Create, change, enable, disable, or delete virtual network flow logs

• An Azure account with an active subscription. Create an account for free.

• Insights provider. For more information, see Register Insights provider.

• A virtual network. If you need to create a virtual network, see Create a virtual network using the Azure portal.

• An Azure storage account. If you need to create a storage account, see Create a storage account using the Azure portal.

• An Azure account with an active subscription. Create an account for free.

• Insights provider. For more information, see Register Insights provider.

• A virtual network. If you need to create a virtual network, see Create a virtual network using PowerShell.

• An Azure storage account. If you need to create a storage account, see Create a storage account using PowerShell.

• Azure Cloud Shell or Azure PowerShell.

  The steps in this article run the Azure PowerShell cmdlets interactively in Azure Cloud Shell. To run the cmdlets in the Cloud Shell, select Open Cloud Shell at the upper-right corner of a code block. Select Copy to copy the code and then paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.

  You can also install Azure PowerShell locally to run the cmdlets. This article requires the Azure PowerShell version 7.4.0 or later. Run Get-Module -ListAvailable Az to find the installed version. If you run PowerShell locally, sign in to Azure using the Connect-AzAccount cmdlet.

• An Azure account with an active subscription. Create an account for free.

• Insights provider. For more information, see Register Insights provider.

• A virtual network. If you need to create a virtual network, see Create a virtual network using the Azure CLI.

• An Azure storage account. If you need to create a storage account, see Create a storage account using the Azure CLI.

• Azure Cloud Shell or Azure CLI.

  The steps in this article run the Azure CLI commands interactively in Azure Cloud Shell. To run the commands in the Cloud Shell, select Open Cloud Shell at the upper-right corner of a code block. Select Copy to copy the code, and paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.

  You can also install Azure CLI locally to run the commands. This article requires the Azure CLI version 2.39.0 or later. Run az --version command to find the installed version. If you run Azure CLI locally, sign in to Azure using the az login command.

Microsoft.Insights provider must be registered to successfully log traffic flowing through a virtual network. If you aren't sure if the Microsoft.Insights provider is registered, check its status in the Azure portal by following these steps:

1. In the search box at the top of the portal, enter subscriptions. Select Subscriptions from the search results.

   

2. Select the Azure subscription that you want to enable the provider for in Subscriptions.

3. Under Settings, select Resource providers.

4. Enter insight in the filter box.

5. Confirm the status of the provider displayed is Registered. If the status is NotRegistered, select the Microsoft.Insights provider then select Register.

   

Microsoft.Insights provider must be registered to successfully log traffic in a virtual network. If you aren't sure if the Microsoft.Insights provider is registered, use Register-AzResourceProvider to register it.

# Register Microsoft.Insights provider.
Register-AzResourceProvider -ProviderNamespace Microsoft.Insights

Microsoft.Insights provider must be registered to successfully log traffic in a virtual network. If you aren't sure if the Microsoft.Insights provider is registered, use az provider register to register it.

# Register Microsoft.Insights provider.
az provider register --namespace Microsoft.Insights

1. In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.

2. Under Logs, select Flow logs.

3. In Network Watcher | Flow logs, select + Create or Create flow log blue button.

   

4. On the Basics tab of Create a flow log, enter or select the following values:

   Setting	Value
   Project details
   Subscription	Select the Azure subscription of your virtual network that you want to log.
   Flow log type	Select Virtual network then select + Select target resource (available options are: Virtual network, Subnet, and Network interface). Select the resources that you want to flow log, then select Confirm selection.
   Flow Log Name	Enter a name for the flow log or leave the default name. Azure portal uses {ResourceName}-{ResourceGroupName}-flowlog as a default name for the flow log.
   Instance details
   Subscription	Select the Azure subscription of the storage account.
   Storage accounts	Select the storage account that you want to save the flow logs to. If you want to create a new storage account, select Create a new storage account.
   Retention (days)	Enter a retention time for the logs (this option is only available with Standard general-purpose v2 storage accounts). Enter 0 if you want to retain the flow logs data in the storage account forever (until you manually delete it from the storage account). For information about pricing, see Azure Storage pricing.

   

   Note

   If the storage account is in a different subscription, the resource that you're logging (virtual network, subnet, or network interface) and the storage account must be associated with the same Microsoft Entra tenant. The account you use for each subscription must have the necessary permissions.

