MicrosoftDocs / azure-docs


Can I enable NSG flow log through ARM template? #30578

Closed CharmanderJieniJieni closed 5 years ago

CharmanderJieniJieni commented 5 years ago

We are looking into the possibility of programmatically enabling NSG flow logs. Can this be enabled through ARM?



TravisCragg-MSFT commented 5 years ago

@Charmendar This is possible. NSG Flow Logs are enabled by adding the NSG to the flow log for a region.

You can find examples for Azure Powershell, Azure CLI, and Rest API Here. Select the drop down at the top to switch between the 3.

Here is an example of creating a Network Watcher with a template.

For template edits to add the NSGs, I always find Resources.Azure.Com helpful to view your existing enabled Network Watcher. This will let you view a working JSON configuration, which helps when creating new templates. The easiest way to view this is to navigate to your subscription -> Resource Providers -> Microsoft.Network -> NetworkWatchers

Here is a JSON Example of an enabled NSG:

{
      "name": "NetworkWatcher_westus2",
      "id": "/subscriptions/<subID>/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westus2",
      "etag": "W/\"df4d9d4c-2330-4925-a447-d31198e15582\"",
      "type": "Microsoft.Network/networkWatchers",
      "location": "westus2",
      "properties": {
        "provisioningState": "Succeeded",
        "flowLogs": [
          {
            "name": "Microsoft.NetworkTravLB-<RGname>-VM-nsg",
            "id": "/subscriptions/<subID>/resourceGroups/TravLB-RG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westus2/FlowLogs/Microsoft.NetworkTravLB-RGTravLB-VM-nsg",
            "etag": "W/\"df4d9d4c-2330-4925-a447-d31198e15582\"",
            "properties": {
              "provisioningState": "Succeeded",
              "targetResourceId": "/subscriptions/<subID>/resourceGroups/TravLB-RG/providers/Microsoft.Network/networkSecurityGroups/TravLB-VM-nsg",
              "targetResourceGuid": "ca6677df-7a76-4b0f-9c1d-c878eee2bea0",
              "storageId": "/subscriptions/<subID>/resourceGroups/<RGname>/Microsoft.Storage/storageAccounts/<SA_name>",
              "enabled": true,
              "flowAnalyticsConfiguration": {
                "networkWatcherFlowAnalyticsConfiguration": {
                  "enabled": false,
                  "workspaceId": "",
                  "trafficAnalyticsInterval": 0
                }
              },
              "retentionPolicy": {
                "days": 1,
                "enabled": true
              },
              "format": {
                "type": "JSON",
                "version": 0
              }
            },
            "type": "Microsoft.Network/networkWatchers/FlowLogs"
          }
        ],
        "runningOperationIds": []
      }
    },
CharmanderJieniJieni commented 5 years ago

Thank you very much! I will test this one. In the meantime, could you please update this ARM template reference? https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2018-11-01/networkwatchers#NetworkWatcherPropertiesFormat

Looks like the link to the NetworkWatcherPropertiesFormat object is broken, so I am not able to see what is expected in the property.

CharmanderJieniJieni commented 5 years ago

I have tried the above template, and when I trigger the deployment I get the following error:

"error": { "code": "InvalidRequestContent", "message": "The request content was invalid and could not be deserialized: 'Cannot deserialize the current JSON object (e.g. {\"name\":\"value\"}) into type 'Microsoft.WindowsAzure.ResourceStack.Frontdoor.Templates.Schema.TemplateResource[]' because the type requires a JSON array (e.g. [1,2,3]) to deserialize correctly.\r\nTo fix this error either change the JSON to a JSON array (e.g. [1,2,3]) or change the deserialized type so that it is a normal .NET type (e.g. not a primitive type like integer, not a collection type like an array or List) that can be deserialized from a JSON object. JsonObjectAttribute can also be added to the type to force it to deserialize from a JSON object.\r\nPath 'properties.template.resources.name', line 1, position 187.'." }

This is the ARM section I created for the nsg log deployment:

{
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2018-05-01",
  "name": "nsgFlowLogDeployment",
  "resourceGroup": "[variables('resourceGroup').name]",
  "dependsOn": [ "nsgDeployment" ],
  "properties": {
    "mode": "Incremental",
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": {
        "name": "[parameters('log').networkWatcherName]",
        "type": "Microsoft.Network/networkWatchers",
        "apiVersion": "2018-11-01",
        "location": "[variables('resourceGroup').location]",
        "properties": {
          "flowLogs": [
            {
              "name": "mytest",
              "properties": {
                "targetResourceId": "/subscriptions/{subscription}/resourceGroups/{rg}/providers/Microsoft.Network/networkSecurityGroups/mynsg",
                "storageId": "/subscriptions/{subscription}/resourceGroups/vdc-storage-rg/providers/Microsoft.Storage/storageAccounts/mytesttest",
                "enabled": true,
                "flowAnalyticsConfiguration": {
                  "networkWatcherFlowAnalyticsConfiguration": {
                    "enabled": false,
                    "workspaceId": "",
                    "trafficAnalyticsInterval": 0
                  }
                },
                "retentionPolicy": {
                  "days": 1,
                  "enabled": true
                },
                "format": {
                  "type": "JSON",
                  "version": 0
                }
              },
              "type": "Microsoft.Network/networkWatchers/FlowLogs"
            }
          ]
        }
      }
    }
  }
}
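A pre-deployment check for templates like the one above, added here as an example (it is not code from the thread or from the Azure docs): it walks nested `Microsoft.Resources/deployments` templates, flags an inner `resources` written as an object instead of an array (the cause of the `InvalidRequestContent` error), and reports flow logs that are disabled, retain data for less than a policy minimum, or do not use format version 2. The 90-day minimum and the version-2 requirement are assumed policy values, and the sample template is constructed.

```python
# Constructed sample modelled on the nested deployment posted in the thread:
# the inner "resources" is an object rather than an array, retention is one
# day and the flow-log format version is 0 (assumed policy wants >= 90, v2).
FLOW_LOG = {
    "name": "mytest",
    "properties": {
        "targetResourceId": "/subscriptions/<subID>/resourceGroups/rg/providers/"
                            "Microsoft.Network/networkSecurityGroups/mynsg",
        "enabled": True,
        "retentionPolicy": {"days": 1, "enabled": True},
        "format": {"type": "JSON", "version": 0},
    },
}
SAMPLE_TEMPLATE = {"resources": [{
    "type": "Microsoft.Resources/deployments",
    "name": "nsgFlowLogDeployment",
    "properties": {"mode": "Incremental", "template": {"resources": {
        "type": "Microsoft.Network/networkWatchers",
        "name": "NetworkWatcher_westus2",
        "properties": {"flowLogs": [FLOW_LOG]},
    }}},
}]}


def lint_flow_logs(template, min_retention_days=90, path="resources"):
    """Return a list of findings (an empty list means the template passes)."""
    findings = []
    resources = template.get("resources")
    if isinstance(resources, dict):  # the deserialisation error from the thread
        findings.append(f"{path}: must be a JSON array, not an object")
        resources = [resources]
    for res in resources or []:
        rtype = res.get("type", "")
        if rtype == "Microsoft.Resources/deployments":  # recurse into nested template
            inner = res.get("properties", {}).get("template", {})
            findings += lint_flow_logs(inner, min_retention_days,
                                       f"{path}/{res.get('name')}/template/resources")
        elif rtype == "Microsoft.Network/networkWatchers":
            for fl in res.get("properties", {}).get("flowLogs", []):
                p, name = fl.get("properties", {}), fl.get("name", "<unnamed>")
                if not p.get("enabled"):
                    findings.append(f"{name}: flow log is not enabled")
                rp = p.get("retentionPolicy", {})
                if not rp.get("enabled") or rp.get("days", 0) < min_retention_days:
                    findings.append(f"{name}: retention below {min_retention_days} days")
                if p.get("format", {}).get("version") != 2:
                    findings.append(f"{name}: format version is not 2")
    return findings


if __name__ == "__main__":
    for finding in lint_flow_logs(SAMPLE_TEMPLATE):
        print(finding)
```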

zkoncir commented 5 years ago

I was able to trigger a deployment with the following code:

{
      "apiVersion": "2018-12-01",
      "type": "Microsoft.Network/networkWatchers",
      "name": "[variables('resourceNames').networkWatcher]",
      "location": "[parameters('location')]",
      "properties": {
        "flowLogs": [
          {
            "name": "[concat(variables('resourceNames').networkSecurityGroup,'-flowlogs')]",
            "type": "Microsoft.Network/networkWatchers/FlowLogs",
            "properties": {
              "targetResourceId": "[resourceId('Microsoft.Network/networkSecurityGroups',variables('resourceNames').networkSecurityGroup)]",
              "storageId": "[parameters('complianceStorageId')]",
              "enabled": true,
              "retentionPolicy": {
                "days": 365,
                "enabled": true
              },
              "format": {
                "type": "JSON",
                "version": 0
              }
            }
          }
        ]
      }
    }

But if I run it when a network watcher is already enabled, it fails with the following error:

Azure Error: InvalidTemplateDeployment Message: The template deployment 'lob-vnet-nsg' is not valid according to the validation procedure. The tracking id is '2683f05c-8264-4e41-9636-c6482ef9e808'. See inner errors for details. Please see https://aka.ms/arm-deploy for usage details. Exception Details: Error Code: ResourceCountExceedsLimitDueToTemplate Message: Subscription d3a932d0-2e8e-4a32-95ff-1f658bc48c0a has a quota of 1 for resources of type NetworkWatcher with sku SkuNotSpecified. Subscription currently has 1 resources and the template contains 1 new resources of the this type which exceeds the quota. Please contact support to increase the quota for resource type NetworkWatcher

TravisCragg-MSFT commented 5 years ago

@Charmendar are you able to add more than 1 using the portal?

You should be able to use resources.azure.com to get what the template should look like. I was not able to find the correct page for the Network Watcher Properties, it might not be fully documented yet. Also, check your version! I am only able to find information on Network Watcher using apiversion "2018-12-01"

zkoncir commented 5 years ago

@TravisCragg-MSFT it appears this is still unsupported for now. I used a template export after enabling Flow Logs for one of my NSGs, cleaned up the unused stuff that ARM gives you when you export, and tried running it against the same NSG after turning off flow logs through the console. It still showed as disabled. Hopefully this will be added soon; for now we will have to use the CLI.

TravisCragg-MSFT commented 5 years ago

@zkoncir No matter how you perform an operation in Azure, it all gets converted to JSON and sent to the REST API. You can packet capture what JSON the CLI is sending, and compare it to your template to see if there is any difference.

petr-stupka commented 5 years ago

@TravisCragg-MSFT is there any ETA for NSG Flow Logs being configurable using ARM? According to the following docs it is not supported, and I have tested ARM as you suggested above, but the changes are not applied to the NetworkWatcher resource. https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq#can-i-configure-traffic-analytics-using-powershell-or-an-azure-resource-manager-template-or-client

TravisCragg-MSFT commented 5 years ago

@petr-stupka Thank you for finding that! Let me follow up to see if or when this will be changed.

TravisCragg-MSFT commented 5 years ago

@petr-stupka Unfortunately I am unable to give an ETA on this change, and it is not currently on short term plans.

If you would like us to prioritize this feature, please leave your feedback Here.

We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.

petr-stupka commented 5 years ago

Feedback link: https://feedback.azure.com/forums/217313-networking/suggestions/37713784-arm-template-support-for-nsg-flow-logs

damendo commented 4 years ago

NSG Flow Logs are now an ARM object and can be deployed via templates.

We will soon be adding a built-in policy for the Azure Governance too.

Mitaric commented 4 years ago

Interesting results when deploying NSG Flow Logs via ARM. Currently experiencing 2 issues.

  1. Even with the version set to '2', it always deploys as Version 1 of the NSG Flow Logs. I have tried values of '0' and '1' as well, but the result is always Version 1.

"format": { "type": "JSON", "version": 2 },

  2. When trying to configure NSG Flow Logs in a single template for NSGs in multiple regions, the deployment only succeeds for the NSGs in one region. The other region errors out saying that it cannot find the NSG specified in the targetResourceId field.

Most of it works!

damendo commented 4 years ago

@Mitaric

  1. We have found a UI bug where the Flow Log is created successfully (and with the correct version), however the UI just shows version too. We are fixing this

  2. Did you change the name of the Network Watcher resource for every region? The default name is of the format "Networkwatch_region_name"

Mitaric commented 4 years ago

@damendo - Thanks for the response!

  1. For clarity, it is showing Version 1 in the portal, even though it is configured as Version1?

  2. I did change the name of the Network Watcher resource for both regions. The template enables NSG Flow Logs for all regions within one template. The error being produced is:

Deployment failed. Correlation ID: a3833949-7d35-40ac-bdd8-41afff59be3f. { "error": { "code": "NetworkSecurityGroupNotFoundForFlowLog",

It very well could end up being a syntax error, but after a pretty lengthy review, I'm getting the same result.

damendo commented 4 years ago

Hello everyone.

Two built-in policies for Flow logs are available on the portal: one audit policy and one deploy-if-not-enabled policy. You can find them by searching for "Flow logs" when creating your policy initiative.

We have a step-by-step tutorial for using the built-in policies for NSG Flow Logs. Link to tutorial: https://docs.microsoft.com/azure/network-watcher/nsg-flow-logs-policy-portal