Ensure Flow-Logs are Enabled on NSG

Ensure to enable Flow-Logs on NSG in order to keep track of network activities and be alerted on suspicious/malicious network operations in your Azure account.

Risk Level: Low
Cloud Entity: Network security group
CloudGuard Rule ID: D9.AZU.NET.59
Covered by Spectral: No
Category: Networking & Content Delivery


NetworkSecurityGroup should have nsgFlowLog.properties.enabled=true


With Azure CLI:
az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location


Network security group

You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

Compliance Frameworks

  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset