Azure Monitor Private Link Scope
The purpose of this blog is to explain and demonstrate how easy it is to configure the Azure Monitor Private Link Scope (AMPLS) container.
With Azure Monitor, you can group your PaaS resources into a logical AMPLS container, defining the boundaries of your monitoring platform. These PaaS resources are securely linked to your virtual network using private endpoints that traverse Azure Private Links without ever passing over a public network. This setup ensures that your monitoring data is accessed only through authorized private networks, preventing data exfiltration and enhancing security.
What is an AMPLS Container and How Does it Work?
An Azure Monitor Private Link Scope (AMPLS) container holds all your Azure Monitor-focused resources, such as Log Analytics Workspaces (LAWs), Application Insights instances, and Azure Monitor Agent (AMA) data collection endpoints. These resources are protected by the AMPLS container due to their critical auditing and monitoring functions, ensuring they cannot be deleted until removed from the container. However, these resources are not exclusively owned by a single AMPLS.
For stand-alone virtual networks that require monitoring, you need to create separate DNS zones for each virtual network and their corresponding AMPLS containers. Multiple AMPLS containers can share the same resources, such as LAWs, Application Insights, and AMA data collection endpoints.
Important Considerations:
Deployment Plan
The following resources are required for this deployment, namely:
Step 1 - Identify or create a target subnet
Assign a subnet that is dedicated to monitoring private endpoints. Do not mix other applications into a subnet used by security or monitoring platforms.
When deploying an AMPLS with private endpoints, 8 private IP addresses are consumed while the various private links are provisioned. I would not recommend a subnet smaller than /28. Consider future expansion as per your environment.
Step 2 - Create an Azure Monitor Private Link Scope (AMPLS)
Configure the Azure Monitor Private Link Scope container into which you will deploy the resources to be exclusively used for Azure Monitoring.
Configuring an instance of Azure Private Link requires the following steps:
In the Azure portal > search for Azure Monitor Private Link Scope > select Create,
Populate the subscription and resource group, and select a unique, descriptive AMPLS name,
Instance details > select both modes as Open for now. If you select Private, you will prevent any other communication to any other PaaS services via private endpoint from that target vnet besides the resources on the AMPLS. This is designed to prevent data exfiltration. Think of the consequences before going private.
Select Review + create > Create
Step 3 - Connect Azure Monitor resources
The Scope is populated by the PaaS resources that are linked for Azure Monitor ingestion endpoints.
Collect and connect all of your identified endpoint PaaS resources which are going to be used to populate your Azure Monitor, like Log Analytics workspaces, Application Insights components, and Azure Monitor Agent data collection endpoints into your Azure Monitor Private Link Scope (AMPLS).
In your AMPLS > select Azure Monitor Resources > Select Add,
Select the workspace or component > select Apply
Step 4 - Create a private endpoint on your network and connect it to the scope
This is like configuring the “client-side” of the connection. After having provisioned and populated your server-side AMPLS, let's provision the client-side private endpoint on your virtual network.
In the Azure Portal > AMPLS > select Private Endpoint connections > + Private Endpoint,
Populate the subscription, Resource group,
Create a unique pep name,
Create a unique NIC name,
Your private endpoint MUST be in the same region as your target virtual network. Your private endpoint and vnet need not be in the same region as your AMPLS resources, but keep in mind the inter-regional egress costs that will be incurred.
On the Resource tab:
Select the target Subscription that contains your Azure Monitor Private Link Scope,
Resource type > select Microsoft.insights/privateLinkScopes,
Select your pre-created Private Link Scope,
Select the Virtual Network tab:
Configure your target virtual network and dedicated (monitoring) subnet in which you are going to deploy the AMPLS private endpoint. Try to keep this subnet focused on only monitoring / auditing resources.
Select dynamic or static IP address allocation,
Select whether you are going to use any logical Application Security Group (ASG),
Select the DNS tab:
Select whether you are using your existing Windows AD DNS zone or want to create a new private DNS zone,
If you select a new private DNS zone, notice the global/regional endpoints to which you will have private links created. This is why you can only provision one AMPLS per DNS zone.
Select your subscription and resource group,
Next,
Optional Tags tab:
Review & Create,
Create,
Verify
You will now have 6 private endpoints created, pointing to the global endpoints:
If you go to your dedicated subnet, you will find that 8 private IP addresses have been consumed,
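The four steps above, scripted with the Azure CLI as an added example (this is not code from the original post). It assumes you have already run `az login`, and that the resource group, virtual network and Log Analytics workspace named at the top already exist; every name there is a placeholder. Before it touches Azure it checks that the subnet prefix can actually hold the endpoint: Azure reserves 5 addresses in every subnet, so a /28 leaves 11 usable and only 3 spare after the 8 the post observed the AMPLS endpoint consuming. The five private DNS zones are the ones Microsoft documents for Azure Monitor private link.

```shell
#!/usr/bin/env bash
# Added example: portal steps 1-4 of the post as an Azure CLI script.
# All names below are placeholders; RG, VNET and LAW are assumed to exist.
RG="rg-monitoring"
LOCATION="westeurope"              # must match the VNet region (post, Step 4)
VNET="vnet-hub"
SUBNET="snet-monitoring-pep"       # dedicated monitoring subnet (Step 1)
SUBNET_PREFIX="10.10.5.0/28"       # post: nothing smaller than /28
AMPLS="ampls-monitoring"           # scope name (Step 2)
LAW="law-monitoring"               # existing workspace to link (Step 3)
PEP="pep-ampls-monitoring"         # private endpoint name (Step 4)
PEP_NIC="nic-pep-ampls-monitoring"
AMPLS_IP_COUNT=8                   # addresses the post observed one endpoint consuming

# Private DNS zones Microsoft documents for Azure Monitor private link
ZONES="privatelink.monitor.azure.com privatelink.oms.opinsights.azure.com privatelink.ods.opinsights.azure.com privatelink.agentsvc.azure-automation.net privatelink.blob.core.windows.net"

# Azure reserves 5 addresses per subnet. Echo how many addresses remain
# after the AMPLS endpoint; negative means the prefix is too small.
spare_ips_after_ampls() {
  prefix_len=${1#*/}
  total=$(( 1 << (32 - prefix_len) ))
  echo $(( total - 5 - AMPLS_IP_COUNT ))
}

# Return 0 when the subnet can hold the endpoint, 1 otherwise.
check_subnet_capacity() {
  spare=$(spare_ips_after_ampls "$1")
  if [ "$spare" -lt 0 ]; then
    echo "subnet $1 is too small for the AMPLS private endpoint" >&2
    return 1
  fi
  return 0
}

deploy_ampls() {
  check_subnet_capacity "$SUBNET_PREFIX" || return 1

  # Step 1: dedicated subnet for monitoring private endpoints
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --address-prefixes "$SUBNET_PREFIX" -o none

  # Step 2: the scope. Open keeps other private endpoints in the VNet
  # working; PrivateOnly is the lockdown the post warns to think about.
  az monitor private-link-scope create -g "$RG" -n "$AMPLS" \
    --ingestion-access Open --query-access Open -o none

  # Step 3: add the workspace to the scope
  LAW_ID=$(az monitor log-analytics workspace show -g "$RG" -n "$LAW" --query id -o tsv)
  az monitor private-link-scope scoped-resource create -g "$RG" --scope-name "$AMPLS" \
    -n "link-$LAW" --linked-resource "$LAW_ID" -o none

  # Step 4: the client-side private endpoint in the monitoring subnet
  AMPLS_ID=$(az monitor private-link-scope show -g "$RG" -n "$AMPLS" --query id -o tsv)
  az network private-endpoint create -g "$RG" -n "$PEP" -l "$LOCATION" \
    --vnet-name "$VNET" --subnet "$SUBNET" --nic-name "$PEP_NIC" \
    --private-connection-resource-id "$AMPLS_ID" --group-id azuremonitor \
    --connection-name "conn-$AMPLS" -o none

  # DNS tab: one private zone per endpoint family, linked to the VNet and
  # registered on the endpoint so the private IPs resolve from inside it
  first=1
  for zone in $ZONES; do
    az network private-dns zone create -g "$RG" -n "$zone" -o none
    az network private-dns link vnet create -g "$RG" -z "$zone" -n "link-$VNET" \
      -v "$VNET" -e false -o none
    zone_label=$(echo "$zone" | tr . -)
    if [ "$first" = 1 ]; then
      az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "$PEP" \
        -n default --private-dns-zone "$zone" --zone-name "$zone_label" -o none
      first=0
    else
      az network private-endpoint dns-zone-group add -g "$RG" --endpoint-name "$PEP" \
        -n default --private-dns-zone "$zone" --zone-name "$zone_label" -o none
    fi
  done

  # Verify: count the distinct private IPs the endpoint took from the subnet
  # (the post observed 8)
  az network private-endpoint show -g "$RG" -n "$PEP" \
    --query 'customDnsConfigs[].ipAddresses[]' -o tsv | sort -u | wc -l
}

# Only deploy when explicitly asked, so the helpers can be sourced and tested
if [ "${AMPLS_DEPLOY:-0}" = "1" ]; then
  deploy_ampls
fi
```

Run it with `AMPLS_DEPLOY=1 ./ampls.sh` after editing the placeholders. Changing `SUBNET_PREFIX` to a /29 makes `check_subnet_capacity` fail before any resource is created, which is the sizing mistake the post's /28 advice is meant to prevent.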
This demonstration ensures that all your virtual network's Azure Monitor traffic routes through the private link to your AMPLS resources, avoiding public internet links.
I hope this blog has clarified any questions you may have had.
Azure Cloud Engineer | DevOps Enthusiast | Automating, Optimizing & Scaling Cloud Solutions
4 months
Very helpful