Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,616 questions
Virtual Network Flow Logs not saving to Storage Account
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 28.000000000000004%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGC%3C/text%3E%3C/svg%3E)
Grant Crofton
0
Reputation points
Hi, I'm trying to get some network logs to help diagnose an issue I'm having but they don't seem to be saving.
I have a Power Automate Cloud Flow which calls various Azure resources over a Virtual Network (KV, Storage Account, Open AI, etc.). These resources all have network restrictions and Private Endpoints. Power Automate has Virtual Network support enabled via an Enterprise Policy. There are no NSGs. By and large this all works.
I've enabled Flow Logs on the Network Watcher in Portal following these instructions: https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-portal
I've specified an existing Storage Account as the place to save them to. It appears to have worked, in that there were no error messages and I can see the configured flow logs. However no network logs have appeared in the Storage Account (where I understand they should be in a new container in blob storage).
I also have Traffic Analysis enabled, but as you would expect there's nothing to see there.
I've done some troubleshooting and checked various things, including:
SA has key access enabled
SA keys have not been changed
SA has no network restrictions
SA is Standard tier
The flow logs are enabled (I've tried disabling & enabling again)
Everything is in the same subscription & RG
The microsoft.insights provider is registered on the Subscription
Retention is set to 365 days
I read that Private Endpoint traffic itself doesn't get logged, but I believe traffic into & out of the vNet should be logged regardless.
Any ideas?
{count} votes
-
Chiugo Okpala 75 Reputation points MVP2025-01-31T15:33:12.49+00:00 You can try the following below:
- Check Storage Account Permissions: Ensure that the Network Watcher service has the necessary permissions to write logs to the storage account. You can verify this by checking the access policies on the storage account.
- Verify Flow Log Configuration: Double-check the flow log configuration in the Network Watcher portal to ensure that everything is set up correctly. Sometimes, a small misconfiguration can cause issues.
- Check for Network Isolation: If your storage account or any of the resources have network isolation enabled, it might prevent logs from being saved. Ensure that network isolation is disabled or properly configured to allow traffic.
- Review Network Watcher Logs: Look at the Network Watcher logs for any errors or warnings that might give you more insight into why the logs aren't being saved.
- Enable Diagnostic Settings: Make sure that diagnostic settings are enabled for the storage account and that they are configured to capture flow logs.
- Consult Azure Support: If you've tried all the above steps and still can't resolve the issue, it might be helpful to reach out to Azure Support for further assistance.
See Microsoft Azure documentation: https://learn.microsoft.com/en-us/answers/questions/2150872/logs-are-not-sent-to-log-workspace-when-network-se
-
Grant Crofton 0 Reputation points
2025-02-03T10:38:18.2966667+00:00 Thanks for your help but I'm coming to the conclusion this just doesn't work in my scenario. As I understand it the logs are collected at the NICs of different resources, but in my example the traffic comes from Power Automate to a Private Endpoint, neither of which I think support gathering of flow logs - although I can't find anything in the documentation about what services are supported.
It's written that traffic isn't collected from Private Endpoints here: https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-overview#private-endpoint-traffic
It says there the traffic should be collected from the source VM, but I'm not using VMs.
It also says here that vNet Flow Logs are not supported for most SaaS services, only VMs: https://learn.microsoft.com/en-us/answers/questions/2119278/virtual-network-flow-logs-for-azure-sql-managed-in
I'm not sure how true that is as it's not clearly stated in the documentation, but the only examples I've seen online use VMs (e.g. https://www.youtube.com/watch?v=UQvV5CrG0N4), so maybe this is the case.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 15%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPB%3C/text%3E%3C/svg%3E)
Praveen Bandaru 265 Reputation points Microsoft Vendor2025-02-03T17:34:15.9633333+00:00 Hello Grant Crofton
Greetings!
Thank you for your response.
Regrettably, private endpoints are not supported for Flow logs. We are only able to capture flow logs at VMs/VMSS instances.Check the link for more understanding: https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-overview#private-endpoint-traffic
For NSG and VNET flow logs, the only Incompatible services are mentioned below:
Currently, these Azure services don't support VNET and NSG flow logs.
- Azure Container Instances
- Azure Logic Apps
- Azure Functions
- Azure DNS Private Resolver
- App Service
- Azure Database for MariaDB
- Azure Database for MySQL
- Azure Database for PostgreSQL
- NSG's associated to Application gateway v2
- App services deployed under an Azure App Service plan
Reference link: https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-overview#incompatible-services
Note: Additionally, the list of incompatible services mentioned for NSG flow logs currently applies to VNet flow logs as well.
These details regarding 'Vnet flow logs' will soon be included in the public documentation.
I hope this has been helpful!
Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
-
Grant Crofton 0 Reputation points
2025-02-04T09:11:12.1133333+00:00 OK thanks for confirming @Praveen Bandaru . I did see the NSG incompatible services but I wasn't sure if that applied to vNets - also in my case the traffic is coming from Power Automate which isn't listed as an incompatible service. I'll see if I can find another way to diagnose my issue.
Regards,
Grant
-
Praveen Bandaru 265 Reputation points Microsoft Vendor
2025-02-04T13:16:13.0233333+00:00 Hello Grant Crofton
Greetings!
Thank you for your response.The list of incompatible services previously mentioned for NSG flow logs also applies to VNet flow logs. Information regarding 'VNet flow logs' will be added to the public documentation soon.
Additionally, you mentioned using a private endpoint for Power Automate. Please note that private endpoints are not supported for flow logs, which is why you are not receiving the logs.
Sign in to comment
Sign in to answer