
[BUG] Unable to enable and configure flow log for network security group #767

Closed

Description

Describe the bug
Unable to enable and configure flow log for network security group, using a storage account in either the NetworkWatcherRG or another existing resource group

Exception or Stack Trace
The client has permission to perform action 'Microsoft.OperationalInsights/workspaces/sharedKeys/action' on scope '/subscriptions/{subscription_id}/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_usgovvirginia', however the linked subscription 'resourcegroups' was not found

To Reproduce

  • retrieve network watchers
  • for network watcher in correct region
  • retrieve flow settings for existing network security group in the region
  • update flow settings to enable logging and set storage to existing storage account

Code Snippet

import com.microsoft.azure.PagedList;
import com.microsoft.azure.management.Azure;
import com.microsoft.azure.management.network.FlowLogSettings;
import com.microsoft.azure.management.network.NetworkSecurityGroup;
import com.microsoft.azure.management.network.NetworkWatcher;
import com.microsoft.azure.management.resources.ResourceGroup;
import com.microsoft.azure.management.resources.fluentcore.arm.Region;
import com.microsoft.azure.management.storage.StorageAccount;

// adapter.getItsAzure(), ResourceNameType and LOGGER are the reporter's own wrappers around the SDK client.
final Azure azure = adapter.getItsAzure();

// Find the network watcher for the target region; stop at the first match.
final PagedList<NetworkWatcher> nws = azure.networkWatchers().list();
NetworkWatcher retval = null;
for (final NetworkWatcher nw : nws) {
    if (nw.region().equals(Region.GOV_US_VIRGINIA)) {
        retval = nw;
        break;
    }
}
if (retval == null) {
    throw new IllegalStateException("No network watcher found in region " + Region.GOV_US_VIRGINIA.name());
}

// Create the storage account that will receive the flow logs, in the watcher's resource group (NetworkWatcherRG).
final ResourceGroup rg = azure.resourceGroups().getByName(retval.resourceGroupName());
final StorageAccount sa = azure.storageAccounts().define(ResourceNameType.STORAGE_ACCOUNT.randomName("networkwatchersa"))
    .withRegion(Region.GOV_US_VIRGINIA)
    .withExistingResourceGroup(rg)
    .withAccessFromAllNetworks()
    .create();

// The NSG whose flow logs should be enabled lives in a different, existing resource group.
final String rgName = "resource-group-38f6628eccb84ec9aa1cd9b3c8f5f815";
final NetworkSecurityGroup nsg = azure.networkSecurityGroups().getByResourceGroup(rgName, "add-network1-nat-securitygroup");

// Read the current flow log settings for the NSG, then enable logging into the new storage account.
final FlowLogSettings fls = retval.getFlowLogSettings(nsg.id());
LOGGER.info("Found fls with enabled {} and storage id {}", fls.enabled(), fls.storageId());

fls.update()
    .withLogging()
    .withStorageAccount(sa.id())
    .apply();   // fails here with the error quoted above

Expected behavior
Expect to be able to enable flow logs for the NSG in a storage account, or a more elaborate error message; I cannot currently determine what the issue is.

Setup (please complete the following information):

  • OS: macOS
  • IDE: Eclipse Version: 2019-06 (4.12.0)
  • Version of the Library used: 1.22

Additional context
Call has been attempted with the Service Principal as both a contributor and owner in the subscription. I am trying to understand the error message as the sdk call seems straight forward. I suspect it is a permissions or ownership issue.

Update: confirmed this is still an issue in version 1.23
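The following is an added example, not the reporter's snippet and not code from the Azure SDK project. It packages the same procedure (find the watcher for the region, look up the NSG and storage account, update the flow log settings) as a helper built on the 1.x fluent API (`com.microsoft.azure.management`), with the checks a practitioner would want before and after the call: it verifies that the NSG and the storage account sit in the watcher's region (Azure requires the flow log storage account to be in the same region as the NSG), configures a retention policy, and reads the settings back after `apply()` so that a silent no-op is caught. The class name `NsgFlowLogEnabler`, the method names `findWatcher` and `enableNsgFlowLog`, and their parameters are hypothetical; the caller supplies an authenticated `Azure` client. The fluent method names (`withRetentionPolicyEnabled`, `withRetentionPolicyDays`, `withRetentionPolicyDisabled`) are assumed from the 1.x `FlowLogSettings.Update` interface.

```java
import com.microsoft.azure.management.Azure;
import com.microsoft.azure.management.network.FlowLogSettings;
import com.microsoft.azure.management.network.NetworkSecurityGroup;
import com.microsoft.azure.management.network.NetworkWatcher;
import com.microsoft.azure.management.resources.fluentcore.arm.Region;
import com.microsoft.azure.management.storage.StorageAccount;

/** Hypothetical helper (added example); relies on the caller's authenticated Azure client. */
public final class NsgFlowLogEnabler {

    private NsgFlowLogEnabler() {}

    /** Returns the network watcher for the given region, or throws if the region has none. */
    static NetworkWatcher findWatcher(Azure azure, Region region) {
        for (NetworkWatcher nw : azure.networkWatchers().list()) {
            if (nw.region().equals(region)) {
                return nw;
            }
        }
        throw new IllegalStateException("No network watcher in region " + region.name());
    }

    /**
     * Enables flow logs for an existing NSG into an existing storage account and returns the
     * settings as read back from the service after the update.
     *
     * @param retentionDays days to keep logs; 0 or less disables the retention policy
     */
    static FlowLogSettings enableNsgFlowLog(Azure azure, Region region, String nsgResourceGroup,
                                            String nsgName, String storageAccountId, int retentionDays) {
        NetworkWatcher watcher = findWatcher(azure, region);
        NetworkSecurityGroup nsg = azure.networkSecurityGroups().getByResourceGroup(nsgResourceGroup, nsgName);
        StorageAccount sa = azure.storageAccounts().getById(storageAccountId);
        if (nsg == null || sa == null) {
            throw new IllegalArgumentException("NSG or storage account not found");
        }
        // The flow log storage account must be in the same region as the NSG, and the
        // watcher for that region is the one that owns the flow log configuration.
        if (!nsg.region().equals(region) || !sa.region().equals(region)) {
            throw new IllegalArgumentException("NSG (" + nsg.regionName() + ") and storage account ("
                + sa.regionName() + ") must both be in " + region.name());
        }

        FlowLogSettings before = watcher.getFlowLogSettings(nsg.id());
        FlowLogSettings.Update update = before.update()
            .withLogging()
            .withStorageAccount(sa.id());
        if (retentionDays > 0) {
            update = update.withRetentionPolicyEnabled().withRetentionPolicyDays(retentionDays);
        } else {
            update = update.withRetentionPolicyDisabled();
        }
        update.apply();

        // Read back from the service instead of trusting the returned object, so a
        // request that was accepted but not applied is reported as an error.
        FlowLogSettings after = watcher.getFlowLogSettings(nsg.id());
        if (!after.enabled() || !sa.id().equalsIgnoreCase(after.storageId())) {
            throw new IllegalStateException("Flow log not enabled as requested: enabled="
                + after.enabled() + ", storageId=" + after.storageId());
        }
        return after;
    }
}
```

Usage: obtain the client with `Azure.authenticate(credentials).withSubscription(subscriptionId)` (for Azure Government, the credentials must target `AzureEnvironment.AZURE_US_GOVERNMENT`), then call `enableNsgFlowLog(azure, Region.GOV_US_VIRGINIA, rgName, nsgName, storageAccountId, 30)`. Because the storage account is looked up by ID rather than created, the helper works with an account in NetworkWatcherRG or in any other existing resource group, as long as the region check passes.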
