Azure Storage – Restoration of NSG flow logs retention
Published date: 27 November, 2019
Retention for NSG flow logs was recently disabled. The functionality has now been restored for general purpose v2 (GPv2) accounts and Blob storage accounts; it will not be restored for general purpose v1 (GPv1) storage accounts.
What has been restored?
NSG flow log retention is now available for users with GPv2 and Blob storage accounts: flow log data will be deleted according to the retention period configured earlier. Going forward, configuring a retention period creates a data lifecycle management policy on the storage account.
Retention will not be restored for users with GPv1 accounts, but flow logs will continue to work as they do today. Users with v1 storage accounts are advised to upgrade their storage accounts to v2 to enable retention. Upgrading to v2 is free of charge and v2 accounts provide more features.
Storage-limitation on GPv2 accounts
On GPv2 accounts, the current mechanism supports at most 1000 NSGs per storage account. If more than 1000 NSGs are being logged to one account, customers will have to spread them across multiple storage accounts. Why? A storage account's lifecycle management policy allows at most 100 rules, and each rule can match at most 10 prefixes, so 100 rules × 10 prefixes gives 1000 NSGs per storage account.
What do I have to do?
- Users with GPv2 and Blob storage accounts in NSG flow logs – To restore retention, users must disable and then re-enable flow logs on every NSG.
- Portal: For each NSG, go to the flow logs settings, toggle Status to Off and click Save, then toggle Status to On and click Save.
- PowerShell: Use the Set-AzureRmNetworkWatcherConfigFlowLog cmdlet. For every NSG, set -EnableFlowLog to $false, then set it back to $true. You can find sample commands in the documentation.
- Azure CLI: Use the az network watcher flow-log configure command. For every NSG, set --enabled to false, then set it back to true. You can find sample commands in the documentation.
This reconfigures the flow logs and restores retention. If this isn't done, all NSG flow log users with v2 storage accounts will have their retention restored through a manual migration after 60 days.
- Users with GPv1 storage accounts in NSG flow logs – If you want to store the data permanently, no action is needed. Existing data in the v1 storage account will remain as it is and NSG flow logs will continue to work, but the data will not be deleted by the retention service. Follow these instructions to upgrade your account to v2 to enable retention. If you don't want to upgrade your storage account, you may use the deletion script provided earlier.
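The disable/re-enable procedure above, run across a whole subscription, together with the two checks the announcement calls for (a GPv1 storage account gets no retention, and one storage account covers at most 1000 NSGs). This is an added example, not a script from the Azure announcement. It assumes the AzureRM modules are installed and Login-AzureRmAccount has already been run; the -DryRun switch is a hypothetical flag added here to preview changes without applying them.

```powershell
# Added example (not from the Azure announcement): re-create the flow-log
# configuration of every NSG in the current subscription so that the
# retention policy is re-applied, preserving storage account, retention
# period and log format. Assumes AzureRM modules + an existing login.
# -DryRun is a hypothetical switch added here to preview without changing anything.
param([switch]$DryRun)

$perStorageAccount = @{}        # storage account resource ID -> number of NSGs logging to it
$watchers = Get-AzureRmNetworkWatcher

foreach ($nsg in Get-AzureRmNetworkSecurityGroup) {
    # Network Watcher is regional: the NSG's flow-log settings live in the watcher of its region
    $nw = $watchers | Where-Object { $_.Location -eq $nsg.Location } | Select-Object -First 1
    if (-not $nw) {
        Write-Warning "$($nsg.Name): no Network Watcher in $($nsg.Location), skipping"
        continue
    }

    $status = Get-AzureRmNetworkWatcherFlowLogStatus -NetworkWatcher $nw -TargetResourceId $nsg.Id
    if (-not $status.Enabled) {
        Write-Verbose "$($nsg.Name): flow logs are off, nothing to re-create"
        continue
    }

    $storageId = $status.StorageId
    $perStorageAccount[$storageId] = 1 + [int]$perStorageAccount[$storageId]

    # Resource ID layout: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<name>
    $idParts = $storageId -split '/'
    $account = Get-AzureRmStorageAccount -ResourceGroupName $idParts[4] -Name $idParts[8]
    # Kind is 'Storage' for GPv1, 'StorageV2' for GPv2, 'BlobStorage' for Blob accounts
    if ($account.Kind -eq 'Storage') {
        Write-Warning "$($nsg.Name): logs to GPv1 account $($account.StorageAccountName); retention will not apply until it is upgraded to v2"
        continue
    }

    # Keep the current retention and format so the re-enable changes nothing but the retention wiring
    $days    = [int]$status.RetentionPolicy.Days
    $fmtType = if ($status.Format) { $status.Format.Type }    else { 'JSON' }
    $fmtVer  = if ($status.Format) { $status.Format.Version } else { 1 }

    if ($DryRun) {
        Write-Output "$($nsg.Name): would toggle flow logs (storage=$($account.StorageAccountName) retention=${days}d format=$fmtType v$fmtVer)"
        continue
    }

    # Step 1: disable (the cmdlet still requires the storage account ID here)
    Set-AzureRmNetworkWatcherConfigFlowLog -NetworkWatcher $nw -TargetResourceId $nsg.Id `
        -StorageAccountId $storageId -EnableFlowLog $false | Out-Null
    # Step 2: re-enable with the original settings; this creates the lifecycle management policy
    Set-AzureRmNetworkWatcherConfigFlowLog -NetworkWatcher $nw -TargetResourceId $nsg.Id `
        -StorageAccountId $storageId -EnableFlowLog $true -RetentionInDays $days `
        -FormatType $fmtType -FormatVersion $fmtVer | Out-Null
    Write-Output "$($nsg.Name): flow logs re-created, retention $days days"
}

# 100 lifecycle rules x 10 prefix matches = at most 1000 NSGs per storage account
foreach ($entry in $perStorageAccount.GetEnumerator()) {
    if ($entry.Value -gt 1000) {
        Write-Warning "$($entry.Key) receives flow logs from $($entry.Value) NSGs; retention covers at most 1000, move the rest to another storage account"
    }
}
```

Run it once with -DryRun to review which NSGs, storage accounts and retention periods would be touched before applying it. With the newer Az module the cmdlets are Get-AzNetworkSecurityGroup, Get-AzNetworkWatcher, Get-AzNetworkWatcherFlowLogStatus, Set-AzNetworkWatcherConfigFlowLog and Get-AzStorageAccount, with the same parameters.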
How do I upgrade my account?
To upgrade to v2, follow these instructions.