I am unable to enable and configure the flow log for a network security group, using a storage account in either the NetworkWatcherRG or another existing resource group. I am wondering what I am doing wrong from the SDK, as I can do so from the Azure GUI easily.

To Reproduce

  • retrieve network watchers for network watcher in correct region
  • retrieve flow settings for existing network security group in the region
  • update flow settings to enable logging and set storage to existing storage account

    // Find the Network Watcher for the target region
    final PagedList<NetworkWatcher> nws = adapter.getItsAzure().networkWatchers().list();

    NetworkWatcher retval = null;
    for (final NetworkWatcher nw : nws) {
        if (nw.region().equals(Region.GOV_US_VIRGINIA)) {
            retval = nw;
        }
    }

    // Create a storage account in the Network Watcher's resource group
    final ResourceGroup rg = adapter.getItsAzure().resourceGroups().getByName(retval.resourceGroupName());
    final StorageAccount sa = adapter.getItsAzure().storageAccounts().define(ResourceNameType.STORAGE_ACCOUNT.randomName("networkwatchersa"))
        .withRegion(Region.GOV_US_VIRGINIA)
        .withExistingResourceGroup(rg)
        .withAccessFromAllNetworks()
        .create();

    // Look up the existing network security group
    final String rgName = "resource-group-38f6628eccb84ec9aa1cd9b3c8f5f815";
    final NetworkSecurityGroup nsg = adapter.getItsAzure().networkSecurityGroups().getByResourceGroup(rgName, "add-network1-nat-securitygroup");

    // Read the current flow log settings for the NSG
    final FlowLogSettings fls = retval.getFlowLogSettings(nsg.id());

    LOGGER.info("Found fls with enabled {} and storage id {}", fls.enabled(), fls.storageId());

    // Enable logging to the storage account (this call fails with the error below)
    fls.update()
        .withLogging()
        .withStorageAccount(sa.id())
        .apply();

The client has permission to perform action 'Microsoft.OperationalInsights/workspaces/sharedKeys/action' on scope '/subscriptions/{subscription_id}/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_usgovvirginia', however the linked subscription 'resourcegroups' was not found

Note: the subscription ID was present in the above error; it has just been redacted for posting.

Expected behavior

I expect to be able to enable flow logs for the NSG in a storage account, or to get a more elaborate error message. I cannot currently determine what the issue is.

Setup:

  • OS: macOS
  • IDE: Eclipse, Version: 2019-06 (4.12.0)
  • Version of the library used: 1.23

Additional context

The call has been attempted with the Service Principal as both a contributor and owner in the subscription. I am trying to understand the error message, as the SDK call seems straightforward. I suspect it is a permissions or ownership issue.

Elwyrn

1 Answer

I have reproduced this issue on my side, and I have finally worked it out. Just ignore the misleading error message you got.

You need to provide TrafficAnalyticsConfigurationProperties to the FlowLogSettings, even if you do not want to turn it on. So, you need to create a Log Analytics workspace first. You can refer to the following code to enable and configure the flow log for the NSG.

    NetworkWatcher nw = azure.networkWatchers().listByResourceGroup("NetworkWatcherRG").get(1);
    // Fill in the resource group and resource names (left empty here)
    NetworkSecurityGroup nsg = azure.networkSecurityGroups().getByResourceGroup("", "");
    StorageAccount sa = azure.storageAccounts().getByResourceGroup("", "");
    FlowLogSettings settings = nw.getFlowLogSettings(nsg.id());
    // Traffic Analytics configuration must be supplied even though it stays disabled
    TrafficAnalyticsConfigurationProperties networkWatcherFlowAnalyticsConfiguration = new TrafficAnalyticsConfigurationProperties();
    networkWatcherFlowAnalyticsConfiguration
            .withWorkspaceId("")
            .withWorkspaceRegion(Region.ASIA_SOUTHEAST.toString())
            .withWorkspaceResourceId("")
            .withEnabled(false);
    settings.inner().flowAnalyticsConfiguration()
            .withNetworkWatcherFlowAnalyticsConfiguration(networkWatcherFlowAnalyticsConfiguration);
    // Enable logging with a 30-day retention policy, writing to the storage account
    settings.update().withLogging().withRetentionPolicyEnabled().withRetentionPolicyDays(30)
            .withStorageAccount(sa.id()).apply();

Md Farid Uddin Kiron