Azure VNET Flow Logs

The Flowmon Collector is capable of processing and visualizing Azure VNET Flow Logs. Azure VNET Flow Logs (referred to in the remainder of this section as flow logs) are sampled records of the network flow sent from and received by Virtual Machine (VM) instances. Flow logs is a feature provided by the Network Watcher service and dependent on the Microsoft Insights resource provider. The Flowmon Collector periodically connects to the configured Azure Blob Storage containers and downloads newly-added flow logs. The flow logs are subsequently converted to the IPFIX format and can be viewed in Flowmon Monitoring Center (FMC).

Setting Up Azure VNET Flow Logs

Follow the official instructions to enable collecting of flow logs in Azure Blob Storage for your virtual machines.

Setting Up Azure VNET Flow Logs Processing

To start receiving flow logs in the FMC, follow these instructions:

Step 1: Create a new listening port in Configuration Center > Monitoring Center > Listening Ports.

You can choose the name and port number of the new listening port as needed. However, the network protocol must be UDP and the port must only be used for retrieving Azure VNET Flow Logs.

Step 2: Enable processing of the Azure VNET Flow Logs and configure individual subscriptions.

Go to: Configuration Center > Monitoring Center > Flow Logs > Microsoft Azure.

Toggle the Enable button and select the previously created Listening port from the drop-down menu.

Click the New Subscription button, which allows you to configure a list of subscriptions. This list specifies which flow logs will be obtained and processed. For the Flowmon Collector to access the flow logs, it requires the URL of the Shared Access Signature (SAS) created for the Azure Blob Storage container where the flow logs are stored. The SAS URL can be easily obtained using the Storage Explorer. The SAS must provide permissions to Read and List blobs.

Flow logs inside a single Azure Blob Storage container may originate from several Azure Account Subscriptions. Therefore, you must also specify the Subscription ID that determines which flow logs should be processed by the Flowmon Collector. You can process flow logs from multiple Azure Account Subscriptions by adding another subscription in the Configuration Center > Monitoring Center > Microsoft Azure configuration page.

You can (optionally) verify the provided configuration by clicking Verify. This checks if the Flowmon Collector can connect to all Azure Blob Storage containers using the provided SAS URLs and will also attempt to find the correct directory with the flow logs (using the provided subscription ID).

The configuration is verified each time the Save button is clicked.

Save the new configuration by clicking Save. This starts the flow log retrieval process. To stop processing, disable the flow logs and click Save again. The configuration is saved even when processing is disabled, allowing for easy re-enabling.

Viewing Azure VNET Flow Logs in the Monitoring Center

Using Azure VNET Flow Logs creates multiple flow sources. Each source is assigned a unique IP address (from subnet 127.130.0.0/16) and corresponds to a single resource group within the Azure Account Subscription. The source name format is resource_group.subscription_id.

All sources can be found in Monitoring Center > Sources.

Click Create Profile to divide the flow source into a separate channel. Each channel contains flows from a specific Virtual Network and is uniquely identified by its name.

Select all available subnets and click Save.

Flows from the flow logs can be viewed and analyzed like flows from regular data sources.