[Azure] Flow logging for network security groups

Question

[Azure] Flow logging for network security groups

Giang Nguyễn Trọng 20

Hello,

As far as I know,

"Network security group (NSG) flow logs will be retired on September 30, 2027. After June 30, 2025, you'll no longer be able to create new NSG flow logs. We recommend migrating to virtual network flow logs, which address the limitations of NSG flow logs."

When using Virtual Network Flow Logs, how can we check the allow/deny log of a single NSG inside the Virtual Network?

Looking forward to receiving your help.

Thank you so much!

G Sree Vidya 4,250 Reputation points Microsoft External Staff Moderator

2025-08-22T19:23:35.9066667+00:00

Hi Giang Nguyễn Trọng

We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Please let us know if you have any questions or concerns. We are happy to assist you.
Giang Nguyễn Trọng 20 Reputation points

2025-08-23T06:04:18.6366667+00:00

As I know, NSG flog low will be saved in ".json" format in storage account. And it is really useful to see the allow/deny log in a period of time, because the log is saved in each file.

Can you share a specific way to display NSG allow/deny log when using Virtual Network flow log?
G Sree Vidya 4,250 Reputation points Microsoft External Staff Moderator

2025-08-26T22:30:54.43+00:00
Hello Giang Nguyễn Trọng

Apologies for the delay.

You're absolutely right that NSG Flow Logs stored in .json format are very useful for analyzing allow/deny actions over time. With the transition to Virtual Network Flow Logs (VNFL), the logging scope shifts from individual NSGs to the entire virtual network, but you can still filter and analyze traffic related to a specific NSG.

Please check below steps to display Allow/Deny logs for a specific NSG using VNFL

Enable virtual network flow logs.

Go to Network Watcher > Flow Logs.

Select your Virtual Network and enable VNFL v2.

Choose a destination (Storage Account or Log Analytics Workspace).

Enable Traffic Analytics for richer insights.

Access logs in storage account.

Logs are stored in .json format, similar to NSG Flow Logs, each file contains multiple flow records with metadata like:

Source/Destination IP, Ports and Protocols, NSG Rule Name, Action (Allow/Deny)

Filter logs by NSG rule name

You can use tools like Azure Log Analytics or a custom script to parse the logs.

Or use a Python script to parse .json files from your Storage Account and extract allow/deny actions.

You can use Network Watcher and select NSG diagnostics which can simulate traffic to see which NSG rule allows or denies it.

Refer: https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-manage?tabs=portal

https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-overview?tabs=Americas

Please let us know if you have any questions or concerns. We are happy to assist you.
G Sree Vidya 4,250 Reputation points Microsoft External Staff Moderator

2025-08-27T21:26:48.2566667+00:00

Hello Giang Nguyễn Trọng

I wanted to follow up and check if you had the opportunity to review the information provided in our previous post.

Kindly let us know if the above helps or you need further assistance on this issue.
G Sree Vidya 4,250 Reputation points Microsoft External Staff Moderator

2025-08-28T17:43:43.2066667+00:00

Hi Giang Nguyễn Trọng

I am following up to see if you have checked the posted information, Please let me know if you need further assistance.

I hope this has been helpful!

If the above is unclear or you are unsure about something, please add a comment below.

please don’t forget to close the thread by clicking Accept the answer wherever the information provided helps you, as this can be beneficial to other community members.

1 answer

Your answer

G Sree Vidya 4,250 Reputation points Microsoft External Staff Moderator

2025-08-22T19:23:35.9066667+00:00

Hi Giang Nguyễn Trọng

We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Please let us know if you have any questions or concerns. We are happy to assist you.
Giang Nguyễn Trọng 20 Reputation points

2025-08-23T06:04:18.6366667+00:00

As I know, NSG flog low will be saved in ".json" format in storage account. And it is really useful to see the allow/deny log in a period of time, because the log is saved in each file.

Can you share a specific way to display NSG allow/deny log when using Virtual Network flow log?
G Sree Vidya 4,250 Reputation points Microsoft External Staff Moderator

2025-08-26T22:30:54.43+00:00

Hello Giang Nguyễn Trọng

Apologies for the delay.

You're absolutely right that NSG Flow Logs stored in .json format are very useful for analyzing allow/deny actions over time. With the transition to Virtual Network Flow Logs (VNFL), the logging scope shifts from individual NSGs to the entire virtual network, but you can still filter and analyze traffic related to a specific NSG.

Please check below steps to display Allow/Deny logs for a specific NSG using VNFL

Enable virtual network flow logs.

Go to Network Watcher > Flow Logs.

Select your Virtual Network and enable VNFL v2.

Choose a destination (Storage Account or Log Analytics Workspace).

Enable Traffic Analytics for richer insights.

Access logs in storage account.

Logs are stored in .json format, similar to NSG Flow Logs, each file contains multiple flow records with metadata like:

Source/Destination IP, Ports and Protocols, NSG Rule Name, Action (Allow/Deny)

Filter logs by NSG rule name

You can use tools like Azure Log Analytics or a custom script to parse the logs.

Or use a Python script to parse .json files from your Storage Account and extract allow/deny actions.

You can use Network Watcher and select NSG diagnostics which can simulate traffic to see which NSG rule allows or denies it.

Refer: https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-manage?tabs=portal

https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-overview?tabs=Americas

Please let us know if you have any questions or concerns. We are happy to assist you.
G Sree Vidya 4,250 Reputation points Microsoft External Staff Moderator

2025-08-27T21:26:48.2566667+00:00

Hello Giang Nguyễn Trọng

I wanted to follow up and check if you had the opportunity to review the information provided in our previous post.

Kindly let us know if the above helps or you need further assistance on this issue.
G Sree Vidya 4,250 Reputation points Microsoft External Staff Moderator

2025-08-28T17:43:43.2066667+00:00

Hi Giang Nguyễn Trọng

I am following up to see if you have checked the posted information, Please let me know if you need further assistance.

I hope this has been helpful!

If the above is unclear or you are unsure about something, please add a comment below.

please don’t forget to close the thread by clicking Accept the answer wherever the information provided helps you, as this can be beneficial to other community members.

Answer 1

Hello Giang Nguyễn Trọng

It looks like you're looking to check the allow/deny logs for a specific Network Security Group (NSG) within the Virtual Network Flow Logs after migrating from NSG Flow Logs.

Please check the below details:

1.Make sure you have Virtual Network Flow Logs enabled for your Azure Virtual Network. This setup is essential since NSG Flow Logs will be retired in 2027, and you will need to migrate to Virtual Network Flow Logs for logging.

2.You can also use NSG Diagnostics to simulate traffic and see which rule allows or denies it:

Go to Network Watcher > NSG Diagnostics.
Select the target VM or subnet, protocol, direction, and source/destination IP.
Run diagnostics to see which NSG rule is applied and whether traffic is allowed or denied.
Use tools like Azure Log Analytics or storage account CA to query and analyze these logs. You can create queries that filter by the NSG you are interested in.

Refer: https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-manage?tabs=portal

https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-overview?tabs=Americas

I hope it helps! Please let us know do you have any further queries.

Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

[Azure] Flow logging for network security groups

1 answer

Your answer