms.date: 08/06/2025
+
+# CustomerIntent: As an Azure administrator, I need to log the network traffic to and from a virtual network so I can analyze the data for anomalies.
+---
+
+# Tutorial: Log network traffic to and from a virtual network using the Azure portal
+
+Virtual network flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through an Azure virtual network. For more information about virtual network flow logging, see [Virtual network flow logs](vnet-flow-logs-overview.md).
+
+This tutorial helps you use VNet flow logs to log a virtual machine's network traffic that flows through the virtual network.
+
+:::image type="content" source="./media/vnet-flow-logs-tutorial/flow-logs-tutorial-diagram.png" alt-text="Diagram shows the resources created during the tutorial.":::
+
+In this tutorial, you learn how to:
+
+> [!div class="checklist"]
+> - Create a virtual network
+> - Create a virtual machine
+> - Register Microsoft.insights provider
+> - Enable flow logging for a virtual network using Network Watcher flow logs
+> - Download logged data
+> - View logged data
+
+## Prerequisites
+
+- An Azure account with an active subscription. If you don't have one, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+
+## Create a virtual network
+
+In this section, you create **myVNet** virtual network with one subnet for the virtual machine.
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+1. In the search box at the top of the portal, enter ***virtual networks***. Select **Virtual networks** from the search results.
+
+    :::image type="content" source="./media/virtual-networks-portal-search.png" alt-text="Screenshot that shows how to search for virtual networks in the Azure portal." lightbox="./media/virtual-networks-portal-search.png":::
+
+1. Select **+ Create**. In **Create virtual network**, enter or select the following values in the **Basics** tab:
+
+    | Setting | Value |
+    | --- | --- |
+    | **Project details** |  |
+    | Subscription | Select your Azure subscription. |
+    | Resource Group | Select **Create new**. </br> Enter ***myResourceGroup*** in **Name**. </br> Select **OK**. |
+    | **Instance details** |  |
+    | Name | Enter ***myVNet***. |
+    | Region | Select **(US) East US**. |
+
+1. Select **Review + create**.
+
+1. Review the settings, and then select **Create**. 
+
+## Create a virtual machine
+
+In this section, you create **myVM** virtual machine.
+
+1. In the search box at the top of the portal, enter ***virtual machines***. Select **Virtual machines** from the search results.
+
+1. Select **+ Create** and then select **Virtual machine**.
+
+1. In **Create a virtual machine**, enter or select the following values in the **Basics** tab:
+
+    | Setting | Value |
+    | --- | --- |
+    | **Project Details** |  |
+    | Subscription | Select your Azure subscription. |
+    | Resource Group | Select **myResourceGroup**. |
+    | **Instance details** |  |
+    | Virtual machine name | Enter ***myVM***. |
+    | Region | Select **(US) East US**. |
+    | Availability Options | Select **No infrastructure redundancy required**. |
+    | Security type | Select **Standard**. |
+    | Image | Select the image that you prefer. This tutorial uses **Windows Server 2022 Datacenter: Azure Edition - x64 Gen2**. |
+    | Size | Choose a VM size or leave the default setting. |
+    | **Administrator account** |  |
+    | Username | Enter a username. |
+    | Password | Enter a password. |
+    | Confirm password | Reenter password. |
+
+1. Select the **Networking** tab, or select **Next: Disks**, then **Next: Networking**.
+
+1. In the Networking tab, select the following values:
+
+    | Setting | Value |
+    | --- | --- |
+    | **Network interface** |  |
+    | Virtual network | Select **myVNet**. |
+    | Subnet | Select **mySubnet**. |
+    | Public IP | Select **(new) myVM-ip**. |
+    | NIC network security group | Select **Basic**. |
+    | Public inbound ports | Select **Allow selected ports**. |
+    | Select inbound ports | Select **RDP (3389)**. |
+
+    > [!CAUTION]
+    > Leaving the RDP port open to the internet is only recommended for testing. For production environments, it's recommended to restrict access to the RDP port to a specific IP address or range of IP addresses. You can also block internet access to the RDP port and use [Azure Bastion](../bastion/bastion-overview.md) to securely connect to your virtual machine from the Azure portal. 
+
+1. Select **Review + create**.
+
+1. Review the settings, and then select **Create**. 
+
+1. Once the deployment is complete, select **Go to resource** to go to the **Overview** page of **myVM**.  
+
+1. Select **Connect** then select **RDP**.
+
+1. Select **Download RDP File** and open the downloaded file.
+
+1. Select **Connect** and then enter the username and password that you created in the previous steps. Accept the certificate if prompted.
+
+## Register Insights provider
+
+Flow logging requires the **Microsoft.Insights** provider. To check its status, follow these steps:
+
+1. In the search box at the top of the portal, enter ***subscriptions***. Select **Subscriptions** from the search results.
