Skip to content

Add Network Watcher resource to fix NSG flow logs deployment failures #141

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Add Network Watcher resource to fix NSG flow logs deployment failures #141

Copilot wants to merge 2 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Feb 3, 2026
edited
Loading

Deployments were failing when Azure Policy attempted to create NSG flow logs without the parent Network Watcher resource existing. The error manifested as ParentResourceNotFound for networkWatchers/flowLogs resources.

Changes

  • New module: shared/bicep/modules/network-watcher/v1/network-watcher.bicep

    • Creates Network Watcher with standard Azure naming: NetworkWatcher_<location>

  • Updated infrastructure files:

    • infrastructure/afd-apim-pe/main.bicep
    • infrastructure/appgw-apim-pe/main.bicep
    • infrastructure/appgw-apim/main.bicep

    Each now deploys Network Watcher before NSG resources with explicit dependency:

// 3. Network Watcher (required for NSG flow logs)
module networkWatcherModule '../../shared/bicep/modules/network-watcher/v1/network-watcher.bicep' = {
  name: 'networkWatcherModule'
  params: {
    location: location
  }
}

// 4. Virtual Network and Subnets
resource nsg 'Microsoft.Network/networkSecurityGroups@2025-01-01' = {
  name: 'nsg-default'
  location: location
  dependsOn: [
    networkWatcherModule
  ]
}

This ensures Network Watcher exists before any NSG flow log creation is attempted.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • aka.ms
    • Triggering command: /usr/local/bin/bicep bicep build main.bicep (dns block)
    • Triggering command: /usr/local/bin/bicep bicep build infrastructure/afd-apim-pe/main.bicep (dns block)
    • Triggering command: /usr/local/bin/bicep bicep build infrastructure/appgw-apim/main.bicep (dns block)
  • eastus.data.mcr.microsoft.com
    • Triggering command: /usr/local/bin/bicep bicep build infrastructure/appgw-apim/main.bicep (dns block)
    • Triggering command: /usr/local/bin/bicep bicep build infrastructure/appgw-apim-pe/main.bicep (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

I am seeing deployment errors for the nsg flow logs. It looks like Network watcher is not yet in place.

{
"code": "DeploymentFailed",
"target": "/subscriptions/5fb73327-9152-4f64-bf8a-90dc0cc4ad8f/resourceGroups/apim-infra-afd-apim-pe-1/providers/Microsoft.Resources/deployments/nsgFlowLogsApimModule",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
"details": [
{
"code": "ParentResourceNotFound",
"message": "Failed to perform 'write' on resource(s) of type 'networkWatchers/flowLogs', because the parent resource '/subscriptions/5fb73327-9152-4f64-bf8a-90dc0cc4ad8f/resourceGroups/apim-infra-afd-apim-pe-1/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus2' could not be found."
}
]
}

{
"code": "DeploymentFailed",
"target": "/subscriptions/5fb73327-9152-4f64-bf8a-90dc0cc4ad8f/resourceGroups/apim-infra-afd-apim-pe-1/providers/Microsoft.Resources/deployments/nsgFlowLogsAcaModule",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
"details": [
{
"code": "ParentResourceNotFound",
"message": "Failed to perform 'write' on resource(s) of type 'networkWatchers/flowLogs', because the parent resource '/subscriptions/5fb73327-9152-4f64-bf8a-90dc0cc4ad8f/resourceGroups/apim-infra-afd-apim-pe-1/providers/Microsoft.Network/networkWatchers/NetworkWatcher_eastus2' could not be found."
}
]
}

The user has attached the following file paths as relevant context:

  • .github\copilot-instructions.md

Created from VS Code.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@simonkurtz-MSFT
Add Network Watcher module and update infrastructure files
43ef819 
- Created shared Network Watcher bicep module
- Added Network Watcher deployment to afd-apim-pe, appgw-apim, and appgw-apim-pe
- Added dependsOn for NSG resources to ensure Network Watcher is created first
- Updated section numbering in infrastructure files

Co-authored-by: simonkurtz-MSFT <84809797+simonkurtz-MSFT@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix deployment issues for NSG flow logs Add Network Watcher resource to fix NSG flow logs deployment failures Feb 3, 2026
Copilot AI requested a review from simonkurtz-MSFT February 3, 2026 21:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@simonkurtz-MSFT simonkurtz-MSFT Awaiting requested review from simonkurtz-MSFT

Assignees

@simonkurtz-MSFT simonkurtz-MSFT

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@simonkurtz-MSFT