Merge pull request #209371 from mumian/0826-bicep-watcher

[network watcher] - new Bicep quickstart

Author: v-dirichards

articles/network-watcher/quickstart-configure-network-security-group-flow-logs-from-arm-template.md

@@ -1,10 +1,10 @@
 ---
-title: 'Quickstart: Configure network security group flow logs by using an Azure Resource Manager template (ARM template)'
+title: 'Quickstart: Configure Network Watcher network security group flow logs by using an Azure Resource Manager template (ARM template)'
 description: Learn how to enable network security group (NSG) flow logs programmatically by using an Azure Resource Manager template (ARM template) and Azure PowerShell.
 services: network-watcher
 author: damendo
 ms.author: damendo
-ms.date: 01/07/2021
+ms.date: 09/01/2022
 ms.topic: quickstart
 ms.service: network-watcher
 ms.custom: devx-track-azurepowershell, subject-armqs, mode-arm
@@ -31,91 +31,15 @@ If you don't have an Azure subscription, create a [free account](https://azure.m
 
 The template that we use in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/networkwatcher-flowlogs-create/).
 
-:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.network/networkwatcher-flowLogs-create/azuredeploy.json":::
+:::code language="json" source="~/quickstart-templates/quickstarts/microsoft.network/networkwatcher-flowLogs-create/azuredeploy.json" range="1-117" highlight="94-115":::
 
 These resources are defined in the template:
 
-- [Microsoft.Storage/storageAccounts](/azure/templates/microsoft.storage/storageaccounts)
-- [Microsoft.Resources/deployments](/azure/templates/microsoft.resources/deployments)
-
-## NSG flow logs object
-
-The following code shows an NSG flow logs object and its parameters. To create a `Microsoft.Network/networkWatchers/flowLogs` resource, add this code to the resources section of your template:
-
-```json
-{
-  "name": "string",
-  "type": "Microsoft.Network/networkWatchers/flowLogs",
-  "location": "string",
-  "apiVersion": "2019-09-01",
-  "properties": {
-    "targetResourceId": "string",
-    "storageId": "string",
-    "enabled": "boolean",
-    "flowAnalyticsConfiguration": {
-      "networkWatcherFlowAnalyticsConfiguration": {
-        "enabled": "boolean",
-        "workspaceResourceId": "string",
-        "trafficAnalyticsInterval": "integer"
-      },
-      "retentionPolicy": {
-        "days": "integer",
-        "enabled": "boolean"
-      },
-      "format": {
-        "type": "string",
-        "version": "integer"
-      }
-    }
-  }
-}
-```
-
-For a complete overview of the NSG flow logs object properties, see [Microsoft.Network networkWatchers/flowLogs](/azure/templates/microsoft.network/networkwatchers/flowlogs).
-
-## Create your template
-
-If you're using ARM templates for the first time, see the following articles to learn more about ARM templates:
-
-- [Deploy resources with ARM templates and Azure PowerShell](../azure-resource-manager/templates/deploy-powershell.md#deploy-local-template)
-- [Tutorial: Create and deploy your first ARM template](../azure-resource-manager/templates/template-tutorial-create-first-template.md)
-
-The following example is a complete template. It's also the simplest version of the template. The example contains the minimum parameters that are passed to set up NSG flow logs. For more examples, see the overview article [Configure NSG flow logs from an Azure Resource Manager template](network-watcher-nsg-flow-logging-azure-resource-manager.md).
-
-### Example
-
-The following template enables flow logs for an NSG, and then stores the logs in a specific storage account:
-
-```json
-{
-  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-  "contentVersion": "1.0.0.0",
-  "apiProfile": "2019-09-01",
-  "resources": [
-    {
-      "name": "NetworkWatcher_centraluseuap/Microsoft.NetworkDalanDemoPerimeterNSG",
-      "type": "Microsoft.Network/networkWatchers/FlowLogs/",
-      "location": "centraluseuap",
-      "apiVersion": "2019-09-01",
-      "properties": {
-        "targetResourceId": "/subscriptions/<subscription Id>/resourceGroups/DalanDemo/providers/Microsoft.Network/networkSecurityGroups/PerimeterNSG",
-        "storageId": "/subscriptions/<subscription Id>/resourceGroups/MyCanaryFlowLog/providers/Microsoft.Storage/storageAccounts/storagev2ira",
-        "enabled": true,
-        "flowAnalyticsConfiguration": {},
-        "retentionPolicy": {},
-        "format": {}
-      }
-    }
-  ]
-}
-```
+- [Microsoft.Storage/storageAccounts](/azure/templates/microsoft.storage/storageaccounts?pivots=deployment-language-arm-template)
+- [Microsoft.Network networkWatchers](/azure/templates/microsoft.network/networkwatchers?tabs=bicep&pivots=deployment-language-arm-template)
+- [Microsoft.Network networkWatchers/flowLogs](/azure/templates/microsoft.network/networkwatchers/flowlogs?tabs=bicep&pivots=deployment-language-arm-template)
 
