# Setting up Azure Flow Logs

### Introduction

Virtual network flow logs are a feature of Azure Network Watcher. You can use them to log information about IP traffic flowing through a virtual network. See [Azure documentation](https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-overview) for more information.

This guide will walk you through the process of configuring Azure: enabling flow logs for a virtual network, subnet, or network interface, and then forwarding the flow log events to an Azure Event Hub.

### Prerequisites

* An Azure account with an active subscription.
* The *Microsoft.Insights* provider must be registered to successfully log traffic flowing through a virtual network ([guide](https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-portal#register-insights-provider)).
* A virtual network, subnet, or network interface for which you want to collect flow logs.

### Create a Flow Log

See the Microsoft documentation for how to [Create a Flow Log](https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-portal#create-a-flow-log).

### Forward Flow Log events to an Event Hub

The following steps create the resources needed to push events from the storage account holding the VNet Flow Logs to a real-time data streaming platform (Event Hubs). This allows flowcoll to listen for new events on the configured Event Hub and collect the corresponding Azure VNet Flow Logs from the storage account.

#### Create an Event Hubs namespace

See the Microsoft documentation for how to [Create an Event Hubs namespace](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-create#create-an-event-hubs-namespace).

#### Create an Event Hub

See the Microsoft documentation for how to [Create an Event Hub](https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-create#create-an-event-hub).

#### Create an Event Grid subscription

1. Navigate to the storage account for the Flow Logs you want to collect.
2. In the left menu, select **Events** > **+ Event Subscription**.

![Adding Event Subscription in Azure](/files/udVD33rliE0JTMNXhv2W)

3. In the **Create Event Subscription** window within the **Basic** tab, provide the following values:

<table><thead><tr><th width="249" align="center">Setting</th><th width="248.88671875" align="center">Required value</th><th align="center">Field description</th></tr></thead><tbody><tr><td align="center">Event Schema</td><td align="center"><em>Cloud Event Schema v1.0</em></td><td align="center">The schema that should be used for the Event Grid. <strong>Only Cloud Event Schema v1.0 is supported.</strong></td></tr><tr><td align="center">Filter to Event Types</td><td align="center"><em>Blob Created</em></td><td align="center">Which specific events to get notified for. <strong>Only BlobCreated events are supported.</strong></td></tr></tbody></table>

| Setting |     Suggested value    |                         Field description                        |
| :-----: | :--------------------: | :--------------------------------------------------------------: |
|   Name  | *test-grid-connection* | The name of the Event Grid subscription that you want to create. |

|      Setting      | Automatically populated value |                                                                   Field description                                                                  |
| :---------------: | :---------------------------: | :--------------------------------------------------------------------------------------------------------------------------------------------------: |
|     Topic Type    |       *Storage account*       |                                                             The type of Event Grid topic.                                                            |
|  Source Resource  |       *gridteststorage1*      |                                                           The name of your storage account.                                                          |
| System Topic Name |     *gridteststorage1...*     | The system topic where Azure Storage publishes events. This system topic then forwards the event to a subscriber that receives and processes events. |

{% hint style="info" %}
Note that ***Event Schema*** is required to be ***Cloud Event Schema v1.0***, and ***Filter to Event Types*** is required to be ***Blob Created.***

***Topic Type***, ***Source Resource***, and ***System Topic Name*** are automatically populated.

***Name*** is the only field you have any choice over.
{% endhint %}

4. Under **ENDPOINT DETAILS**, take the following steps:
   1. Select **Event Hubs**.
   2. Click **Configure an endpoint** and select the Event Hub created in the previous section.
5. Select **Create**.

At this point, if you navigate to the **Overview** page for the Event Hub created in the previous section, you should see requests coming in from the storage account through the Event Grid subscription.
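To confirm that the subscription delivers what the table above requires, the following added example (not part of the original guide or of flowcoll) checks messages read from the Event Hub for Cloud Event Schema v1.0 and the Blob Created event type, and extracts the blob URL. The sample messages, the `check_message` helper, and the container and blob names are constructed for illustration.

```python
import json

BLOB_URL = "https://gridteststorage1.blob.core.windows.net/example-container/example.json"

# Constructed sample messages (not captured from a real Event Hub).
SAMPLE_MESSAGES = [
    # CloudEvents v1.0 + BlobCreated: what the subscription above should deliver.
    json.dumps({"specversion": "1.0", "type": "Microsoft.Storage.BlobCreated",
                "source": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
                          "Microsoft.Storage/storageAccounts/gridteststorage1",
                "id": "constructed-1", "time": "2024-01-01T00:00:00Z",
                "subject": "/blobServices/default/containers/example-container/blobs/example.json",
                "data": {"api": "PutBlockList", "blobType": "BlockBlob", "url": BLOB_URL}}),
    # Event Grid schema: Event Schema was set to Event Grid Schema instead.
    json.dumps({"eventType": "Microsoft.Storage.BlobCreated", "dataVersion": "",
                "metadataVersion": "1", "id": "constructed-2", "data": {"url": BLOB_URL}}),
    # CloudEvents v1.0, but the event type filter was not restricted to Blob Created.
    json.dumps({"specversion": "1.0", "type": "Microsoft.Storage.BlobDeleted",
                "id": "constructed-3", "data": {"url": BLOB_URL}}),
    "not json at all",
]


def check_message(raw):
    """Return (ok, detail): the blob URL when ok, otherwise the reason for rejection."""
    try:
        event = json.loads(raw)
    except (TypeError, ValueError):
        return False, "not JSON"
    if not isinstance(event, dict):
        return False, "not a single JSON object"
    if "specversion" not in event and "eventType" in event:
        return False, "Event Grid schema: set Event Schema to Cloud Event Schema v1.0"
    if event.get("specversion") != "1.0":
        return False, "unsupported specversion"
    if event.get("type") != "Microsoft.Storage.BlobCreated":
        return False, "wrong event type: filter to Blob Created"
    data = event.get("data")
    url = data.get("url") if isinstance(data, dict) else None
    if not isinstance(url, str) or not url.startswith("https://"):
        return False, "missing or non-HTTPS data.url"
    return True, url


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(check_message(msg))
```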

### Register an Application with Role Assignments

The following steps register an App with the appropriate role assignments that will allow flowcoll to collect Azure VNet Flow Logs from the storage account created earlier.

#### Create an App registration

See the Microsoft documentation for how to [Create an App registration](https://learn.microsoft.com/en-us/power-apps/developer/data-platform/walkthrough-register-app-azure-active-directory#create-the-app-registration).

Make sure to record the Application (client) ID, which uniquely identifies your application and is needed to properly configure flowcoll.

#### Add a Client Secret

1. In the Microsoft Entra admin center, in **App registrations**, select your application.
2. Select **Certificates & secrets** > **Client secrets** > **New client secret**.
3. Add a description for your client secret.
4. Select an expiration for the secret or specify a custom lifetime.
5. Select **Add**.
6. Record the secret's value as it is needed to properly configure flowcoll. This secret value is *never displayed again* after you leave this page.

#### Assign Role Assignments

1. Assign the **Storage Blob Data Reader** role to the above App registration for the storage account previously created.
   1. Navigate to the storage account for the Flow Logs you want to collect.
   2. Select **Access Control (IAM)** > **+ Add** > **Add role assignment**.
   3. Find and select the **Storage Blob Data Reader** role.
   4. Select **Next**.
   5. Select **+ Select members** and select the App registration created in the previous section.
   6. Select **Review + assign**.
2. Assign the **Azure Event Hubs Data Receiver** role to the above App registration for the Event Hubs namespace created earlier.
   1. Navigate to the Event Hubs namespace created earlier.
   2. Select **Access Control (IAM)** > **+ Add** > **Add role assignment**.
   3. Find and select the **Azure Event Hubs Data Receiver** role.
   4. Select **Next**.
   5. Select **+ Select members** and select the App registration created in the previous section.
   6. Select **Review + assign**.
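Once both roles are assigned, it is worth checking that the App registration holds exactly these two grants at resource scope and nothing broader. The following added example (not part of the original guide) audits a role assignment listing; the input is constructed in the shape of `az role assignment list --output json`, and the `audit` helper, subscription ID, resource group and namespace names are hypothetical.

```python
import json

# Roles this page assigns, mapped to the resource type each must be scoped to.
EXPECTED = {
    "Storage Blob Data Reader": "Microsoft.Storage/storageAccounts",
    "Azure Event Hubs Data Receiver": "Microsoft.EventHub/namespaces",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder
RG = SUB + "/resourceGroups/example-rg"                      # constructed placeholder

# Constructed input in the shape of `az role assignment list --output json`.
GOOD = json.dumps([
    {"roleDefinitionName": "Storage Blob Data Reader",
     "scope": RG + "/providers/Microsoft.Storage/storageAccounts/gridteststorage1"},
    {"roleDefinitionName": "Azure Event Hubs Data Receiver",
     "scope": RG + "/providers/Microsoft.EventHub/namespaces/example-ns"},
])
BAD = json.dumps([
    {"roleDefinitionName": "Storage Blob Data Reader", "scope": SUB},  # subscription-wide
    {"roleDefinitionName": "Contributor", "scope": RG},                # not needed at all
])


def audit(assignments_json):
    """Return sorted findings; an empty list means the grants match this page."""
    findings, seen = [], set()
    for a in json.loads(assignments_json):
        role, scope = a.get("roleDefinitionName", ""), a.get("scope", "")
        resource_type = EXPECTED.get(role)
        if resource_type is None:
            findings.append(f"unexpected role {role!r} at {scope}")
            continue
        seen.add(role)
        # Azure resource IDs are case-insensitive, so compare in lower case.
        if f"/providers/{resource_type}/".lower() not in scope.lower():
            findings.append(f"{role!r} is not scoped to a single resource: {scope}")
    findings += [f"missing role {r!r}" for r in EXPECTED if r not in seen]
    return sorted(findings)


if __name__ == "__main__":
    print(audit(GOOD))
    print(audit(BAD))
```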

### Configure flowcoll

To configure flowcoll and your firewall, see our [configuration page](/flowcoll/configuration/inputs/input_azure_vnet.md).


