articles/network-watcher/nsg-flow-logs-policy-portal.md
Lines changed: 15 additions & 11 deletions
@@ -1,27 +1,27 @@
1
1
---
2
-
title: Manage NSG flow logs by using Azure Policy
2
+
title: Manage NSG flow logs using Azure Policy
3
3
titleSuffix: Azure Network Watcher
4
-
description: Learn how to use built-in policies to audit network security groups and deploy Azure Network Watcher NSG flow logs.
4
+
description: Learn how to use Azure Policy built-in policies to audit network security groups and deploy Azure Network Watcher NSG flow logs.
5
5
services: network-watcher
6
6
author: halkazwini
7
7
ms.service: network-watcher
8
8
ms.topic: how-to
9
-
ms.date: 04/30/2023
9
+
ms.date: 05/30/2023
10
10
ms.author: halkazwini
11
11
ms.custom: template-how-to, engagement-fy23
12
12
---
13
13
14
-
# Manage NSG flow logs by using Azure Policy
14
+
# Manage NSG flow logs using Azure Policy
15
15
16
16
Azure Policy helps you enforce organizational standards and assess compliance at scale. Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. To learn more about Azure policy, see [What is Azure Policy?](../governance/policy/overview.md) and [Quickstart: Create a policy assignment to identify non-compliant resources](../governance/policy/assign-policy-portal.md).
17
17
18
18
In this article, you learn how to use two built-in policies to manage your setup of network security group (NSG) flow logs. The first policy flags any network security group that doesn't have flow logs enabled. The second policy automatically deploys NSG flow logs that don't have flow logs enabled.
19
19
20
-
## Audit network security groups by using a built-in policy
20
+
## Audit network security groups using a built-in policy
21
21
22
22
The **Flow logs should be configured for every network security group** policy audits all existing network security groups in a scope by checking all Azure Resource Manager objects of type `Microsoft.Network/networkSecurityGroups`. This policy then checks for linked flow logs via the flow logs property of the network security group, and it flags any network security group that doesn't have flow logs enabled.
23
23
24
-
To audit your flow logs by using the built-in policy:
24
+
To audit your flow logs using the built-in policy:
25
25
26
26
1. Sign in to the [Azure portal](https://portal.azure.com).
27
27
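Review bot: the unchanged context sentence at line 18 of this hunk, "The second policy automatically deploys NSG flow logs that don't have flow logs enabled", attaches the condition to the flow logs instead of the network security groups; since the hunk already reworks the surrounding wording, it should read "The second policy automatically deploys NSG flow logs for network security groups that don't have flow logs enabled." In the same region, "Azure policy" at line 16 should be capitalized "Azure Policy" to match the product name used in the new title, description and headings.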
@@ -55,9 +55,9 @@ To audit your flow logs by using the built-in policy:
55
55
56
56
1. Select **Resource compliance** to get a list of all non-compliant network security groups.
57
57
58
-
:::image type="content" source="./media/nsg-flow-logs-policy-portal/audit-policy-compliance-details.png" alt-text="Screenshot of the page for audit policy compliance in the Azure portal." lightbox="./media/nsg-flow-logs-policy-portal/audit-policy-compliance-details.png":::
58
+
:::image type="content" source="./media/nsg-flow-logs-policy-portal/audit-policy-compliance-details.png" alt-text="Screenshot of the Policy compliance page that shows the noncompliant resources based on the audit policy." lightbox="./media/nsg-flow-logs-policy-portal/audit-policy-compliance-details.png":::
59
59
60
-
## Deploy and configure NSG flow logs by using a built-in policy
60
+
## Deploy and configure NSG flow logs using a built-in policy
61
61
62
62
The **Deploy a flow log resource with target network security group** policy checks all existing network security groups in a scope by checking all Azure Resource Manager objects of type `Microsoft.Network/networkSecurityGroups`. It then checks for linked flow logs via the flow logs property of the network security group. If the property doesn't exist, the policy deploys a flow log.
63
63
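Review bot: the new alt text at line 58 spells "noncompliant" while the step text two lines above (line 56, "all non-compliant network security groups") keeps the hyphen; pick one spelling for the whole article so the compliance screenshots and the steps describe the same state with the same term. The context sentence at line 62, "checks all existing network security groups in a scope by checking all Azure Resource Manager objects", repeats "checks ... by checking" and would read better as "evaluates all existing network security groups in a scope by checking all Azure Resource Manager objects of type `Microsoft.Network/networkSecurityGroups`".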
@@ -103,7 +103,7 @@ To assign the *deployIfNotExists* policy:
103
103
|**Create a remediation task**| Select the checkbox if you want the policy to affect existing resources. |
104
104
|**Create a Managed Identity**| Select the checkbox. |
105
105
|**Type of Managed Identity**| Select the type of managed identity that you want to use. |
106
-
|**System assigned identity location**| Select the region of your system-assigned identity. |
106
+
|**System assigned identity location**| Select the region of your systemassigned identity. |
107
107
|**Scope**| Select the scope of your user-assigned identity. |
108
108
|**Existing user assigned identities**| Select your user-assigned identity. |
109
109
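Review bot: the `+` line at 106 drops the hyphen from "system-assigned" and introduces the typo "systemassigned"; the removed line was correct, so this hunk is a regression and should be reverted to "Select the region of your system-assigned identity." The bold row label keeps the unhyphenated "System assigned identity location" because it mirrors the portal control, but the cell text should stay hyphenated, consistent with "user-assigned" in the **Scope** and **Existing user assigned identities** rows directly below.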
@@ -120,10 +120,14 @@ To assign the *deployIfNotExists* policy:
120
120
121
121
1. Select **Resource compliance** to get a list of all non-compliant network security groups.
122
122
123
-
:::image type="content" source="./media/nsg-flow-logs-policy-portal/deploy-policy-compliance-details.png" alt-text="Screenshot of the page for deployment policy compliance in the Azure portal." lightbox="./media/nsg-flow-logs-policy-portal/deploy-policy-compliance-details.png":::
123
+
:::image type="content" source="./media/nsg-flow-logs-policy-portal/deploy-policy-compliance-details.png" alt-text="Screenshot of the Policy compliance page that shows the noncompliant resources." lightbox="./media/nsg-flow-logs-policy-portal/deploy-policy-compliance-details.png":::
124
+
125
+
1. Leave the policy runs to evaluate and deploy flow logs for all non-compliant network security groups. Then select **Resource compliance** again to check the status of network security groups (you don't see noncompliant network security groups if the policy completed its remediation).
126
+
127
+
:::image type="content" source="./media/nsg-flow-logs-policy-portal/deploy-policy-compliance-details-compliant-resources.png" alt-text="Screenshot of the Policy compliance page that shows all resources are compliant." lightbox="./media/nsg-flow-logs-policy-portal/deploy-policy-compliance-details-compliant-resources.png":::
124
128
125
129
## Next steps
126
130
127
131
- To learn more about NSG flow logs, see [Flow logs for network security groups](./network-watcher-nsg-flow-logging-overview.md).
128
132
- To learn about using built-in policies with traffic analytics, see [Manage traffic analytics using Azure Policy](./traffic-analytics-policy-portal.md).
129
-
- To learn how to use an Azure Resource Manager template (ARM template) to deploy flow logs and traffic analytics, see [Configure NSG flow logs using an Azure Resource Manager template](./quickstart-configure-network-security-group-flow-logs-from-arm-template.md).
133
+
- To learn how to use an Azure Resource Manager (ARM) template to deploy flow logs and traffic analytics, see [Configure NSG flow logs using an Azure Resource Manager template](./quickstart-configure-network-security-group-flow-logs-from-arm-template.md).
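Review bot: the new step at line 125, "Leave the policy runs to evaluate and deploy flow logs", is ungrammatical; suggest "Wait for the policy to evaluate and deploy flow logs for all noncompliant network security groups." The same line mixes "non-compliant" and "noncompliant", and the parenthetical "(you don't see noncompliant network security groups if the policy completed its remediation)" is clearer as a statement of the expected end state: "Once the remediation task has completed, no noncompliant network security groups are listed." The bullet change at line 133 ("Azure Resource Manager (ARM) template") is fine, but the link text it points at still says "using an Azure Resource Manager template", so the two forms now sit side by side in one sentence.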