
Manage NSG flow logs using Azure Policy

Important

Network security group (NSG) flow logs will be retired on September 30, 2027. After June 30, 2025, you'll no longer be able to create new NSG flow logs. We recommend migrating to virtual network flow logs, which address the limitations of NSG flow logs. After the retirement date, traffic analytics enabled for NSG flow logs will no longer be supported, and existing NSG flow log resources in your subscriptions will be deleted. However, existing NSG flow log records won't be deleted from Azure Storage and will continue to follow their configured retention policies. For more information, see the official announcement.

Azure Policy helps you enforce organizational standards and assess compliance at scale. Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. To learn more about Azure Policy, see What is Azure Policy? and Quickstart: Create a policy assignment to identify noncompliant resources.

In this article, you learn how to use built-in policies to audit your setup of network security group (NSG) flow logs.

Audit network security groups using a built-in policy

The built-in policy "Flow logs should be configured for every network security group" audits all existing network security groups in the assigned scope by evaluating every Azure Resource Manager object of type Microsoft.Network/networkSecurityGroups. For each one, it checks for linked flow logs through the network security group's flowLogs property and flags any network security group whose flowLogs property is missing or empty, that is, any network security group that has no flow log enabled.

To audit your flow logs using the built-in policy, follow these steps:

  1. Sign in to the Azure portal.

  2. In the search box at the top of the portal, enter policy. Select Policy from the search results.

    Screenshot that shows how to search for Azure Policy in the Azure portal.

  3. Select Assignments, and then select Assign policy.

    Screenshot of selecting the button for assigning a policy in the Azure portal.

  4. Select the ellipsis (...) next to Scope to choose your Azure subscription that has the network security groups you want the policy to audit. You can also choose the resource group that has the network security groups. After you make your selections, choose the Select button.

    Screenshot of selecting the scope of the policy in the Azure portal.

  5. Select the ellipsis (...) next to Policy definition to choose the built-in policy that you want to assign. Enter flow log in the search box, and then select the Built-in filter. From the search results, select Flow logs should be configured for every network security group, and then select Add.

    Screenshot of selecting the audit policy in the Azure portal.

  6. Enter a name in Assignment name, and enter your name in Assigned by.

    This policy doesn't require any parameters. It also doesn't contain any role definitions, so you don't need to create role assignments for the managed identity on the Remediation tab.

  7. Select Review + create, and then select Create.

    Screenshot of the Basics tab to assign an audit policy in the Azure portal.

  8. Select Compliance. Search for the name of your assignment, and then select it.

    Screenshot of the Compliance page that shows noncompliant resources based on the audit policy.

  9. Select Resource compliance to get a list of all noncompliant network security groups.

    Screenshot of the Policy compliance page that shows the noncompliant resources based on the audit policy.
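The same assignment and compliance check can be scripted, which is useful when you need to repeat it across many subscriptions or run it from a pipeline. The following Azure PowerShell script is an added example written for this article, not code from the page or from Microsoft; it performs steps 3 through 9 above without the portal and finishes with a direct query that applies the same test the policy does (an NSG without a non-empty flowLogs property is flagged). It assumes the Az.Resources and Az.PolicyInsights modules are installed, that Connect-AzAccount has already been run, and that the assignment name and the <subscription-id> / <resource-group> placeholders are values you supply.

```powershell
# Added example (not from the original article): assign the built-in audit policy
# "Flow logs should be configured for every network security group" from PowerShell
# and list the network security groups it flags.
# Assumptions: Az.Resources and Az.PolicyInsights are installed, Connect-AzAccount
# has been run, and the scope/assignment name below are placeholders you replace.

$displayName    = 'Flow logs should be configured for every network security group'
$assignmentName = 'audit-nsg-flow-logs'                 # hypothetical assignment name
$scope          = '/subscriptions/<subscription-id>'    # or '/subscriptions/<subscription-id>/resourceGroups/<resource-group>'

# Step 5 equivalent: find the built-in definition by display name rather than
# hard-coding its GUID. Az.Resources 7+ exposes DisplayName at the top level;
# older versions nest it under .Properties, so both shapes are checked.
$definition = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.DisplayName -eq $displayName -or $_.Properties.DisplayName -eq $displayName } |
    Select-Object -First 1
if (-not $definition) { throw "Built-in policy '$displayName' was not found." }

# Steps 4, 6 and 7 equivalent: create the assignment at the chosen scope.
# The policy takes no parameters and carries no role definitions, so no managed
# identity or role assignment is needed; it only audits, it never remediates.
$assignment = New-AzPolicyAssignment -Name $assignmentName `
    -DisplayName $displayName `
    -Scope $scope `
    -PolicyDefinition $definition
"Assigned '$($assignment.Name)' at scope $scope"

# Compliance is normally evaluated on a schedule; trigger an on-demand scan so the
# results below are current. Scope the scan to the resource group when the
# assignment is at that level. The scan can take several minutes to complete.
if ($scope -match '/resourceGroups/([^/]+)$') {
    Start-AzPolicyComplianceScan -ResourceGroupName $Matches[1]
} else {
    Start-AzPolicyComplianceScan
}

# Steps 8 and 9 equivalent (Compliance > Resource compliance): every network
# security group the assignment currently reports as noncompliant.
$nonCompliant = Get-AzPolicyState -PolicyAssignmentName $assignmentName `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Where-Object { $_.ResourceType -eq 'Microsoft.Network/networkSecurityGroups' }

"Network security groups reported noncompliant by the policy: $(@($nonCompliant).Count)"
$nonCompliant | Select-Object ResourceId, ComplianceState, Timestamp | Format-Table -AutoSize

# Cross-check with the test the policy itself applies: read each NSG's Resource
# Manager object and flag it when its flowLogs property is absent or empty. This
# does not depend on the compliance scan having finished, so it is a quick way to
# confirm the policy's findings or to spot NSGs before the next evaluation cycle.
$nsgs = Get-AzResource -ResourceType 'Microsoft.Network/networkSecurityGroups' -ExpandProperties
$missing = $nsgs | Where-Object {
    $null -eq $_.Properties.flowLogs -or @($_.Properties.flowLogs).Count -eq 0
}
"Network security groups without a linked flow log: $(@($missing).Count) of $(@($nsgs).Count)"
$missing | ForEach-Object { $_.ResourceId }
```

If the two lists disagree, the usual cause is that the compliance scan has not finished or the flow log was attached after the last evaluation; rerunning the script after the scan completes should reconcile them. Because the policy is audit-only, nothing in this script changes any NSG; the assignment merely records which ones lack flow logs.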