Commit ef0167d

Merge pull request #100566 from damendo/faq-update
Removing Firewall caveats
2 parents d1db05f + a50014e commit ef0167d

2 files changed: +9 -41 lines changed


articles/network-watcher/frequently-asked-questions.md

Lines changed: 6 additions & 36 deletions
@@ -68,47 +68,17 @@ Only Packet Capture, Connection Troubleshoot and Connection Monitor need the Net
6868
### What does NSG Flow Logs do?
6969
Azure network resources can be combined and managed through [Network Security Groups (NSGs)](https://docs.microsoft.com/azure/virtual-network/security-overview). NSG Flow Logs enable you to log 5-tuple flow information about all traffic through your NSGs. The raw flow logs are written to an Azure Storage account from where they can be further processed, analyzed, queried, or exported as needed.
7070

71-
### Are there any caveats to using NSG Flow Logs?
72-
There are no pre-requisites for using NSG Flow Logs. However, there are two limitations
73-
- **Service Endpoints must not be present on your VNET**: NSG Flow Logs are emitted from agents on your VMs to Storage accounts. However, today you can only emit logs directly to storage accounts and cannot use a service endpoint added to your VNET.
71+
### How do I use NSG Flow Logs on a Storage account with a firewall or through a Service Endpoints?
7472

75-
- **Storage Account must not be firewalled**: Due to internal limitations, Storage accounts must be accessible through the public internet for NSG Flow Logs to work with them. Traffic will still be routed through Azure internally and you will not face extra egress charges.
76-
77-
See the next two questions for instructions on how to work around these issues. Both of these limitations are expected to be addressed by Jan 2020.
78-
79-
### How do I use NSG Flow Logs with Service Endpoints?
80-
81-
*Option 1: Reconfigure NSG flow logs to emit to Azure Storage account without VNET endpoints*
82-
83-
* Find subnets with endpoints:
84-
85-
- On the Azure portal, search for **Resource Groups** in the global search at the top
86-
- Navigate to the Resource Group containing the NSG you are working with
87-
- Use the second dropdown to filter by type and select **Virtual Networks**
88-
- Click on the Virtual Network containing the Service Endpoints
89-
- Select **Service endpoints** under **Settings** from the left pane
90-
- Make a note of the subnets where **Microsoft.Storage** is enabled
91-
92-
* Disable service endpoints:
93-
94-
- Continuing from above, select **Subnets** under **Settings** from the left pane
95-
* Click on the subnet containing the Service Endpoints
96-
- In the **Service endpoints** section, under **Services**, uncheck **Microsoft.Storage**
97-
98-
You can check the storage logs after a few minutes, you should see an updated TimeStamp or a new JSON file created.
99-
100-
*Option 2: Disable NSG flow logs*
101-
102-
If the Microsoft.Storage service endpoints are a must, you will have to disable NSG Flow Logs.
103-
104-
### How do I disable the firewall on my storage account?
105-
106-
This issue is resolved by enabling "All networks" to access the storage account:
73+
To use a Storage account with a firewall or through a Service Endpoints, you have to allow Trusted Microsoft Services to access your storage account:
10774

10875
* Find the name of the storage account by locating the NSG on the [NSG Flow Logs overview page](https://ms.portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/flowLogs)
10976
* Navigate to the storage account by typing the storage account's name in the global search on the portal
11077
* Under the **SETTINGS** section, select **Firewalls and virtual networks**
111-
* Select **All networks** and save it. If it is already selected, no change is needed.
78+
* In "Allow access from", select **Selected networks**. Then under **Exceptions**, tick the box next to **"Allow trusted Microsoft services to access this storage account"**
79+
* If it is already selected, no change is needed.
80+
81+
You can check the storage logs after a few minutes, you should see an updated TimeStamp or a new JSON file created.
11282

11383
### What is the difference between flow logs versions 1 & 2?
11484
Flow Logs version 2 introduces the concept of *Flow State* & stores information about bytes and packets transmitted. [Read more](https://docs.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-overview#log-file).
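Review bot: the new heading and the added intro sentence both read "through a Service Endpoints"; make it "through a Service Endpoint" (or drop the article) in both places. The renamed heading also retires the anchors `#how-do-i-use-nsg-flow-logs-with-service-endpoints` and `#how-do-i-disable-the--firewall-on-my-storage-account` that the overview page (and possibly other pages) link to, so inbound links need to be updated in the same PR. The last added bullet, `* If it is already selected, no change is needed.`, is a leftover fragment of the removed "All networks" step and now stands alone; fold it into the preceding bullet, e.g. `... tick the box next to "Allow trusted Microsoft services to access this storage account" (if it is already ticked, no change is needed)`. Replacing "All networks" with "Selected networks" plus the trusted-services exception is the right direction, since it removes the requirement that the storage account be reachable from the public internet, but the step should also say that with "Selected networks" any VNet or IP range that needs to read the flow logs must be added explicitly, otherwise those readers lose access once the setting is saved.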

articles/network-watcher/network-watcher-nsg-flow-logging-overview.md

Lines changed: 3 additions & 5 deletions
@@ -85,14 +85,12 @@ For continuation *C* and end *E* flow states, byte and packet counts are aggrega
8585

8686
The text that follows is an example of a flow log. As you can see, there are multiple records that follow the property list described in the preceding section.
8787

88-
## NSG Flow Logging Considerations
88+
## NSG flow logging considerations
8989

9090
**Storage account considerations**:
9191

92-
1. Location: The storage account used must be in the same region as the NSG.
93-
2. No Firewall: NSG Flow logs is not onboarded as a [trusted Microsoft Service for Azure Storage](https://docs.microsoft.com/azure/storage/common/storage-network-security#trusted-microsoft-services). See [How do I disable the firewall on my storage account?](https://docs.microsoft.com/azure/network-watcher/frequently-asked-questions#how-do-i-disable-the--firewall-on-my-storage-account) to disable the firewall.
94-
3. No Service Endpoints: Due to a current limitation, logs can only be directly emitted to storage accounts and not via service endpoints. See [How do I use NSG Flow Logs with Service Endpoints?](https://docs.microsoft.com/azure/network-watcher/frequently-asked-questions#how-do-i-use-nsg-flow-logs-with-service-endpoints) for help with removing existing Service Endpoints.
95-
4. Self-manage key rotation: If you change/rotate the access keys to your storage account, NSG Flow Logs will stop working. To fix this issue, you must disable and then re-enable NSG Flow Logs.
92+
- Location: The storage account used must be in the same region as the NSG.
93+
- Self-manage key rotation: If you change/rotate the access keys to your storage account, NSG Flow Logs will stop working. To fix this issue, you must disable and then re-enable NSG Flow Logs.
9694

9795
**Enable NSG Flow Logging on all NSGs attached to a resource**: Flow logging in Azure is configured on the NSG resource. A flow will only be associated to one NSG Rule. In scenarios where multiple NSGs are utilized, we recommend that NSG flow logging is enabled on all NSGs applied a resource's subnet or network interface to ensure that all traffic is recorded. For more information see [how traffic is evaluated](../virtual-network/security-overview.md#how-traffic-is-evaluated) in Network Security Groups.
9896
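Review bot: deleting items 2 and 3 outright leaves the overview with no mention that a storage account behind a firewall or service endpoints needs the "Allow trusted Microsoft services to access this storage account" exception, which is exactly what the FAQ change in this same PR documents; suggest replacing the removed "No Firewall" item with a pointer rather than dropping it, e.g. `- Firewall: if network access to the storage account is restricted, allow trusted Microsoft services to access it (see the FAQ).` The switch from a numbered list to `-` bullets, and the heading case change, are fine but unrelated to the firewall change and would read more cleanly as a separate commit. The retained "Self-manage key rotation" item still states that flow logs stop after a key rotation until flow logging is disabled and re-enabled; it would help operators to tie that to the existing check in the FAQ (look for an updated timestamp or a new JSON file in the storage account after rotating keys).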
