Send Azure monitor alerts to Dynatrace webhook with Logic Apps

Marcia Pelaez 1 Reputation point
2023-05-23T01:31:22.9466667+00:00

Hello,

I'm trying to set up a Standard Logic App (Terraform) to send Azure Monitor alerts to Dynatrace using a Dynatrace webhook. The Dynatrace ActiveGate IaaS servers are in Azure and traffic needs to use private endpoints. The following document says that a third-party (MoogSoft) application has to be used, but we need a native Azure alternative:

https://learn.microsoft.com/en-us/answers/questions/672417/azure-monitor-alert-action-webhook-over-private-ne

Would it be possible if I just turn on private endpoints? The whole network is secured by Private Link.

Thank you


1 answer

  1. Luis Arias 6,621 Reputation points
    2023-11-14T21:29:41.05+00:00

    Hello Marcia,

    There are many considerations in this implementation; let me start by responding to your Azure network question. Yes, you can use Private Link with Azure Monitor services (https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-security); however, the traffic that you want to secure originates from Azure Monitor, as in the scenarios below:

    • Scenario 1: Alerts call the webhook of the Dynatrace ActiveGate server.

    Azure monitor ---Send Alert(Outbound)--> Activegate

    https://docs.dynatrace.com/docs/setup-and-configuration/setup-on-cloud-platforms/microsoft-azure-services/azure-integrations/azure-monitoring-guide/set-up-integration-with-azure-alerts#step-3

    • Scenario 2: Alerts trigger Logic Apps, and Logic Apps sends to the ActiveGate server.

    Azure monitor --Trigger(Outbound)-->Logic Apps workflow

    https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-logic-apps?tabs=send-email

    Private Link is primarily designed for inbound traffic, meaning it allows Azure resources to securely access Azure PaaS services over a private IP address within your virtual network.

    So from the network perspective you can focus on securing the incoming traffic to the ActiveGate server from Azure Monitor:

    Activegate server <-- Receive Alerts(Incoming) -- Azure monitor

    To secure this communication you can add an NSG (if it isn't deployed yet) and only add a network rule for your ActiveGate server:

    # Variables (replace with your actual values)
    resourceGroup="<resource-group-name>"
    nsgName="<nsg-name>"
    ruleName="<rule-name>"
    
    # Create the inbound rule
    az network nsg rule create --resource-group "$resourceGroup" --nsg-name "$nsgName" --name "$ruleName" --protocol Tcp --direction Inbound --priority 100 --source-address-prefixes "AzureMonitor" --source-port-ranges "*" --destination-address-prefixes "<activegateserver-ip>" --destination-port-ranges "*" --access Allow
    
    

    On the other hand, the Private Link service for Azure Monitor will help you secure another part of your cloud architecture, for example: (https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-configure)

    Virtual Machine -- Diagnostic setting (Outbound)-- Azure monitor (Through Private link service)

    So this will definitely help to harden your cloud environment.

    Cheers,

    Luis Arias


    If the information helped address your question, please Accept the answer.
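
A check for the NSG rule in the answer above, as an added example that is not part of the original answer: it reads rules shaped like `az network nsg rule list --output json` output and flags inbound Allow rules from the `AzureMonitor` service tag that reach beyond the ActiveGate address or leave ports or protocol open. The sample rules, their names, the port 443 and the address 10.0.1.4 are constructed assumptions.

```python
import json

# Constructed sample shaped like `az network nsg rule list --output json`;
# rule names, port 443 and 10.0.1.4 (ActiveGate IP) are made-up values.
SAMPLE_RULES = json.loads("""
[
  {"name": "allow-monitor-to-activegate", "priority": 100, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "AzureMonitor",
   "destinationAddressPrefix": "10.0.1.4", "destinationPortRange": "*"},
  {"name": "allow-monitor-anywhere", "priority": 110, "direction": "Inbound",
   "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureMonitor",
   "destinationAddressPrefix": "*", "destinationPortRange": "443"},
  {"name": "allow-monitor-webhook", "priority": 120, "direction": "Inbound",
   "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "AzureMonitor",
   "destinationAddressPrefix": "10.0.1.4", "destinationPortRange": "443"},
  {"name": "deny-all-inbound", "priority": 4096, "direction": "Inbound",
   "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
   "destinationAddressPrefix": "*", "destinationPortRange": "*"}
]
""")

def _values(rule, single, plural):
    """az emits either the singular field or the plural list; merge both."""
    merged = list(rule.get(plural) or [])
    if rule.get(single):
        merged.append(rule[single])
    return merged

def audit_service_tag_rules(rules, tag, allowed_destinations):
    """Return {rule name: [findings]} for inbound Allow rules sourced from `tag`."""
    findings = {}
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if tag not in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes"):
            continue
        issues = []
        dests = _values(rule, "destinationAddressPrefix", "destinationAddressPrefixes")
        if any(d not in allowed_destinations for d in dests):
            issues.append("destination wider than ActiveGate")
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        if "*" in ports:
            issues.append("all destination ports open")
        if rule["protocol"] == "*":
            issues.append("any protocol")
        findings[rule["name"]] = issues
    return findings

print(audit_service_tag_rules(SAMPLE_RULES, "AzureMonitor", {"10.0.1.4"}))
```

An empty findings list means the rule admits the service tag only to the listed address, on explicit ports and a named protocol.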
