interrosec

Making Sense of Azure NSG Flow Logs

InterroSec Team · 5 min read

Azure Network Security Group (NSG) Flow Logs are the closest thing Azure provides to NetFlow for cloud-native workloads. When properly configured and analyzed, they give you visibility into network conversations in your Azure environment — which VMs are talking to which, which connections are being allowed or denied, and what volumes of traffic are flowing across your virtual network.

But NSG Flow Logs have quirks that aren't obvious from the documentation, and getting them working correctly requires navigating several configuration decisions. This guide covers the practical details. One caveat before standardising on them: Microsoft has announced that NSG flow logs are being retired in favour of virtual network flow logs, so check the current Azure documentation for the timeline before building a new deployment around them.

What NSG Flow Logs Actually Capture

NSG Flow Logs record flow data at the NSG evaluation point — when a packet is evaluated against an NSG rule. Each record indicates:

  • Source and destination IP
  • Source and destination port
  • Protocol (TCP or UDP; these are the only two values the field takes, so other protocols, ICMP included, never appear in the log)
  • Traffic direction (Inbound or Outbound)
  • Traffic decision (Allow or Deny)
  • Flow state (flow beginning, continuing, or ending; version 2 only)
  • Byte and packet counts in each direction (version 2 only; populated on continuation and end records, empty on begin records)

Version 2 is strongly recommended. Version 1 tuples stop after the decision field, so they carry no flow state and no byte or packet counts, which makes them significantly less useful for anomaly detection and capacity analysis. Always enable version 2.

Where NSGs Live and What They See

Understanding NSG placement is critical to understanding what flow logs will capture.

NSGs can be attached to:

  • Subnets: The NSG is evaluated for traffic entering or leaving every NIC in the subnet. This is the most common placement.
  • Network Interface Cards (NICs): The NSG evaluates all traffic to or from the specific VM NIC.

Azure enforces a subnet-level NSG at each NIC in the subnet, not at a single subnet boundary. That is why the flow log files are keyed by NIC MAC address, and why a subnet NSG can deny traffic between two VMs in the same subnet. Two VMs in one subnet talking to each other therefore do show up in the subnet NSG's flow log: an outbound record for the sender's NIC and an inbound record for the receiver's, both under the same NSG, typically matched by DefaultRule_AllowVnetOutBound and DefaultRule_AllowVnetInBound.

The real blind spots in NSG-based monitoring are elsewhere. A NIC whose subnet and NIC both lack an NSG generates no records at all; subnets that cannot carry an NSG (GatewaySubnet, AzureFirewallSubnet) are never logged; and non-TCP/UDP traffic is not recorded. In the other direction, a flow that passes both a subnet NSG and a NIC NSG is written to both NSGs' logs, so merging the logs naively double-counts it.
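The check a practitioner wants for the gap just described is an inventory pass over NICs and subnets: which NICs have neither a NIC-level nor a subnet-level NSG (so they never appear in any flow log), and which have both (so their allowed flows are logged twice). The following is an added example, not code from the page or from FlowSight. Its input dictionaries follow the shape of az network nic list -o json and az network vnet subnet list -o json; only the fields id, name, networkSecurityGroup.id and ipConfigurations[].subnet.id are assumed, and the sample inventory is constructed.

```python
"""Find NICs that no NSG evaluates, so their traffic never reaches a flow log.

Added example, not code from the page or from FlowSight. Input dictionaries
follow the shape of `az network nic list -o json` and
`az network vnet subnet list -o json`; only the fields id, name,
networkSecurityGroup.id and ipConfigurations[].subnet.id are assumed, and
the sample inventory below is constructed.
"""
from typing import Dict, List, Optional


def _nsg_id(resource: dict) -> Optional[str]:
    """NSG resource id attached to a NIC or subnet, lower-cased (Azure ids are case-insensitive)."""
    nsg = resource.get("networkSecurityGroup")
    return nsg["id"].lower() if nsg and nsg.get("id") else None


def nsg_coverage(nics: List[dict], subnets: List[dict]) -> Dict[str, dict]:
    """Per NIC: which NSGs evaluate it, whether any does, and whether two do.

    A subnet NSG is enforced at every NIC in the subnet, so a NIC is covered
    by its own NSG or by the NSG of any subnet its IP configurations use.
    Subnets missing from the inventory are reported rather than assumed safe.
    """
    subnet_nsg = {s["id"].lower(): _nsg_id(s) for s in subnets}
    report: Dict[str, dict] = {}
    for nic in nics:
        nic_nsg = _nsg_id(nic)
        subnet_ids = [c["subnet"]["id"].lower() for c in nic.get("ipConfigurations", []) if c.get("subnet")]
        subnet_nsgs = {subnet_nsg[s] for s in subnet_ids if subnet_nsg.get(s)}
        report[nic["name"]] = {
            "nic_nsg": nic_nsg,
            "subnet_nsgs": sorted(subnet_nsgs),
            "unknown_subnets": [s for s in subnet_ids if s not in subnet_nsg],
            "covered": nic_nsg is not None or bool(subnet_nsgs),
            "double_logged": nic_nsg is not None and bool(subnet_nsgs),
        }
    return report


def uncovered_nics(nics: List[dict], subnets: List[dict]) -> List[str]:
    """NIC names with no NSG anywhere on their path: invisible to NSG flow logs."""
    return sorted(n for n, r in nsg_coverage(nics, subnets).items() if not r["covered"])


def double_logged_nics(nics: List[dict], subnets: List[dict]) -> List[str]:
    """NIC names whose allowed flows appear in two NSGs' logs."""
    return sorted(n for n, r in nsg_coverage(nics, subnets).items() if r["double_logged"])


NET = "/subscriptions/SUB_ID/resourceGroups/RG/providers/Microsoft.Network"
SAMPLE_SUBNETS = [  # constructed: "web" has a subnet NSG, "data" has none
    {"id": f"{NET}/virtualNetworks/vnet1/subnets/web", "name": "web",
     "networkSecurityGroup": {"id": f"{NET}/networkSecurityGroups/web-nsg"}},
    {"id": f"{NET}/virtualNetworks/vnet1/subnets/data", "name": "data", "networkSecurityGroup": None},
]
SAMPLE_NICS = [  # constructed; web02 references its subnet with different casing on purpose
    {"id": f"{NET}/networkInterfaces/web01-nic", "name": "web01-nic", "networkSecurityGroup": None,
     "ipConfigurations": [{"subnet": {"id": f"{NET}/virtualNetworks/vnet1/subnets/web"}}]},
    {"id": f"{NET}/networkInterfaces/web02-nic", "name": "web02-nic",
     "networkSecurityGroup": {"id": f"{NET}/networkSecurityGroups/web02-nsg"},
     "ipConfigurations": [{"subnet": {"id": f"{NET}/virtualNetworks/vnet1/subnets/WEB"}}]},
    {"id": f"{NET}/networkInterfaces/db01-nic", "name": "db01-nic", "networkSecurityGroup": None,
     "ipConfigurations": [{"subnet": {"id": f"{NET}/virtualNetworks/vnet1/subnets/data"}}]},
    {"id": f"{NET}/networkInterfaces/db02-nic", "name": "db02-nic",
     "networkSecurityGroup": {"id": f"{NET}/networkSecurityGroups/db02-nsg"},
     "ipConfigurations": [{"subnet": {"id": f"{NET}/virtualNetworks/vnet1/subnets/data"}}]},
]

if __name__ == "__main__":
    print("no NSG on any path:", uncovered_nics(SAMPLE_NICS, SAMPLE_SUBNETS))
    print("logged by two NSGs:", double_logged_nics(SAMPLE_NICS, SAMPLE_SUBNETS))
```

Run it against the real CLI output by loading the two JSON files instead of the sample lists; the comparison lower-cases every resource id because Azure treats them case-insensitively and the CLI does not normalise them.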

Enabling NSG Flow Logs at Scale

For production deployments, configure NSG Flow Logs through an Azure Policy assignment so that all NSGs, current and future, get flow logs automatically. Pick a DeployIfNotExists definition (an audit-only definition reports NSGs without flow logs but creates nothing), and read its declared parameters with az policy definition show before assigning: the parameter names below are placeholders that must match what the chosen definition declares. A DeployIfNotExists assignment needs a managed identity with rights to create the flow log resources, and it only fires when a resource is created or updated after the assignment, so existing NSGs need a remediation task.

# Create a Policy assignment to enable NSG flow logs (DeployIfNotExists definition).
# The system-assigned identity needs a role that lets it create flow logs in the
# Network Watcher resource group and use the storage account; grant it with
# --role/--identity-scope here or with a separate role assignment afterwards.
az policy assignment create \
  --name "nsg-flow-logs-enabled" \
  --display-name "NSG Flow Logs Should Be Enabled" \
  --policy "/providers/Microsoft.Authorization/policyDefinitions/POLICY_DEFINITION_ID" \
  --mi-system-assigned \
  --location eastus \
  --params '{
    "storageAccountId": {
      "value": "/subscriptions/SUB_ID/resourceGroups/RG/providers/Microsoft.Storage/storageAccounts/STORAGE_ACCOUNT"
    },
    "workspaceId": {
      "value": "/subscriptions/SUB_ID/resourceGroups/RG/providers/Microsoft.OperationalInsights/workspaces/WORKSPACE"
    },
    "retentionDays": {
      "value": 90
    }
  }'

# DeployIfNotExists only evaluates resources created or changed after assignment;
# a remediation task applies it to the NSGs that already exist.
az policy remediation create \
  --name "nsg-flow-logs-remediation" \
  --policy-assignment "nsg-flow-logs-enabled"

For manual enablement or scripted deployment:

# Enable flow logs for a specific NSG.
# --resource-group is the Network Watcher's resource group, --location must be the
# NSG's region, and --name is required because the flow log is its own resource.
az network watcher flow-log create \
  --name NSG_NAME-flowlog \
  --resource-group NetworkWatcherRG \
  --nsg /subscriptions/SUB_ID/resourceGroups/RG/providers/Microsoft.Network/networkSecurityGroups/NSG_NAME \
  --location eastus \
  --storage-account /subscriptions/SUB_ID/resourceGroups/RG/providers/Microsoft.Storage/storageAccounts/STORAGE_ACCOUNT \
  --workspace /subscriptions/SUB_ID/resourceGroups/RG/providers/Microsoft.OperationalInsights/workspaces/WORKSPACE \
  --enabled true \
  --format JSON \
  --log-version 2 \
  --retention 90 \
  --traffic-analytics true \
  --interval 10   # Traffic Analytics processing interval in minutes (10 or 60)

Storage and Delivery Architecture

NSG Flow Logs are stored in Azure Blob Storage as JSON block blobs, one per NSG, NIC (keyed by MAC address) and hour, organized by subscription, resource group, NSG and time. The resource id segments of the blob name are upper-cased, and "m=" appears twice (month, then minute, which is always 00). The path structure is:

insights-logs-networksecuritygroupflowevent/
  resourceId=/SUBSCRIPTIONS/SUB_ID/RESOURCEGROUPS/RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG_NAME/
  y=2026/m=03/d=22/h=14/m=00/
  macAddress=MACADDRESS/PT1H.json

A new PT1H.json is started every hour, but the blob is appended with new blocks throughout that hour rather than written once at the end. A consumer that tails the blob's block list can get records within minutes; a consumer that only picks up completed hourly files sees up to 60 minutes of delay. Either way the timing model differs from on-premises NetFlow with 60-second active timeouts, and downstream detection logic has to tolerate it.

Traffic Analytics

Azure Traffic Analytics (enabled via the --traffic-analytics true flag above) processes NSG Flow Logs through Log Analytics and provides:

  • Aggregated flow data in a queryable Kusto format
  • Topology visualization in Azure Monitor
  • Top talkers, denied connections, and traffic distribution metrics

Traffic Analytics is the practical way to query NSG Flow Logs — querying the raw Blob Storage files directly is operationally painful at scale.

Sample Kusto query to find top source IPs by byte volume:

// Traffic Analytics table populated from NSG flow logs; FlowLog rows are the
// aggregated flow records (the table also holds topology rows under other SubType_s values)
AzureNetworkAnalytics_CL
| where TimeGenerated > ago(24h)
| where SubType_s == "FlowLog"
| summarize TotalBytes = sum(InboundBytes_d + OutboundBytes_d) by SrcIP_s
| top 20 by TotalBytes

Interpreting NSG Flow Log Records

A sample NSG Flow Log record (version 2, JSON). In the PT1H.json blob, records like this sit inside a top-level "records" array; this one shows a single flow being opened (B, with empty counters) and then closed (E, with counters):

{
  "time": "2026-03-22T14:35:00.0000000Z",
  "systemId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "category": "NetworkSecurityGroupFlowEvent",
  "resourceId": "/SUBSCRIPTIONS/.../NETWORKSECURITYGROUPS/MY-NSG",
  "operationName": "NetworkSecurityGroupFlowEvents",
  "properties": {
    "Version": 2,
    "flows": [{
      "rule": "DefaultRule_AllowVnetInBound",
      "flows": [{
        "mac": "000D3A123456",
        "flowTuples": [
          "1774190100,10.0.1.5,10.0.2.12,55231,443,T,I,A,B,,,,",
          "1774190105,10.0.1.5,10.0.2.12,55231,443,T,I,A,E,4096,10,3276,8"
        ]
      }]
    }]
  }
}

The flow tuple fields, in order (version 1 tuples stop after field 8):

  1. Unix timestamp (seconds)
  2. Source IP
  3. Destination IP
  4. Source port
  5. Destination port
  6. Protocol (T=TCP, U=UDP; no other values occur)
  7. Traffic direction (I=Inbound, O=Outbound, relative to the NIC identified by the mac field)
  8. Traffic decision (A=Allow, D=Deny)
  9. Flow state (B=Begin, C=Continue, E=End)
  10. Source-to-dest byte count
  11. Source-to-dest packet count
  12. Dest-to-source byte count
  13. Dest-to-source packet count

Fields 10 to 13 are present but empty on B records and carry counters on C and E records, so a parser has to treat an empty field as missing rather than as zero. A denied flow typically appears once, as a B record with empty counters.
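The following is an added example, not code from the page or from FlowSight, that turns the tuple layout above and the blob path layout from the storage section into flat records: it recovers subscription, NSG, hour bucket and NIC MAC from the blob name, handles both the 8-field version 1 and the 13-field version 2 tuples, keeps the empty counters of B records as missing rather than zero, and summarises bytes per conversation and denied attempts. The tuple and path layouts follow Azure's documented format; SAMPLE_PATH and SAMPLE_DOC are constructed inputs, and the treatment of C and E counters as per-interval values (added once each) is an assumption stated in the code.

```python
"""Parse NSG flow log PT1H.json content (v1 and v2) and the blob path it came from.
Added example, not code from the page or from FlowSight: the 8-field (v1) / 13-field
(v2) tuple layout and the blob path layout follow the Azure documentation, while
SAMPLE_PATH and SAMPLE_DOC below are constructed for this example."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterator, Optional

# Azure upper-cases the resourceId segments; "m=" appears twice (month, then minute).
BLOB_PATH_RE = re.compile(
    r"resourceId=/SUBSCRIPTIONS/(?P<sub>[^/]+)/RESOURCEGROUPS/(?P<rg>[^/]+)"
    r"/PROVIDERS/MICROSOFT\.NETWORK/NETWORKSECURITYGROUPS/(?P<nsg>[^/]+)"
    r"/y=(?P<y>\d{4})/m=(?P<mo>\d{2})/d=(?P<d>\d{2})/h=(?P<h>\d{2})/m=(?P<mi>\d{2})"
    r"/macAddress=(?P<mac>[0-9A-Fa-f]{12})/PT1H\.json$")
PROTOCOL = {"T": "TCP", "U": "UDP"}             # the only protocols NSG flow logs record
DIRECTION = {"I": "inbound", "O": "outbound"}   # relative to the NIC named in "mac"
DECISION = {"A": "allow", "D": "deny"}
STATE = {"B": "begin", "C": "continue", "E": "end"}

def parse_blob_path(path: str) -> dict:
    """Recover subscription, resource group, NSG, hour bucket and NIC MAC from a blob name."""
    m = BLOB_PATH_RE.search(path)
    if not m:
        raise ValueError(f"not an NSG flow log blob path: {path}")
    g = m.groupdict()
    hour = datetime(int(g["y"]), int(g["mo"]), int(g["d"]), int(g["h"]), int(g["mi"]), tzinfo=timezone.utc)
    return {"subscription": g["sub"], "resource_group": g["rg"], "nsg": g["nsg"],
            "hour": hour, "mac": g["mac"].upper()}

@dataclass
class Flow:
    ts: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    direction: str
    decision: str
    rule: str
    mac: str
    state: Optional[str] = None        # v2 only
    bytes_fwd: Optional[int] = None    # src->dst; v2 only, None on Begin records
    packets_fwd: Optional[int] = None
    bytes_rev: Optional[int] = None    # dst->src
    packets_rev: Optional[int] = None

def parse_tuple(tup: str, version: int, rule: str, mac: str) -> Flow:
    """Split one comma-separated tuple; v1 has 8 fields, v2 has 13 (counters may be empty)."""
    f = tup.split(",")
    expected = 13 if version == 2 else 8
    if len(f) != expected:
        raise ValueError(f"v{version} tuple has {len(f)} fields, expected {expected}: {tup!r}")
    flow = Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                PROTOCOL[f[5]], DIRECTION[f[6]], DECISION[f[7]], rule, mac)
    if version == 2:
        flow.state = STATE[f[8]]
        # Begin records leave the four counters empty: keep None, do not coerce to 0.
        flow.bytes_fwd, flow.packets_fwd, flow.bytes_rev, flow.packets_rev = (
            int(x) if x else None for x in f[9:13])
    return flow

def iter_flows(doc: dict) -> Iterator[Flow]:
    """Walk records -> rule -> NIC -> tuples; a PT1H.json file is {"records": [...]}."""
    for rec in doc["records"]:
        props = rec["properties"]
        version = int(props.get("Version", 1))
        for rule_block in props["flows"]:
            for nic_block in rule_block["flows"]:
                for tup in nic_block["flowTuples"]:
                    yield parse_tuple(tup, version, rule_block["rule"], nic_block["mac"])

def summarize(flows) -> dict:
    """Bytes per conversation and denied attempts; C/E counters are assumed per-interval, so each is added once."""
    bytes_by_conv = defaultdict(int)
    denied = []
    for fl in flows:
        key = (fl.src_ip, fl.dst_ip, fl.dst_port, fl.protocol)
        if fl.decision == "deny":
            denied.append(key + (fl.rule,))
        else:
            bytes_by_conv[key] += (fl.bytes_fwd or 0) + (fl.bytes_rev or 0)
    return {"bytes_by_conversation": dict(bytes_by_conv), "denied": denied}

SAMPLE_PATH = ("insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/SUB_ID/RESOURCEGROUPS/RG"
               "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG/y=2026/m=03/d=22/h=14/m=00"
               "/macAddress=000D3A123456/PT1H.json")
# Constructed: one allowed HTTPS flow opened (B, no counters) then closed (E), plus a denied RDP probe.
SAMPLE_DOC = {"records": [{
    "time": "2026-03-22T14:35:00.0000000Z", "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_AllowVnetInBound", "flows": [{"mac": "000D3A123456", "flowTuples": [
            "1774190100,10.0.1.5,10.0.2.12,55231,443,T,I,A,B,,,,",
            "1774190105,10.0.1.5,10.0.2.12,55231,443,T,I,A,E,4096,10,3276,8"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A123456", "flowTuples": [
            "1774190130,203.0.113.7,10.0.2.12,41022,3389,T,I,D,B,,,,"]}]}]}}]}

if __name__ == "__main__":
    print(parse_blob_path(SAMPLE_PATH), summarize(iter_flows(SAMPLE_DOC)), sep="\n")
```

To run it over real data, load each PT1H.json with json.load and pass the document to iter_flows, adding the fields from parse_blob_path to every Flow so that records from different NSGs and NICs stay attributable after they are merged; the strict field-count check is what catches a file whose version does not match what the flow log resource was configured with.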

Integration with External Flow Collectors

For organizations that want to normalize Azure NSG Flow Logs alongside on-premises NetFlow into a unified monitoring platform, the usual architecture is:

  1. NSG Flow Logs → Blob Storage (the flow log resource itself writes only to a storage account; Traffic Analytics is the only other native destination)
  2. A bridge that forwards new data to an Azure Event Hub, for example an Azure Function triggered on blob changes or one that polls the current PT1H.json for newly appended blocks
  3. External flow collector or SIEM consuming the Event Hub

Because the bridge works from appended blocks rather than completed hourly files, the Event Hub path provides near-real-time delivery, reducing latency from up to 60 minutes to closer to 5-10 minutes.

FlowSight ingests NSG Flow Logs alongside on-premises NetFlow and IPFIX, normalizing both into a common schema for unified analysis. IP addresses are enriched with Azure VM metadata (resource group, VM name, tags) to produce topology-aware flow records that remain meaningful even as Azure IPs change. The result is a single visibility layer for hybrid environments — no separate tool for cloud, no separate tool for on-premises.
