Merge pull request #102337 from damendo/master

Adding ARM Support

Author: ttorble

articles/network-watcher/network-watcher-nsg-flow-logging-azure-resource-manager.md

@@ -0,0 +1,173 @@
+---
+title: Network Watcher - Create NSG flow logs using an Azure Resource Manager template
+description: Use an Azure Resource Manager template and PowerShell to easily set up NSG Flow Logs.
+services: network-watcher
+documentationcenter: na
+author: damendo
+manager: twooley
+editor:
+tags: azure-resource-manager
+
+ms.service: network-watcher
+ms.devlang: na
+ms.topic: article
+ms.tgt_pltfrm: na
+ms.workload:  infrastructure-services
+ms.date: 01/26/2020
+ms.author: damendo
+
+---
+
+# Configure NSG Flow Logs from an Azure Resource Manager template
+
+> [!div class="op_single_selector"]
+> - [Azure portal](network-watcher-nsg-flow-logging-portal.md)
+> - [PowerShell](network-watcher-nsg-flow-logging-powershell.md)
+> - [Azure CLI](network-watcher-nsg-flow-logging-cli.md)
+> - [REST API](network-watcher-nsg-flow-logging-rest.md)
+> - [Azure Resource Manager](network-watcher-nsg-flow-logging-azure-resource-manager.md)
+
+
+[Azure Resource Manager](https://azure.microsoft.com/features/resource-manager/) is Azure’s native and powerful way to manage your [infrastructure as code](https://docs.microsoft.com/azure/devops/learn/what-is-infrastructure-as-code).
+
+This article shows how you to enable [NSG Flow Logs](https://docs.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-overview) programmatically using an Azure Resource Manager template and Azure PowerShell. We start by providing an overview of the properties of the NSG Flow Log object, followed by a few sample templates. Then we the deploy template using a local PowerShell instance.
+
+
+## NSG Flow Logs object
+
+The NSG Flow Logs object with all with parameters is show below.
+For a complete overview of the properties, you may read the [NSG Flow Logs template reference](https://docs.microsoft.com/azure/templates/microsoft.network/2019-11-01/networkwatchers/flowlogs#RetentionPolicyParameters).
+
+```json
+{
+  "name": "string",
+  "type": "Microsoft.Network/networkWatchers/flowLogs",
+  "location": "string",
+  "apiVersion": "2019-09-01",
+  "properties": {
+    "targetResourceId": "string",
+    "storageId": "string",
+    "enabled": "boolean",
+    "flowAnalyticsConfiguration": {
+      "networkWatcherFlowAnalyticsConfiguration": {
+         "enabled": "boolean",
+         "workspaceResourceId": "string",
+          "trafficAnalyticsInterval": "integer"
+        },
+        "retentionPolicy": {
+           "days": "integer",
+           "enabled": "boolean"
+         },
+        "format": {
+           "type": "string",
+           "version": "integer"
+         }
+      }
+    }
+  }
+```
+To create a Microsoft.Network/networkWatchers/flowLogs resource, add the above JSON to the resources section of your template.
+
+
+## Creating your template
+
+If you are using Azure Resource Manager templates for this time, you can learn more about them the links below.
+
+* [Deploy resources with Resource Manager templates and Azure PowerShell](https://docs.microsoft.com/azure/azure-resource-manager/templates/deploy-powershell#deploy-local-template)
+* [Tutorial: Create and deploy your first Azure Resource Manager template](https://docs.microsoft.com/azure/azure-resource-manager/templates/template-tutorial-create-first-template?tabs=azure-powershell)
+
+
+Below are two examples of complete templates to set up NSG Flow Logs.
+
+Example 1:  The simplest version of the above with minimum parameters passed. The below template enables NSG Flow Logs on a target NSG and stores them in a given storage account.
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "apiProfile": "2019-09-01",
+  "resources": [
+ {
+    "name": "NetworkWatcher_centraluseuap/Microsoft.NetworkDalanDemoPerimeterNSG",
+    "type": "Microsoft.Network/networkWatchers/FlowLogs/",
+    "location": "centraluseuap",
+    "apiVersion": "2019-09-01",
+    "properties": {
+      "targetResourceId": "/subscriptions/56abfbd6-ec72-4ce9-831f-bc2b6f2c5505/resourceGroups/DalanDemo/providers/Microsoft.Network/networkSecurityGroups/PerimeterNSG",
+      "storageId": "/subscriptions/56abfbd6-ec72-4ce9-831f-bc2b6f2c5505/resourceGroups/MyCanaryFlowLog/providers/Microsoft.Storage/storageAccounts/storagev2ira",
+      "enabled": true,
+      "flowAnalyticsConfiguration": {},
+      "retentionPolicy": {},
+      "format": {}
+    }
+
+  }
+  ]
+}
+```
+
+> [!NOTE]
+> * The name of resource has the format "Parent Resource>/Child resource". Here, the parent resource is the regional Network Watcher instance (Format: NetworkWatcher_<RegionName>. Example: NetworkWatcher_centraluseuap)
+> * targetResourceId is the resource ID of the target NSG
+> * storageId is the resource ID of the destination storage account
+
+Example 2: The following templates enabling NSG Flow Logs (version 2) with a retention for 5 days. Enabling Traffic Analytics with a processing interval of 10 minutes.
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "apiProfile": "2019-09-01",
+  "resources": [
+ {
+    "name": "NetworkWatcher_centraluseuap/Microsoft.NetworkDalanDemoPerimeterNSG",
+    "type": "Microsoft.Network/networkWatchers/FlowLogs/",
+    "location": "centraluseuap",
+    "apiVersion": "2019-09-01",
+    "properties": {
+      "targetResourceId": "/subscriptions/56abfbd6-ec72-4ce9-831f-bc2b6f2c5505/resourceGroups/DalanDemo/providers/Microsoft.Network/networkSecurityGroups/PerimeterNSG",
+      "storageId": "/subscriptions/56abfbd6-ec72-4ce9-831f-bc2b6f2c5505/resourceGroups/MyCanaryFlowLog/providers/Microsoft.Storage/storageAccounts/storagev2ira",
+      "enabled": true,
+      "flowAnalyticsConfiguration": {
+		    "enabled": true,
+        "workspaceResourceId": "91a3d1e9-698e-4a49-96dc-f6fc585ae888",
+        "trafficAnalyticsInterval": 10
+	  },
+      "retentionPolicy": {
+        "days": 5,
+        "enabled": true
+      },
+      "format": {
+        "type": "JSON",
+        "version": 1
+      }
+    }
+
+  }
+  ]
+}
+```
+
+## Deploying your Azure Resource Manager template
+
+This tutorial assumes you have an existing Resource group and an NSG you can enable Flow logging on.
+You can save any of the above example templates locally as `azuredeploy.json`. Update the property values so that they point to valid resources in your subscription.
+
+To deploy the template, run the following command in PowerShell.
+```azurepowershell
+New-AzResourceGroupDeployment -Name EnableFlowLog -ResourceGroupName NetworkWatcherRG `
+    -TemplateFile "C:\MyTemplates\azuredeploy.json"
+```
+
+
+## Verifying your deployment
+
+There are a couple of ways to check if your deployment has Succeeded. Your PowerShell console should show "ProvisioningState" as "Succeeded". Additionally, you can visit the [NSG Flow Logs portal page](https://ms.portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/flowLogs) to confirm your changes. If there were issues with the deployment, take a look at [Troubleshoot common Azure deployment errors with Azure Resource Manager](https://docs.microsoft.com/azure/azure-resource-manager/templates/common-deployment-errors) article.
+
+
+## Next steps
+
+Learn how to visualize your NSG Flow data using:
+* [Microsoft Power BI](network-watcher-visualize-nsg-flow-logs-power-bi.md)
+* [Open source tools](network-watcher-visualize-nsg-flow-logs-open-source-tools.md)
+* [Azure Traffic Analytics](https://docs.microsoft.com/azure/network-watcher/traffic-analytics)

