Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,315 questions
Application Insights - AMPLS DNS Resolution
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 31%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERL%3C/text%3E%3C/svg%3E)
Robert Lehmann
0
Reputation points
I have an anomaly when using AMPLS and Application Insights. I have a standard hybrid setup consists of:
- On-premises DCs
- Azure DCs
- Hub Spoke Vnet
- Azure Private DNS Zones
If I provide Application insights via AMPLS, the connection string copied from the portal without any changes are not working.
InstrumentationKey=XXXXXXXXXXXXXXXXXXXXXXXXXXXX;IngestionEndpoint=https://germanywestcentral1.in.applicationinsights.azure.com/;LiveEndpoint=https://germanywestcentral.livediagnostics.monitor.azure.com/;ApplicationId=XXXXXXXXXXXXXXXXXXXXXXXXXXXX
The Record germanywestcentral-1.in.applicationinsights.azure.com cannot be resolved internally, there is no conditional forwarder / Azure Private DNS Zone for this zone. In this documation I found the public global Endpoint https://learn.microsoft.com/en-us/azure/azure-monitor/ip-addresses for the Ingestion. I changed the record to the global endpoint dc.applicationinsights.azure.com. It seams to be there is an internal Azure resolution from dc.applicationinsights.azure.com to CNAME global.in.ai.privatelink.monitor.azure.com. As the result the connection string works fine. In this case, who hosts the applicationinsights.azure.com zone and the CNAME within it?
When I ask Azure DNS directly I will receive the same information. So I guess that's where the magic happens.
germanywestcentral1.in.applicationinsights.azure.com --> Non-existent domain
dc.applicationinsights.azure.com --> CNAME privatelink.monitor.azure.com --> AMPLS Private Endpoint IP
When I read the private Endpoint DNS Zones followed by this documentation, in the past was here a conditional forwarder for applicationinsights.azure.com, but now there isn´t.
https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns
Means the table I need a additional Conditional Forwarder on my DCs for the Zones services.visualstudio.com and applicationinsights.azure.com to 168.63.129.16?
Private link resource typeSubresourcePrivate DNS zone namePublic DNS zone forwardersmAzure Monitor (Microsoft.Insights/privateLinkScopes)azuremonitorprivatelink.monitor.azure.com privatelink.oms.opinsights.azure.com privatelink.ods.opinsights.azure.com privatelink.agentsvc.azure-automation.net privatelink.blob.core.windows.netmonitor.azure.com oms.opinsights.azure.com ods.opinsights.azure.com agentsvc.azure-automation.net blob.core.windows.net services.visualstudio.com applicationinsights.azure.comThe Zones applicationinsights.azure.com and services.visualstudio.com are not part of any documentation about AMPLS. https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-configure
How does the magic happends and why it only works with the global Ingestion Endpoint and not with the regional? Can anyone confirm the configuration and how it works in their environment?
Thanks.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 20%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPR%3C/text%3E%3C/svg%3E)
Pranay Reddy Madireddy 440 Reputation points Microsoft Vendor2024-09-26T02:20:09.1466667+00:00 Hii Robert Lehmann
Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
When using Azure Private Link, it's important for your DNS to work correctly. Regional endpoints like "southcentralus.in.applicationinsights.azure.com" are meant for public use, but they might not resolve properly in a hybrid setup. This can cause connection problems. To avoid this, using a global endpoint instead can help, as it usually connects reliably within Azure's network.
Azure has a private DNS zone called privatelink.monitor.azure.com for connecting to private endpoints. If applicationinsights.azure.com isn't resolving correctly, you need to check and set up the right DNS entries. This will help your applications connect to Azure services properly.
Switching to "dc.applicationinsights.azure.com" lets your instrumentation work because it connects to a global address that points to the right private endpoint. This avoids problems with the regional endpoint and provides a more reliable connection, especially if the regional one has DNS or network issues.
Set up your on-premises DNS to forward requests for applicationinsights.azure.com and services.visualstudio.com to 168.63.129.16. This will improve DNS resolution. Also, if the global endpoint (dc.applicationinsights.azure.com) works well for you, keep using it until you fix any problems with the regional endpoint.
If you have any further queries, do let us know.
If the answer is helpful, please click "Accept Answer" and "Upvote it".
-
Pranay Reddy Madireddy 440 Reputation points Microsoft Vendor
2024-10-01T20:19:48.25+00:00 Hii Robert Lehmann
If you had a chance to see my comment to your question. If it was helpful, please click "Upvote" on my post let us know Thank you...! -
Pranay Reddy Madireddy 440 Reputation points Microsoft Vendor
2024-10-03T17:52:37.76+00:00 Robert Lehmann - If you had a chance to see my comment to your question. If it was helpful, please click "Upvote" on my post let us know Thank you...!
Sign in to comment
Sign in to answer