Azure Monitor Private Link

By Ronnie Quan

Overview

Why we care about Azure Monitor Private Link

  • Connect privately to Azure Monitor without opening up any public network access

It’s not one endpoint per resource

Azure Monitor Private Link seems complicated. Unlike other Azure PaaS services, there are at least ten Azure endpoints involved, and some of them are global.

When configuring the private endpoint’s target resource, you cannot point it at an existing Application Insights component or Log Analytics workspace; an Azure Monitor Private Link Scope (AMPLS) has to be created as the target resource.

Furthermore, DNS configuration is also challenging; there is an issue known as DNS override.

I read the MS doc https://docs.microsoft.com/en-us/azure/azure-monitor/logs/private-link-security and did a lab in order to better understand the feature.

Feature Assessment

Lab Environment

  • Connect the activity log to a Log Analytics workspace for an ingestion test

Working Scenario — All In

In this test, assume all Application Insights components and all Log Analytics workspaces are converted to private endpoint at the same time, and network isolation is configured to deny public ingestion and public query.

Follow the MS doc https://docs.microsoft.com/en-us/azure/azure-monitor/logs/private-link-security#example-connection

From a public network device (e.g. my home PC), I lost access to both the Application Insights component and the Log Analytics workspace, but from the Azure VM running in the VNet, everything works.

Log Analytics Workspace Only Scenario

Given the all-or-nothing challenge of Application Insights, I experimented with Azure Monitor Private Link for Log Analytics only.

When configuring DNS records for the Azure Monitor private endpoint, I omitted *.monitor.azure.com and configured only the workspace-specific FQDN.

Public network access is allowed for Application Insights.

The network isolation for the Log Analytics workspace denies public network access.

From my private network, I’m no longer able to query Log Analytics from the Azure portal. Even though Application Insights has a workspace-specific FQDN, it still relies on the global Azure Monitor endpoint. The nslookup below (from the Azure VM, using the Azure-provided resolver 168.63.129.16) shows that api.loganalytics.io is a CNAME through api.monitor.azure.com and still resolves to a public IP:

> api.loganalytics.io
Server: UnKnown
Address: 168.63.129.16
Non-authoritative answer:
Name: azmon-prod-eus-0-ingress-draft.eastus.cloudapp.azure.com
Address: 20.49.109.80
Aliases: api.loganalytics.io
api.monitor.azure.com
api.privatelink.monitor.azure.com
draftprodoms.trafficmanager.net

Is Log Analytics workspace ingestion still working via private link? Now let’s allow queries from the public network, so we can validate whether recent logs are captured.

Now from my Azure VM, I’m able to query logs from the workspace, and it shows the most recent log entries.

Allowing public network access to Application Insights works fine.

Conclusion

Application Insights, All or Nothing

As the MS document says, once Azure Monitor Private Link is turned on, it’s all or nothing for Application Insights, since both the query and ingestion endpoints are global.
https://docs.microsoft.com/en-us/azure/azure-monitor/logs/private-link-security#azure-monitor-private-link-applies-to-all-azure-monitor-resources---its-all-or-nothing

Log Analytics Workspace, Partially All or Nothing

Given the all-or-nothing challenge of Application Insights, can we turn on Azure Monitor Private Link for just Log Analytics and leave Application Insights for future phases?

When the workspace-specific FQDN points to a private IP and the *.monitor.azure.com FQDNs are left unchanged as public, the Azure portal Log Analytics query stops working, since the query depends on the Azure Monitor global FQDN, e.g. api.loganalytics.io (part of a CNAME chain through api.monitor.azure.com).

As a compromise, Log Analytics workspace query works when "Allow public network access for queries" is enabled in the Log Analytics workspace network isolation blade.
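To see which of these scenarios a VNet is actually in, the following added example (not from the original post or from Microsoft) resolves the workspace-specific FQDN and the global FQDNs named in this post from inside the VM and classifies each answer as private or public. The workspace FQDN is whatever you configured in the private DNS zone (e.g. the `<workspace-id>.ods.opinsights.azure.com` ingestion endpoint); the resolver is injectable so the logic can be checked offline against constructed answers.

```python
import ipaddress
import socket

# Global Azure Monitor FQDNs named in this post. With private link in effect,
# each must resolve to a private endpoint IP from inside the VNet.
GLOBAL_FQDNS = [
    "api.monitor.azure.com",
    "global.in.ai.monitor.azure.com",
    "profiler.monitor.azure.com",
    "live.monitor.azure.com",
    "snapshot.monitor.azure.com",
]

def os_resolver(fqdn):
    """Resolve fqdn to its IPv4 addresses with the OS resolver; [] on failure."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def classify(addresses):
    """'private' if every address is in a private range, 'public' otherwise."""
    if not addresses:
        return "unresolved"
    if all(ipaddress.ip_address(a).is_private for a in addresses):
        return "private"
    return "public"

def assess(workspace_fqdns, resolver=os_resolver):
    """Classify each FQDN and name the scenario the resolution pattern implies.
    all-private    : workspace and global FQDNs private; private-link-only works.
    workspace-only : workspace FQDNs private, global ones still public; ingestion
                     is private but portal/API query breaks unless public query
                     access is allowed on the workspace (this post's scenario).
    public         : everything public; private link DNS is not in effect.
    inconsistent   : anything else, e.g. only some global FQDNs overridden.
    """
    results = {f: classify(resolver(f)) for f in [*workspace_fqdns, *GLOBAL_FQDNS]}
    ws = {results[f] for f in workspace_fqdns}
    glob = {results[f] for f in GLOBAL_FQDNS}
    if ws == {"private"} and glob == {"private"}:
        return results, "all-private"
    if ws == {"private"} and glob == {"public"}:
        return results, "workspace-only"
    if ws | glob == {"public"}:
        return results, "public"
    return results, "inconsistent"
```

Run `assess(["<workspace-id>.ods.opinsights.azure.com"])` from a VM in the VNet; a "workspace-only" verdict is exactly the state in which portal queries fail until public query access is allowed.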

AMPLS Limits and DNS Override

An Azure Monitor component has to be connected to an AMPLS in order to be accessed via private link, but one AMPLS can only connect to a maximum of 50 resources.

Each VNet can only connect to one AMPLS.

https://docs.microsoft.com/en-us/azure/azure-monitor/logs/private-link-security#consider-limits

I’m not sure whether these limits are hard or soft. If we design based on the documented limits, then with hundreds or thousands of workspaces or Application Insights components we will need multiple Azure Monitor private endpoints and multiple private link scopes.

That means each of the following global FQDNs will need to resolve to a different private IP, depending on the specific VNet:

  • api.monitor.azure.com
  • global.in.ai.monitor.azure.com
  • profiler.monitor.azure.com
  • live.monitor.azure.com
  • snapshot.monitor.azure.com
  • eastus2-0.in.ai.monitor.azure.com

Now we are facing the DNS override issue: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/private-link-security#the-issue-of-dns-overrides

For a pure Azure cloud environment, this can be resolved by linking each VNet to a specific private DNS zone and separating the networks at the DNS level. However, a corporate environment is a hybrid cloud environment, with a private cloud and multiple public cloud adoptions; it seems to me an impossible mission to make Azure Monitor Private Link work there. Just think about the coordination required among multiple teams: that task alone is already a big deal.

Appendix

https://github.com/MicrosoftDocs/azure-docs/issues/74327

https://github.com/MicrosoftDocs/azure-docs/issues/74339