+
+1. Select the Azure subscription that you want to enable the provider for in **Subscriptions**.
+
+1. Under **Settings**, select **Resource providers**.
+
+1. Enter ***insight*** in the filter box.
+
+1. Confirm the status of the provider displayed is **Registered**. If the status is **NotRegistered**, select the **Microsoft.Insights** provider then select **Register**.
+
+    :::image type="content" source="./media/register-microsoft-insights.png" alt-text="Screenshot that shows how to register Microsoft Insights provider in the Azure portal." lightbox="./media/register-microsoft-insights.png":::
+
+## Create a storage account
+
+In this section, you create a storage account to use it to store the flow logs.
+
+1. In the search box at the top of the portal, enter ***storage accounts***. Select **Storage accounts** from the search results.
+
+1. Select **+ Create**. In **Create a storage account**, enter or select the following values in the **Basics** tab:
+
+    | Setting | Value |
+    | --- | --- |
+    | **Project details** |  |
+    | Subscription | Select your Azure subscription. |
+    | Resource Group | Select **myResourceGroup**. |
+    | **Instance details** |  |
+    | Storage account name | Enter a unique name. This tutorial uses **nwteststorageaccount**. |
+    | Region | Select **(US) East US**. The storage account must be in the same region as the virtual machine and its network security group. |
+    | Primary service | Select **Azure Blob Storage or Azure Data Lake Storage Gen 2**. |
+    | Performance | Select **Standard**. Flow logs only support Standard-tier storage accounts. |
+    | Redundancy | Select the redundancy you prefer. This tutorial uses **Locally-redundant storage (LRS)**. |
+
+1. Select the **Review** tab or select the **Review** button at the bottom.
+
+1. Review the settings, and then select **Create**.
+
+## Create a flow log
+
+In this section, you create a virtual network flow log that's saved into the storage account created previously in the tutorial.
+
+1. In the search box at the top of the portal, enter ***network watcher***. Select **Network Watcher** from the search results.
+
+1. Under **Logs**, select **Flow logs**.
+
+1. In **Network Watcher | Flow logs**, select **+ Create** or **Create flow log** blue button.
+
+    :::image type="content" source="./media/flow-logs.png" alt-text="Screenshot of Network Watcher flow logs in the Azure portal." lightbox="./media/flow-logs.png":::
+
+1. Enter or select the following values in **Create a flow log**:
+
+    | Setting | Value |
+    | ------- | ----- |
+    | **Project details** |   |
+    | Subscription | Select the Azure subscription of your network security group that you want to log. |
+    | Flow log type | Select **Virtual network**. |
+    | Virtual Network | Select **+ Select target resource**. <br> In **Select virtual network**, select **myVNet**. Then, select **Confirm selection**. |
+    | Flow Log Name | Leave the default of **myVNet-myresourcegroup-flowlog**. |
+    | **Instance details** |   |
+    | Subscription | Select the Azure subscription of your storage account. |
+    | Storage accounts | Select the storage account you created in the previous steps. |
+    | Retention (days) | Enter ***10*** to retain the flow logs data in the storage account for 10 days. To keep the flow logs data in the storage account forever (until you delete it), enter ***0***. For information about storage pricing, see [Azure Storage pricing](https://azure.microsoft.com/pricing/details/storage/). |
+
+    :::image type="content" source="./media/vnet-flow-logs-tutorial/create-vnet-flow-log.png" alt-text="Screenshot of create a flow log page in the Azure portal."  lightbox="./media/vnet-flow-logs-tutorial/create-vnet-flow-log.png":::
+
+    > [!NOTE]
+    > The Azure portal creates virtual network flow logs in the **NetworkWatcherRG** resource group.
+
+1. Select **Review + create**.
+
+1. Review the settings, and then select **Create**.
+
+1. Once the deployment is complete, select **Go to resource** to confirm the flow log created and listed in the **Flow logs** page.
+
+    :::image type="content" source="./media/vnet-flow-logs-tutorial/flow-logs-list.png" alt-text="Screenshot of Flow logs page in the Azure portal showing the newly created flow log." lightbox="./media/vnet-flow-logs-tutorial/flow-logs-list.png":::
+
+1. Go back to your RDP session with **myVM** virtual machine.
+
+1. Open Microsoft Edge and go to `www.bing.com`.
+
+## Download the flow log
+
+In this section, you go to the storage account you previously selected and download the flow log created in the previous section.
+
+1. In the search box at the top of the portal, enter ***storage accounts***. Select **Storage accounts** from the search results.
+
+2. Select **nwteststorageaccount** or the storage account you previously created and selected to store the logs.
+
+3. Under **Data storage**, select **Containers**.
+
+4. Select the **insights-logs-flowlogflowevent** container.
