How can we improve Azure Networking?

Network Security Group logging capabilities to show dropped packets

Enable Network Security Group logging capabilities to show dropped packets.

Please provide a way to log the dropped packets that are blocked by Network Security Groups and make the log accessible to us for auditing and security reasons.

500 votes
Anonymous shared this idea

17 comments

  • Hassan commented

    Looks like this was just released in preview as part of the new Network Watcher service:

    NSG flow logs
    Flow data is a critical component for diagnosing and validating your Network Security Group configurations. You can now enable logging of NSG flow data that is allowed or denied per Network Security Group setting to help meet these needs. The NSG flow information includes timestamp, source IP, destination IP, source port, destination port and protocol, the Network Security Group and the security rule. This data can be ingested and visualized by Microsoft tools such as Power BI, as well as security information and event management tools provided by 3rd party partners and open source tools.
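As an added example (not part of the original thread and not Microsoft's code): a Python parser that pulls the denied flows out of an NSG flow log of the kind described in the comment above. It assumes the version 1 JSON layout written by Network Watcher (records, then properties.flows per rule, then flowTuples of the form `timestamp,src IP,dst IP,src port,dst port,protocol,direction,decision`); the sample record, NSG name, rule names and addresses are constructed.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample record (not real traffic), assuming the version 1 layout.
SAMPLE = json.dumps({"records": [{
    "time": "2017-02-16T22:00:32.8950000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/EXAMPLE/RESOURCEGROUPS/RG1/PROVIDERS/"
                  "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
    "properties": {"Version": 1, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{
            "mac": "000D3AF8801A",
            "flowTuples": [
                "1487282421,203.0.113.7,10.0.0.4,51529,3389,T,I,D",
                "1487282432,203.0.113.7,10.0.0.4,51533,3389,T,I,D",
                "1487282440,198.51.100.9,10.0.0.4,40112,22,T,I,D"]}]},
        {"rule": "UserRule_Allow-HTTPS", "flows": [{
            "mac": "000D3AF8801A",
            "flowTuples": ["1487282450,198.51.100.9,10.0.0.4,40200,443,T,I,A",
                           "malformed,tuple"]}]}]}}]})

FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port",
          "proto", "direction", "decision")

def iter_flows(doc):
    """Yield one dict per well-formed flow tuple, tagged with NSG and rule."""
    for rec in doc.get("records", []):
        nsg = rec.get("resourceId", "").rsplit("/", 1)[-1]
        for rule in rec.get("properties", {}).get("flows", []):
            for group in rule.get("flows", []):
                for raw in group.get("flowTuples", []):
                    parts = raw.split(",")
                    if len(parts) < len(FIELDS) or not parts[0].isdigit():
                        continue  # skip truncated or malformed tuples
                    flow = dict(zip(FIELDS, parts))
                    flow["time"] = datetime.fromtimestamp(int(parts[0]), timezone.utc)
                    flow.update(nsg=nsg, rule=rule.get("rule", ""))
                    yield flow

def denied(doc):
    """Return only the flows the NSG dropped (decision 'D')."""
    return [f for f in iter_flows(doc) if f["decision"] == "D"]

def top_denied(doc):
    """Count dropped flows per (source IP, destination port, rule)."""
    return Counter((f["src_ip"], int(f["dst_port"]), f["rule"])
                   for f in denied(doc)).most_common()

if __name__ == "__main__":
    for (src, port, rule), n in top_denied(json.loads(SAMPLE)):
        print(f"{n:3d} denied  {src} -> port {port}  ({rule})")
```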

  • Ralf Todenhagen commented

    Is considered an important feature on our side - it is a standard feature in (on prem) firewall and security logging/monitoring. Might prevent us from implementing additional third party security VMs.

  • Hassan commented

    Please, please can we get an update to this, it's really not that hard for a product manager to keep an eye on their own feedback items.

  • Asier commented

    This is an important feature to have visibility about the deny and allow rules.

  • Michael Meaney commented

    Hello,

    Are there any further updates regarding this feature? It's quite a crucial capability we need for assurance, and a current blocker for our use of Azure.

    Regards.

  • Marc DEVIN commented

    Hello Azure Team,

    More than a year after announcing this quite essential feature as "planned", it is still in "planned" state... Is it still in the Azure roadmap? Do you have any update about the ETA?

    Regards,

  • Anonymous commented

    Event logging (specific source IP, destination IP, port/service) needs to be enhanced for troubleshooting and security investigations.

  • Pedram Sanayei commented

    Can we include enabling Diagnostics through the resource group templates used to define the NSG (this in fact covers every resource that implements diagnostics)? Unfortunately the only way it seems possible to enable diagnostics is via the console, which is a problem for us as we only perform write actions through the use of a template.

  • Anitha commented

    Thanks for the feedback. We are working on this feature. It will be available in the second half of CY16.

  • Bryan Fuehrer commented

    How can you not provide logs for a firewall!?

    As much as I love so many of the other features of Azure, this is a production road block for any troubleshooting.

  • Eric van Aken commented

    Would like to have this option, building NSGs but can't seem to find out why the application is not working.

  • Anonymous commented

    I think this is extremely important as rules without visibility to see their impact are dangerous and likely not to be used. NSG logging should be released soon.
