How does NSG capture flows intra vnet traffic to different snet

Pirko, Kevin J 5

Hey so I have a vnet with two snet. one snet is an app service vnet integrate for outbound traffic and a snet with private endpoints to sql server that host the app service database. While I have confirmed the NSG applied to both snet can deny the DB traffic but the traffic analytics and AzureNetworkAnalytics_CL logs shows none of those flows. Is this by design or am I missing a setting somewhere?

GitaraniSharma-MSFT 49,261 Reputation points Microsoft Employee

2023-02-14T13:57:05.38+00:00

Hello @Pirko, Kevin J ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Could you please provide some more details on what exactly you are trying to achieve or which NSG flows you are trying to check in the logs?

According to NSG flow logging considerations,

Traffic across private link - To log traffic while accessing PaaS resources via private link, enable NSG flow logs on a subnet NSG containing the private link. Due to platform limitations, the traffic at all the source VMs only can be captured whereas that at the destination PaaS resource cannot be captured.

Regards,

Gita
GitaraniSharma-MSFT 49,261 Reputation points Microsoft Employee

2023-02-17T10:31:08.98+00:00

@Pirko, Kevin J , Could you please provide an update on this post and share the requested details for further discussion on this issue?
GitaraniSharma-MSFT 49,261 Reputation points Microsoft Employee

2023-03-06T12:20:29.8266667+00:00

@Pirko, Kevin J , Just checking in to see if you had a chance to see the below answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.

And, if you have any further questions do let us know.
Pirko, Kevin J 5 Reputation points

2023-03-30T14:34:43.7166667+00:00

I had a ticket opened and was stated "App services deployed under an Azure App Service plan don't support NSG flow logs. To learn more, see How virtual network integration works." which ok I get that but when the nsg is also on the sql server it still wont pick up any flow either. its like if its tied to a app service all flows are hidden from the network watcher.
ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee

2023-03-30T18:58:18.1233333+00:00

@Pirko, Kevin J

Thank you for your response above.

I am checking internally regarding this issue, to see if NSG flow logs are supported for SQL service.
GitaraniSharma-MSFT 49,261 Reputation points Microsoft Employee

2023-04-03T14:01:45.1066667+00:00
@Pirko, Kevin J , I just wanted to understand the following statement "when the NSG is also on the SQL server it still won't pick up any flow either. it's like if it's tied to an app service all flows are hidden from the network watcher."

Initially when you posted this question, you mentioned you have 2 subnets.

One subnet has an app service with Vnet integration for outbound traffic. --> This doesn't support NSG flow logs.

Refer: https://video2.skills-academy.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview#incompatible-services

https://video2.skills-academy.com/en-us/azure/virtual-network/nat-gateway/troubleshoot-nat-and-azure-services#azure-app-services

Another subnet with private endpoints to SQL server that host the app service database. --> This supports NSG flow logs but with below limitations.

As mentioned in the below doc, because of platform limitations, only traffic at the source VMs can be captured. Traffic at the destination PaaS resource can't be captured.

Refer: https://video2.skills-academy.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview#traffic-across-a-private-link

Meaning, when you have private endpoint configured, only traffic at the source VMs can be captured but traffic at the destination PaaS resource (SQL server in your case) can't be captured.

Please let me know if you are talking about a separate setup without private endpoints, so that I can check with the Product Group team for further information.

1 answer

GitaraniSharma-MSFT 49,261 Reputation points Microsoft Employee

2023-03-02T07:24:41.7133333+00:00

Hello @Pirko, Kevin J ,

I understand that you have a Vnet with two subnets, where one subnet is an app service with Vnet integration and another subnet with private endpoints to SQL server that host the app service database. You have confirmed that the NSGs applied to both subnets can deny the traffic but the traffic analytics and AzureNetworkAnalytics_CL logs doesn't show any of those flows and you would like to know if this is by design.

Yes, this is by design.

According to NSG flow logs document,

Traffic across a private link - To log traffic while accessing platform as a service (PaaS) resources via private link, enable NSG flow logs on the network security group of the subnet that contains the private link. Because of platform limitations, only traffic at the source VMs can be captured. Traffic at the destination PaaS resource can't be captured.

Refer: https://video2.skills-academy.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview#traffic-across-a-private-link

Also, App services deployed under an Azure App Service plan don't support NSG flow logs. Because of the nature of how virtual network integration operates, the traffic from virtual network integration doesn't show up in Azure Network Watcher or NSG flow logs.

Refer: https://video2.skills-academy.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview#incompatible-services

https://video2.skills-academy.com/en-us/azure/virtual-network/nat-gateway/troubleshoot-nat-and-azure-services#azure-app-services

In your setup, you have App service and private link with Paas services which do not support/capture NSG flow logs.

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

How does NSG capture flows intra vnet traffic to different snet

1 answer