MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

NSG FLOW LOG Documentation is not clear about Service Endpoints #58054

Closed damendo closed 3 years ago

damendo commented 4 years ago

Below is feedback that was documentation related but posted on the UserVoice forums. Replicating here as it is the right channel for such issues.

Original post: https://feedback.azure.com/forums/217313/suggestions/40751776

I have noticed that the NSG flow log documentation is not clear. I have a couple of questions but didn't find clear documentation about them.

I have integrated Service Endpoints to a subnet; will the subnet NSG log all this traffic into a flow log? I think the answer is "NO" based on my practical experience, but there is no documentation for that. If I have storage which is integrated to a VNET, will the NSG flow log at subnet level record the traffic? If I have an internal APIM instance which is integrated to a VNET, will the NSG flow log at subnet level record the traffic? I agree that an NSG denying the traffic will log it into flow logs, which is fine, but it is NOT the last NSG allowing the traffic that is recording the log into the flow logs. I just found that while sending the packets from source to destination, the VM NIC-associated NSG at the source side is recording the logs even though a subnet NSG exists. I have enabled service endpoints and several PaaS resources such as Storage, APIM, Web App, etc., which are all integrated to a VNET. If I have a subnet-level NSG, will it log all the traffic passing over the subnet into the flow log? We need to know how we can monitor all the traffic passing over the subnets. Could you please publish which services are supported by NSG flow logging?

Regards, Hari Rajan


TravisCragg-MSFT commented 4 years ago

As is discussed in this document, ALL traffic that flows over an NSG will be logged. Service Endpoints use routes to direct traffic internally to the destination, but any NSGs that are on the NICs or subnets that send traffic out to Service Endpoints should log it as an outbound flow.

For your APIM scenario, any traffic which crosses an NSG should be logged. If you have an NSG on the subnet that the APIM private IP address is in, it should log flows to the APIM.

It is recommended to use NSG flow logs on all associated NSGs, as the flows will only be recorded on one of the NSGs. You will need to filter and analyze all associated NSGs together to get an accurate picture of the flows.

For Service Endpoints, it can be difficult, as the traffic does not go to a destination inside the Virtual Network. You should be able to capture the outbound flows coming from VMs in your Virtual Network by NSGs on the NICs or subnets that the VM is in.

It is possible that NSG Flow logs do not properly capture the information that you need for your scenario at this time. I would highly recommend requesting the features that you need for your scenario on feedback.azure.com.

Please let me know if you have any additional questions.
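The point about each flow being recorded on only one of the associated NSGs, and about analyzing NIC-level and subnet-level logs together, can be made concrete with a small parser. This is an added example, not code from the thread or from Azure's own tooling; it assumes the NSG flow log version 2 schema (records / properties.flows / flowTuples), and the sample records, resource IDs and addresses are constructed.

```python
import json
from dataclasses import dataclass

# Constructed sample data (not from the thread): one NSG flow log record in the
# version 2 schema from a NIC-level NSG and one from a subnet-level NSG.
NIC_NSG_LOG = json.dumps({"records": [{
    "resourceId": "/SUBSCRIPTIONS/<SUB-ID>/RESOURCEGROUPS/RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/VM-NIC-NSG",
    "properties": {"Version": 2, "flows": [{"rule": "DefaultRule_AllowInternetOutBound",
        "flows": [{"mac": "000D3A123456", "flowTuples": [
            "1596276000,10.0.0.4,52.239.160.10,50001,443,T,O,A,B,,,,",
            "1596276010,10.0.0.4,52.239.160.10,50001,443,T,O,A,E,12,3400,10,2100"]}]}]}}]})
SUBNET_NSG_LOG = json.dumps({"records": [{
    "resourceId": "/SUBSCRIPTIONS/<SUB-ID>/RESOURCEGROUPS/RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SUBNET-NSG",
    "properties": {"Version": 2, "flows": [{"rule": "UserRule_DenyRDPInbound",
        "flows": [{"mac": "000D3A123456", "flowTuples": [
            "1596276020,203.0.113.7,10.0.0.4,61000,3389,T,I,D,B,,,,"]}]}]}}]})

@dataclass
class Flow:
    nsg: str        # NSG that recorded the flow (last segment of resourceId)
    rule: str       # NSG rule that matched
    ts: int         # Unix timestamp from the tuple
    src: str
    dst: str
    dport: int
    direction: str  # I = inbound, O = outbound
    decision: str   # A = allowed, D = denied
    state: str      # B = begin, C = continuing, E = end (version 2 only)

def parse_flow_log(raw: str) -> list[Flow]:
    """Flatten one NSG flow log blob into a Flow per tuple, tagged with its NSG."""
    out = []
    for rec in json.loads(raw)["records"]:
        nsg = rec["resourceId"].rsplit("/", 1)[-1]
        for rule_block in rec["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    f = tup.split(",")  # ts,src,dst,sport,dport,proto,dir,decision,state,pkts,bytes,pkts,bytes
                    out.append(Flow(nsg, rule_block["rule"], int(f[0]), f[1], f[2], int(f[4]), f[6], f[7], f[8]))
    return out

def merge_nsg_logs(*raw_logs: str) -> list[Flow]:
    """A flow is recorded by only one NSG in its path, so the union of the NIC-level
    and subnet-level logs, ordered by time, is the complete picture."""
    return sorted((f for raw in raw_logs for f in parse_flow_log(raw)), key=lambda f: f.ts)

def outbound_to_prefix(flows: list[Flow], prefix: str, decision: str = "A") -> list[Flow]:
    """Outbound flows with the given decision whose destination starts with prefix
    (for example the public range that service-endpoint traffic is sent to)."""
    return [f for f in flows if f.direction == "O" and f.decision == decision and f.dst.startswith(prefix)]
```

Pointing the merged view at the destination range of the PaaS service shows the outbound side of service-endpoint traffic that the NIC-level NSG recorded, while the subnet NSG only contributes the flows it decided itself.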

TravisCragg-MSFT commented 3 years ago

We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.