Use Azure Monitor on AD Domain Controller with no internet access

MarcVanderhaegen 241 Reputation points
2024-05-27T20:16:09.9633333+00:00

Hello,

We are currently using the Microsoft Monitoring Agent to send event logs to our log analytics workspace.

With the end of support of the MMA, we are looking to migrate the solution. I have already migrated all our 'regular' servers to AMA through the onboarding in Azure Arc.

The problem I am facing now is that our AD Team refuses to give even restricted internet access to the DCs to onboard them in Arc and then Azure Monitor.

In the Microsoft docs I found that the Log Analytics gateway could be used with the AMA and serve as a proxy to send data (https://learn.microsoft.com/en-us/azure/azure-monitor/agents/gateway).
The problem I see is that it is also stated that 'the source and the gateway server must be running the same agent', so it means that AMA also needs to be installed on the DC, but to install AMA you need to onboard into Arc, and so you need an internet connection.
How is it possible to set this up then?
Or is there any other way to configure it?

Thanks for your help.


2 answers

  1. Marcin Policht 23,700 Reputation points MVP
    2024-05-27T21:56:44.3166667+00:00

    This indeed seems to be a poorly designed workaround ;)

    You might want to consider an alternative approach that involves sending logs via a forwarder and leveraging custom log collection - e.g. by using https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin


  2. AnuragSingh-MSFT 21,376 Reputation points
    2024-05-28T05:35:23.2066667+00:00

    @MarcVanderhaegen, I understand your scenario, and the following are some of the concepts/guides which should help connect such resources to Azure using Azure Monitor Agent.

    1. Onboard the on-premises VMs to Azure Arc using Azure Private Link - I am assuming that the DC machines in this case are on-prem machines which need to send monitoring telemetry to the LA workspace (in case they are Azure VMs, you can directly skip to the second point). This allows you to connect your on-premises or multicloud servers with Azure Arc and send all traffic over an Azure ExpressRoute or site-to-site VPN connection instead of using public networks.
    2. Enable network isolation for Azure Monitor Agent by using Private Link

    In this approach, the Log Analytics gateway will not be required. I will enquire further about this and update this thread with additional information.

    Hope this helps.
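    Once the Private Link path described in the answer above is in place, a practitioner will want to confirm from the DC itself that the Arc and Azure Monitor hostnames resolve to private-endpoint addresses and not to public IPs. The following PowerShell is an added example, not code from the thread or from Microsoft; the `<region>`, `<workspace-id>` and DCE hostname values are placeholders to be replaced with your own.

    ```powershell
    # Added example (not from the thread): check, from the DC, that the Azure Arc and
    # Azure Monitor endpoints resolve to Private Link (RFC 1918) addresses and that
    # TCP 443 is reachable over that private path. Uses only built-in Windows cmdlets.
    # Placeholders below must be replaced with your own values.

    $Region      = '<region>'        # Azure region of the Arc private link scope
    $WorkspaceId = '<workspace-id>'  # Log Analytics workspace (customer) ID
    # Copy the two DCE hostnames from the data collection endpoint's overview blade.
    $DceConfigHost = '<dce-configuration-access-endpoint-hostname>'
    $DceIngestHost = '<dce-logs-ingestion-endpoint-hostname>'

    # Hostnames that are served through private endpoints when Private Link is configured.
    $PrivateLinkHosts = @(
        'gbl.his.arc.azure.com',
        "$Region.his.arc.azure.com",
        'agentserviceapi.guestconfiguration.azure.com',
        "$WorkspaceId.ods.opinsights.azure.com",
        "$WorkspaceId.oms.opinsights.azure.com",
        $DceConfigHost,
        $DceIngestHost
    )

    function Test-PrivateIPv4 {
        # True for RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
        param([Parameter(Mandatory)][string]$Address)
        $o = [int[]]($Address.Split('.'))
        return ($o[0] -eq 10) -or
               ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
               ($o[0] -eq 192 -and $o[1] -eq 168)
    }

    foreach ($h in $PrivateLinkHosts) {
        # Follow CNAME chains and keep only the final A records.
        $ips = (Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' }).IPAddress
        if (-not $ips) {
            Write-Warning "$h : no A record (check the private DNS zones linked to this network)"
            continue
        }
        foreach ($ip in $ips) {
            $path = if (Test-PrivateIPv4 $ip) { 'private endpoint' } else { 'PUBLIC address' }
            $tcp  = Test-NetConnection -ComputerName $ip -Port 443 -WarningAction SilentlyContinue
            $ok   = if ($tcp.TcpTestSucceeded) { 'open' } else { 'blocked' }
            Write-Output ("{0,-55} {1,-15} {2,-16} TCP/443 {3}" -f $h, $ip, $path, $ok)
        }
    }
    ```

    A row reporting a PUBLIC address means that hostname is still going out via public DNS, so either the private DNS zone is not linked to the DC's network or the private endpoint does not cover that service. Note that management.azure.com and login.microsoftonline.com are not served through Private Link and must still be reachable by another route (for example ExpressRoute Microsoft peering) for Arc onboarding to complete.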

