I am currently working with a client who has on-premises servers that need to be protected using Defender for Cloud with the Azure Monitor agent. The client wants me to provide a flow matrix to restrict internet access via the firewall. I am feeling confused because there are numerous URLs that need authorization. Please note that the agent will communicate through a firewall, and there will be traffic restrictions. Should I put the URL of the log analytic workspace in the destination column, or should it be 'outbound (internet)'? The source column represents the IP address of the host, whether it's a Microsoft or Linux server. I used this link: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-data-collection-endpoint?tabs=PowerShellWindows or should i use this link : URL : <a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fazure%2Fazure-portal%2Fazure-portal-safelist-urls%3Ftabs%3Dpublic-cloud&data=05%7C01%7CRiadh.Zehani%40tn.ey.com%7Ccf37634117a140366ca008dbdaae8f92%7C5b973f9977df4bebb27daa0c70b8482c%7C0%7C0%7C638344215769421254%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=KInMHQgx5NZ6ZjXbYUdF5xx2yTdhBUj1viADB7eTOx4%3D&reserved=0" rel="ugc nofollow">https://learn.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud and activate all the URLs found there?" Please guide me.

Riadh Zehani , thank you for posting this question on Microsoft Q&A. The second link provided in the question is only applicable when you want to be able to access the Azure portal seamlessly. However, I think your main aim here is to be able to monitor these on-prem VMs through Azure Monitor Agent, therefore, the URLs/Post in the first link is applicable, which is: Define Azure Monitor Agent network settings Regarding your other question - outbound vs destination, I am not sure if I understand the question correctly. Both outbound and destination bound means the same thing - a network connection initiated from the VM/server. In this case, the AMA initiates the connection (as mentioned in the table using the Direction=Outbound) with Azure Monitor endpoint, therefore on firewall the connection from the internal network (VM network) should be allowed to listed endpoints . In this case, you will have to put the Destination as the Endpoints, as shown in your table. Hope this helps. If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.

firewall policy/requirements to authorize access of Azure Monitor Agents for on-prem servers

Accepted answer

AnuragSingh-MSFT 21,251 Reputation points

2023-11-03T07:53:06.1966667+00:00

Riadh Zehani, thank you for posting this question on Microsoft Q&A.

The second link provided in the question is only applicable when you want to be able to access the Azure portal seamlessly. However, I think your main aim here is to be able to monitor these on-prem VMs through Azure Monitor Agent, therefore, the URLs/Post in the first link is applicable, which is:

Define Azure Monitor Agent network settings

Regarding your other question - outbound vs destination, I am not sure if I understand the question correctly. Both outbound and destination bound means the same thing - a network connection initiated from the VM/server.

In this case, the AMA initiates the connection (as mentioned in the table using the Direction=Outbound) with Azure Monitor endpoint, therefore on firewall the connection from the internal network (VM network) should be allowed to listed endpoints. In this case, you will have to put the Destination as the Endpoints, as shown in your table.

Hope this helps.

If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.
Please sign in to rate this answer.

1 person found this answer helpful.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Riadh Zehani 125 Reputation points

2023-11-04T05:59:16.72+00:00

Hello @AnuragSingh-MSFT ,

I would like to express my gratitude for your support regarding this question.

The client wants to receive the table of matrices detailing the connections initiated from the AMA agent installed on the on-premises servers to the Azure endpoints in the cloud, facilitated through rules and policies on the firewall.

I kindly request your confirmation on whether the provided matrix table is accurate or if it requires an update. Specifically, I need to know if I should only use the following URL: <log-analytics-workspace-id>.ods.opinsights.azure.com, as the agent is directly connected to the Log Analytics workspace. Alternatively, are there other URLs that I should configure on the firewall rules to ensure the agent can connect seamlessly to the Log Analytics workspace? I am currently confused about the URLs that should be added to the firewall rules for the agent to establish a secure connection to the Log Analytics workspace.

Here is the matrix table (please confirm it) :

Source Destination

Windows/Linux Server <log-analytics-workspace-id>.ods.opinsights.azure.com

<log-analytics-workspace-id>.ods.opinsights.azure.com Windows/Linux Server

AnuragSingh-MSFT 21,251 Reputation points

2023-11-07T06:43:54.14+00:00

Riadh Zehani, thank you for the reply.

All the URLs mentioned in the table "Firewall requirements". are required. The corresponding purpose column mentions the requirement for these URLs.

In your last reply, I see that you are trying to add bidirectional rules on firewall which are not required. Only the first scenario is required - Windows/Linux Server ----> Log-analytics URL.

The following is a high-level overview of how the outbound TCP connection happens through firewall.

Suppose you added an outbound rule on firewall to let connection go from VM to Azure.

When VM makes a connection to Azure via firewall, the detail of this connection is also tracked in firewall and in network packets being sent out. When the reply comes from Azure, the firewall will not block it.

Therefore, even though the communication happens in 2-way fashion, you don't have to add 2 way rule on firewall. For more detail, see the discussion below:

How does a firewall know not to block response packets?

In the list of URLs mentioned for AMA, you only will have to create outbound rule for the connection to be established from VM side.

Furthermore, there is another way to add these rules on firewall using Virtual network service tags. If you just add these tags on Azure firewall, the required settings are automatically done and considered for connection related to AMA. For details, see Virtual network service tags.

Hope this helps. If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.
Sign in to comment

Share via

firewall policy/requirements to authorize access of Azure Monitor Agents for on-prem servers

2 additional answers

Source	Destination
Windows/Linux Server	<log-analytics-workspace-id>.ods.opinsights.azure.com
<log-analytics-workspace-id>.ods.opinsights.azure.com	Windows/Linux Server