Azure Monitor Private Link Scope

The aim of this blog is to explain and demonstrate how to configure an Azure Monitor Private Link Scope (AMPLS) and connect it to a virtual network through a private endpoint.

When you use Azure Monitor to monitor your workloads, you can bundle a set of Azure Monitor PaaS resources into a logical Azure Monitor Private Link Scope (AMPLS), which defines the boundary of your monitoring platform. The resources in the scope are reached from your virtual network through a private endpoint, so ingestion and query traffic travels over Azure Private Link and never over the public internet. Combined with the scope's access modes (Step 2) and the workspaces' own network isolation settings (Step 3), this ensures that your monitoring data is only reachable from authorized private networks and helps prevent exfiltration of monitoring data.

What is an AMPLS container and how does it work?


An AMPLS holds all of your Azure Monitor resources, e.g. Log Analytics workspaces, Application Insights components and Azure Monitor Agent (AMA) data collection endpoints (DCEs).
Once a resource is in a scope it is treated as part of your auditing / monitoring platform: it cannot simply be deleted until it has been removed from the AMPLS.
A resource is not owned exclusively by one AMPLS; the same workspace, Application Insights component or DCE can be added to several scopes.
If you have stand-alone (non-peered) virtual networks that each require monitoring, you will need a separate set of private DNS zones and a separate AMPLS per virtual network.
Those multiple AMPLS containers can all share the same underlying resources, namely the Log Analytics workspaces (LAWs), Application Insights components and AMA DCEs.

Do not try to deploy multiple AMPLS containers into a single set of private DNS zones; it does not work. Azure Monitor's ingestion and control endpoints are shared (global or regional) names, and the private endpoint of an AMPLS maps those same names to its own private IP addresses in the privatelink zones. When a second AMPLS private endpoint is registered in the same zones, its records override the first, and every virtual network that resolves through those zones, including peered networks sharing the hub's zones, is silently redirected to the most recently deployed scope.
In a hub-spoke topology, deploy the AMPLS private endpoint into the hub so that all spokes get centralized, single-point connectivity through the hub's DNS zones.
If you need to monitor a spoke virtual network separately for some reason, give that spoke its own private DNS zones and its own AMPLS, so the two scopes are mutually exclusive and cannot override each other's records.
For multiple non-peered virtual networks, follow the same principle: one set of private DNS zones per virtual network, each with its own dedicated AMPLS.

Deployment Plan

The deployment consists of the following four steps, followed by verification:

Step 1 - Identify or create a target subnet

Assign a subnet that is dedicated to monitoring private endpoints. Do not mix application workloads into subnets that host security or monitoring platforms.

Deploying an AMPLS private endpoint consumes several private IP addresses in the subnet, one per Azure Monitor endpoint name that the private link maps (8 were consumed in this demonstration). A /28 is the smallest subnet I would recommend; consider future expansion as per your environment.

Step 2  - Create an Azure Monitor Private Link Scope (AMPLS) 

Create the Azure Monitor Private Link Scope, the container into which you will add the resources that are to be reached exclusively over Azure Monitor private links.

Creating the scope requires the following steps:

In the Azure portal > search for Azure Monitor Private Link Scope,
Select Create,
Populate the subscription and resource group and give the AMPLS a unique, descriptive name,
Instance details > leave both access modes (Ingestion and Query) set to Open for now,
Private Only restricts the networks connected to this scope's private endpoint so that they can reach only the Azure Monitor resources that are in the AMPLS; any workspace or component outside the scope becomes unreachable from that vnet. That is the data-exfiltration control you ultimately want, but it also breaks every agent or query on the vnet that still targets an out-of-scope workspace. Open mode lets those networks reach out-of-scope resources over their public endpoints as well. Start in Open, confirm that every workspace and component the vnet needs is in the scope, then switch to Private Only. Note that these modes govern what the vnet can reach; they do not stop a workspace from accepting public traffic (see Step 3).
Select Review + create > Create

Step 3 - Connect Azure Monitor resources

The scope is populated with the Azure Monitor resources whose ingestion and query endpoints are to be served through the private link.

Collect and connect all of the resources you identified, such as Log Analytics workspaces, Application Insights components and Azure Monitor Agent data collection endpoints, into your Azure Monitor Private Link Scope (AMPLS).

In your AMPLS > select Azure Monitor Resources > select Add,
Select the workspace or component > select Apply

Adding a workspace to the scope does not, on its own, stop it from accepting data or queries over the public internet. Each Log Analytics workspace has its own Network Isolation settings ("Accept data ingestion from public networks not connected through a Private Link Scope" and the matching query setting); set both to No once the private endpoint is working, otherwise anyone holding the workspace ID and key can still post data to its public ingestion endpoint.

Step 4 - Create a private endpoint on your network and connect it to the scope

This is like configuring the "client-side" of the connection. Having provisioned and populated the server-side AMPLS, we now provision the client-side private endpoint in your virtual network.

In the Azure Portal > AMPLS > select Private Endpoint connections > + Private Endpoint,

Populate the subscription and resource group,
Give the private endpoint (pep) a unique name,
Give its network interface (NIC) a unique name,

*Your private endpoint MUST be in the same region as your target virtual network,
*Your private endpoint/vnet need not be in the same region as your AMPLS resources (the scope itself is a global resource), but keep in mind the inter-regional egress costs that will be incurred.

On the Resource tab:

Select the target Subscription that contains your Azure Monitor Private Link Scope,

Resource type > select Microsoft.insights/privateLinkScopes (the target sub-resource is azuremonitor),

Select your pre-created Private Link Scope,

Select  Virtual Network tab:

Select the target virtual network and the dedicated (monitoring) subnet in which the AMPLS private endpoint will be deployed. Keep this subnet reserved for monitoring / auditing resources.

Select dynamic or static private IP address allocation,

Select whether the endpoint's NIC should belong to an Application Security Group (ASG), which lets you reference it in NSG rules by group rather than by address,

Select  DNS tab:

Select whether to integrate with a private DNS zone. Choose Yes to create (or reuse) the privatelink zones shown in the portal; choose No if the Azure Monitor names are resolved by your own DNS, e.g. an existing Windows AD DNS, in which case you must create the corresponding records or conditional forwarders there yourself,

If you integrate with private DNS zones, notice the zones that will be created and linked: privatelink.monitor.azure.com, privatelink.oms.opinsights.azure.com, privatelink.ods.opinsights.azure.com, privatelink.agentsvc.azure-automation.net and privatelink.blob.core.windows.net. The records written into them map Azure Monitor's shared global/regional endpoint names to this private endpoint's IP addresses, which is why only one AMPLS can be served from a given set of zones.

Select your subscription and resource group,

Next,

Optional Tags tab:

Review & Create,

Create,

Verify

In the AMPLS > Private Endpoint connections, the new endpoint shows a connection state of Approved. Open it and check its DNS configuration: the Azure Monitor FQDNs are now listed with private addresses (six entries in this demonstration),

If you go to your dedicated subnet, you will find that the private IP addresses have been consumed (8 in this demonstration),

Finally, confirm from a VM inside the virtual network that the Azure Monitor names (for example the workspace's ods.opinsights.azure.com name) resolve to those private addresses rather than to public ones. If they do not, the private DNS zones are not linked to that vnet or have been overridden by another scope deployed into the same zones.

With that in place, all Azure Monitor traffic from the virtual network traverses the private link into your AMPLS resources without using the public internet.
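As an added example (not code from the original post), the same four steps and the verification can be scripted with the Azure CLI from bash. It also covers the one-set-of-zones-per-vnet rule from the "What is an AMPLS" section: the script creates and links the five privatelink zones for exactly one VNet, and verify() proves that the redirect to private addresses actually took effect. The resource group, region, VNet, subnet range, workspace and every name are assumptions; substitute your own. The az commands and the "azuremonitor" group ID are the standard ones.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): Azure CLI equivalent of Steps 1-4
# plus the DNS check from the Verify section. Names, region, CIDR and the
# workspace below are assumptions; change them for your environment.
set -euo pipefail

RG="rg-monitoring"            # assumed resource group
LOCATION="westeurope"         # assumed region; must match the VNet's region
VNET="vnet-hub"               # assumed existing hub VNet
SUBNET="snet-monitoring-pep"  # subnet dedicated to monitoring private endpoints
SUBNET_CIDR="10.10.5.0/28"    # /28, the smallest size recommended above
AMPLS="ampls-hub"
PEP="pep-ampls-hub"
LAW="law-hub"                 # assumed existing Log Analytics workspace

# Private DNS zones in which an AMPLS private endpoint registers its records.
ZONES="privatelink.monitor.azure.com privatelink.oms.opinsights.azure.com \
privatelink.ods.opinsights.azure.com privatelink.agentsvc.azure-automation.net \
privatelink.blob.core.windows.net"

deploy() {
  local law_id ampls_id z first=1
  # Step 1: subnet dedicated to monitoring private endpoints.
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --address-prefixes "$SUBNET_CIDR" -o none
  # Step 2: the scope, in Open mode for now; switch both to PrivateOnly once
  # every workspace the VNet needs has been added to the scope.
  az monitor private-link-scope create -g "$RG" -n "$AMPLS" \
    --ingestion-access Open --query-access Open -o none
  # Step 3: connect the workspace to the scope ...
  law_id=$(az monitor log-analytics workspace show -g "$RG" -n "$LAW" --query id -o tsv)
  az monitor private-link-scope scoped-resource create -g "$RG" --scope-name "$AMPLS" \
    -n "${LAW}-scoped" --linked-resource "$law_id" -o none
  # ... and close the workspace's own public ingestion/query access, which
  # scope membership alone does not do.
  az monitor log-analytics workspace update -g "$RG" -n "$LAW" \
    --ingestion-access Disabled --query-access Disabled -o none
  # Step 4: private endpoint in the VNet; the AMPLS sub-resource is "azuremonitor".
  ampls_id=$(az monitor private-link-scope show -g "$RG" -n "$AMPLS" --query id -o tsv)
  az network private-endpoint create -g "$RG" -n "$PEP" -l "$LOCATION" \
    --vnet-name "$VNET" --subnet "$SUBNET" --group-id azuremonitor \
    --private-connection-resource-id "$ampls_id" --connection-name "${PEP}-conn" -o none
  # One set of zones per VNet (see the override warning above): create each zone,
  # link it to this VNet only, and let the endpoint write its A records into it.
  for z in $ZONES; do
    az network private-dns zone create -g "$RG" -n "$z" -o none
    az network private-dns link vnet create -g "$RG" -z "$z" -n "link-${VNET}" \
      -v "$VNET" --registration-enabled false -o none
    if [ "$first" = 1 ]; then
      az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "$PEP" \
        -n default --private-dns-zone "$z" --zone-name "${z//./-}" -o none
      first=0
    else
      az network private-endpoint dns-zone-group add -g "$RG" --endpoint-name "$PEP" \
        -n default --private-dns-zone "$z" --zone-name "${z//./-}" -o none
    fi
  done
}

# --- Verify: every Azure Monitor name must answer from the endpoint subnet ---

ip2int() {                      # dotted IPv4 -> 32-bit integer
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

ip_in_cidr() {                  # ip_in_cidr IP CIDR -> exit 0 if IP lies inside CIDR
  local ip=$1 net=${2%/*} bits=${2#*/} mask
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Run on a VM inside the VNet. A public or missing answer means the zones are
# not linked to this VNet, or were overridden by a later scope in the same zones.
check_private_resolution() {    # check_private_resolution FQDN CIDR
  local fqdn=$1 cidr=$2 addr
  addr=$(getent ahostsv4 "$fqdn" 2>/dev/null | awk 'NR==1{print $1}') || true
  if [ -n "$addr" ] && ip_in_cidr "$addr" "$cidr"; then
    echo "OK   $fqdn -> $addr"; return 0
  fi
  echo "FAIL $fqdn -> ${addr:-no answer} (expected an address in $cidr)"; return 1
}

verify() {                      # verify <workspace customer ID (GUID)>
  local ws_id=$1 rc=0 f
  for f in "${ws_id}.ods.opinsights.azure.com" "${ws_id}.oms.opinsights.azure.com" \
           "global.handler.control.monitor.azure.com" "api.monitor.azure.com"; do
    check_private_resolution "$f" "$SUBNET_CIDR" || rc=1
  done
  return $rc
}

case "${1:-}" in
  deploy) deploy ;;
  verify) verify "${2:?workspace customer ID required}" ;;
esac
```

Run `./ampls.sh deploy` from a workstation logged in with the Azure CLI, then `./ampls.sh verify <workspace customer ID>` from a VM inside the VNet. Any FAIL line means that VNet is still resolving an Azure Monitor name through public DNS, or through zones that a second scope has overridden; agents there will keep sending over the public endpoint until the zone links are fixed.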

–I hope this blog helped make sense of any questions you may have had in the past—

10 comments

  1. Someone necessarily assist to make seriously posts I might state. That is the first time I frequented your web page and to this point? I surprised with the research you made to make this particular post incredible. Magnificent task!

  2. Can I just say what a relief to search out someone who really knows what they're speaking about on the internet. You undoubtedly know how to convey an issue to light and make it important. More folks have to learn this and perceive this aspect of the story. I can't consider you're no more common since you undoubtedly have the gift.

  3. My partner and I stumbled over here by a different website and thought I might check things out. I like what I see so i am just following you. Look forward to going over your web page again.

  4. What's Happening i am new to this, I stumbled upon this I have found It positively helpful and it has helped me out loads. I hope to give a contribution & help different customers like its helped me. Great job.

  5. I really wanted to make a brief remark in order to thank you for some of the awesome tips and tricks you are placing on this site. My time-consuming internet lookup has at the end been compensated with good suggestions to write about with my close friends. I'd claim that we website visitors actually are really fortunate to exist in a wonderful network with many wonderful people with insightful guidelines. I feel rather privileged to have encountered the weblog and look forward to some more amazing moments reading here. Thank you once more for all the details.

  6. Wow, incredible weblog layout! How long have you been blogging for? you make running a blog glance easy. The whole glance of your website is magnificent, as well as the content!
