Configure Hit Counters
Storage retention via diagnostic settings is being deprecated and new rules can no longer be configured. To maintain your existing retention rules, Microsoft recommends migrating to Azure Storage Lifecycle Management by September 30, 2025.
On September 30, 2027, network security group (NSG) flow logs will be retired. As part of this retirement, you'll no longer be able to create new NSG flow logs starting June 30, 2025. Microsoft recommends migrating to virtual network (VNet) flow logs.
Permissions needed for the roles
- General role: Reader to view existing Azure resources
- Storage role: Storage Blob Data Reader
- Storage Account: Reader and Data Access
- Microsoft.Storage/storageAccounts/listKeys/action
To learn about adding custom roles to the Azure app registration, review this Microsoft documentation:
https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles
Enable Diagnostic Settings
- Log on to the Microsoft Azure portal.
- In the search box, type “network security groups” and select Network security groups from the search results.
- Select the VNet for which you want to enable logging.
- In Monitoring, select Diagnostic settings.
- Click Add diagnostic setting.
- Enter a Name for the diagnostic setting (e.g., “myNsgDiagnostic”).
- For Logs, select either allLogs or individual log categories (such as Event and Rule counter).
- In Destination details, select Archive to a storage account.
- Configure the storage account where you want to store the logs.
- Click Save.
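The same diagnostic setting created from PowerShell with the Az module, as an added example that is not part of the original page: it archives the Event and Rule counter categories to a storage account and then checks the result. The resource group, NSG and storage account names are placeholders.

```powershell
# Added example (not from the original page): create the NSG diagnostic setting
# described in the portal steps with the Az PowerShell module, then verify it.
# Placeholder names (rg-network, nsg-web, stnsglogs001): replace with your own.
# Requires Az.Accounts, Az.Network, Az.Storage and Az.Monitor (4.x or later).
Connect-AzAccount

$resourceGroup  = 'rg-network'
$nsgName        = 'nsg-web'
$storageAccount = 'stnsglogs001'
$settingName    = 'myNsgDiagnostic'   # same name as in the portal steps

$nsg     = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name $nsgName
$storage = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount

# Resource-provider category names behind the portal labels "Event" and "Rule counter".
$categories = 'NetworkSecurityGroupEvent', 'NetworkSecurityGroupRuleCounter'
$logSettings = foreach ($category in $categories) {
    New-AzDiagnosticSettingLogSettingsObject -Category $category -Enabled $true
}

# Archive to the storage account. No retention days are set here: storage retention
# via diagnostic settings is deprecated, so retention belongs in Lifecycle Management.
New-AzDiagnosticSetting -Name $settingName `
    -ResourceId $nsg.Id `
    -StorageAccountId $storage.Id `
    -Log $logSettings

# Verify: both categories enabled and the destination is the intended storage account.
$setting = Get-AzDiagnosticSetting -ResourceId $nsg.Id -Name $settingName
$enabled = $setting.Log | Where-Object Enabled | Select-Object -ExpandProperty Category
$missing = $categories | Where-Object { $_ -notin $enabled }
if ($missing) {
    Write-Error "Diagnostic setting '$settingName' is missing categories: $($missing -join ', ')"
} elseif ($setting.StorageAccountId -ne $storage.Id) {
    Write-Error "Diagnostic setting '$settingName' does not archive to '$storageAccount'"
} else {
    Write-Output "NSG '$nsgName' archives $($enabled -join ', ') to '$storageAccount'."
}
```

The identity running this needs write access to the NSG's diagnostic settings, which is more than the Reader roles listed above for the integration itself.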
Create a VNet flow log
Microsoft offers three options to create a VNet flow log, each with its own set of prerequisites.
- Portal
- PowerShell
- Azure CLI
Learn more
To learn about how to create a VNet flow log, review this Microsoft documentation:
https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-manage?tabs=portal