# Azure Flow Logs (VNET)

### Overview

NetObserv Flow can receive VNet flow logs from Microsoft Azure.

This input collects 'Virtual network flow logs' from Microsoft Azure Network Watcher. VNet flow logs provide information about IP traffic flowing through a virtual network. See [Azure documentation](https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-overview) for more information about their flow log feature.

The retrieval of VNet flow logs is event-based, meaning that NetObserv Flow will listen for an event from Azure Event Hub and will then retrieve and ingest all new flow logs since the last event.

![Overview of Azure Flow Log Feature](/files/osCH4yvDiNWLfolJsiYK)

* [Azure setup guide](/additional-resources-reference-articles/guides/configuring-flow-logs-on-devices/setup_azure_flow_logs.md) (for configuring Azure to output flow logs)
* [Notes about system resources](/flowcoll/installation/requirements.md#memory) for using Azure Flow Logs
* [Supported information elements](/flowcoll/supported_ie/supported_ie_azure.md)

### Configuring NetObserv Flow to Receive Azure Flow Logs

### Firewall

The following ports must be open for outbound traffic to allow communication between the NetObserv Flow collector and Azure:

* **TCP 443**: This is the default port for HTTPS traffic.
* **TCP 5671 and 5672**: These are the default ports for AMQP traffic.

#### EF\_AZURE\_FLOW\_LOG\_VNET\_ENABLE

This enables the feature.

* Valid Values
  * `true`, `false`
* Default Value
  * `false`

#### EF\_AZURE\_FLOW\_LOG\_VNET\_CONFIG\_FILE\_PATH

The path to the config file for this feature. See below for more details.

* Default Value
  * `"/etc/elastiflow/azure/flowlog_vnet.yml"`

### VNet Consumers Configuration File

Here is a minimal example of what this config file looks like:

```yml
- tenantId: "App registration Directory ID"
  clientId: "App registration Application ID"
  clientSecret: "App registration client secret"
  consumers:
    - namespace: "Host name of the Event Hubs namespace"
      name: "Name of the Event Hub"
      consumerGroup: "$Default"
```

* **tenantId** - This is the "Directory (tenant) Id" displayed from the "[Create an App registration](/additional-resources-reference-articles/guides/configuring-flow-logs-on-devices/setup_azure_flow_logs.md#create-an-app-registration)" step of the setup guide. This is the tenant ID associated with your Azure subscription. [More information](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant)
* **clientId** - This is the "Application (client) ID" displayed during that same step.
* **clientSecret** - This is the secret displayed from the "[Add a Client Secret](/additional-resources-reference-articles/guides/configuring-flow-logs-on-devices/setup_azure_flow_logs.md#add-a-client-secret)" step of the setup guide.
* **consumers**: This is a list of consumer tuples. You must have at least one consumer with namespace and name defined; consumerGroup is optional and defaults to `$Default`.
  * **namespace**: This is the Event Hub Namespace created or configured during the "[Create an Events Hub namespace](/additional-resources-reference-articles/guides/configuring-flow-logs-on-devices/setup_azure_flow_logs.md#create-an-events-hub-namespace)" step of the setup guide. Namespace corresponds to a Kafka instance.
  * **name**: This is the Event Hub created or configured during the "[Create an Event Hub](/additional-resources-reference-articles/guides/configuring-flow-logs-on-devices/setup_azure_flow_logs.md#create-an-event-hub)" step of the setup guide. Name corresponds to a Kafka topic.
  * **consumerGroup**: This is the consumer group of the above name. The "Basic" tier of the Event Hub Namespace only allows a single $Default consumer group; the "Standard" tier allows multiple consumer groups. Create consumer groups if you want to run multiple independent instances of flowcoll (or other consumers of these events). If you're using the $Default group, you can omit this field, as $Default is its default value.
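
A pre-flight check for this file, added here as an example (not ElastiFlow's own code): it validates the structure described above and flags the file when group or others can access it, since `clientSecret` is stored in it in plaintext. The GUID format check, the permission policy and the function names are assumptions of this example, and PyYAML is assumed to be installed for command-line use.

```python
import os
import re
import stat
import sys

# Assumption: tenantId and clientId are GUIDs, as the Azure portal displays them.
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def validate_config(entries):
    """Return a list of problems in the parsed config (a list of mappings)."""
    if not isinstance(entries, list) or not entries:
        return ["top level must be a non-empty list of app registrations"]
    problems = []
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append(f"[{i}] entry must be a mapping")
            continue
        for key in ("tenantId", "clientId", "clientSecret"):
            value = entry.get(key)
            if not isinstance(value, str) or not value.strip():
                problems.append(f"[{i}] {key} is missing or empty")
            elif key != "clientSecret" and not GUID.match(value.strip()):
                problems.append(f"[{i}] {key} is not a GUID (placeholder left in?)")
        consumers = entry.get("consumers")
        if not isinstance(consumers, list) or not consumers:
            problems.append(f"[{i}] at least one consumer is required")
            continue
        for j, consumer in enumerate(consumers):
            for key in ("namespace", "name"):  # consumerGroup is optional
                if not isinstance(consumer, dict) or not str(consumer.get(key) or "").strip():
                    problems.append(f"[{i}].consumers[{j}] {key} is missing or empty")
    return problems


def secret_file_exposed(path):
    """True if group or others have any permission on the file holding clientSecret."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO))


if __name__ == "__main__":
    import yaml  # PyYAML, assumed to be installed
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/elastiflow/azure/flowlog_vnet.yml"
    with open(path) as fh:
        issues = validate_config(yaml.safe_load(fh))
    if secret_file_exposed(path):
        issues.append(f"{path} is accessible by group/others and holds clientSecret")
    print("\n".join(issues) or "OK")
    sys.exit(1 if issues else 0)
```

Run it against the path set in `EF_AZURE_FLOW_LOG_VNET_CONFIG_FILE_PATH`; a non-zero exit status means at least one problem was reported.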

