
Accessing Azure Log Analytics from Portal via AMPLS


I'm trying to restrict access to our Azure Monitor resources (Log Analytics Workspace and Application Insights) with an Azure Monitor Private Link Scope that has both "Accept data ingestion from public networks not connected through a Private Link Scope" and "Accept queries from public networks not connected through a Private Link Scope" set to "No", while still being able to access them from the Azure Portal while connected to an Azure VPN peered with the main virtual network.

In the main resource group, I have the following:

  • Virtual Network
  • Subnet with "Private endpoint network policy" set to "Network security groups" and linked to NSG
  • NSG with Inbound Service Tag rules for AzurePortal, AzureResourceManager, AzureFrontDoor.FirstParty and AzureFrontDoor.Frontend:
    • Source port ranges: *
    • Destination: Any
    • Service: HTTPS
  • Log Analytics Workspace with "Accept data ingestion from public networks not connected through a Private Link Scope" and "Accept queries from public networks not connected through a Private Link Scope" set to "No"
  • Application Insights with "Accept data ingestion from public networks not connected through a Private Link Scope" and "Accept queries from public networks not connected through a Private Link Scope" set to "No"
  • Azure Monitor Private Link Scope with "Accept data ingestion from public networks not connected through a Private Link Scope" and "Accept queries from public networks not connected through a Private Link Scope" set to "No"
  • AMPLS Private Endpoint
  • App Service connected to Application Insights and Log Analytics for HTTP request logging
  • App Service Private Endpoint

In the VPN resource group, I have the following:

  • Virtual Network with one-way peering to main Virtual Network
  • Virtual Network Gateway
  • Public IP

On my own computer, I have the DNS records for the Private Endpoints in the Windows hosts file.

What I've tried:

  • Connect to VPN
  • Open Azure Portal
  • Go to App Service > Logs tab
  • Run the following query for the last 24 hours:
    AppServiceHTTPLogs
    | where UserAgent != 'AlwaysOn'
    
  • Go to Application Insights > Transaction search
  • Click "See all data for the last 24 hours"
  • Create a Container Instance in the Virtual Network and send a request to the same https://api.loganalytics.io endpoint used by the Logs query

What happened:

  • The Logs query returned no results
  • The Application Insights search displayed "Error retrieving data"
  • The request from the Container Instance returned the expected results

What I want to be able to do:

  • I want to be able to access logs and other data from the Azure Portal while connected to the VPN (on my own computer)

Solution

  • I don't know if there's a better solution, but manually adding hosts file entries for api.loganalytics.io and api.applicationinsights.azure.com pointing to the same private IP as api.monitor.azure.com allowed me to access Log Analytics and Application Insights from the Azure Portal over the VPN.

    I also removed the NSG and "Private endpoint network policy" for the subnet.
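As an added example, not code from the question or answer: a Python check that parses a hosts file like the one described above and confirms that the three query endpoints named in the answer all map to one private address, so a missing or public-resolving entry is flagged before the portal falls back to the public path that the AMPLS settings block. The hostnames are the ones from the answer; the hosts file content and the 10.0.1.4 address are constructed.

```python
import ipaddress

# Query endpoints the Azure Portal uses, as named in the answer above.
AMPLS_QUERY_HOSTS = (
    "api.monitor.azure.com",
    "api.loganalytics.io",
    "api.applicationinsights.azure.com",
)

# Constructed sample hosts file; 10.0.1.4 is a made-up private endpoint IP.
SAMPLE_HOSTS = """\
# Private endpoints reachable over the VPN
10.0.1.4    api.monitor.azure.com
10.0.1.4    api.loganalytics.io   # added manually, per the answer
10.0.1.4    api.applicationinsights.azure.com
10.0.1.5    myapp.azurewebsites.net
"""

def parse_hosts(text):
    """Map each hostname in hosts-file text to its IP, ignoring comments."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if line:
            ip, *names = line.split()
            for name in names:
                mapping[name.lower()] = ip
    return mapping

def check_ampls_hosts(mapping, hosts=AMPLS_QUERY_HOSTS):
    """Return problems found; empty means every query host maps to one private IP."""
    problems = []
    seen_ips = set()
    for host in hosts:
        ip = mapping.get(host)
        if ip is None:
            problems.append(f"{host}: no hosts entry, will use public DNS")
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{host}: invalid address {ip!r}")
            continue
        if not addr.is_private:  # RFC 1918 / ULA ranges count as private
            problems.append(f"{host}: {ip} is a public address")
        seen_ips.add(ip)
    if len(seen_ips) > 1:
        problems.append(f"query hosts map to different IPs: {sorted(seen_ips)}")
    return problems
```

Run it against your real hosts file (C:\Windows\System32\drivers\etc\hosts) instead of SAMPLE_HOSTS to confirm the entries before testing the portal over the VPN.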