Comparing Azure NSG and VNet Flow Logs
Summary
Azure VNet flow logs significantly improve network observability in Azure. Compared to NSG flow logs, VNet flow logs provide broader traffic visibility, encryption status monitoring, and simplified logging at the virtual network level, enabling advanced traffic analysis and a more comprehensive solution for modern cloud network management.
First introduced in early 2024, Azure Virtual Network (VNet) flow logs expand upon NSG flow logs, improving network visibility in Azure. Before VNet flow logs, NSG flow logs were the primary method to capture network traffic information. However, NSG flow logs lacked visibility of several key resources and were limited in scope and application. VNet flow logs fill in many of these visibility gaps and enhance network observability in Azure virtual networks.
Expanded capabilities
VNet flow logs both simplify and expand on the breadth of traffic monitoring by logging traffic at the virtual network level. This means that network traffic flowing through the workloads in a virtual network is logged, in contrast to NSG flow logs, which capture traffic flowing only through a specific network security group or NSG.
First, VNet flow logs simplify network monitoring by eliminating the multi-level configuration that NSG flow logging requires. NSG flow logs depend on NSGs being configured at both the subnet and network interface levels, and they miss traffic entirely wherever no NSG is applied.
In contrast, VNet flow logs offer broader visibility by allowing logging to be enabled at the virtual network, subnet, or network interface level, without requiring an NSG to be attached to the resource being monitored.
Next, VNet flow logs provide richer traffic analysis by identifying traffic allowed or denied by both NSG rules and Azure Virtual Network Manager security admin rules. NSG flow logs capture only the decisions made at the network security group level.
Lastly, VNet flow logs also provide a form of encryption status monitoring, meaning that by using VNet flow logs, we can evaluate the encryption status of network traffic, especially in scenarios utilizing virtual network encryption.
How VNet flow logs work
VNet flow logs operate at Layer 4 and record network flows through a virtual network. They are collected at one-minute intervals and generally do not impact resource performance.
Like NSG flow logs, VNet flow logs are stored in JSON format, which isn’t new for Azure but is an important distinction from other cloud flow records like AWS VPC flow logs. JSON organizes log information into key-value pairs, providing a clear and consistent structure. That uniformity simplifies data parsing and analysis and enables more efficient extraction of relevant information, which is critical for network observability and integration with various third-party tools.
VNet flow logs include information such as source and destination IP, source and destination port, protocol, and the network interface identifier. They also include traffic direction, the flow state, the encryption state, and throughput information, a significant improvement over NSG flow logs.
After flow records are generated, they are sent to Azure Storage, where they can be accessed and exported to visualization tools such as Kentik.
Uses for VNet flow logs
VNet flow logs have several specific uses for monitoring cloud traffic.
First, they’re used for general-purpose network monitoring, meaning they are used to identify unknown or undesired traffic, monitor traffic levels, and understand application behavior over the network.
Beyond that, VNet flow logs are used for usage optimization, such as identifying the top talkers in your cloud network, analyzing cross-region traffic, and forecasting capacity needs. Because VNet flow logs can be enabled at multiple levels, we can use them to monitor various services, such as Azure Firewall, VPN gateways, or ExpressRoute gateways.
(NSG flow logs are limited to monitoring traffic through resources with associated NSGs, which means they provide an incomplete picture of cloud network traffic.)
From a security perspective, these logs are used for compliance, such as ensuring network isolation, verifying encryption standards, and adhering to organizational access rules. They can also be used for security analysis tasks, such as analyzing network flows from compromised IPs, detecting intrusions, and recognizing suspicious traffic patterns. When used along with a SIEM or IDS tool, VNet flow logs can help provide advanced threat detection.
NSG flow logs don’t provide information regarding the encryption status of network traffic, making this use case unique to VNet flow logs.
Also from a security perspective, VNet flow logs provide richer traffic analysis by identifying traffic allowed or denied by both NSG rules and Azure Virtual Network Manager security admin rules. NSG flow logs, by contrast, record only decisions based on NSG rules and offer no insight into other security configurations.
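The following Python example, added here and not code from Kentik or the original article, shows how the record structure described above (JSON with per-NIC records carrying comma-separated flow tuples) can be parsed and then used for the security tasks the last few paragraphs mention: listing denied flows, finding allowed flows that were not encrypted, and ranking top talkers by bytes. The sample log is constructed, the subscription and ACL identifiers are placeholders, and the tuple field order (timestamp, IPs, ports, numeric protocol, direction, state, encryption, then packet and byte counters in each direction) is an assumption based on the published version 4 VNet flow log layout; check it against your own exported records before relying on it.

```python
import json
from collections import defaultdict

# Constructed sample record (not real data). Placeholders: <sub-id>, <acl-id>.
# Tuple layout assumed from the documented v4 format:
# ts_ms,src_ip,dst_ip,src_port,dst_port,proto,dir,state,encryption,
# pkts_src_to_dst,bytes_src_to_dst,pkts_dst_to_src,bytes_dst_to_src
SAMPLE_LOG = json.dumps({
    "records": [{
        "time": "2024-03-01T09:00:52.000Z",
        "flowLogVersion": 4,
        "macAddress": "000D3AF80000",          # network interface identifier
        "category": "FlowLogFlowEvent",
        "targetResourceID": "/subscriptions/<sub-id>/resourceGroups/example-rg"
                            "/providers/Microsoft.Network/virtualNetworks/example-vnet",
        "flowRecords": {"flows": [{
            "aclID": "<acl-id>",
            "flowGroups": [
                {"rule": "DefaultRule_AllowInternetOutBound",
                 "flowTuples": [
                     "1709283652000,10.0.0.4,203.0.113.10,52000,443,6,O,B,X,0,0,0,0",
                     "1709283659000,10.0.0.4,203.0.113.10,52000,443,6,O,E,X,12,4096,10,20480",
                     "1709283660000,10.0.0.5,198.51.100.7,52010,80,6,O,E,NX,5,900,4,3000",
                 ]},
                {"rule": "DefaultRule_DenyAllInBound",
                 "flowTuples": [
                     "1709283661000,192.0.2.25,10.0.0.4,41000,22,6,I,D,NX,1,64,0,0",
                     "1709283662000,192.0.2.25,10.0.0.4,41001,3389,6,I,D,NX,1,64,0,0",
                 ]},
            ],
        }]},
    }]
})

PROTOCOLS = {"6": "TCP", "17": "UDP"}
STATES = {"B": "begin", "C": "continuing", "E": "end", "D": "denied"}


def parse_tuple(tuple_str, rule, nic_mac):
    """Turn one comma-separated flow tuple into a dict of named fields."""
    f = tuple_str.split(",")
    if len(f) != 13:
        raise ValueError(f"unexpected field count {len(f)} in tuple: {tuple_str}")
    return {
        "ts_ms": int(f[0]),
        "src_ip": f[1], "dst_ip": f[2],
        "src_port": int(f[3]), "dst_port": int(f[4]),
        "protocol": PROTOCOLS.get(f[5], f[5]),
        "direction": "inbound" if f[6] == "I" else "outbound",
        "state": STATES.get(f[7], f[7]),
        "encryption": f[8],                 # "X" = encrypted, "NX..." = not encrypted
        "encrypted": f[8] == "X",
        "pkts_out": int(f[9]), "bytes_out": int(f[10]),
        "pkts_in": int(f[11]), "bytes_in": int(f[12]),
        "rule": rule, "nic_mac": nic_mac,
    }


def parse_flow_log(raw_json):
    """Walk records -> flowRecords.flows -> flowGroups -> flowTuples."""
    flows = []
    for rec in json.loads(raw_json)["records"]:
        nic_mac = rec.get("macAddress")
        for flow in rec["flowRecords"]["flows"]:
            for group in flow["flowGroups"]:
                for t in group["flowTuples"]:
                    flows.append(parse_tuple(t, group["rule"], nic_mac))
    return flows


def denied_flows(flows):
    """Flows blocked by an NSG or security admin rule (state D)."""
    return [f for f in flows if f["state"] == "denied"]


def unencrypted_allowed(flows):
    """Compliance check: allowed flows that were not covered by VNet encryption."""
    return [f for f in flows if f["state"] != "denied" and not f["encrypted"]]


def top_talkers(flows, n=5):
    """Rank source IPs by total bytes in both directions.
    B rows carry zero counters; C/E rows carry traffic since the previous update,
    so summing every row gives the total per source."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src_ip"]] += f["bytes_out"] + f["bytes_in"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_LOG)
    print(f"parsed {len(flows)} flow tuples")
    for f in denied_flows(flows):
        print(f"DENIED  {f['src_ip']} -> {f['dst_ip']}:{f['dst_port']} ({f['rule']})")
    for f in unencrypted_allowed(flows):
        print(f"NO-ENC  {f['src_ip']} -> {f['dst_ip']}:{f['dst_port']} ({f['encryption']})")
    for ip, total in top_talkers(flows):
        print(f"TALKER  {ip}: {total} bytes")
```

Because the denied rows already reflect the combined NSG and security admin rule decision, the same loop covers both rule sources; a real pipeline would read the hourly blobs from the storage account instead of the inline string, but the per-tuple handling is unchanged.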
Comparing NSG and VNet flow logs side-by-side
Because VNet flow logs fill many of the visibility gaps of NSG flow logs, it’s helpful to compare supported features and visibility side-by-side.
Scope | NSG flow logs | VNet flow logs |
---|---|---|
Identifying virtual network encryption | No | Yes |
Azure Application Gateway | No | Yes |
ExpressRoute Gateway | No | Yes |
VPN Gateway | No | Yes |
Virtual machine scale sets | Yes | Yes |
Bytes and packets in stateless flows | No | Yes |
Azure API management | No | Yes |
Azure Virtual Network Manager | No | Yes |
Kentik provides comprehensive Azure observability
Azure VNet flow logs mark a significant advancement in network observability for Azure environments. They address many of the limitations of NSG flow logs and offer a comprehensive solution for monitoring and analyzing network traffic. Kentik leverages VNet flow logs to capture traffic at the virtual network level, extending visibility to a wide range of Azure resources. By using VNet flow logs, Kentik provides unparalleled insight into network behavior and performance.