articles/network-watcher/network-watcher-nsg-flow-logging-portal.md

@@ -1,7 +1,6 @@
 ---
-title: 'Tutorial - Log network traffic flow to and from a VM using the Azure portal'
-titleSuffix: Azure Network Watcher
-description: In this tutorial, learn how to log network traffic flow to and from a VM using Network Watcher's NSG flow logs capability.
+title: Log network traffic flow to and from a VM - tutorial - Azure portal | Microsoft Docs
+description: Learn how to log network traffic flow to and from a VM using Network Watcher's NSG flow logs capability.
 services: network-watcher
 documentationcenter: na
 author: KumudD
@@ -24,6 +23,13 @@ ms.custom: mvc
 
 # Tutorial: Log network traffic to and from a virtual machine using the Azure portal
 
+> [!div class="op_single_selector"]
+> - [Azure portal](network-watcher-nsg-flow-logging-portal.md)
+> - [PowerShell](network-watcher-nsg-flow-logging-powershell.md)
+> - [Azure CLI](network-watcher-nsg-flow-logging-cli.md)
+> - [REST API](network-watcher-nsg-flow-logging-rest.md)
+> - [Azure Resource Manager](network-watcher-nsg-flow-logging-azure-resource-manager.md)
+
 A network security group (NSG) enables you to filter inbound traffic to, and outbound traffic from, a virtual machine (VM). You can log network traffic that flows through an NSG with Network Watcher's NSG flow log capability. In this tutorial, you learn how to:
 