+
+5. In the container, navigate the folder hierarchy until you get to the `PT1H.json` file that you want to download. Virtual network flow log files follow the following path::
+
+    ```
+    https://{storageAccountName}.blob.core.windows.net/insights-logs-flowlogflowevent/flowLogResourceID=/{subscriptionID}_NETWORKWATCHERRG/NETWORKWATCHER_{Region}_{ResourceName}-{ResourceGroupName}-FLOWLOGS/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json
+    ```
+
+6. Select the ellipsis **...** to the right of the PT1H.json file, then select **Download**.
+
+   :::image type="content" source="./media/vnet-flow-logs-tutorial/flow-log-file.png" alt-text="Screenshot showing how to download virtual network flow log data from the storage account in the Azure portal." lightbox="./media/vnet-flow-logs-tutorial/flow-log-file.png":::
+
+> [!NOTE]
+> You can use Azure Storage Explorer to access and download flow logs from your storage account. For more information, see [Get started with Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md).
+
+## View the flow log
+
+Open the downloaded `PT1H.json` file using a text editor of your choice. The following example is a section taken from the downloaded `PT1H.json` file, which shows a flow processed by the rule **DefaultRule_AllowInternetOutBound**.
+
+```json
+{
+    "time": "2025-08-06T20:39:33.3186341Z",
+    "flowLogGUID": "00000000-0000-0000-0000-000000000000",
+    "macAddress": "6045BDD6DD48",
+    "category": "FlowLogFlowEvent",
+    "resourceId": "/SUBSCRIPTIONS/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e//RESOURCEGROUPS/NETWORKWATCHERRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKWATCHERS/NETWORKWATCHER_EASTUS/FLOWLOGS/MYVNET-MYRESOURCEGROUP-FLOWLOG",
+	"flowLogVersion": 4,
+    "operationName": "FlowLogFlowEvent",
+    "flowRecords": {
+        "flows": [
+            {
+				"aclID": "00000000-0000-0000-0000-000000000000",
+				"flowGroups": [
+					{
+                        "rule": "DefaultRule_AllowInternetOutBound",
+                        "flowTuples": [
+                            "1754512773,10.0.0.4,13.107.21.200,49982,443,6,O,C,NX,7,1158,12,8143"                            
+                        ]
+                    }
+                ]
+            }
+        ]
+    }
+}
+```
+
+The comma-separated information for **flowTuples** is as follows:
+
+| Example data | What data represents | Explanation |
+| ------------ | -------------------- | ----------  |
+| 1754512773 | Time stamp | The time stamp of when the flow occurred in UNIX EPOCH format. In the previous example, the date converts to August 06, 2025 08:39:33 PM UTC/GMT. |
+| 10.0.0.4 | Source IP address | The source IP address that the flow originated from. 10.0.0.4 is the private IP address of the VM you previously created.
+| 13.107.21.200 | Destination IP address | The destination IP address that the flow was destined to. 13.107.21.200 is the IP address of `www.bing.com`. Since the traffic is destined outside Azure, the security rule **DefaultRule_AllowInternetOutBound** processed the flow. |
+| 49982 | Source port | The source port that the flow originated from. |
+| 443 | Destination port | The destination port that the flow was destined to. |
+| 6 | Protocol | The layer 4 protocol of the flow in IANA assigned values: 6: TCP. |
+| O | Direction | The direction of the flow. O: Outbound. |
+| C | Flow state | The state of the flow. C: Continuing for an ongoing flow. |
+| NX | Flow encryption | The connection is unencrypted. |
+| 7 | Packets sent | The total number of TCP packets sent to destination since the last update. |
+| 1158 | Bytes sent | The total number of TCP packet bytes sent from source to destination since the last update. Packet bytes include the packet header and payload. |
+| 12 | Packets received | The total number of TCP packets received from destination since the last update. |
+| 8143 | Bytes received | The total number of TCP packet bytes received from destination since the last update. Packet bytes include packet header and payload.|
+
+## Clean up resources
+
+When no longer needed, delete **myResourceGroup** resource group and all of the resources it contains:
+
+1. In the search box at the top of the portal, enter ***myResourceGroup***. Select **myResourceGroup** from the search results.
+
+1. Select **Delete resource group**.
+
+1. In **Delete a resource group**, enter ***myResourceGroup***, and then select **Delete**.
+
+1. Select **Delete** to confirm the deletion of the resource group and all its resources.
+
+> [!NOTE]
+> The **NetworkWatcher_eastus/myVNet-myresourcegroup-flowlog** resource is in the **NetworkWatcherRG** resource group, but it'll be deleted after deleting the **myVNet** virtual network (by deleting the **myResourceGroup** resource group).
+
+## Related content
+
+- [Virtual network flow logs](vnet-flow-logs-overview.md)
+- [Create, change, enable, disable, or delete virtual network flow logs](vnet-flow-logs-manage.md)
+- [Traffic analytics overview](traffic-analytics.md)