Azure Flow Logs not logging all traffic

I managed to set up NSG Flow Logs in Azure for one of my NSGs using the MS documentation: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview

I can download the JSON files from the storage account and inspect them. I also can use the PowerBI dashboard and view the information generated from the flow logs. I used the modified PowerBI dashboard from Sameeraman:

https://sameeraman.wordpress.com/2018/11/15/azure-network-troubleshooting-using-nsg-flow-logs-and-powerbi-part-2/

Now I want to modify the PowerBI dashboard in such a way that I can view the amount of bytes sent and received from or to hosts. I am able to do this, however, when setting it up, I noticed that not all traffic seems to be logged.

I used 2 methods to generate traffic from my local machine to the Azure VM through the internet as a test. I copied several large files via RDP and created a linked server on my local SQL Server instance to the SQL Server instance on the Azure VM and inserted a bunch of data into tables on a test database there. Now, I don't see the traffic in the NSG logs as I would expect. I would expect that there were a lot of entries or at least 1 entry that states a lot of bytes have been transferred, but none of that. I only see a single entry in the NSG log, but without any bytes sent.

As an example: "1641291993,x.x.x.x,10.0.2.4,54955,1433,T,I,A,B,,,,"

The above is flow state 'Begin' and there is no 'C' for 'Continue' or 'E' for 'End' to be found in any log following this one. So I was thinking that the session might still be open and then it probably would log one entry again with the 'End' flow state, mentioning the amount of bytes sent in total for that session (since the bytes sent are accumulative, refer to docs), when I closed my SQL Server Management Studio for example. This did not seem to work. There were no subsequent log entries from the particular source IP. Nothing at all.

So to summarize, I created an NSG Flow Log for a particular NSG that is applied to the subnet of a specific VM. I then generated network traffic by copying large files to the VM and inserting data via SQL Server into a table in a database on that VM from my local workstation. Then I looked at the NSG flow log entries, but found only 1 entry for every action (e.g. the SQL inserts), even when I closed my session (e.g. SSMS) to the VM.

To be sure, I also created a separate rule in the NSG for in and outbound to allow traffic to and from this Azure VM on that particular port. This way the packets I send from my local machine should be matched to and logged under that rule.

So I am wondering if I am doing something wrong here or whether the logging works differently from my expectations?

Edit 20220107: In the meantime I also set up Traffic Analysis in Azure. It shows me exactly the same. The amount of traffic does not correspond with the traffic I have sent to or extracted from the Azure machine to my local computer. Also, it seems that the traffic measured is only between the Azure VM and a couple of Azure public IPs, so that is kind of strange. For some reason it looks like the traffic between the VM and my home PC is not shown or measured.
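As an added example (not code from the post, from Microsoft, or from the PowerBI dashboard mentioned above), a small Python parser for the 13-field v2 flow tuples that groups records per flow, sums bytes per remote host, and flags flows that have a Begin record but no End record, the pattern described in the question. The sample tuples are constructed, and the parser assumes, as the post says, that the counters in C/E records are cumulative, so the latest record carries the flow total.

```python
from collections import defaultdict

# Constructed sample tuples in the NSG flow log v2 layout:
# time,src,dst,sport,dport,proto,dir,decision,state,pkts_s2d,bytes_s2d,pkts_d2s,bytes_d2s
# Counters are empty on 'B' records; assumed cumulative on 'C'/'E' (per the post).
SAMPLE_TUPLES = """\
1641291993,203.0.113.10,10.0.2.4,54955,1433,T,I,A,B,,,,
1641292293,203.0.113.10,10.0.2.4,54955,1433,T,I,A,C,120,48000,80,9000
1641292593,203.0.113.10,10.0.2.4,54955,1433,T,I,A,E,400,250000,210,30000
1641292001,203.0.113.10,10.0.2.4,55012,3389,T,I,A,B,,,,
"""

FIELDS = ["ts", "src", "dst", "sport", "dport", "proto", "direction",
          "decision", "state", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s"]

def parse_tuple(line):
    """Parse one comma-separated flow tuple into a dict; empty counters become 0."""
    row = dict(zip(FIELDS, line.split(",")))
    for k in ("pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s"):
        row[k] = int(row[k]) if row[k] else 0
    row["ts"] = int(row["ts"])
    return row

def summarize_flows(text):
    """Group records by 5-tuple + direction; record state history and byte totals."""
    flows = defaultdict(lambda: {"states": [], "bytes_s2d": 0, "bytes_d2s": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse_tuple(line)
        key = (r["src"], r["dst"], r["sport"], r["dport"], r["proto"], r["direction"])
        f = flows[key]
        f["states"].append(r["state"])
        # Cumulative counters: the most recent record carries the running total.
        f["bytes_s2d"] = max(f["bytes_s2d"], r["bytes_s2d"])
        f["bytes_d2s"] = max(f["bytes_d2s"], r["bytes_d2s"])
    for f in flows.values():
        f["complete"] = "E" in f["states"]   # an 'E' record closes the flow
    return dict(flows)

def bytes_per_host(flows):
    """Sum bytes sent/received per remote (source) host across all of its flows."""
    totals = defaultdict(lambda: {"sent": 0, "received": 0})
    for key, f in flows.items():
        totals[key[0]]["sent"] += f["bytes_s2d"]
        totals[key[0]]["received"] += f["bytes_d2s"]
    return dict(totals)

def incomplete_flows(flows):
    """Flows that only ever logged 'B' (or 'C') and never an 'E' record."""
    return [k for k, f in flows.items() if not f["complete"]]
```

Running this over the JSON records' `flowTuples` arrays (one string each) makes it easy to see which flows are missing their End record and therefore contribute no byte counts to a per-host total.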
