This article provides answers to the most frequently asked questions about traffic analytics capability of Azure Network Watcher.
How can I check if I have the required roles?
To learn how to check roles assigned to a user for a subscription, see List Azure role assignments using the Azure portal. If you can't see the role assignments, contact the respective subscription admin.
Can I enable flow logs for network security groups that are in different regions than my workspace region?
Yes, network security groups can be in different regions than your Log Analytics workspace region.
Can multiple network security groups be configured within a single workspace?
Yes.
Are Classic network security groups supported?
No, traffic analytics doesn't support classic network security groups.
Why doesn't traffic analytics display data for my traffic analytics enabled network security groups?
In the resource selection dropdown in the traffic analytics dashboard, the resource group of the Virtual Network resource must be selected, not the resource group of the virtual machine or network security group.
Can I use an existing workspace?
Yes. If you select an existing workspace, make sure that it has been migrated to the new query language. If you don't want to upgrade the workspace, you need to create a new one. For more information about Kusto Query Language (KQL), see Log queries in Azure Monitor.
Can my Azure storage account be in one subscription and my Log Analytics workspace be in a different subscription?
Yes, your Azure storage account can be in one subscription, and your Log Analytics workspace can be in a different subscription.
Can I store raw logs in a different subscription than the subscription used for network security groups or virtual networks?
Yes. You can configure flow logs to be sent to a storage account located in a different subscription, provided you have the appropriate privileges, and that the storage account is located in the same region as the network security group (network security group flow logs) or virtual network (virtual network flow logs). The destination storage account must share the same Microsoft Entra tenant of the network security group or virtual network.
Can my flow log resources and storage accounts be in different tenants?
No. All resources must be in the same tenant including network security groups (network security group flow logs), virtual networks (virtual network flow logs), flow logs, storage accounts and Log Analytics workspaces (if traffic analytics is enabled).
Can I configure a different retention policy for the storage account than Log Analytics workspace?
Yes.
Will I lose the data stored in Log Analytics workspace if I delete the storage account used for flow logging?
No. If you delete the storage account that is used for flow logs, the data stored in Log Analytics workspace won't be affected. You can still view historic data in Log Analytics workspace (some metrics will be impacted) but traffic analytics will no longer process any new additional flow logs until you update the flow logs to use a different storage account.
What if I can't configure a network security group for traffic analytics due to a "Not found" error?
Select a supported region. If you select a non-supported region, you receive a "Not found" error. For more information, see Traffic analytics supported regions.
What if I'm getting the status: “Failed to load” in the flow logs page?
The Microsoft.Insights provider must be registered for flow logging to work properly. If you aren't sure whether the Microsoft.Insights provider is registered for your subscription, see Azure portal, PowerShell, or Azure CLI instructions on how to register it.
I configured the solution. Why am I not seeing anything on the dashboard?
The dashboard might take up to 30 minutes to show reports for the first time. The solution must first aggregate enough data for it to derive meaningful insights, then it generates reports.
What if I get this message: “We could not find any data in this workspace for selected time interval. Try changing the time interval or select a different workspace.”?
Try the following options:
- Change the time interval in the upper bar.
- Select a different Log Analytics workspace in the upper bar.
- Try accessing traffic analytics after 30 minutes, if it was recently enabled.
If problems persist, raise concerns in Microsoft Q&A.
What if I get this message: "Analyzing your NSG flow logs for the first time. This process may take 20-30 minutes to complete. Check back after some time."?
You might see this message because:
- Traffic analytics was recently enabled, and might not yet have aggregated enough data for it to derive meaningful insights.
- You're using the free version of the Log Analytics workspace, and it exceeded the quota limits. You might need to use a workspace with a larger capacity.
Try the suggested solutions for the previous question. If problems persist, raise concerns in Microsoft Q&A.
What if I get this message: “Looks like we have resources data (Topology) and no flows information. For more information, click here to see resources data and refer to FAQ.”?
You're seeing the resources information on the dashboard; however, no flow-related statistics are present. Data might not be present because of no communication flows between the resources. Wait for 60 minutes, and recheck status. If the problem persists, and you're sure that communication flows among resources exist, raise concerns in Microsoft Q&A.
Can I configure traffic analytics using PowerShell?
You can configure traffic analytics using Windows PowerShell version 6.2.1 and higher. To configure flow logging and traffic analytics for a specific network security group using PowerShell, see Enable network security group flow logs and traffic analytics.
Can I configure traffic analytics using an Azure Resource Manager template or a Bicep file?
Yes, you can use an Azure Resource Manager template or a Bicep file to configure traffic analytics. For more information, see Configure NSG flow logs using an Azure Resource Manager (ARM) template and Configure NSG flow logs using a Bicep file.