 > [!div class="checklist"]
@@ -90,7 +96,10 @@ NSG flow logging requires the **Microsoft.Insights** provider. To register the p
     | Location       | Select **East US**                                           |
     | Resource group | Select **Use existing**, and then select **myResourceGroup** |
 
-    The storage account must be in the same region as the NSG. The storage account may take around minute to create. Don't continue with remaining steps until the storage account is created.     
+    The storage account may take around minute to create. Don't continue with remaining steps until the storage account is created. If you use an existing storage account instead of creating one, ensure you select a storage account that has **All networks** (default) selected for **Firewalls and virtual networks**, under the **SETTINGS** for the storage account. In all cases, the storage account must be in the same region as the NSG.
+
+    > [!NOTE]
+    > While Microsoft.Insight and Microsoft.Network providers are currently supported as trusted Microsoft Services for Azure Storage, NSG Flow logs is still not fully onboarded. To enable NSG Flow logging, **All Networks** must still be selected until this feature is fully onboarded. 
 4. In the top, left corner of portal, select **All services**. In the **Filter** box, type *Network Watcher*. When **Network Watcher** appears in the search results, select it.
 5. Under **LOGS**, select **NSG flow logs**, as shown in the following picture:
 
@@ -104,8 +113,9 @@ NSG flow logging requires the **Microsoft.Insights** provider. To register the p
 
 9. Select the storage account that you created in step 3.
    > [!NOTE]
-   > NSG Flow Logs will not work with a storage account if:
-   > * The storage account has a [hierarchical namespace](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-namespace) enabled.
+   > NSG Flow Logs do not work with storage accounts if:
+   > * The storage accounts have a firewall enabled.
+   > * The storage accounts have [hierarchical namespace](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-namespace) enabled.
 1. In the top, left corner of portal, select **All services**. In the **Filter** box, type *Network Watcher*. When **Network Watcher** appears in the search results, select it.
 10. Set **Retention (days)** to 5, and then select **Save**.
 
@@ -117,7 +127,7 @@ NSG flow logging requires the **Microsoft.Insights** provider. To register the p
    ![Download flow logs](./media/network-watcher-nsg-flow-logging-portal/download-flow-logs.png)
 
 3. Select the storage account that you configured in step 2 of [Enable NSG flow log](#enable-nsg-flow-log).
-4. Under **Blob service**, select **Containers**, and then select the **insights-logs-networksecuritygroupflowevent** container.
+4. Under **Blob service**, select **Blobs**, and then select the **insights-logs-networksecuritygroupflowevent** container.
 5. In the container, navigate the folder hierarchy until you get to a PT1H.json file, as shown in the picture that follows. Log files are written to a folder hierarchy that follows the following naming convention:
    https://{storageAccountName}.blob.core.windows.net/insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/{subscriptionID}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{nsgName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json
 
@@ -218,4 +228,4 @@ The value for **mac** in the previous output is the MAC address of the network i
 
 ## Next steps
 
-In this tutorial, you learned how to enable NSG flow logging for an NSG. You also learned how to download and view data logged in a file. The raw data in the json file can be difficult to interpret. To visualize the data, you can use Network Watcher [traffic analytics](traffic-analytics.md), Microsoft [PowerBI](network-watcher-visualize-nsg-flow-logs-power-bi.md), and other tools.
+In this tutorial, you learned how to enable NSG flow logging for an NSG. You also learned how to download and view data logged in a file. The raw data in the json file can be difficult to interpret. To visualize Flow Logs data, you can use [Azure Traffic Analytics](traffic-analytics.md), [Microsoft Power BI](network-watcher-visualize-nsg-flow-logs-power-bi.md), and other tools. You can try alternate methods of enabling NSG Flow Logs like [PowerShell](network-watcher-nsg-flow-logging-powershell.md), [Azure CLI](network-watcher-nsg-flow-logging-cli.md), [REST API](network-watcher-nsg-flow-logging-rest.md) and [ARM templates](network-watcher-nsg-flow-logging-azure-resource-manager.md).

articles/network-watcher/toc.yml

@@ -101,6 +101,8 @@
         href: network-watcher-nsg-flow-logging-cli.md
       - name: REST
         href: network-watcher-nsg-flow-logging-rest.md
+      - name: Azure Resoure Manager
+        href: network-watcher-nsg-flow-logging-azure-resource-manager.md
     - name: Delete NSG flow log storage blobs
       href: network-watcher-delete-nsg-flow-log-blobs.md
     - name: Analyze NSG flow logs