Azure Monitor Private Link Scope (AMPLS) in a Peered Vnet not working
I have a set-up where I have 2 virtual networks that are peered.
I have a requirement to disable public access for Azure Monitor services. So I looked at enabling AMPLS, and followed the steps mentioned in here: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-configure

In my set up I have a RG in EastUs2 with the following resources:

- VNet HubVnet (10.1.0.0/16)
  - Subnets:
    - sn-default (10.1.0.0/24)
    - sn-spp (10.1.2.0/24)
    - sn-pe-ampls (10.1.3.0/24)
- VNet ChildHub (10.2.0.0/16)
  - Subnets:
    - sn-default
    - sn-app-1
- Azure Function Premium app, configured for public incoming and VNet injected for outgoing requests
  - Virtual network integration: vnet-child-hub-a/sn-app-1
  - Has an App Insight resource
  - Has an http trigger function
- AMPLS
  - Created an AMPLS object
  - Private endpoint for AMPLS, used the HubVnet and subnet: sn-pe-ampls (10.1.3.0/24)
  - I have not set up any UDR or NSG
  - Ingestion Access Mode and Query access mode is set to Open
- App Insight
  - Has a workspace associated
  - Network isolation enabled
  - Selected the AMPLS object
  - Accept data ingestion from public networks not connected through a Private Link Scope set to NO
  - Set Accept queries from public networks not connected through a Private Link Scope to YES
  - Same above settings in Log Analytics workspace too and it was also added to AMPLS scope
2 answers
Answer by Azure Dev, 2024-01-17T16:05:49.1833333+00:00:

AMPLS is indeed very complex. I got this issue resolved by adding a network link to my VNet configured with my Az Function. Did the following:

1. Navigate to AMPLS > Private Endpoint > DNS Configurations > Private DNS Zones.
2. Go to each private DNS zone, navigate to virtual network link and add a new network link. In my case, I added a link to Vnet-childhub.

Did this for the 5 private DNS zones and then I was able to see data being ingested into my App Insights.

Another point to keep in mind is there is a limit of 1000 App Insights per AMPLS; if you need more than one, you will have to take a very close look at your network topology. In the lab, I used the default Azure DNS and that allows for 2 AMPLS to work, but in a real network with custom DNS, it is not straightforward to add more than 1 AMPLS. As Microsoft suggests, for a single DNS environment, stick to a single AMPLS.
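The fix in the answer above is a portal procedure; the script below is an added example (not the poster's commands) that does the same thing with the Azure CLI, linking a peered VNet such as ChildHub to the five Private DNS zones an AMPLS private endpoint uses, and skipping zones that already carry a link so it is safe to re-run. It assumes the zones live in the resource group passed as the first argument; the resource group, VNet ID and link name are placeholders you supply.

```shell
#!/usr/bin/env sh
# Added example: link a (peered) VNet to the Private DNS zones used by an
# AMPLS private endpoint, so VMs/Functions in that VNet resolve the Azure
# Monitor endpoints to the private endpoint's IPs instead of public ones.
set -eu

# The five private DNS zones Azure Monitor Private Link relies on
# (as documented by Microsoft for AMPLS private endpoints).
AMPLS_ZONES="privatelink.monitor.azure.com
privatelink.oms.opinsights.azure.com
privatelink.ods.opinsights.azure.com
privatelink.agentsvc.azure-automation.net
privatelink.blob.core.windows.net"

# link_vnet_to_ampls_zones RESOURCE_GROUP VNET_RESOURCE_ID LINK_NAME
# Creates a virtual network link (auto-registration off) in each zone
# that does not already have one for that VNet. Progress goes to stderr;
# the number of links created is printed to stdout.
link_vnet_to_ampls_zones() {
  rg=$1; vnet_id=$2; link_name=$3
  created=0
  for zone in $AMPLS_ZONES; do
    # Count existing links in this zone that point at the target VNet.
    # Note: resource IDs are compared as exact strings here.
    existing=$(az network private-dns link vnet list \
      --resource-group "$rg" --zone-name "$zone" \
      --query "length([?virtualNetwork.id=='$vnet_id'])" -o tsv)
    if [ "$existing" != "0" ]; then
      echo "skip:   $zone already linked to $vnet_id" >&2
      continue
    fi
    az network private-dns link vnet create \
      --resource-group "$rg" --zone-name "$zone" --name "$link_name" \
      --virtual-network "$vnet_id" --registration-enabled false -o none
    echo "linked: $zone -> $vnet_id" >&2
    created=$((created + 1))
  done
  echo "$created"
}

# Only act when explicitly asked, so the file can also be sourced.
if [ "${AMPLS_APPLY:-0}" = "1" ]; then
  link_vnet_to_ampls_zones "$@"
fi
```

Run it as `AMPLS_APPLY=1 sh link-ampls-zones.sh <resource-group> <vnet-resource-id> <link-name>` (hypothetical file name); after it completes, an `nslookup` of the ingestion hostname from inside the linked VNet should return a private IP from the sn-pe-ampls range rather than a public one.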