How is traffic analytics priced?
Traffic analytics is metered. The metering is based on processing of raw flow log data by the service. For more information, see Network Watcher pricing.
Enhanced logs ingested in Log Analytics workspace can be retained at no charge for up to first 31 days (or 90 days if Microsoft Sentinel is enabled on the workspace). For more information, see Azure Monitor pricing.
How frequently does traffic analytics process data?
Default processing interval of traffic analytics is 60 minutes, however, you can select accelerated processing at 10 minutes intervals. For more information, see Data aggregation in traffic analytics.
How does traffic analytics decide that an IP is malicious?
Traffic analytics relies on Microsoft internal threat intelligence systems to deem an IP as malicious. These systems use diverse telemetry sources like Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response Center (MSRC), and external feeds and build intelligence on top of it. Some of this data is Microsoft Internal. If a known IP is getting flagged as malicious, raise a support ticket to know the details.
How can I set alerts on traffic analytics data?
Traffic analytics doesn't have built-in support for alerts. However, since traffic analytics data is stored in Log Analytics, you can write custom queries and set alerts on them. Follow these steps:
- You can use Log Analytics link in traffic analytics.
- Use the traffic analytics schema to write your queries.
- Select New alert rule to create the alert.
- See Create a new alert rule to create the alert.
How do I check which virtual machines are receiving most on-premises traffic?
Use the following query:
AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog" and FlowType_s == "S2S"
| where <Scoping condition>
| mvexpand vm = pack_array(VM1_s, VM2_s) to typeof(string)
| where isnotempty(vm)
| extend traffic = AllowedInFlows_d + DeniedInFlows_d + AllowedOutFlows_d + DeniedOutFlows_d // For bytes use: | extend traffic = InboundBytes_d + OutboundBytes_d
| make-series TotalTraffic = sum(traffic) default = 0 on FlowStartTime_t from datetime(<time>) to datetime(<time>) step 1 m by vm
| render timechart
For IPs, use the following query:
AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog" and FlowType_s == "S2S"
//| where <Scoping condition>
| mvexpand IP = pack_array(SrcIP_s, DestIP_s) to typeof(string)
| where isnotempty(IP)
| extend traffic = AllowedInFlows_d + DeniedInFlows_d + AllowedOutFlows_d + DeniedOutFlows_d // For bytes use: | extend traffic = InboundBytes_d + OutboundBytes_d
| make-series TotalTraffic = sum(traffic) default = 0 on FlowStartTime_t from datetime(<time>) to datetime(<time>) step 1 m by IP
| render timechart
For time, use format: yyyy-mm-dd 00:00:00
How do I check standard deviation in traffic received by my virtual machines from on-premises machines?
Use the following query:
AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog" and FlowType_s == "S2S"
//| where <Scoping condition>
| mvexpand vm = pack_array(VM1_s, VM2_s) to typeof(string)
| where isnotempty(vm)
| extend traffic = AllowedInFlows_d + DeniedInFlows_d + AllowedOutFlows_d + DeniedOutFlows_d // For bytes use: | extend traffic = InboundBytes_d + utboundBytes_d
| summarize deviation = stdev(traffic) by vm
For IPs:
AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog" and FlowType_s == "S2S"
//| where <Scoping condition>
| mvexpand IP = pack_array(SrcIP_s, DestIP_s) to typeof(string)
| where isnotempty(IP)
| extend traffic = AllowedInFlows_d + DeniedInFlows_d + AllowedOutFlows_d + DeniedOutFlows_d // For bytes use: | extend traffic = InboundBytes_d + OutboundBytes_d
| summarize deviation = stdev(traffic) by IP
How do I check which ports are reachable (or blocked) between IP pairs with NSG rules?
Use the following query:
AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog" and TimeGenerated between (startTime .. endTime)
| extend sourceIPs = iif(isempty(SrcIP_s), split(SrcPublicIPs_s," "), pack_array(SrcIP_s)),
destIPs = iif(isempty(DestIP_s), split(DestPublicIPs_s," "), pack_array(DestIP_s))
| mvexpand SourceIp = sourceIPs to typeof(string)
| mvexpand DestIp = destIPs to typeof(string)
| project SourceIp = tostring(split(SourceIp, "|")[0]), DestIp = tostring(split(DestIp, "|")[0]), NSGList_s, NSGRule_s, DestPort_d, L4Protocol_s, FlowStatus_s
| summarize DestPorts= makeset(DestPort_d) by SourceIp, DestIp, NSGList_s, NSGRule_s, L4Protocol_s, FlowStatus_s