Merge pull request #266457 from halkazwini/nw-faq

prmerger-automator[bot] · web-flow · commit 70ab769a4ddb · 2024-02-15T22:56:52.000Z
New Q&amp;As
diff --git a/articles/network-watcher/frequently-asked-questions.yml b/articles/network-watcher/frequently-asked-questions.yml
@@ -6,7 +6,7 @@ metadata:
   ms.author: halkazwini
   ms.service: network-watcher
   ms.topic: faq
-  ms.date: 12/12/2023
+  ms.date: 02/15/2024
 title: "Network Watcher frequently asked questions (FAQ)"
 summary: |
   This article provides answers to some of the frequently asked questions asked about Azure Network Watcher.
@@ -166,7 +166,7 @@ sections:
   - name: Flow logs
     questions:
       - question: |
-          What does NSG flow logs do?
+          What does flow logging do?
         answer: |
           Flow logs enable you to log 5-tuple flow information about your Azure IP traffic that passes through a network security group or Azure virtual network. The raw flow logs are written to an Azure storage account. From there, you can further process, analyze, query, or export them as needed.
 
@@ -185,10 +185,20 @@ sections:
         answer: |
           No. NSG flow logs and VNet flow logs don't support ICMP protocol.
 
+      - question: |
+          Can I delete a network security group that has flow logging enabled?
+        answer: |
+          Yes. The associated flow log resource will be deleted too. Flow log data is retained in the storage account for the retention period configured in the flow log.
+
+      - question: |
+          Can I move a network security group that has flow logging enabled to a different resource group or subscription?
+        answer: |
+          Yes, but you you must delete the associated flow log resource. After you migrate the network security group, you can re-create the flow logs to enable flow logging on it.
+
       - question: |
           Can I use a storage account in a different subscription than the network security group or virtual network that the flow log is enabled for?
         answer: |
-          Yes, you can use a storage account from a different subscription as long as this subscription is associated with the same Microsoft Entra tenant of the network security group or virtual network's subscription.
+          Yes, you can use a storage account from a different subscription as long as this subscription is in the same region of the network security group and associated with the same Microsoft Entra tenant of the network security group or virtual network's subscription.
 
       - question: |
           How do I use NSG flow logs with a storage account behind a firewall?
@@ -208,7 +218,7 @@ sections:
           Network Watcher has a built-in fallback mechanism that it uses when connecting to a storage account behind a firewall (firewall enabled). It tries to connect to the storage account using a key, and if that fails, it switches to a token. In this case, a 403 error is logged in the storage account activity log.
 
       - question: |
-          Can NSG flow logs send data to a storage account using an Azure Private Endpoint?
+          Can Network Watcher send NSG flow logs data to a storage account enabled with Private Endpoint?
         answer: |
           Yes, Network Watcher supports sending NSG flow logs data to a storage account enabled with a private endpoint.
 
