Enable network isolation for the Azure Monitor agent

By default, the Azure Monitor agent connects to a public endpoint to reach your Azure Monitor environment. You can enable network isolation for your agents by creating data collection endpoints (DCEs) and adding them to your Azure Monitor Private Link Scopes (AMPLS).

Create data collection endpoint

To use network isolation, you must create a data collection endpoint (DCE) in each of your regions so that agents connect to it instead of the public endpoint. See Create a data collection endpoint for details on creating a DCE. An agent can only connect to a DCE in the same region, so if you have agents in multiple regions, you must create a DCE in each one.

With Azure Private Link, you can securely link Azure platform as a service (PaaS) resources to your virtual network by using private endpoints. An Azure Monitor Private Link connects a private endpoint to a set of Azure Monitor resources, defining the boundaries of your monitoring network. That set is called an Azure Monitor Private Link Scope (AMPLS). See Configure your Private Link for details on creating and configuring your AMPLS.

Add DCE to AMPLS

Add the data collection endpoints to a new or existing Azure Monitor Private Link Scope (AMPLS) resource. This adds the DCE endpoints to your private DNS zone (see how to validate) and allows communication via private links. You can do this either from the AMPLS resource or from the 'Network Isolation' tab of an existing DCE resource.

Note

Other Azure Monitor resources, such as the Log Analytics workspace(s) that your data collection rules send data to, must be part of this same AMPLS resource.

For your data collection endpoint(s), ensure that the Accept access from public networks not connected through a Private Link Scope option is set to No under the 'Network Isolation' tab of your endpoint resource in the Azure portal, as shown below. This disables public internet access so that network communication happens only via private links.

Screenshot for configuring data collection endpoint network isolation.

Associate the data collection endpoints with the target resources by editing the data collection rule in the Azure portal. On the Resources tab, select Enable Data Collection Endpoints and then select a DCE for each virtual machine. See Configure data collection for the Azure Monitor agent.

Screenshot for configuring data collection endpoint for an agent.
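The steps above leave several conditions that are easy to get wrong silently: a DCE still accepting public access, a DCE or workspace missing from the AMPLS, a VM associated with a DCE in another region, or a VM with no DCE association at all (in which case the agent keeps using the public endpoint). The following read-only posture check is an added example, not code from this article or from Azure Monitor. It takes an inventory of resources whose dicts are shaped like the ARM JSON returned by `az resource show` (the field names `properties.networkAcls.publicNetworkAccess`, `properties.dataCollectionEndpointId` and the association child-resource path are assumptions, simplified for the example), and the sample inventory is constructed to exercise every check.

```python
"""Added example: posture check for Azure Monitor agent network isolation.
Resource shapes below are assumed, simplified ARM JSON, not the article's data."""
from typing import Dict, List

# A DCR association lives under the VM, so its id starts with the VM id.
ASSOC_MARKER = "/providers/microsoft.insights/datacollectionruleassociations/"


def _vm_id_of_association(assoc_id: str) -> str:
    """Recover the parent VM id from an association id (ARM ids are case-insensitive)."""
    return assoc_id.lower().split(ASSOC_MARKER, 1)[0]


def check_network_isolation(inventory: Dict) -> List[str]:
    """Return one finding per condition that would let an agent bypass private links."""
    findings: List[str] = []
    linked = {rid.lower() for rid in inventory["ampls_linked_resource_ids"]}
    dce_by_id = {d["id"].lower(): d for d in inventory["dces"]}

    # Checks 1 and 2: every DCE must refuse public access and be a scoped resource of the AMPLS.
    for dce_id, dce in dce_by_id.items():
        access = dce.get("properties", {}).get("networkAcls", {}).get("publicNetworkAccess", "Enabled")
        if access != "Disabled":
            findings.append(f"{dce['name']}: publicNetworkAccess is {access}, expected Disabled")
        if dce_id not in linked:
            findings.append(f"{dce['name']}: not a scoped resource of the AMPLS")

    # Check 3: the workspaces the DCRs send to must be in the same AMPLS.
    for ws_id in inventory["dcr_workspace_ids"]:
        if ws_id.lower() not in linked:
            findings.append(f"{ws_id.rsplit('/', 1)[-1]}: workspace not in the AMPLS")

    # Check 4: each VM needs a DCE association, and that DCE must be in the VM's region.
    dce_for_vm: Dict[str, str] = {}
    for assoc in inventory["associations"]:
        endpoint = assoc.get("properties", {}).get("dataCollectionEndpointId")
        if endpoint:
            dce_for_vm[_vm_id_of_association(assoc["id"])] = endpoint.lower()
    for vm in inventory["vms"]:
        dce_id = dce_for_vm.get(vm["id"].lower())
        if dce_id is None:
            findings.append(f"{vm['name']}: no DCE association, agent will use the public endpoint")
            continue
        dce = dce_by_id.get(dce_id)
        if dce is None:
            findings.append(f"{vm['name']}: associated DCE {dce_id} not in inventory")
        elif dce["location"].lower() != vm["location"].lower():
            findings.append(
                f"{vm['name']} ({vm['location']}): associated DCE {dce['name']} is in {dce['location']}"
            )
    return findings


# Constructed subscription/resource-group prefix; not a real subscription.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-monitor"


def _rid(provider_type: str, name: str) -> str:
    return f"{SUB}/providers/{provider_type}/{name}"


def sample_inventory() -> Dict:
    """Constructed inventory: one correctly isolated region and several misconfigurations."""
    dce_east = _rid("Microsoft.Insights/dataCollectionEndpoints", "dce-eastus")
    dce_west = _rid("Microsoft.Insights/dataCollectionEndpoints", "dce-westeurope")
    law_prod = _rid("Microsoft.OperationalInsights/workspaces", "law-prod")
    law_dev = _rid("Microsoft.OperationalInsights/workspaces", "law-dev")
    vms = [
        {"name": "vm-east", "location": "eastus", "id": _rid("Microsoft.Compute/virtualMachines", "vm-east")},
        {"name": "vm-west", "location": "westeurope", "id": _rid("Microsoft.Compute/virtualMachines", "vm-west")},
        {"name": "vm-north", "location": "northeurope", "id": _rid("Microsoft.Compute/virtualMachines", "vm-north")},
        {"name": "vm-orphan", "location": "eastus", "id": _rid("Microsoft.Compute/virtualMachines", "vm-orphan")},
    ]

    def assoc(vm: Dict, dce_id: str) -> Dict:
        # The DCE association uses the reserved name configurationAccessEndpoint.
        return {
            "id": vm["id"] + "/providers/Microsoft.Insights/dataCollectionRuleAssociations/configurationAccessEndpoint",
            "properties": {"dataCollectionEndpointId": dce_id},
        }

    return {
        "dces": [
            {"name": "dce-eastus", "location": "eastus", "id": dce_east,
             "properties": {"networkAcls": {"publicNetworkAccess": "Disabled"}}},
            {"name": "dce-westeurope", "location": "westeurope", "id": dce_west,
             "properties": {"networkAcls": {"publicNetworkAccess": "Enabled"}}},
        ],
        "ampls_linked_resource_ids": [dce_east, law_prod],
        "dcr_workspace_ids": [law_prod, law_dev],
        "vms": vms,
        "associations": [assoc(vms[0], dce_east), assoc(vms[1], dce_west), assoc(vms[2], dce_east)],
    }


if __name__ == "__main__":
    for line in check_network_isolation(sample_inventory()):
        print("FINDING:", line)
```

Run against the constructed inventory, the check reports five findings: the west-Europe DCE still accepting public access and missing from the AMPLS, the `law-dev` workspace outside the AMPLS, `vm-north` associated with a DCE in another region, and `vm-orphan` with no DCE association. `vm-east` and `vm-west` produce nothing for the region check because their DCEs match their location, which is the point of creating one DCE per region. Comparisons are done on lowercased ids because ARM resource ids are case-insensitive and portal- and CLI-produced ids frequently differ in casing.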

Next steps