5. To enable traffic analytics, select Next: Analytics button, or select the Analytics tab. Enter or select the following values:

   Setting	Value
   Enable traffic analytics	Select the checkbox to enable traffic analytics for your flow log.
   Traffic analytics processing interval	Select the processing interval that you prefer, available options are: Every 1 hour and Every 10 mins. The default processing interval is every one hour. For more information, see Traffic analytics.
   Subscription	Select the Azure subscription of your Log Analytics workspace.
   Log Analytics Workspace	Select your Log Analytics workspace. By default, Azure portal creates DefaultWorkspace-{SubscriptionID}-{Region} Log Analytics workspace in defaultresourcegroup-{Region} resource group.

   

   Note

   To create and select a Log Analytics workspace other than the default one, see Create a Log Analytics workspace

   Caution

   Traffic analytics creates and manages data collection rule and data collection endpoint resources in the same resource group as the workspace, prefixed with NWTA. If you perform any operation on these resources, traffic analytics might not function as expected.

6. Select Review + create.

7. Review the settings, and then select Create.

Use New-AzNetworkWatcherFlowLog cmdlet to create a virtual network flow log.

• Enable virtual network flow logs without traffic analytics

  # Place the virtual network configuration into a variable.
  $vnet = Get-AzVirtualNetwork -Name 'myVNet' -ResourceGroupName 'myResourceGroup'
  
  # Place the storage account configuration into a variable.
  $storageAccount = Get-AzStorageAccount -Name 'myStorageAccount' -ResourceGroupName 'myResourceGroup'
  
  # Create a VNet flow log.
  New-AzNetworkWatcherFlowLog -Enabled $true -Name 'myVNetFlowLog' -NetworkWatcherName 'NetworkWatcher_eastus' -ResourceGroupName 'NetworkWatcherRG' -StorageId $storageAccount.Id -TargetResourceId $vnet.Id -FormatVersion 2
  

• Enable virtual network flow logs and traffic analytics

  # Place the virtual network configuration into a variable.
  $vnet = Get-AzVirtualNetwork -Name 'myVNet' -ResourceGroupName 'myResourceGroup'
  
  # Place the storage account configuration into a variable.
  $storageAccount = Get-AzStorageAccount -Name 'myStorageAccount' -ResourceGroupName 'myResourceGroup'
  
  # Create a traffic analytics workspace and place its configuration into a variable.
  $workspace = New-AzOperationalInsightsWorkspace -Name 'myWorkspace' -ResourceGroupName 'myResourceGroup' -Location 'EastUS'
  
  # Create a VNet flow log.
  New-AzNetworkWatcherFlowLog -Enabled $true -Name 'myVNetFlowLog' -NetworkWatcherName 'NetworkWatcher_eastus' -ResourceGroupName 'NetworkWatcherRG' -StorageId $storageAccount.Id -TargetResourceId $vnet.Id -FormatVersion 2 -EnableTrafficAnalytics -TrafficAnalyticsWorkspaceId $workspace.ResourceId -TrafficAnalyticsInterval 10
  

  Caution

  Traffic analytics creates and manages data collection rule and data collection endpoint resources in the same resource group as the workspace, prefixed with NWTA. If you perform any operation on these resources, traffic analytics might not function as expected.

Use az network watcher flow-log create command to create a virtual network flow log.

• Enable virtual network flow logs without traffic analytics

  # Create a VNet flow log.
  az network watcher flow-log create --location 'eastus' --resource-group 'myResourceGroup' --name 'myVNetFlowLog' --vnet 'myVNet' --storage-account 'myStorageAccount'
  

  # Create a VNet flow log (storage account is in a different resource group from the virtual network).
  az network watcher flow-log create --location 'eastus' --resource-group 'myResourceGroup' --name 'myVNetFlowLog' --vnet 'myVNet' --storage-account '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/StorageRG/providers/Microsoft.Storage/storageAccounts/myStorageAccount'
  

• Enable virtual network flow logs and traffic analytics

  # Create a traffic analytics workspace.
  az monitor log-analytics workspace create --name 'myWorkspace' --resource-group 'myResourceGroup' --location 'eastus'
  
  # Create a VNet flow log.
  az network watcher flow-log create --location 'eastus' --name 'myVNetFlowLog' --resource-group 'myResourceGroup' --vnet 'myVNet' --storage-account 'myStorageAccount' --traffic-analytics true --workspace 'myWorkspace' --interval 10
  

  # Create a traffic analytics workspace.
  az monitor log-analytics workspace create --name 'myWorkspace' --resource-group 'myResourceGroup' --location 'eastus'
  
  # Create a VNet flow log (storage account and traffic analytics workspace are in different resource groups from the virtual network).
  az network watcher flow-log create --location 'eastus' --name 'myVNetFlowLog' --resource-group 'myResourceGroup' --vnet 'myVNet' --storage-account '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/StorageRG/providers/Microsoft.Storage/storageAccounts/myStorageAccount' --traffic-analytics true --workspace '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/WorkspaceRG/providers/Microsoft.OperationalInsights/workspaces/myWorkspace' --interval 10
  

  Caution

  Traffic analytics creates and manages data collection rule and data collection endpoint resources in the same resource group as the workspace, prefixed with NWTA. If you perform any operation on these resources, traffic analytics might not function as expected.

