Microsoft.Network networkWatchers/flowLogs 2025-01-01

Bicep resource definition

The networkWatchers/flowLogs resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/networkWatchers/flowLogs resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Network/networkWatchers/flowLogs@2025-01-01' = {
  parent: resourceSymbolicName
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  location: 'string'
  name: 'string'
  properties: {
    enabled: bool
    enabledFilteringCriteria: 'string'
    flowAnalyticsConfiguration: {
      networkWatcherFlowAnalyticsConfiguration: {
        enabled: bool
        trafficAnalyticsInterval: int
        workspaceId: 'string'
        workspaceRegion: 'string'
        workspaceResourceId: 'string'
      }
    }
    format: {
      type: 'string'
      version: int
    }
    retentionPolicy: {
      days: int
      enabled: bool
    }
    storageId: 'string'
    targetResourceId: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}

Property Values

Microsoft.Network/networkWatchers/flowLogs

Name Description Value
identity FlowLog resource Managed Identity ManagedServiceIdentity
location Resource location. string
name The resource name string (required)
parent In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. Symbolic name for resource of type: networkWatchers
properties Properties of the flow log. FlowLogPropertiesFormat
tags Resource tags Dictionary of tag names and values. See Tags in templates

Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties

Name Description Value

FlowLogFormatParameters

Name Description Value
type The file type of flow log. 'JSON'
version The version (revision) of the flow log. int

FlowLogPropertiesFormat

Name Description Value
enabled Flag to enable/disable flow logging. bool
enabledFilteringCriteria Optional field to filter network traffic logs based on SrcIP, SrcPort, DstIP, DstPort, Protocol, Encryption, Direction and Action. If not specified, all network traffic will be logged. string
flowAnalyticsConfiguration Parameters that define the configuration of traffic analytics. TrafficAnalyticsProperties
format Parameters that define the flow log format. FlowLogFormatParameters
retentionPolicy Parameters that define the retention policy for flow log. RetentionPolicyParameters
storageId ID of the storage account which is used to store the flow log. string (required)
targetResourceId ID of network security group to which flow log will be applied. string (required)

ManagedServiceIdentity

Name Description Value
type The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. 'None' | 'SystemAssigned' | 'SystemAssigned, UserAssigned' | 'UserAssigned'
userAssignedIdentities The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. ManagedServiceIdentityUserAssignedIdentities

ManagedServiceIdentityUserAssignedIdentities

Name Description Value

ResourceTags

Name Description Value

RetentionPolicyParameters

Name Description Value
days Number of days to retain flow log records. int
enabled Flag to enable/disable retention. bool

TrafficAnalyticsConfigurationProperties

Name Description Value
enabled Flag to enable/disable traffic analytics. bool
trafficAnalyticsInterval The interval in minutes which would decide how frequently TA service should do flow analytics. int
workspaceId The resource guid of the attached workspace. string
workspaceRegion The location of the attached workspace. string
workspaceResourceId Resource Id of the attached workspace. string

TrafficAnalyticsProperties

Name Description Value
networkWatcherFlowAnalyticsConfiguration Parameters that define the configuration of traffic analytics. TrafficAnalyticsConfigurationProperties

Usage Examples

Azure Quickstart Samples

The following Azure Quickstart templates contain Bicep samples for deploying this resource type.

Bicep File Description
Enable NSG Flow Logs This template creates an NSG Flow Logs resource
NSG Flow Logs with traffic analytics This template creates an NSG flow log on an existing NSG with traffic analytics

ARM template resource definition

The networkWatchers/flowLogs resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/networkWatchers/flowLogs resource, add the following JSON to your template.

{
  "type": "Microsoft.Network/networkWatchers/flowLogs",
  "apiVersion": "2025-01-01",
  "name": "string",
  "identity": {
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
      }
    }
  },
  "location": "string",
  "properties": {
    "enabled": "bool",
    "enabledFilteringCriteria": "string",
    "flowAnalyticsConfiguration": {
      "networkWatcherFlowAnalyticsConfiguration": {
        "enabled": "bool",
        "trafficAnalyticsInterval": "int",
        "workspaceId": "string",
        "workspaceRegion": "string",
        "workspaceResourceId": "string"
      }
    },
    "format": {
      "type": "string",
      "version": "int"
    },
    "retentionPolicy": {
      "days": "int",
      "enabled": "bool"
    },
    "storageId": "string",
    "targetResourceId": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property Values

Microsoft.Network/networkWatchers/flowLogs

Name Description Value
apiVersion The api version '2025-01-01'
identity FlowLog resource Managed Identity ManagedServiceIdentity
location Resource location. string
name The resource name string (required)
properties Properties of the flow log. FlowLogPropertiesFormat
tags Resource tags Dictionary of tag names and values. See Tags in templates
type The resource type 'Microsoft.Network/networkWatchers/flowLogs'

Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties

Name Description Value

FlowLogFormatParameters

Name Description Value
type The file type of flow log. 'JSON'
version The version (revision) of the flow log. int

FlowLogPropertiesFormat

Name Description Value
enabled Flag to enable/disable flow logging. bool
enabledFilteringCriteria Optional field to filter network traffic logs based on SrcIP, SrcPort, DstIP, DstPort, Protocol, Encryption, Direction and Action. If not specified, all network traffic will be logged. string
flowAnalyticsConfiguration Parameters that define the configuration of traffic analytics. TrafficAnalyticsProperties
format Parameters that define the flow log format. FlowLogFormatParameters
retentionPolicy Parameters that define the retention policy for flow log. RetentionPolicyParameters
storageId ID of the storage account which is used to store the flow log. string (required)
targetResourceId ID of network security group to which flow log will be applied. string (required)

ManagedServiceIdentity

Name Description Value
type The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. 'None' | 'SystemAssigned' | 'SystemAssigned, UserAssigned' | 'UserAssigned'
userAssignedIdentities The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. ManagedServiceIdentityUserAssignedIdentities

ManagedServiceIdentityUserAssignedIdentities

Name Description Value

ResourceTags

Name Description Value

RetentionPolicyParameters

Name Description Value
days Number of days to retain flow log records. int
enabled Flag to enable/disable retention. bool

TrafficAnalyticsConfigurationProperties

Name Description Value
enabled Flag to enable/disable traffic analytics. bool
trafficAnalyticsInterval The interval in minutes which would decide how frequently TA service should do flow analytics. int
workspaceId The resource guid of the attached workspace. string
workspaceRegion The location of the attached workspace. string
workspaceResourceId Resource Id of the attached workspace. string

TrafficAnalyticsProperties

Name Description Value
networkWatcherFlowAnalyticsConfiguration Parameters that define the configuration of traffic analytics. TrafficAnalyticsConfigurationProperties
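
The properties documented above decide how much network visibility a flow log actually gives. The following Python check is an added example, not part of the original reference or of any Microsoft tooling: it audits the top-level flowLogs resources of an ARM template before deployment. The finding codes, the 30-day minimum and the sample template are assumptions made for illustration, and only literal values are evaluated (template expressions are not resolved).

```python
import json

FLOWLOG_TYPE = "Microsoft.Network/networkWatchers/flowLogs"
MIN_RETENTION_DAYS = 30  # assumed organisational minimum, not a value from the page

def audit_flow_log(resource, min_days=MIN_RETENTION_DAYS):
    """Return finding codes for one flowLogs resource from an ARM template."""
    props = resource.get("properties", {})
    findings = [f"missing-{key}" for key in ("storageId", "targetResourceId")
                if not props.get(key)]  # both are marked (required)
    if props.get("enabled") is not True:
        findings.append("logging-disabled")
    if props.get("enabledFilteringCriteria"):
        # With no filter all traffic is logged; a filter narrows visibility.
        findings.append("traffic-filtered")
    retention = props.get("retentionPolicy", {})
    # Assumption: a disabled policy or days = 0 means no automatic deletion.
    if retention.get("enabled") and 0 < retention.get("days", 0) < min_days:
        findings.append("retention-too-short")
    analytics = props.get("flowAnalyticsConfiguration", {}).get(
        "networkWatcherFlowAnalyticsConfiguration", {})
    if not analytics.get("enabled"):
        findings.append("traffic-analytics-disabled")
    elif not analytics.get("workspaceResourceId"):
        findings.append("traffic-analytics-no-workspace")
    return findings

def audit_template(template_text, min_days=MIN_RETENTION_DAYS):
    """Map each top-level flowLogs resource name to its findings."""
    template = json.loads(template_text)
    return {res["name"]: audit_flow_log(res, min_days)
            for res in template.get("resources", [])
            if res.get("type") == FLOWLOG_TYPE}

# Constructed sample template; every name and ID is a placeholder.
BASE = {"enabled": True, "storageId": "<storage-id>", "targetResourceId": "<nsg-id>"}
ANALYTICS = {"networkWatcherFlowAnalyticsConfiguration": {
    "enabled": True, "workspaceResourceId": "<workspace-id>"}}
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": FLOWLOG_TYPE, "name": "nw/weak-log", "properties": {
        **BASE, "enabledFilteringCriteria": "<filter-expression>",
        "retentionPolicy": {"enabled": True, "days": 7}}},
    {"type": FLOWLOG_TYPE, "name": "nw/good-log", "properties": {
        **BASE, "retentionPolicy": {"enabled": True, "days": 90},
        "flowAnalyticsConfiguration": ANALYTICS}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "ignored"},
]})

if __name__ == "__main__":
    print(audit_template(SAMPLE_TEMPLATE))
```

A resource with an empty finding list meets the assumed policy; a check like this can run in a pipeline stage that gates the deployment.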

Usage Examples

Azure Quickstart Templates

The following Azure Quickstart templates deploy this resource type.

Template Description
Enable NSG Flow Logs This template creates an NSG Flow Logs resource
NSG Flow Logs with traffic analytics This template creates an NSG flow log on an existing NSG with traffic analytics

Terraform (AzAPI provider) resource definition

The networkWatchers/flowLogs resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/networkWatchers/flowLogs resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/networkWatchers/flowLogs@2025-01-01"
  name = "string"
  parent_id = "string"
  identity {
    type = "string"
    identity_ids = [
      "string"
    ]
  }
  location = "string"
  tags = {
    {customized property} = "string"
  }
  body = {
    properties = {
      enabled = bool
      enabledFilteringCriteria = "string"
      flowAnalyticsConfiguration = {
        networkWatcherFlowAnalyticsConfiguration = {
          enabled = bool
          trafficAnalyticsInterval = int
          workspaceId = "string"
          workspaceRegion = "string"
          workspaceResourceId = "string"
        }
      }
      format = {
        type = "string"
        version = int
      }
      retentionPolicy = {
        days = int
        enabled = bool
      }
      storageId = "string"
      targetResourceId = "string"
    }
  }
}

Property Values

Microsoft.Network/networkWatchers/flowLogs

Name Description Value
identity FlowLog resource Managed Identity ManagedServiceIdentity
location Resource location. string
name The resource name string (required)
parent_id The ID of the resource that is the parent for this resource. ID for resource of type: networkWatchers
properties Properties of the flow log. FlowLogPropertiesFormat
tags Resource tags Dictionary of tag names and values.
type The resource type "Microsoft.Network/networkWatchers/flowLogs@2025-01-01"

Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties

Name Description Value

FlowLogFormatParameters

Name Description Value
type The file type of flow log. 'JSON'
version The version (revision) of the flow log. int

FlowLogPropertiesFormat

Name Description Value
enabled Flag to enable/disable flow logging. bool
enabledFilteringCriteria Optional field to filter network traffic logs based on SrcIP, SrcPort, DstIP, DstPort, Protocol, Encryption, Direction and Action. If not specified, all network traffic will be logged. string
flowAnalyticsConfiguration Parameters that define the configuration of traffic analytics. TrafficAnalyticsProperties
format Parameters that define the flow log format. FlowLogFormatParameters
retentionPolicy Parameters that define the retention policy for flow log. RetentionPolicyParameters
storageId ID of the storage account which is used to store the flow log. string (required)
targetResourceId ID of network security group to which flow log will be applied. string (required)

ManagedServiceIdentity

Name Description Value
type The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. 'None' | 'SystemAssigned' | 'SystemAssigned, UserAssigned' | 'UserAssigned'
userAssignedIdentities The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. ManagedServiceIdentityUserAssignedIdentities

ManagedServiceIdentityUserAssignedIdentities

Name Description Value

ResourceTags

Name Description Value

RetentionPolicyParameters

Name Description Value
days Number of days to retain flow log records. int
enabled Flag to enable/disable retention. bool

TrafficAnalyticsConfigurationProperties

Name Description Value
enabled Flag to enable/disable traffic analytics. bool
trafficAnalyticsInterval The interval in minutes which would decide how frequently TA service should do flow analytics. int
workspaceId The resource guid of the attached workspace. string
workspaceRegion The location of the attached workspace. string
workspaceResourceId Resource Id of the attached workspace. string

TrafficAnalyticsProperties

Name Description Value
networkWatcherFlowAnalyticsConfiguration Parameters that define the configuration of traffic analytics. TrafficAnalyticsConfigurationProperties

Usage Examples

Terraform Samples

A basic example of deploying Network Watcher Flow Log.

terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}

provider "azapi" {
  skip_provider_registration = false
}

variable "resource_name" {
  type    = string
  default = "acctest0001"
}

variable "location" {
  type    = string
  default = "eastus2"
}

resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  location = var.location
}

resource "azapi_resource" "virtualNetwork" {
  type      = "Microsoft.Network/virtualNetworks@2022-07-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    properties = {
      addressSpace = {
        addressPrefixes = [
          "10.0.0.0/16",
        ]
      }
      dhcpOptions = {
        dnsServers = [
        ]
      }
      subnets = [
      ]
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
  lifecycle {
    ignore_changes = [body.properties.subnets]
  }
}

resource "azapi_resource" "networkWatchers" {
  type      = "Microsoft.Network/networkWatchers@2023-11-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    properties = {
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}

# Storage account that receives the flow log records.
resource "azapi_resource" "storageAccount" {
  type      = "Microsoft.Storage/storageAccounts@2021-09-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    kind = "StorageV2"
    properties = {
      accessTier                   = "Hot"
      # Permissive settings: containers may be configured for anonymous read,
      # and requests authorized with the account key are accepted.
      allowBlobPublicAccess        = true
      allowCrossTenantReplication  = true
      allowSharedKeyAccess         = true
      defaultToOAuthAuthentication = false
      encryption = {
        keySource = "Microsoft.Storage"
        services = {
          queue = {
            keyType = "Service"
          }
          table = {
            keyType = "Service"
          }
        }
      }
      isHnsEnabled      = false
      isNfsV3Enabled    = false
      isSftpEnabled     = false
      minimumTlsVersion = "TLS1_2"
      networkAcls = {
        # Default action "Allow" accepts requests from all networks.
        defaultAction = "Allow"
      }
      publicNetworkAccess      = "Enabled"
      supportsHttpsTrafficOnly = true
    }
    sku = {
      name = "Standard_LRS"
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}

resource "azapi_resource" "flowLog" {
  type      = "Microsoft.Network/networkWatchers/flowLogs@2023-11-01"
  name      = var.resource_name
  location  = var.location
  parent_id = azapi_resource.networkWatchers.id

  body = {
    properties = {
      enabled = true
      flowAnalyticsConfiguration = {
        networkWatcherFlowAnalyticsConfiguration = {
          enabled = false
        }
      }
      format = {
        type    = "JSON"
        version = 2
      }
      retentionPolicy = {
        days    = 7
        enabled = true
      }
      storageId        = azapi_resource.storageAccount.id
      targetResourceId = azapi_resource.virtualNetwork.id
    }
  }
}