Hi.
I'm building CLI code to create our network as code, using cli as our default.
Now, I have been struggling all day to get it to work.
This is, we have a centralized storage and log analytics workspace in a separate subscription that we want to use for every NSG on the network.
This article from 2018 states that it is possible, and it is, if done using the portal.
https://azure.microsoft.com/es-es/blog/new-azure-network-watcher-integrations-and-network-security-group-flow-logging-updates/
But, using CLI and `az network watcher flow-log create`, it is not possible.
Now I finally got this:
(FlowLogTargetResourceIsInDifferentSubscription) Target resource /subscriptions/123e3418-XXXXXXXXXX--XXXX-a1d9a0dc/resourceGroups/rg-dev-infra/providers/Microsoft.Network/networkSecurityGroups/nsg-vn-devtest-sn-internal-default should be in the same subscription as flow log resource d52ec4e6-XXXX-XXXXXXXXXX-cf3.
Code: FlowLogTargetResourceIsInDifferentSubscription
Message: Target resource /subscriptions/123e3418-XXXXXXXXXX--XXXX-a1d9a0dc/resourceGroups/rg-dev-infra/providers/Microsoft.Network/networkSecurityGroups/nsg-vn-devtest-sn-internal-default should be in the same subscription as flow log resource d52ec4e6-3349-XXXX-XXXXXXXXXX-cf3.
This totally contradicts what the article says and also what can be done using the portal.
The code I use:
```bash
NSG_ID=$(az network nsg show --resource-group $RESOURCE_GROUP --name $NSG --query "id" --output tsv)
FLOWLOG_STORAGE_ID=$(az storage account show --subscription $FLOWLOG_SUBSCRIPTION --resource-group $FLOWLOG_RESOURCE_GROUP --name $FLOWLOG_STORAGE --query "id" --output tsv)
WORKSPACE_ID=$(az monitor log-analytics workspace show --subscription $FLOWLOG_SUBSCRIPTION --resource-group $FLOWLOG_RESOURCE_GROUP --workspace-name $FLOWLOG_WORKSPACE --query "id" --output tsv)
az network watcher flow-log create \
  --location $LOCATION \
  --name ${NSG}-flowlog \
  --nsg $NSG_ID \
  --subscription $FLOWLOG_SUBSCRIPTION \
  --storage-account $FLOWLOG_STORAGE_ID \
  --workspace $WORKSPACE_ID \
  --log-version 2 \
  --retention 30
```
Thanks
// Thomas
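Added example, not Thomas's code: the error quoted above says the target NSG must share a subscription with the flow log *resource* itself, and `--subscription` decides where that resource is created. This script derives that value from the NSG's resource ID, keeps the storage account and workspace IDs from the central subscription, and adds a pre-flight check that reports the same mismatch the post ran into. Variable names follow the post; the function names and the sample resource ID are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Function names are assumptions.
set -euo pipefail

# Extract the subscription GUID from an ARM resource ID of the form
# /subscriptions/<guid>/resourceGroups/<rg>/providers/...
subscription_of() {
  local id="$1"
  id="${id#/subscriptions/}"   # drop the leading "/subscriptions/"
  printf '%s\n' "${id%%/*}"    # keep the first path segment only
}

# Pre-flight check mirroring FlowLogTargetResourceIsInDifferentSubscription:
# the flow log resource is created under the subscription passed to
# --subscription, so that value must equal the NSG's own subscription.
# Prints "ok" and returns 0, or prints the reason and returns 1.
check_flowlog_subscription() {
  local nsg_id="$1" flowlog_sub="$2" nsg_sub
  nsg_sub="$(subscription_of "$nsg_id")"
  if [ "$nsg_sub" != "$flowlog_sub" ]; then
    echo "mismatch: flow log would be created in $flowlog_sub but NSG is in $nsg_sub"
    return 1
  fi
  echo ok
}

# Create the flow log in the NSG's subscription; storage account and workspace
# IDs still point at the central subscription (they are full resource IDs).
create_flowlog() {
  local nsg_sub
  nsg_sub="$(subscription_of "$NSG_ID")"
  check_flowlog_subscription "$NSG_ID" "$nsg_sub" >/dev/null
  az network watcher flow-log create \
    --location "$LOCATION" \
    --name "${NSG}-flowlog" \
    --nsg "$NSG_ID" \
    --subscription "$nsg_sub" \
    --storage-account "$FLOWLOG_STORAGE_ID" \
    --workspace "$WORKSPACE_ID" \
    --log-version 2 \
    --retention 30
}

# Only call az when it is installed and the inputs are set, so the file can
# also be sourced just for the check functions.
if command -v az >/dev/null 2>&1 && [ -n "${NSG_ID:-}" ]; then
  create_flowlog
fi
```

Run `check_flowlog_subscription "$NSG_ID" "$FLOWLOG_SUBSCRIPTION"` with the post's original variables to see the mismatch reported before any `az` call is made.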