AZ-500 Microsoft Azure Security Technologies Exam
Are you a guardian of your domain? Learn how to leverage your aptitude in security to protect Microsoft Azure technologies, with a goal of earning the Microsoft Certified: Azure Security Engineer Associate certification!
Practice Test
Expert
Monitor network security by using Network Watcher
Analyze NSG Flow Logs and Packet Captures
Network Security Group (NSG) flow logs provide recorded information about IP traffic flowing through an NSG. These logs are written in JSON format and include details such as source and destination IP addresses, ports, protocols, and whether traffic was allowed or denied. By sending these logs to a Log Analytics workspace, you can query and visualize traffic patterns over time. This high-level view helps you spot trends and rule hits across your virtual network.
To enable NSG flow logs, you must link an NSG to a diagnostic setting and choose a destination, such as a storage account or Log Analytics. Once configured, the logs capture:
- Outbound and inbound flows for each NSG rule
- The ID of the network interface (NIC) that handled the traffic
- Flow status showing allowed or denied traffic
These logs update regularly and can be retained for auditing or compliance purposes. You can also configure log retention and archival in the storage account settings to meet your data retention policies.
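The flow log layout described above is simple enough to process offline before it ever reaches a workspace. The following added example (not part of the course material) parses the documented JSON layout, handles both the 8-field version 1 and 13-field version 2 flow tuples, and counts denied flows per rule and per source address; the record, MAC and RFC 5737 addresses are constructed sample data.

```python
"""Parse NSG flow log records and summarise denied flows per rule and source."""
import json
from collections import Counter

# Constructed sample record: two NSG rules, version 2 flow tuples
# (timestamp,src,dst,sport,dport,proto,direction,decision,state,pkts,bytes,pkts,bytes)
SAMPLE_LOG = json.dumps({"records": [{
    "time": "2024-01-01T10:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF80000",
         "flowTuples": [
            "1704103200,203.0.113.5,10.0.0.4,51000,22,T,I,D,B,,,,",
            "1704103201,203.0.113.5,10.0.0.4,51001,3389,T,I,D,B,,,,",
            "1704103202,198.51.100.7,10.0.0.4,52000,445,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHTTPS", "flows": [{"mac": "000D3AF80000",
         "flowTuples": [
            "1704103203,198.51.100.9,10.0.0.4,40000,443,T,I,A,B,6,900,4,3000"]}]}
    ]}}]})

def parse_flow_tuples(log_text):
    """Yield one dict per flow tuple; works for v1 (8 fields) and v2 (13 fields)."""
    for record in json.loads(log_text)["records"]:
        for rule_entry in record["properties"]["flows"]:
            for nic_flows in rule_entry["flows"]:
                for tup in nic_flows["flowTuples"]:
                    f = tup.split(",")
                    yield {"rule": rule_entry["rule"], "mac": nic_flows["mac"],
                           "ts": int(f[0]), "src": f[1], "dst": f[2],
                           "sport": int(f[3]), "dport": int(f[4]),
                           "proto": {"T": "TCP", "U": "UDP"}.get(f[5], f[5]),
                           "direction": "in" if f[6] == "I" else "out",
                           "decision": "allow" if f[7] == "A" else "deny",
                           # byte counters exist only in v2 and are empty for denied flows
                           "bytes_src": int(f[10]) if len(f) > 10 and f[10] else 0}

def summarise(log_text):
    """Return (denied flows per rule, denied flows per source IP)."""
    denied_by_rule, denied_by_src = Counter(), Counter()
    for flow in parse_flow_tuples(log_text):
        if flow["decision"] == "deny":
            denied_by_rule[flow["rule"]] += 1
            denied_by_src[flow["src"]] += 1
    return denied_by_rule, denied_by_src

def noisy_sources(log_text, threshold):
    """Sources whose denied-flow count reaches the threshold, busiest first."""
    _, denied_by_src = summarise(log_text)
    return [src for src, n in denied_by_src.most_common() if n >= threshold]
```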
Packet capture sessions let you gather raw network traffic directly from a Virtual Machine (VM) or VM scale set for deeper packet-by-packet analysis. To set up packet capture, you need:
- An Azure subscription with Network Watcher enabled
- A VM or VM scale set with the Network Watcher agent extension installed
- A storage account or local file location accessible from the VM’s subnet
With these prerequisites in place, you can capture specific traffic flows, inspect protocols, and find hidden anomalies that flow logs alone might miss.
You can start a packet capture using the Azure portal, Azure CLI, or PowerShell. Typical steps include:
- Select Network Watcher > Packet capture > + Add
- Choose the target VM, assign a name, and pick a storage account or local file path
- Define filters like IP address, port, or protocol and set a time limit
After the session runs, the packet capture files (.pcap) are stored in your chosen location. You can download these files and open them in tools like Wireshark for detailed analysis.
By combining NSG flow logs and packet captures, you gain both a macro view and a micro view of your network traffic. Flow logs help detect spikes or unusual rule hits, while packet captures reveal the actual packet contents. Integrate these insights with Azure Monitor or Traffic Analytics for continuous threat detection and faster incident response. This multi-layered approach strengthens your overall network security posture.
Conclusion
In this section, we explored how Azure Network Watcher helps monitor network security through NSG flow logs and packet capture sessions. You learned how to enable and configure flow logs with diagnostic settings and where to store them for querying and visualization. We covered the prerequisites for packet capture, the steps to start a session, and how to analyze the resulting data. Finally, we saw the value of integrating these tools with Azure Monitor or Traffic Analytics to maintain continuous visibility and improve incident response.