Commit 517dfbe
Merge pull request #299912 from asudbring/us431473-flow-timeout
Added screenshot for portal to flow timeout section
2 parents 4a648f7 + 9fd7428 commit 517dfbe

3 files changed, +18 -3 lines changed

articles/network-watcher/nsg-flow-logs-overview.md

Lines changed: 14 additions & 3 deletions
@@ -448,12 +448,23 @@ Flows affected by non-default inbound rules become non-terminating. Additionally
448448

449449
You can resolve this difference by setting the `FlowTimeoutInMinutes` property on the associated virtual networks to a non-null value. You can achieve default stateful behavior by setting `FlowTimeoutInMinutes` to 4 minutes. For long-running connections where you don't want flows to disconnect from a service or destination, you can set `FlowTimeoutInMinutes` to a value of up to 30 minutes. Use [Set-AzVirtualNetwork](/powershell/module/az.network/set-azvirtualnetwork) to set `FlowTimeoutInMinutes` property:
450450

451+
451452
```azurepowershell-interactive
452-
$virtualNetwork = Get-AzVirtualNetwork -Name 'myVNet' -ResourceGroupName 'myResourceGroup'
453-
$virtualNetwork.FlowTimeoutInMinutes = 4
454-
$virtualNetwork | Set-AzVirtualNetwork
453+
$virtualNetwork = @{
454+
Name = 'myVNet'
455+
ResourceGroupName = 'myResourceGroup'
456+
}
457+
458+
$virtualNetworkConfig = Get-AzVirtualNetwork @virtualNetwork
459+
$virtualNetworkConfig.FlowTimeoutInMinutes = 4
460+
$virtualNetworkConfig | Set-AzVirtualNetwork
455461
```
456462

463+
Flow timeout can also be set using the Azure portal:
464+
465+
:::image type="content" source="./media/nsg-flow-logs-overview/virtual-network-flow-timeout-settings.png" alt-text="Screenshot showing the virtual network timeout settings in the Azure portal." lightbox="./media/nsg-flow-logs-overview/virtual-network-flow-timeout-settings.png":::
466+
467+
457468
### Inbound flows logged from internet IPs to VMs without public IPs
458469

459470
Virtual machines (VMs) that don't have a public IP address associated with the NIC as an instance-level public IP, or that are part of a basic load balancer back-end pool, use [default SNAT](../load-balancer/load-balancer-outbound-connections.md). Azure assigns an IP address to those VMs to facilitate outbound connectivity. As a result, you might see flow log entries for flows from internet IP addresses, if the flow is destined to a port in the range of ports that are assigned for SNAT.
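Review bot: The new portal sentence at line 463 ("Flow timeout can also be set using the Azure portal:") leaves the screenshot as the only instruction; please add the navigation path in prose (which virtual network blade and which setting to edit) so the step is usable without the image and is searchable. Two smaller points in the same hunk: the splatted hashtable at lines 453-456 reuses the name `$virtualNetwork`, which in the removed lines held the VNet object itself, so `$virtualNetwork = @{ ... }` followed by `$virtualNetworkConfig = Get-AzVirtualNetwork @virtualNetwork` is easy to misread; a name like `$vnetParams` for the hashtable would keep the object/parameter distinction clear. And lines 466-467 add two consecutive blank lines before the `### Inbound flows logged from internet IPs` heading; one is enough.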

articles/virtual-network/network-security-groups-overview.md

Lines changed: 4 additions & 0 deletions
@@ -101,6 +101,10 @@ For more information, see [Azure service tags](service-tags-overview.md). For an
101101

102102
Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses. To learn more, see [Application security groups](application-security-groups.md).
103103

104+
## Flow timeout
105+
106+
Flow timeout settings determine how long a flow record remains active before expiring. You can configure this setting using the Azure portal or through the command line. For more details, see [NSG flow logs overview](../network-watcher/nsg-flow-logs-overview.md?tabs=Americas#non-default-inbound-tcp-rules).
107+
104108
## Azure platform considerations
105109

106110
- **Virtual IP of the host node**: Basic infrastructure services like DHCP, DNS, IMDS, and health monitoring are provided through the virtualized host IP addresses 168.63.129.16 and 169.254.169.254. These IP addresses belong to Microsoft and are the only virtualized IP addresses used in all regions for this purpose. By default, these services aren't subject to the configured network security groups unless targeted by [service tags](service-tags-overview.md) specific to each service. To override this basic infrastructure communication, you can create a security rule to deny traffic by using the following service tags on your Network Security Group rules: AzurePlatformDNS, AzurePlatformIMDS, AzurePlatformLKM. Learn how to [diagnose network traffic filtering](diagnose-network-traffic-filter-problem.md) and [diagnose network routing](diagnose-network-routing-problem.md).
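Review bot: The cross-reference at line 106 carries a tab query string, `nsg-flow-logs-overview.md?tabs=Americas#non-default-inbound-tcp-rules`; a region tab is not needed to reach the flow timeout text and will break if the tab set changes, so link to `../network-watcher/nsg-flow-logs-overview.md#non-default-inbound-tcp-rules` directly. In the same sentence, "through the command line" is vaguer than what the target doc shows, which is `Set-AzVirtualNetwork` in Azure PowerShell; saying "Azure PowerShell" would set the right expectation. Consider also stating what expiry means for the reader of an NSG overview, since the linked section's point is that `FlowTimeoutInMinutes` is the idle timeout after which a flow is treated as terminated (4 minutes gives the default stateful behavior, up to 30 minutes for long-running connections).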
