
Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics: Needs to assess Microsoft.Network/networkWatchers/flowLogs/provisioningState

Open jcetina opened this issue 1 year ago • 3 comments

Details of the scenario you tried and the problem that is occurring

Flow logs can fail to provision correctly sometimes (we don't know why - they just do). When provisioning state fails, it is reflected in the JSON representation of the flowLog resource in properties.provisioningState. If this field does not equal Succeeded, then the resource is not correctly provisioned.

Verbose logs showing the problem

This is the only indication of error we get in Activity Logs.

{
  "RoleLocation": "North Central US",
  "Stamp": "FDWorker",
  "ReleaseVersion": "6.2024.46.11+3c79601.release_2024w46",
  "time": "2024-11-22T00:34:09.2141001Z",
  "resourceId": "/SUBSCRIPTIONS/81F81C41-D871-4740-A542-0E7B3D536214/RESOURCEGROUPS/NETWORKWATCHERRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKWATCHERS/NETWORKWATCHER_WESTUS2/FLOWLOGS/TESTWINVM-VNET-LICHAO127-TEST-WIN-FLOWLOG",
  "operationName": "MICROSOFT.NETWORK/NETWORKWATCHERS/FLOWLOGS/WRITE",
  "category": "Administrative",
  "resultType": "Failure",
  "resultSignature": "Failed.",
  "durationMs": "0",
  "callerIpAddress": "23.96.248.27",
  "correlationId": "14b66339-913b-7aeb-684d-78408020799e",
  "identity": {
    "authorization": {
      "scope": "/subscriptions/81f81c41-d871-4740-a542-0e7b3d536214/resourcegroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westus2/flowLogs/testwinvm-vnet-lichao127-test-win-flowlog",
      "action": "Microsoft.Network/networkWatchers/flowLogs/write",
      "evidence": {
        "role": "Contributor",
        "roleAssignmentScope": "/providers/Microsoft.Management/managementGroups/MG-GITHUB",
        "roleAssignmentId": "1c7820899fe5eb71bade1e5ad34bbafc",
        "roleDefinitionId": "b24988ac618042a0ab8820f7382dd24c",
        "principalId": "1b81b93d061b41eeb778ac29d4816c4f",
        "principalType": "ServicePrincipal"
      }
    },
    "claims": {
      "aud": "https://management.azure.com/",
      "iss": "https://sts.windows.net/398a6654-997b-47e9-b12b-9515b896b4de/",
      "iat": "1732235208",
      "nbf": "1732235208",
      "exp": "1732321908",
      "aio": "k2BgYJgvvj7ByP3Bns/rC6unmCfNAQA=",
      "appid": "bc6c9426-93d0-447f-95bc-486412ac94c5",
      "appidacr": "2",
      "http://schemas.microsoft.com/identity/claims/identityprovider": "https://sts.windows.net/398a6654-997b-47e9-b12b-9515b896b4de/",
      "idtyp": "app",
      "http://schemas.microsoft.com/identity/claims/objectidentifier": "1b81b93d-061b-41ee-b778-ac29d4816c4f",
      "rh": "1.AUYAVGaKOXuZ6UexK5UVuJa03kZIf3kAutdPukPawfj2MBPxAABGAA.",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "1b81b93d-061b-41ee-b778-ac29d4816c4f",
      "http://schemas.microsoft.com/identity/claims/tenantid": "398a6654-997b-47e9-b12b-9515b896b4de",
      "uti": "Izf428L9m0uwtvA38MubAA",
      "ver": "1.0",
      "xms_idrel": "7 24",
      "xms_mirid": "/subscriptions/81f81c41-d871-4740-a542-0e7b3d536214/providers/Microsoft.Authorization/policyAssignments/vnet_fundamentals",
      "xms_tcdt": "1576802647"
    }
  },
  "level": "Error",
  "properties": {
    "statusMessage": "{\"status\":\"Failed\",\"error\":{\"code\":\"ResourceOperationFailure\",\"message\":\"The resource operation completed with terminal provisioning state 'Failed'.\",\"details\":[{\"code\":\"InternalServerError\",\"message\":\"An error occurred.\",\"details\":[]}]}}",
    "eventCategory": "Administrative",
    "entity": "/subscriptions/81f81c41-d871-4740-a542-0e7b3d536214/resourcegroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westus2/flowLogs/testwinvm-vnet-lichao127-test-win-flowlog",
    "message": "Microsoft.Network/networkWatchers/flowLogs/write",
    "hierarchy": "398a6654-997b-47e9-b12b-9515b896b4de/MG-GITHUB/MG-GITHUB-NONPROD/81f81c41-d871-4740-a542-0e7b3d536214"
  },
  "tenantId": "398a6654-997b-47e9-b12b-9515b896b4de",
  "jobId": "ResourceLongOperationJob-GRL-NETWORKWATCHERRG-MICROSOFT:2ENETWORK:2FNETWORKWATCHERS:2FNETWORKWATCHER:5FWESTUS2:2FFLOWLOGS:2FTESTWINVM:2DVNET:2DLICHAO127:2DTEST:2DWIN:2DFLOWLOG-WESTUS2-00638678323168934826",
  "jobType": "ResourceLongOperationJob"
}

Suggested solution to the issue

Include the following check in the existenceCondition within the allOf block:

                  {
                    "field": "Microsoft.Network/networkWatchers/flowLogs/provisioningState",
                    "equals": "Succeeded"
                  }

If policy is Guest Configuration - details about target node

jcetina avatar Nov 22 '24 22:11 jcetina
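To make the effect of the proposed check concrete, here is an added example (it is not code from the azure-policy repository or from the issue author): a minimal evaluator for a DeployIfNotExists existenceCondition, run against constructed flowLog resource documents, plus a parser for Activity Log events shaped like the record above. The alias `Microsoft.Network/networkWatchers/flowLogs/provisioningState` is the one quoted in the issue; the `targetResourceId` and `enabled` aliases, the simplified alias-to-property mapping, the placeholder subscription and resource ids, the flowLog documents and the Activity Log event are all assumptions made for the example. The workspace, storage account and retention checks of the real built-in are left out.

```python
import json

FLOWLOG_TYPE = "Microsoft.Network/networkWatchers/flowLogs"


def resolve_alias(resource, alias):
    """Map a policy alias onto the resource document.

    Simplification (assumed, not how Azure Policy resolves aliases): an alias of
    the form '<type>/<prop>' reads resource['properties'][prop]; the bare
    aliases id/name/type/location read the top-level keys.
    """
    if alias in ("id", "name", "type", "location"):
        return resource.get(alias)
    if alias.startswith(FLOWLOG_TYPE + "/"):
        prop = alias[len(FLOWLOG_TYPE) + 1:]
        return resource.get("properties", {}).get(prop)
    raise ValueError(f"unsupported alias: {alias}")


def normalize(value):
    """'equals' is compared case-insensitively; booleans are written as strings in policy."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return value.lower() if isinstance(value, str) else value


def evaluate(condition, resource):
    """Evaluate a condition tree: allOf / anyOf / not / field+equals / field+exists."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = resolve_alias(resource, condition["field"])
    if "equals" in condition:
        return normalize(value) == normalize(condition["equals"])
    if "exists" in condition:
        return (value is not None) == (str(condition["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {condition}")


def existence_condition(vnet_id, require_succeeded):
    """Build the existenceCondition with or without the provisioningState check.

    [field('id')] from the real definition is pre-substituted with the vnet id here.
    """
    checks = [
        {"field": f"{FLOWLOG_TYPE}/targetResourceId", "equals": vnet_id},  # assumed alias
        {"field": f"{FLOWLOG_TYPE}/enabled", "equals": "true"},            # assumed alias
    ]
    if require_succeeded:  # the check proposed in the issue
        checks.append({"field": f"{FLOWLOG_TYPE}/provisioningState", "equals": "Succeeded"})
    return {"allOf": checks}


def vnet_compliant(flow_logs, condition):
    """DeployIfNotExists semantics: compliant iff at least one related flowLog matches."""
    return any(evaluate(condition, fl) for fl in flow_logs)


def failed_flowlog_writes(events):
    """Return (resourceId, innermost error code) for failed flowLog write events."""
    found = []
    for ev in events:
        if ev.get("operationName", "").upper() != "MICROSOFT.NETWORK/NETWORKWATCHERS/FLOWLOGS/WRITE":
            continue
        if ev.get("resultType") != "Failure":
            continue
        status = json.loads(ev["properties"]["statusMessage"])  # statusMessage is a JSON string
        error = status.get("error", {})
        details = error.get("details") or []
        code = details[0].get("code") if details else error.get("code")
        found.append((ev["resourceId"], code))
    return found


# Constructed sample data with placeholder ids (not real resources).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VNET_APP = f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Network/virtualNetworks/vnet-app"
VNET_HUB = f"{SUB}/resourceGroups/rg-hub/providers/Microsoft.Network/virtualNetworks/vnet-hub"
NW = f"{SUB}/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westus2"

SAMPLE_FLOW_LOGS = [  # one flowLog whose deployment ended in 'Failed', one healthy one
    {"id": f"{NW}/flowLogs/vnet-app-flowlog", "type": FLOWLOG_TYPE,
     "properties": {"targetResourceId": VNET_APP, "enabled": True, "provisioningState": "Failed"}},
    {"id": f"{NW}/flowLogs/vnet-hub-flowlog", "type": FLOWLOG_TYPE,
     "properties": {"targetResourceId": VNET_HUB, "enabled": True, "provisioningState": "Succeeded"}},
]

SAMPLE_EVENTS = [  # constructed Activity Log record shaped like the one in the issue
    {"operationName": "MICROSOFT.NETWORK/NETWORKWATCHERS/FLOWLOGS/WRITE", "resultType": "Failure",
     "resourceId": f"{NW}/flowLogs/vnet-app-flowlog".upper(),
     "properties": {"statusMessage": json.dumps({"status": "Failed", "error": {
         "code": "ResourceOperationFailure",
         "message": "The resource operation completed with terminal provisioning state 'Failed'.",
         "details": [{"code": "InternalServerError", "message": "An error occurred.", "details": []}]}})}},
]

if __name__ == "__main__":
    for vnet in (VNET_APP, VNET_HUB):
        print(vnet.rsplit("/", 1)[-1],
              "without check:", vnet_compliant(SAMPLE_FLOW_LOGS, existence_condition(vnet, False)),
              "with check:", vnet_compliant(SAMPLE_FLOW_LOGS, existence_condition(vnet, True)))
    print(failed_flowlog_writes(SAMPLE_EVENTS))
```

Without the provisioningState clause, vnet-app is reported compliant because a flowLog resource exists for it, even though that resource is in the `Failed` state and is not collecting anything; with the clause, the existence condition is not met, so the policy reports non-compliance and a remediation task deploys the flow log again. `failed_flowlog_writes` pulls the inner `InternalServerError` code out of the `statusMessage` string so the failures can be counted or alerted on from the Activity Log export.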

Note: this also applies to Configure virtual network to enable Flow Log and Traffic Analytics

jcetina avatar Nov 22 '24 22:11 jcetina

We have the same issue; there is no clear indication of why provisioning is failing. It might be due to the parallelism of remediating multiple virtual networks' flow logs at the same time.

AlexanderRijnbeek avatar Feb 14 '25 07:02 AlexanderRijnbeek

Maybe this helps you: https://learn.microsoft.com/fr-fr/answers/questions/2276132/permission-for-virtual-network-flow-logs-to-enable

I had the issue that the vnet flow log was created, but the provisioning state was "Failed". This helped me.

Tim-herbie avatar Aug 11 '25 09:08 Tim-herbie