Restrict access to the Storage Account used for Flow logs
I have received a question from my customer on how to restrict the access to the SA. In this documentation it looks like there is no way to restrict access. I have investigated internally, and I have found an old post where the PG says this: "NSG flow logs supports uploading logs to a storage account where private endpoint is enabled (but Microsoft trusted services are allowed to access). Also, if the communication is happening from the subnet to the storage account it would get recorded by the platform as well in the NSG flow logs"
This means the public documentation is not updated; please can you verify if this is the case and update the doc? The customer needs to have official evidence for their decision, especially on security concerns.
Thanks, Ric
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: c2690676-f133-5fdc-2a49-f8ef1fefbff0
- Version Independent ID: 3de811d4-4f40-a7a7-9129-38674e365c6f
- Content: Manage NSG Flow logs - Azure PowerShell - Azure Network Watcher
- Content Source: articles/network-watcher/network-watcher-nsg-flow-logging-powershell.md
- Service: network-watcher
- GitHub Login: @damendo
- Microsoft Alias: damendo
@ripom Thanks for your feedback! We have assigned the issue to the author, who will provide further updates.
#reassign: @Harsha-CS
@Harsha-CS Can you please review this GitHub issue?
Thank you for your dedication to our documentation.
Unfortunately, we have been unable to review this issue in a timely manner. We sincerely apologize for the delayed response. We will create an internal tracking work item to address this issue. For now, we are closing this issue. If you have any additional information you would like to provide, please respond to this issue with any additional details.
Please continue to provide feedback about the documentation. We appreciate your contributions to our community.
#please-close
Hi @ripom, Yes, you're right, Network Watcher supports sending NSG flow logs data to a storage account enabled with a private endpoint. I'm updating Network Watcher FAQ. Expect to see the update reflected in the public doc in the next 12-24 hours.
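The storage firewall setting the quoted statement depends on (default deny with trusted Microsoft services allowed), as an added Azure PowerShell example that is not part of this thread or of the linked article. It covers only the firewall rule set, not creation of the private endpoint; the resource group and account names are placeholders, and the Az.Storage module with a signed-in session is assumed.

```powershell
# Added example. Placeholders: set these to the storage account that receives the NSG flow logs.
$ResourceGroup  = '<resource-group>'
$StorageAccount = '<storage-account>'

# Read the current firewall rule set of the storage account.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup -Name $StorageAccount

# Bypass is a flags value (None, Logging, Metrics, AzureServices); split it into names.
$current = "$($rules.Bypass)" -split '\s*,\s*' | Where-Object { $_ -and $_ -ne 'None' }
$trustedAllowed = $current -contains 'AzureServices'
$defaultDeny    = "$($rules.DefaultAction)" -eq 'Deny'

Write-Output "Before: DefaultAction=$($rules.DefaultAction) Bypass=$($rules.Bypass)"

if (-not ($defaultDeny -and $trustedAllowed)) {
    # Keep any bypass flags already set and add AzureServices, so the platform
    # can still write flow logs once public network access defaults to Deny.
    $bypass = (@($current) + 'AzureServices' | Select-Object -Unique) -join ','

    # Apply both settings in one call so there is no window in which the
    # default action is Deny while trusted services are still blocked.
    Update-AzStorageAccountNetworkRuleSet `
        -ResourceGroupName $ResourceGroup `
        -Name $StorageAccount `
        -DefaultAction Deny `
        -Bypass $bypass | Out-Null
}

# Verify the resulting state and fail loudly if it is not what was intended.
$after = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup -Name $StorageAccount
Write-Output "After:  DefaultAction=$($after.DefaultAction) Bypass=$($after.Bypass)"

if ("$($after.DefaultAction)" -ne 'Deny' -or "$($after.Bypass)" -notmatch 'AzureServices') {
    throw "Storage account '$StorageAccount' is not in the expected state (Deny + AzureServices bypass)."
}
```

Switching the default action to Deny also blocks every other client that is not covered by an existing IP rule, virtual network rule or private endpoint, so review `$after.IpRules` and `$after.VirtualNetworkRules` before applying this to an account that is already in use.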