-> [!NOTE]
-> - The resource name uses the format _ParentResource_ChildResource_. In our example, the parent resource is the regional Azure Network Watcher instance:
->    - **Format**: NetworkWatcher_RegionName
->    - **Example**: NetworkWatcher_centraluseuap
-> - `targetResourceId` is the resource ID of the target NSG.
-> - `storageId` is the resource ID of the destination storage account.
+The highlighted code in the preceding sample shows an NSG flow logs resource definition.
 
 ## Deploy the template
 

articles/network-watcher/quickstart-configure-network-security-group-flow-logs-from-bicep.md

@@ -0,0 +1,99 @@
+---
+title: 'Quickstart: Configure Network Watcher network security group flow logs by using a Bicep file'
+description: Learn how to enable network security group (NSG) flow logs programmatically by using Bicep and Azure PowerShell.
+services: network-watcher
+author: damendo
+ms.author: damendo
+ms.date: 08/26/2022
+ms.topic: quickstart
+ms.service: network-watcher
+ms.custom: devx-track-azurepowershell, subject-bicepqs, mode-arm
+#Customer intent: I need to enable the network security group flow logs by using a Bicep file.
+---
+
+# Quickstart: Configure network security group flow logs by using a Bicep file
+
+In this quickstart, you learn how to enable [network security group (NSG) flow logs](network-watcher-nsg-flow-logging-overview.md) by using a Bicep file
+
+[!INCLUDE [About Bicep](../../includes/resource-manager-quickstart-bicep-introduction.md)]
+
+We start with an overview of the properties of the NSG flow log object. We provide a sample Bicep file. Then, we deploy the Bicep file.
+
+## Prerequisites
+
+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+
+## Review the Bicep file
+
+The Bicep file that we use in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/networkwatcher-flowlogs-create/).
+
+:::code language="bicep" source="~/quickstart-templates/quickstarts/microsoft.network/networkwatcher-flowLogs-create/main.bicep" range="1-67" highlight="51-67":::
+
+These resources are defined in the Bicep file:
+
+- [Microsoft.Storage/storageAccounts](/azure/templates/microsoft.storage/storageaccounts?pivots=deployment-language-bicep)
+- [Microsoft.Network networkWatchers](/azure/templates/microsoft.network/networkwatchers?tabs=bicep&pivots=deployment-language-bicep)
+- [Microsoft.Network networkWatchers/flowLogs](/azure/templates/microsoft.network/networkwatchers/flowlogs?tabs=bicep&pivots=deployment-language-bicep)
+
+The highlighted code in the preceding sample shows an NSG flow resource definition.
+
+## Deploy the Bicep file
+
+This tutorial assumes that you have a network security group that you can enable flow logging on.
+
+1. Save the Bicep file as **main.bicep** to your local computer.
+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.
+
+    # [CLI](#tab/CLI)
+
+    ```azurecli
+    az group create --name exampleRG --location eastus
+    az deployment group create --resource-group exampleRG --template-file main.bicep
+    ```
+
+    # [PowerShell](#tab/PowerShell)
+
+    ```azurepowershell
+    New-AzResourceGroup -Name exampleRG -Location eastus
+    New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep
+    ```
+
+    ---
+
+    You will be prompted to enter the resource ID of the existing network security group. The syntax of the network security group resource ID is:
+
+    ```json
+    "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Network/networkSecurityGroups/<network-security-group-name>"
+    ```
+
+When the deployment finishes, you should see a message indicating the deployment succeeded.
+
+## Validate the deployment
+
+You have two options to see whether your deployment succeeded:
+
+- Your console shows `ProvisioningState` as `Succeeded`.
+- Go to the [NSG flow logs portal page](https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/flowLogs) to confirm your changes.
+
+If there were issues with the deployment, see [Troubleshoot common Azure deployment errors with Azure Resource Manager](../azure-resource-manager/troubleshooting/common-deployment-errors.md).
+
+## Clean up resources
+
+You can delete Azure resources by using complete deployment mode. To delete a flow logs resource, specify a deployment in complete mode without including the resource you want to delete. Read more about [complete deployment mode](../azure-resource-manager/templates/deployment-modes.md#complete-mode).
+
+You also can disable an NSG flow log in the Azure portal:
+
+1. Sign in to the Azure portal.
+1. Select **All services**. In the **Filter** box, enter **network watcher**. In the search results, select **Network Watcher**.
+1. Under **Logs**, select **NSG flow logs**.
+1. In the list of NSGs, select the NSG for which you want to disable flow logs.
+1. Under **Flow logs settings**, select **Off**.
+1. Select **Save**.
+
+## Next steps
+
+In this quickstart, you learned how to enable NSG flow logs by using a Bicep file. Next, learn how to visualize your NSG flow data by using one of these options:
+
+- [Microsoft Power BI](network-watcher-visualize-nsg-flow-logs-power-bi.md)
+- [Open-source tools](network-watcher-visualize-nsg-flow-logs-open-source-tools.md)
+- [Azure Traffic Analytics](traffic-analytics.md)

