I'm currently migrating our Azure infrastructure to a Hub-and-Spoke setup and tightening our Network Security Groups (NSGs). Each subnet has an NSG with default Microsoft rules, and I've enabled VNet flow logs for all of them.
When I run queries in Log Analytics, I get traffic logs from my subnets, but the corresponding ACL rules mostly show up as "platformrule" or other Microsoft defaults like "allowvnetinbound". Even the NSG rules I added seem to display as "inboundrule-100" instead of their custom names like "AllowHTTPSInBound". Some rules don't seem to apply at all and still reflect the Microsoft rules.
I've noticed that the NsgRule field in my queries is always empty. What could I be doing wrong? Is there a simpler way to visualize this traffic? I've also checked the network analytics feature, but I only see stats like the "Top 20 IPs" rather than detailed traffic logs. Any help would be appreciated!
3 Answers
Make sure you’re actually using VNet flow logs and not NSG flow logs. The latter is being phased out, and some default searches might confuse you. Look for Log Analytics queries tailored for VNet flow logs; they often work better with the data you're seeing.
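An added example of the kind of query this answer refers to; it is not from the answer above or from Microsoft. It assumes VNet flow logs with Traffic Analytics writing to the NTANetAnalytics table, where the matched rule is recorded in AclGroup/AclRule (the legacy NSG flow log table AzureNetworkAnalytics_CL names its rule column NSGRule_s, which is why a query written for that table finds nothing here). The subnet name snet-app-01, the time window, and the assumption that AclGroup carries the full resource ID of the NSG whose rule matched (so its last path segment is the NSG name) are placeholders to adjust:

```kusto
// Added example, not from the original answer. Assumes VNet flow logs + Traffic Analytics
// landing in NTANetAnalytics. AclGroup is assumed to be the resource ID of the NSG (or
// security admin configuration) whose rule matched; AclRule the rule name.
NTANetAnalytics
| where TimeGenerated > ago(1h)
| where SubType == "FlowLog"
| where DestSubnet has "snet-app-01"          // placeholder subnet name (assumption)
| extend AclName = tostring(split(AclGroup, "/")[-1])
// Separate the built-in rules from anything you authored yourself
| extend RuleKind = iff(
        AclRule startswith "platform"
        or AclRule in~ ("AllowVnetInBound", "AllowAzureLoadBalancerInBound", "DenyAllInBound",
                        "AllowVnetOutBound", "AllowInternetOutBound", "DenyAllOutBound"),
        "default", "custom")
| summarize Flows = count(),
            Bytes = sum(BytesSrcToDest + BytesDestToSrc),
            SampleSrc = take_any(SrcIp),
            SampleDst = take_any(DestIp)
          by FlowDirection, FlowStatus, AclName, RuleKind, AclRule, DestPort, L4Protocol
| order by Flows desc
```

Rows with RuleKind == "default" and FlowStatus == "A" are traffic that a built-in rule admitted before any custom rule was consulted, which is usually the first thing to check when a custom rule "doesn't seem to apply".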
The empty NsgRule field is a big hint. If you're mostly seeing platformrules and other defaults, you might be querying from VNet flow logs instead of NSG flow logs. Double-check which type of log you've enabled; they handle data attribution differently.
Good point! I think many people get mixed up because the naming can be similar but the functionalities are quite different. Just ensure you’re correctly set up for your logs!
It sounds like you're running into some limitations with VNet flow logs, especially regarding private endpoint traffic. Currently, only the source VM IPs are fully captured, and it's expected to improve soon. You might want to keep an eye on updates from Microsoft regarding this feature.
Yeah, it's frustrating! It really complicates network design when such essential features aren't fully supported. Let's hope they roll out improvements without further delays.

Right, NSG flow logs aren’t available for new setups anymore, and they’ll be fully phased out by 2027. Your setup should solely rely on VNet flow logs now.