Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
Unable to create VNET flow logs, deployment fails with status "Bad Gateway"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 65%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
Saraswat, Aarushi
0
Reputation points
As Azure is going to retire the NSG flow logs, we are supposed to create VNET flow logs directly for virtual networks. By following the company guidelines I have created a storage account in SIEM subscription. Now while creating flow logs the last stage of the deployment fails showing status as "Bad Gateway". Here goes the error message,
{
"status": "Failed",
"error": {
"code": "AuthorizationFailed",
"message": "The client '731xxx-xxx-xxxxx' with object id '731xxxx-xxxx-xxxx-xxxx-xxxx' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/read' over scope '/subscriptions/4921b8a8-af0a-474f-/resourceGroups/VNET-SIEM/providers/Microsoft.Storage/storageAccounts/cmoxxxxxxxdinc' or the scope is invalid. If access was recently granted, please refresh your credentials.",
"details": []
}
}
What's the actual issue here?
Azure Virtual Network
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 74%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
Pranitha Maddi 475 Reputation points Microsoft External Staff Moderator2025-08-29T13:27:53.9833333+00:00 Thanks for your question on the Microsoft Q&A portal!
You're trying to create VNET flow logs that send logs to a storage account in a different subscription (SIEM subscription). However, your deployment fails at the last stage with status "Bad Gateway" and an Authorization Failed error. The error message means:
- The user or service principal you're using does not have the required permissions to read the storage account where the logs should be stored.
- This permission is essential because Azure Network Watcher needs to access the storage account to write the flow logs.
- If you recently granted permissions, you might need to refresh authentication tokens or retry after some time.
Here are the few steps to fix the issue:
1.Grant Storage Account Permissions
- Go to the Azure portal, navigate to the Storage Account in the SIEM subscription.
- Select Access control (IAM) > Role assignments.
- Add a role assignment for the Network Watcher service principal or the user/service principal doing the deployment.
2.Assign the correct role:
- Assign the Storage Blob Data Contributor role or higher to allow reading and writing blobs.
- Optionally, assign Storage Account Contributor if broader management rights are necessary.
3.Confirm the scope:
- Make sure you assign the role at the storage account scope, not just at subscription or resource group level.
4.Refresh credentials if needed:
- If roles were assigned recently, sign out and back into the Azure portal or refresh your authentication tools (CLI/PowerShell). This ensures tokens are updated.
5.Verify network setup:
- Ensure the Storage Account allows access from the Network Watcher's virtual network or set networking to Allow trusted Microsoft services if private endpoints or firewall rules are used.
6.Retry creating flow logs:
- Once permissions are set, retry the flow log deployment.
Here are the few additional things to check:
- Storage account must be in the same Azure region as the virtual network for flow logs.
- There must be an active Network Watcher instance in the region.
- Flow logs require a properly configured Network Watcher role assignment.
Useful documents:
- Manage virtual network flow logs:https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-manage?tabs=portal
- Role-based access control (RBAC) for Storage Accounts:https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory
- Network Watcher RBAC permissions:https://learn.microsoft.com/en-us/azure/network-watcher/required-rbac-permissions
- https://learn.microsoft.com/en-us/azure/role-based-access-control/
The root cause is missing or insufficient storage account permissions for the Network Watcher to write flow logs. Assign Storage Blob Data Contributor role at the storage account level to the Network Watcher service principal or your deployment user. Refresh your credentials and retry the deployment.
If you follow these steps, your VNET flow logs deployment should succeed.
I hope this helps you resolve the issue. If you have any further quires, I am happy to assist
Thank you.
Pranitha
Sign in to comment
Sign in to answer