articles/network-watcher/toc.yml

@@ -13,6 +13,9 @@
     href: diagnose-vm-network-traffic-filtering-problem-powershell.md
   - name: Diagnose VM traffic filter problem - Azure CLI
     href: diagnose-vm-network-traffic-filtering-problem-cli.md
+  - name: Configure NSG flow logs using Bicep
+    displayName: Resource Manager,arm,template
+    href: quickstart-configure-network-security-group-flow-logs-from-bicep.md
   - name: Configure NSG flow logs using ARM template
     displayName: Resource Manager
     href: quickstart-configure-network-security-group-flow-logs-from-arm-template.md
@@ -22,7 +25,7 @@
     href: diagnose-vm-network-routing-problem.md
   - name: Monitor communication between VMs
     href: connection-monitor.md
-  - name: Monitor communication with virtual machine scale set  
+  - name: Monitor communication with virtual machine scale set
     href: connection-monitor-virtual-machine-scale-set.md
   - name: Diagnose a communication problem between networks
     href: diagnose-communication-problem-between-networks.md
@@ -58,7 +61,7 @@
     href: network-watcher-troubleshoot-overview.md
   - name: Variable packet capture
     href: network-watcher-packet-capture-overview.md
-  - name: Traffic Analytics overview 
+  - name: Traffic Analytics overview
     items:
     - name: Overview
       href: traffic-analytics.md
@@ -93,7 +96,7 @@
     - name: Using ARMClient
       href: connection-monitor-create-using-template.md
     - name: Using PowerShell
-      href: connection-monitor-create-using-powershell.md 
+      href: connection-monitor-create-using-powershell.md
   - name: Migrate to Connection Monitor
     items:
     - name: From Network Performance Monitor