To enable traffic analytics for a flow log, follow these steps:

1. In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.

2. Under Logs, select Flow logs.

3. In Network Watcher | Flow logs, select the flow log that you want to enable traffic analytics for.

4. In Flow logs settings, under Traffic analytics, check the Enable traffic analytics checkbox.

   

5. Enter or select the following values:

   Setting	Value
   Subscription	Select the Azure subscription of your Log Analytics workspace.
   Log Analytics workspace	Select your Log Analytics workspace. By default, Azure portal creates DefaultWorkspace-{SubscriptionID}-{Region} Log Analytics workspace in defaultresourcegroup-{Region} resource group.
   Traffic logging interval	Select the processing interval that you prefer, available options are: Every 1 hour and Every 10 mins. The default processing interval is every one hour. For more information, see Traffic analytics.

   

6. Select Save to apply the changes.

To disable traffic analytics for a flow log, take the previous steps 1-3, then uncheck the Enable traffic analytics checkbox and select Save.

To enable traffic analytics on a flow log resource, use Set-AzNetworkWatcherFlowLog cmdlet.

# Place the virtual network configuration into a variable.
$vnet = Get-AzVirtualNetwork -Name 'myVNet' -ResourceGroupName 'myResourceGroup'

# Place the storage account configuration into a variable.
$storageAccount = Get-AzStorageAccount -Name 'myStorageAccount' -ResourceGroupName 'myResourceGroup'

# Place the workspace configuration into a variable.
$workspace = Get-AzOperationalInsightsWorkspace -Name 'myWorkspace' -ResourceGroupName 'myResourceGroup'

# Update the VNet flow log.
Set-AzNetworkWatcherFlowLog -Enabled $true -Name 'myVNetFlowLog' -NetworkWatcherName 'NetworkWatcher_eastus' -ResourceGroupName 'NetworkWatcherRG' -StorageId $storageAccount.Id -TargetResourceId $vnet.Id -FormatVersion 2 -EnableTrafficAnalytics -TrafficAnalyticsWorkspaceId $workspace.ResourceId -TrafficAnalyticsInterval 10

To disable traffic analytics on the flow log resource and continue to generate and save virtual network flow logs to storage account, use Set-AzNetworkWatcherFlowLog cmdlet.

# Place the virtual network configuration into a variable.
$vnet = Get-AzVirtualNetwork -Name 'myVNet' -ResourceGroupName 'myResourceGroup'

# Place the storage account configuration into a variable.
$storageAccount = Get-AzStorageAccount -Name 'myStorageAccount' -ResourceGroupName 'myResourceGroup'

# Update the VNet flow log.
Set-AzNetworkWatcherFlowLog -Enabled $true -Name 'myVNetFlowLog' -NetworkWatcherName 'NetworkWatcher_eastus' -ResourceGroupName 'NetworkWatcherRG' -StorageId $storageAccount.Id -TargetResourceId $vnet.Id -FormatVersion 2

To enable traffic analytics on a flow log resource, use az network watcher flow-log update command.

# Update the VNet flow log.
az network watcher flow-log update --location 'eastus' --name 'myVNetFlowLog' --resource-group 'myResourceGroup' --vnet 'myVNet' --storage-account 'myStorageAccount' --traffic-analytics true --workspace 'myWorkspace' --interval 10

To disable traffic analytics on the flow log resource and continue to generate and save virtual network flow logs to a storage account, use az network watcher flow-log update command.

# Update the VNet flow log.
az network watcher flow-log update --location 'eastus' --name 'myVNetFlowLog' --resource-group 'myResourceGroup' --vnet 'myVNet' --storage-account 'myStorageAccount' --traffic-analytics false

1. In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.

2. Under Logs, select Flow logs.

3. Select Subscription equals filter to choose one or more of your subscriptions. You can apply other filters like Location equals to list all the flow logs in a region.

   

Use Get-AzNetworkWatcherFlowLog cmdlet to list all flow log resources in a particular region in your subscription.

