Closed cogran closed 5 years ago
@cogran, thanks for your feedback. We are looking into this query and will update you as soon as possible.
@cogran, please refer to this GitHub issue #29446. Ensure that the storage account has "All Networks" enabled; the same is mentioned in this Doc. We are closing this issue for now. If there are further questions regarding this matter, please reply and we will gladly continue the discussion.
@SubhashVasarapu-MSFT Virtual Network Service Endpoints are different from the Azure Storage Account Firewall. Each of them independently can impact the functionality of NSG flow logs.
I know this has been closed for nearly two months but I thought we had re-opened and addressed both issues. Unfortunately, only increasing the visibility of ALL Networks was addressed in #30788. This is still a very common issue and the VNET Service Endpoint limitation needs to be more clearly addressed in the context of NSG Flow logs.
It is not always practical that we use either service endpoint or disable the flow logs. Microsoft has acknowledged the issue via support ticket and the fix is expected to be implemented by the end of July 2019. I haven't received an update that the fix is implemented yet but when I checked in early July, the product team had confirmed that the fix is still on track to be implemented. Sometimes, disabling and enabling the flows helps fix the issue but then it reappears after a couple of days, but this does not seem to work always. @SubhashVasarapu-MSFT - I can confirm that the storage account where the logs are being written has 'All Networks' enabled but we are still not able to capture the logs.
FYI: NSG Flow Logs are now compatible with Secured/Firewalled storage accounts. With this update, Service Endpoints for Microsoft storage are also supported for NSG Flow Logs.
The “Allow trusted Microsoft services to access this storage account” toggle on the Storage account must be enabled for this to work.
From: https://feedback.azure.com/forums/217313/suggestions/33684529
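As an added example (not part of the original thread or of Microsoft's documentation), the following check tests a storage account's network rules against the two conditions stated in this thread: "All Networks" enabled, or the firewall on with the trusted Microsoft services toggle enabled. It assumes the `networkRuleSet` JSON shape printed by `az storage account show`; the sample account and the function name are constructed for illustration.

```python
import json

# Constructed sample in the shape of `az storage account show` output.
# Account name and subnet id are placeholders, not real resources.
SAMPLE_ACCOUNT = json.loads("""
{
  "name": "examplestorage",
  "networkRuleSet": {
    "bypass": "Logging, Metrics",
    "defaultAction": "Deny",
    "ipRules": [],
    "virtualNetworkRules": [
      {"virtualNetworkResourceId": "<constructed-subnet-resource-id>"}
    ]
  }
}
""")


def flow_log_storage_check(account):
    """Return (status, reason) for using this account as an NSG flow log target.

    status is "ok" or "blocked", based only on the conditions named in the thread.
    """
    rules = account.get("networkRuleSet") or {}
    # Assumption: a missing defaultAction means the firewall is not restricting access.
    default_action = (rules.get("defaultAction") or "Allow").lower()
    # bypass is a comma-separated string such as "Logging, Metrics, AzureServices".
    bypass = {b.strip().lower() for b in (rules.get("bypass") or "None").split(",")}
    vnet_rules = rules.get("virtualNetworkRules") or []

    if default_action == "allow":
        return ("ok", "'All Networks' is enabled on the storage account")
    if "azureservices" in bypass:
        detail = "firewall on, trusted Microsoft services allowed"
        if vnet_rules:
            detail += f"; {len(vnet_rules)} service endpoint rule(s) present"
        return ("ok", detail)
    return ("blocked", "firewall denies by default and the trusted "
                       "Microsoft services toggle is off")


if __name__ == "__main__":
    status, reason = flow_log_storage_check(SAMPLE_ACCOUNT)
    print(f"{SAMPLE_ACCOUNT['name']}: {status} ({reason})")
```
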
There is no indication that NSG flow logs cannot be used with Storage service endpoints at this time. However, when enabling NSG Flow logs on an NSG in a subnet with storage service endpoints, flow logs can discontinue logging to the storage account. The only workaround is to disable flow logs or the service endpoint. The documentation here should be updated to accurately reflect the current limitations of NSG flow logging (or the requirement that storage service endpoints be disabled).