bcgov / Cloud-Pathfinder-Azure

Apache License 2.0

Enable VNet Flow Logs and Traffic Analytics #140

Closed AErmie closed 1 month ago

AErmie commented 2 months ago

To match the configuration of the Landing Zones in AWS, we need to enable Azure VNet Flow Logs (and potentially Traffic Analytics).

We need to check if there is a built-in Azure Policy that can be used to enable this at scale. If not, we may have to create our own custom policy. If the resource is not configurable through an Azure Policy, we will need to look into adding some additional logic when deploying VNets (especially in Project Set spokes).

Acceptance Criteria

AErmie commented 1 month ago

Although there is an Azure Policy to audit and deploy virtual network flow logs, from what we've been able to determine, it seems like VNet Flow Logs are not supported when using vWAN (as in, we cannot add it to the underlying vWAN-managed subnet for Azure Firewall). We can enable it on all the spokes connected to the vHub though.

We will need to determine if we need to enable VNet Flow Logs on all spokes, or, since all traffic is routed through the Azure Firewall (both Internet-bound and spoke-to-spoke), if this would even be required.

AErmie commented 1 month ago

Although the "Monitoring traffic flows in Azure Firewall using Virtual Network Flow Logs" article mentions enabling VNet Flow Logs to enhance the Azure Firewall visibility, it has been confirmed that this feature is not currently supported with Virtual WAN (vWAN).

We could enable VNet Flow Logs on each of the respective spokes attached to the vWAN; however, Microsoft recommends only enabling this if/when it is required for troubleshooting.
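As an added example (not code from the bcgov/Cloud-Pathfinder-Azure project), a check that takes the JSON produced by `az network vnet list` and `az network watcher flow-log list` and reports which spoke VNets have no enabled flow log, or a flow log without Traffic Analytics, so the decision in the comments above can be verified across spokes. The field names (`targetResourceId`, `enabled`, `flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled`) follow the Microsoft.Network/networkWatchers/flowLogs ARM schema and are an assumption; the sample resources are constructed.

```python
# Constructed sample data shaped like the az CLI JSON output (not real resources).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VNET_PREFIX = "/providers/Microsoft.Network/virtualNetworks/"

SAMPLE_VNETS = [
    {"name": "vnet-spoke-a", "id": f"{SUB}/resourceGroups/rg-spoke-a{VNET_PREFIX}vnet-spoke-a"},
    {"name": "vnet-spoke-b", "id": f"{SUB}/resourceGroups/rg-spoke-b{VNET_PREFIX}vnet-spoke-b"},
    {"name": "vnet-spoke-c", "id": f"{SUB}/resourceGroups/rg-spoke-c{VNET_PREFIX}vnet-spoke-c"},
]

SAMPLE_FLOW_LOGS = [
    {   # spoke-a: flow log enabled with Traffic Analytics (note the ARM id casing differs)
        "name": "fl-vnet-spoke-a", "enabled": True,
        "targetResourceId": f"{SUB}/resourceGroups/RG-SPOKE-A{VNET_PREFIX}vnet-spoke-a",
        "flowAnalyticsConfiguration": {"networkWatcherFlowAnalyticsConfiguration": {
            "enabled": True, "trafficAnalyticsInterval": 10,
            "workspaceResourceId": f"{SUB}/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law"}},
    },
    {   # spoke-b: flow log enabled but Traffic Analytics never configured
        "name": "fl-vnet-spoke-b", "enabled": True,
        "targetResourceId": f"{SUB}/resourceGroups/rg-spoke-b{VNET_PREFIX}vnet-spoke-b",
        "flowAnalyticsConfiguration": None,
    },
    # spoke-c has no flow log resource at all
]


def flow_log_status(vnets, flow_logs):
    """Map each VNet name to 'ok', 'disabled', 'no-traffic-analytics' or 'missing'."""
    # ARM resource ids are case-insensitive, so normalise before matching.
    by_target = {fl["targetResourceId"].lower(): fl for fl in flow_logs}
    status = {}
    for vnet in vnets:
        fl = by_target.get(vnet["id"].lower())
        if fl is None:
            status[vnet["name"]] = "missing"
        elif not fl.get("enabled", False):
            status[vnet["name"]] = "disabled"
        else:
            ta = ((fl.get("flowAnalyticsConfiguration") or {})
                  .get("networkWatcherFlowAnalyticsConfiguration") or {})
            status[vnet["name"]] = "ok" if ta.get("enabled") else "no-traffic-analytics"
    return status


def noncompliant(vnets, flow_logs):
    """Sorted names of VNets that need a flow log or Traffic Analytics change."""
    return sorted(n for n, s in flow_log_status(vnets, flow_logs).items() if s != "ok")


if __name__ == "__main__":
    for name, state in flow_log_status(SAMPLE_VNETS, SAMPLE_FLOW_LOGS).items():
        print(f"{name}: {state}")
```

The vWAN hub itself does not appear in `az network vnet list` (it is a Microsoft.Network/virtualHubs resource), so only the spokes are evaluated, which matches the limitation described above.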