MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Information about storage account key rotation / storage account access key usage unclear #122621

Closed jikuja closed 1 week ago

jikuja commented 1 month ago

The page provides following information:

Self-managed key rotation: If you change or rotate the access keys to your storage account, virtual network flow logs stop working. To fix this problem, you must disable and then re-enable virtual network flow logs.

Is that information correct? Documentation should clearly indicate if storage account target must have account key enabled.

Related findings



TPavanBalaji commented 1 month ago

@jikuja Thanks for your feedback! We will investigate and update as appropriate.

ManoharLakkoju-MSFT commented 1 month ago

Hi @jikuja Thank you for bringing this to my attention. The information provided on the page you mentioned is not entirely accurate. While it is true that changing or rotating the access keys to your storage account can cause virtual network flow logs to stop working, it is not necessary to disable and re-enable the logs to fix the issue. Instead, you can simply update the storage account key in the Network Watcher configuration to the new key.

Regarding your related findings, you are correct that the microsoft.network/networkwatchers/flowlogs resource accepts a storage account ID, and the SAS token is not automatically fetched and injected. However, you can manually provide the SAS token in the storageAccountId property of the microsoft.network/networkwatchers/flowlogs resource.

Additionally, you are correct that storage accounts support Network Watcher as a trusted resource. This allows you to restrict access to your storage account to only traffic from trusted Network Watcher resources.

I will make sure to pass along this feedback to the appropriate team to see if we can update the documentation to provide more accurate and clear information. Let me know if you have any other questions or concerns.
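The comment above makes three claims about a flow-log target: the account key is involved, a SAS token can supposedly be supplied instead, and the storage firewall can admit Network Watcher as a trusted service. The script below is an added audit example (not code from this thread or from Microsoft) that a defender could run over exported resource JSON to see which flow logs would be affected by key rotation or by disabling shared-key access. It assumes the ARM property names `allowSharedKeyAccess` and `networkAcls.bypass` on storage accounts and `storageId` on flow logs; the subscription id, resource group and account names are placeholders, and the input is constructed inline.

```python
"""Audit Network Watcher flow-log targets for shared-key dependence and
storage-firewall bypass settings.

Added example, not part of the azure-docs issue. Input mirrors a simplified
subset of ARM resource properties (assumed names):
  Microsoft.Storage/storageAccounts         -> allowSharedKeyAccess, networkAcls
  Microsoft.Network/networkWatchers/flowLogs -> enabled, storageId
"""
from dataclasses import dataclass

SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id


def storage_id(name: str) -> str:
    """Build a placeholder storage account resource id."""
    return (f"/subscriptions/{SUB}/resourceGroups/rg-net/providers/"
            f"Microsoft.Storage/storageAccounts/{name}")


# Constructed sample: one account still on shared keys with the trusted-services
# bypass, one with shared keys disabled and no bypass.
STORAGE_ACCOUNTS = {
    storage_id("stflowlogsa"): {
        "allowSharedKeyAccess": True,
        "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"},
    },
    storage_id("stflowlogsb"): {
        "allowSharedKeyAccess": False,
        "networkAcls": {"defaultAction": "Deny", "bypass": "None"},
    },
}

# Constructed sample flow logs; the third points at an account that no longer exists.
FLOW_LOGS = [
    {"name": "fl-vnet-prod", "properties": {"enabled": True, "storageId": storage_id("stflowlogsa")}},
    {"name": "fl-vnet-dev", "properties": {"enabled": True, "storageId": storage_id("STFLOWLOGSB")}},
    {"name": "fl-orphan", "properties": {"enabled": True, "storageId": storage_id("stmissing")}},
]


@dataclass
class Finding:
    flow_log: str
    storage_account: str
    issue: str


def audit(flow_logs: list, storage_accounts: dict) -> list[Finding]:
    """Return one Finding per condition a practitioner would want to review."""
    # ARM resource ids compare case-insensitively, so index on the lowercased id.
    index = {rid.lower(): props for rid, props in storage_accounts.items()}
    findings: list[Finding] = []
    for fl in flow_logs:
        props = fl["properties"]
        if not props.get("enabled", False):
            continue  # a disabled flow log writes nothing, so nothing can break
        sid = props["storageId"]
        sa = index.get(sid.lower())
        if sa is None:
            findings.append(Finding(fl["name"], sid, "storage-account-missing"))
            continue
        # allowSharedKeyAccess defaults to true when the property is unset.
        if sa.get("allowSharedKeyAccess", True):
            # Per the doc note, rotating this key stops the flow log.
            findings.append(Finding(fl["name"], sid, "shared-key-enabled"))
        else:
            # The docs do not say whether flow logs still write here; verify.
            findings.append(Finding(fl["name"], sid, "shared-key-disabled"))
        acls = sa.get("networkAcls", {})
        bypass = acls.get("bypass", "")  # comma-separated list in ARM
        if acls.get("defaultAction", "Allow") == "Deny" and "AzureServices" not in bypass:
            findings.append(Finding(fl["name"], sid, "no-trusted-services-bypass"))
    return findings


if __name__ == "__main__":
    for f in audit(FLOW_LOGS, STORAGE_ACCOUNTS):
        print(f"{f.flow_log}: {f.issue} ({f.storage_account})")
```

Feeding it real output from `az network watcher flow-log list` and `az storage account show` would need only the property paths above; the finding codes are the ones to turn into tickets before any key rotation or shared-key lockdown.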

ManoharLakkoju-MSFT commented 1 month ago

@halkazwini Can you please check and add your comments on this doc update request as applicable.

jikuja commented 1 month ago

Instead, you can simply update the storage account key in the Network Watcher configuration to the new key.

Regarding your related findings, you are correct that the microsoft.network/networkwatchers/flowlogs resource accepts a storage account ID, and the SAS token is not automatically fetched and injected. However, you can manually provide the SAS token in the storageAccountId property of the microsoft.network/networkwatchers/flowlogs resource.

How do you "simply update the storage account key in the Network Watcher configuration to the new key"?


The major warning gives a hint that a storage account access key is required for Network Watcher to work. At least that was my first impression from the note.

I personally would like to disable account keys on all storage accounts. The note is kind of misleading if there is an undocumented way to add a storage account with a SAS token but "nobody" is actually using that kind of configuration.

Documentation should clearly state if a storage account access key is required for Network Watcher to work. Storage account documentation gives a hint that access is being granted as soon as the exception is turned on.

ManoharLakkoju-MSFT commented 1 month ago

@jikuja Thanks for bringing this to our attention. I'm going to assign this to the document author so they can take a look at it accordingly.

halkazwini commented 1 week ago

Hi @jikuja Thank you for your feedback! I'm closing this GitHub issue and creating an internal tracking work item to address it. If you have any additional information you would like to provide, please respond to this issue with any additional details.

Please continue to provide feedback about Azure documentation. We appreciate your contributions to our community. #please-close