In regulated industries and enterprise environments, network security requirements often mandate that monitoring data must not traverse the public internet. Azure Monitor Private Link Scope (AMPLS) addresses this by enabling Log Analytics workspaces and Application Insights resources to receive data exclusively over a private network connection.
This post covers the AMPLS architecture and provides a step-by-step configuration guide.
1. What Is AMPLS and Why Use It
Without AMPLS, Azure Monitor agents on virtual machines send telemetry to Azure Monitor's public endpoints over the internet, even if the VMs themselves are on a private network. AMPLS routes this traffic through a Private Endpoint within the virtual network, ensuring that log ingestion never leaves the private network boundary.
Key scenarios where AMPLS is required:
- Compliance requirements that prohibit data traversal over public networks (e.g., Australian ISM, PCI-DSS)
- Environments where outbound internet access from VMs is blocked by policy
- Hub-and-spoke network architectures where monitoring traffic must flow through a centralised network hub
AMPLS uses two access mode settings that control its behaviour:
- Private Only: the workspace accepts data only from private endpoint connections
- Open: the workspace accepts data from both private endpoints and public endpoints
Start in Open mode during migration so that existing monitoring is not disrupted while private connectivity is being established.
2. Creating the Private Link Scope
- Navigate to Azure Monitor > Private Link Scopes
- Select + Create
- Provide a Name and select the Resource group and Region
- Under Azure Monitor Private Link Scope settings, set Data Ingestion access mode to Open for initial configuration
- Select Review + create
Once created, the Private Link Scope is an empty container. Resources must be connected to it before it provides any routing.
3. Connecting Log Analytics Workspaces
- Open the newly created AMPLS resource
- Navigate to Azure Monitor Resources > + Add
- Select the Log Analytics workspace to connect
- Select Apply
Repeat this process for any Application Insights resources that should also route through the private endpoint. A single AMPLS instance can connect up to 50 Log Analytics workspaces and 50 Application Insights resources.
The following table summarises what AMPLS covers once resources are connected:
| Traffic Type | Routed via AMPLS |
|---|---|
| Log Analytics agent (AMA/MMA) data ingestion | Yes |
| Application Insights SDK telemetry | Yes |
| Log Analytics query API | Yes |
| Azure Diagnostics (VM diagnostic extension) | No (separate configuration required) |
4. Creating the Private Endpoint
The Private Endpoint is the network interface within the virtual network that routes traffic to AMPLS.
- From the AMPLS resource, navigate to Private endpoint connections > + Private endpoint
- Provide a name and select the Subscription, Resource group, and Region
- Under Resource, confirm the target is the AMPLS resource with sub-resource azuremonitor
- Under Virtual Network, select the VNet and subnet where the private endpoint should be placed
- Under DNS, select Yes for private DNS zone integration. This is required for name resolution to work correctly.
Azure automatically creates the required private DNS zones (privatelink.monitor.azure.com, privatelink.ods.opinsights.azure.com, and others) when DNS integration is selected.
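Sections 2 through 4 are one procedure: create the scope, connect the workspace, deploy the private endpoint with DNS integration. The Bicep template below is an added example that performs that procedure as a single deployment; it is not code from the original post. It assumes an existing Log Analytics workspace in the target resource group (workspaceName) and takes the subnet and virtual network resource IDs as parameters (subnetId, vnetId); the resource names, parameter names and API versions are assumptions chosen for the example. The private DNS zone list is the standard Azure Monitor private link set, of which the post names the first and third.

```bicep
// Added example: AMPLS + scoped workspace + private endpoint with DNS zone group.
// Names and parameters are illustrative assumptions, not values from the post.

param amplsName string = 'ampls-monitoring'       // assumed name
param workspaceName string                        // existing workspace in this RG
param subnetId string                             // subnet hosting the private endpoint
param vnetId string                               // VNet to link the DNS zones to
param location string = resourceGroup().location  // region for the endpoint only

// Open during migration (as the post recommends); redeploy with PrivateOnly once
// heartbeats confirm agents are arriving over the private path.
@allowed(['Open', 'PrivateOnly'])
param ingestionAccessMode string = 'Open'
@allowed(['Open', 'PrivateOnly'])
param queryAccessMode string = 'Open'

// Standard Azure Monitor private link zones (the post names the first and third).
var dnsZoneNames = [
  'privatelink.monitor.azure.com'
  'privatelink.oms.opinsights.azure.com'
  'privatelink.ods.opinsights.azure.com'
  'privatelink.agentsvc.azure-automation.net'
  'privatelink.blob.core.windows.net'
]

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

// Section 2: the scope. The scope is global; it is an empty container until
// resources are connected to it.
resource ampls 'microsoft.insights/privateLinkScopes@2021-07-01-preview' = {
  name: amplsName
  location: 'global'
  properties: {
    accessModeSettings: {
      ingestionAccessMode: ingestionAccessMode
      queryAccessMode: queryAccessMode
    }
  }
}

// Section 3: connect the workspace (repeat with another scopedResources entry
// for each Application Insights component that should use the same path).
resource scopedWorkspace 'microsoft.insights/privateLinkScopes/scopedResources@2021-07-01-preview' = {
  parent: ampls
  name: 'scoped-${workspaceName}'
  properties: { linkedResourceId: workspace.id }
}

// Section 4: private endpoint in the chosen subnet, targeting the azuremonitor
// sub-resource of the scope.
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${amplsName}'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      {
        name: 'pe-${amplsName}-conn'
        properties: {
          privateLinkServiceId: ampls.id
          groupIds: ['azuremonitor']
        }
      }
    ]
  }
}

// Private DNS zones and VNet links: agents in the linked VNet resolve the
// monitor hostnames to the endpoint's private addresses instead of public IPs.
resource dnsZones 'Microsoft.Network/privateDnsZones@2020-06-01' = [for zone in dnsZoneNames: {
  name: zone
  location: 'global'
}]

resource vnetLinks 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [for (zone, i) in dnsZoneNames: {
  parent: dnsZones[i]
  name: 'link-${uniqueString(vnetId)}'
  location: 'global'
  properties: {
    virtualNetwork: { id: vnetId }
    registrationEnabled: false
  }
}]

// The zone group is what the portal's "Yes" for private DNS zone integration
// creates: Azure maintains the endpoint's A records in each zone.
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [for (zone, i) in dnsZoneNames: {
      name: replace(zone, '.', '-')
      properties: { privateDnsZoneId: dnsZones[i].id }
    }]
  }
}

output amplsId string = ampls.id
```

Keeping the access modes as parameters makes the migration step explicit: the first deployment runs with the defaults (Open), and once the heartbeat validation in the next section shows the expected VMs, the same template is redeployed with ingestionAccessMode set to PrivateOnly so that the workspace stops accepting ingestion from public endpoints.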
5. Validating Connectivity
After the private endpoint is provisioned, validate that an Azure Monitor Agent on a VM in the connected VNet can reach the workspace through the private endpoint:
```kusto
Heartbeat
| where TimeGenerated > ago(1h)
| summarize count() by Computer, SourceSystem
```
Agents routing through AMPLS report SourceSystem = "OpsManager". Confirm that expected VMs are appearing and that heartbeats are consistent.
Summary
AMPLS provides a clear network path for Azure Monitor telemetry in environments where public endpoint access is not acceptable. The configuration is straightforward: create the scope, connect workspaces, deploy a private endpoint with DNS integration, and validate with a heartbeat query. Starting in Open access mode allows existing agents to continue working while private connectivity is established and tested.