# Get all flow logs in East US region.
Get-AzNetworkWatcherFlowLog -Location 'eastus' | format-table

Use az network watcher flow-log list command to list all flow log resources in a particular region in your subscription.

# Get all flow logs in East US region.
az network watcher flow-log list --location 'eastus' --out table

1. In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.

2. Under Logs, select Flow logs.

3. In Network Watcher | Flow logs, select the flow log that you want to see.

4. In Flow logs settings, you can view the settings of the flow log resource.

   

5. Select Cancel to close the settings page without making changes.

Use Get-AzNetworkWatcherFlowLog cmdlet to see details of a flow log resource.

# Get the flow log details.
Get-AzNetworkWatcherFlowLog -NetworkWatcherName 'NetworkWatcher_eastus' -ResourceGroupName 'NetworkWatcherRG' -Name 'myVNetFlowLog'

Use az network watcher flow-log show to see details of a flow log resource.

# Get the flow log details.
az network watcher flow-log show --name 'myVNetFlowLog' --resource-group 'NetworkWatcherRG' --location 'eastus'

1. In the search box at the top of the portal, enter storage accounts. Select Storage accounts from the search results.

2. Select the storage account you used to store the logs.

3. Under Data storage, select Containers.

4. Select the insights-logs-flowlogflowevent container.

5. In insights-logs-flowlogflowevent, navigate the folder hierarchy until you get to the PT1H.json file that you want to download. Virtual network flow log files follow the following path:

   https://{storageAccountName}.blob.core.windows.net/insights-logs-flowlogflowevent/flowLogResourceID=/{subscriptionID}_NETWORKWATCHERRG/NETWORKWATCHER_{Region}_{ResourceName}-{ResourceGroupName}-FLOWLOGS/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json
   

6. Select the ellipsis ... to the right of the PT1H.json file, then select Download.

   

To download virtual network flow logs from your storage account, use Get-AzStorageBlobContent cmdlet. For more information, see Download a blob.

Virtual network flow log files are saved to the storage account at the following path:

https://{storageAccountName}.blob.core.windows.net/insights-logs-flowlogflowevent/flowLogResourceID=/SUBSCRIPTIONS/{subscriptionID}/RESOURCEGROUPS/NETWORKWATCHERRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKWATCHERS/NETWORKWATCHER_{Region}/FLOWLOGS/{FlowlogResourceName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json

To download virtual network flow logs from your storage account, use the az storage blob download command. For more information, see Download a blob.

Virtual network flow log files are saved to the storage account at the following path:

https://{storageAccountName}.blob.core.windows.net/insights-logs-flowlogflowevent/flowLogResourceID=/SUBSCRIPTIONS/{subscriptionID}/RESOURCEGROUPS/NETWORKWATCHERRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKWATCHERS/NETWORKWATCHER_{Region}/FLOWLOGS/{FlowlogResourceName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json

1. In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.

2. Under Logs, select Flow logs.

3. In Network Watcher | Flow logs, select the checkbox of the flow log that you want to disable.

4. Select Disable.

   

Use Set-AzNetworkWatcherFlowLog cmdlet to disable a flow log.

# Place the virtual network configuration into a variable.
$vnet = Get-AzVirtualNetwork -Name 'myVNet' -ResourceGroupName 'myResourceGroup'

# Place the storage account configuration into a variable.
$storageAccount = Get-AzStorageAccount -Name 'myStorageAccount' -ResourceGroupName 'myResourceGroup'

# Disable the VNet flow log.
Set-AzNetworkWatcherFlowLog -Enabled $false -Name 'myVNetFlowLog' -NetworkWatcherName 'NetworkWatcher_eastus' -ResourceGroupName 'NetworkWatcherRG' -StorageId $storageAccount.Id -TargetResourceId $vnet.Id

Use az network watcher flow-log update command to disable a flow log.

# Update the VNet flow log.
az network watcher flow-log update --enabled false --location 'eastus' --name 'myVNetFlowLog' --resource-group 'myResourceGroup' --vnet 'myVNet' --storage-account 'myStorageAccount'

1. In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.

2. Under Logs, select Flow logs.

3. In Network Watcher | Flow logs, select the checkbox of the flow log that you want to delete.

4. Select Delete.

   

To delete a virtual network flow log resource, use Remove-AzNetworkWatcherFlowLog cmdlet.

# Delete the VNet flow log.
Remove-AzNetworkWatcherFlowLog -Name 'myVNetFlowLog' -Location 'eastus'

To delete a virtual network flow log resource, use az network watcher flow-log delete command.

# Delete the VNet flow log.
az network watcher flow-log delete --name 'myVNetFlowLog' --location 'eastus'