Manage NSG flow logs using Azure Policy

Important

On September 30, 2027, network security group (NSG) flow logs will be retired. As part of this retirement, you'll no longer be able to create new NSG flow logs starting June 30, 2025. We recommend migrating to virtual network flow logs, which overcome the limitations of NSG flow logs. After the retirement date, traffic analytics enabled with NSG flow logs will no longer be supported, and existing NSG flow logs resources in your subscriptions will be deleted. However, NSG flow logs records won't be deleted and will continue to follow their respective retention policies. For more information, see the official announcement.

Azure Policy helps you enforce organizational standards and assess compliance at scale. Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. To learn more about Azure policy, see What is Azure Policy? and Quickstart: Create a policy assignment to identify non-compliant resources.

In this article, you learn how to use two built-in policies to manage your setup of network security group (NSG) flow logs. The first policy flags any network security group that doesn't have flow logs enabled. The second policy automatically deploys NSG flow logs that don't have flow logs enabled.

Audit network security groups using a built-in policy

The Flow logs should be configured for every network security group policy audits all existing network security groups in a scope by checking all Azure Resource Manager objects of type Microsoft.Network/networkSecurityGroups. This policy then checks for linked flow logs via the flow logs property of the network security group, and it flags any network security group that doesn't have flow logs enabled.

To audit your flow logs using the built-in policy, follow these steps:

  1. Sign in to the Azure portal.

  2. In the search box at the top of the portal, enter policy. Select Policy from the search results.

    Screenshot of searching for Azure Policy in the Azure portal.

  3. Select Assignments, and then select Assign policy.

    Screenshot of selecting the button for assigning a policy in the Azure portal.

  4. Select the ellipsis (...) next to Scope to choose your Azure subscription that has the network security groups that you want the policy to audit. You can also choose the resource group that has the network security groups. After you make your selections, choose the Select button.

    Screenshot of selecting the scope of the policy in the Azure portal.

  5. Select the ellipsis (...) next to Policy definition to choose the built-in policy that you want to assign. Enter flow log in the search box, and then select the Built-in filter. From the search results, select Flow logs should be configured for every network security group, and then select Add.

    Screenshot of selecting the audit policy in the Azure portal.

  6. Enter a name in Assignment name, and enter your name in Assigned by.

    This policy doesn't require any parameters. It also doesn't contain any role definitions, so you don't need to create role assignments for the managed identity on the Remediation tab.

  7. Select Review + create, and then select Create.

    Screenshot of the Basics tab to assign an audit policy in the Azure portal.

  8. Select Compliance. Search for the name of your assignment, and then select it.

    Screenshot of the Compliance page that shows noncompliant resources based on the audit policy.

  9. Select Resource compliance to get a list of all non-compliant network security groups.

    Screenshot of the Policy compliance page that shows the noncompliant resources based on the audit policy.

Deploy and configure NSG flow logs using a built-in policy

The Deploy a flow log resource with target network security group policy checks all existing network security groups in a scope by checking all Azure Resource Manager objects of type Microsoft.Network/networkSecurityGroups. It then checks for linked flow logs via the flow logs property of the network security group. If the property doesn't exist, the policy deploys a flow log.

To assign the deployIfNotExists policy:

  1. Sign in to the Azure portal.

  2. In the search box at the top of the portal, enter policy. Select Policy from the search results.

    Screenshot of searching for Azure Policy in the Azure portal.

  3. Select Assignments, and then select Assign policy.

    Screenshot of selecting the button for assigning a policy in the Azure portal.

  4. Select the ellipsis (...) next to Scope to choose your Azure subscription that has the network security groups that you want the policy to audit. You can also choose the resource group that has the network security groups. After you make your selections, choose the Select button.

    Screenshot of selecting the scope of the policy in the Azure portal.

  5. Select the ellipsis (...) next to Policy definition to choose the built-in policy that you want to assign. Enter flow log in the search box, and then select the Built-in filter. From the search results, select Deploy a flow log resource with target network security group, and then select Add.

    Screenshot of selecting the deployment policy in the Azure portal.

  6. Enter a name in Assignment name, and enter your name in Assigned by.

    Screenshot of Basics tab to assign a deployment policy in the Azure portal.

  7. Select Next button twice, or select the Parameters tab. Then enter or select the following values:

    Setting Value
    NSG Region Select the region of your network security group that you're targeting with the policy.
    Storage id Enter the full resource ID of the storage account. The storage account must be in the same region as the network security group. The format of storage resource ID is /subscriptions/<SubscriptionID>/resourceGroups/<ResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<StorageAccountName>.
    Network Watchers RG Select the resource group of your Azure Network Watcher instance.
    Network Watcher name Enter the name of your Network Watcher instance.

    Screenshot of the Parameters tab for assigning a deployment policy in the Azure portal.

  8. Select Next or the Remediation tab. Enter or select the following values:

    Setting Value
    Create a remediation task Select the checkbox if you want the policy to affect existing resources.
    Create a Managed Identity Select the checkbox.
    Type of Managed Identity Select the type of managed identity that you want to use.
    System assigned identity location Select the region of your system assigned identity.
    Scope Select the scope of your user-assigned identity.
    Existing user assigned identities Select your user-assigned identity.

    Note

    You need Contributor or Owner permission to use this policy.

    Screenshot of the Remediation tab for assigning a deployment policy in the Azure portal.

  9. Select Review + create, and then select Create.

  10. Select Compliance. Search for the name of your assignment, and then select it.

    Screenshot of the Compliance page that shows noncompliant resources based on the deployment policy.

  11. Select Resource compliance to get a list of all non-compliant network security groups.

    Screenshot of the Policy compliance page that shows the noncompliant resources.

  12. Leave the policy runs to evaluate and deploy flow logs for all non-compliant network security groups. Then select Resource compliance again to check the status of network security groups (you don't see noncompliant network security groups if the policy completed its remediation).

    Screenshot of the Policy compliance page that shows all resources are compliant.