firewall policy/requirements to authorize access of Azure Monitor Agents for on-prem servers

Riadh Zehani 125 Reputation points
2023-10-31T16:43:28.3466667+00:00

I am currently working with a client who has on-premises servers that need to be protected using Defender for Cloud with the Azure Monitor agent. The client wants me to provide a flow matrix to restrict internet access via the firewall. I am feeling confused because there are numerous URLs that need authorization.

Please note that the agent will communicate through a firewall, and there will be traffic restrictions.

Should I put the URL of the log analytic workspace in the destination column, or should it be 'outbound (internet)'?

The source column represents the IP address of the host, whether it's a Microsoft or Linux server.

I used this link:

https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-data-collection-endpoint?tabs=PowerShellWindows

Or should I use this link:

URL: https://learn.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud

and allow all the URLs found there?

Please guide me.


Accepted answer
  1. AnuragSingh-MSFT 20,986 Reputation points
    2023-11-03T07:53:06.1966667+00:00

    Riadh Zehani, thank you for posting this question on Microsoft Q&A.

    The second link provided in the question is only applicable when you want to be able to access the Azure portal seamlessly. However, I think your main aim here is to be able to monitor these on-prem VMs through Azure Monitor Agent; therefore, the URLs/ports in the first link are applicable, which are listed under:

    Define Azure Monitor Agent network settings

    Regarding your other question - outbound vs destination, I am not sure if I understand the question correctly. Both outbound and destination-bound mean the same thing - a network connection initiated from the VM/server.

    In this case, the AMA initiates the connection (as mentioned in the table using Direction=Outbound) with the Azure Monitor endpoint; therefore, on the firewall, the connection from the internal network (VM network) should be allowed to the listed endpoints. In this case, you will have to put the Destination as the endpoints, as shown in your table.

    Hope this helps.

    If the answer did not help, please add more context or a follow-up question, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.

    1 person found this answer helpful.
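As an added example (not part of the accepted answer or of Microsoft's documentation), the script below builds the flow matrix described above: one outbound TCP/443 row per on-prem host and AMA endpoint, with the host IP as the source and the endpoint FQDN as the destination, and then checks constructed firewall log lines against it to spot flows the matrix would not cover. The endpoint templates are an assumption based on my recollection of the linked "Define Azure Monitor Agent network settings" page and must be verified against the current version of that page; the log lines are constructed.

```python
import csv
import fnmatch
import io

# Endpoint templates as recalled from the "Define Azure Monitor Agent network
# settings" doc (assumption: verify against the current page before use).
AMA_ENDPOINT_TEMPLATES = [
    "global.handler.control.monitor.azure.com",
    "{region}.handler.control.monitor.azure.com",
    "{workspace_id}.ods.opinsights.azure.com",
    "management.azure.com",
    "{region}.monitoring.azure.com",
]

def build_flow_matrix(hosts, region, workspace_id):
    """One outbound TCP/443 row per (on-prem host, AMA endpoint) pair."""
    dests = [t.format(region=region, workspace_id=workspace_id)
             for t in AMA_ENDPOINT_TEMPLATES]
    return [(h, d, 443, "TCP", "Outbound") for h in hosts for d in dests]

def to_csv(rows):
    """Render the matrix in the source/destination layout the question uses."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["source", "destination", "port", "protocol", "direction"])
    w.writerows(rows)
    return buf.getvalue()

def is_allowed(rows, source, dest, port):
    """True if some row covers the flow; '*' in a row's destination is a wildcard."""
    return any(s == source and p == port and fnmatch.fnmatchcase(dest, d)
               for s, d, p, _, _ in rows)

# Constructed firewall log lines: "<src-ip> <dst-fqdn> <port> <action>".
SAMPLE_FIREWALL_LOG = [
    "10.1.0.5 global.handler.control.monitor.azure.com 443 allow",
    "10.1.0.5 westeurope.handler.control.monitor.azure.com 443 allow",
    "10.1.0.5 updates.example.net 443 deny",             # not an AMA endpoint
    "10.1.0.5 westeurope.monitoring.azure.com 80 deny",  # right host, wrong port
]

def find_uncovered(rows, log_lines):
    """Return (src, dst, port) for logged flows the matrix would not permit."""
    uncovered = []
    for line in log_lines:
        src, dst, port, _action = line.split()
        if not is_allowed(rows, src, dst, int(port)):
            uncovered.append((src, dst, int(port)))
    return uncovered
```

Running `find_uncovered` over a real allow/deny export is a quick way to confirm the matrix covers every endpoint the agent actually contacts before the firewall change goes live.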
