Azure Monitor Private Link Scope (AMPLS) in a Peered Vnet not working

Azure Dev 5 Reputation points
2024-01-13T18:32:18.21+00:00

I have a set-up where I have 2 virtual networks that are peered.

I have a requirement to disable public access for Azure Monitor services. So I looked at enabling AMPLS and followed the steps mentioned here: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-configure. In my setup I have a RG in EastUs2 with the following resources:

  • VNet HubVnet (10.1.0.0/16)
    • Subnets:
      • sn-default (10.1.0.0/24)
      • sn-spp (10.1.2.0/24)
      • sn-pe-ampls (10.1.3.0/24)
  • VNet ChildHub (10.2.0.0/16)
    • Subnets:
      • sn-default
      • sn-app-1
  • Azure Function Premium app, configured for public incoming and VNet-injected for outgoing requests
    • Virtual network integration: vnet-child-hub-a/sn-app-1
    • Has an App Insights resource
    • Has an HTTP trigger function
  • AMPLS
    • Created an AMPLS object
    • Private endpoint for AMPLS, using HubVnet and subnet sn-pe-ampls (10.1.3.0/24)
      • I have not set up any UDR or NSG
    • Ingestion access mode and query access mode are set to Open
  • App Insights
    • Has a workspace associated
    • Network isolation enabled
    • Selected the AMPLS object
    • Accept data ingestion from public networks not connected through a Private Link Scope: NO
    • Accept queries from public networks not connected through a Private Link Scope: YES
    • Same settings as above in the Log Analytics workspace too, and it was also added to the AMPLS scope

When I trigger the Azure function app, I don't see anything in my App Insights. It is totally blank.
2 answers

  1. Azure Dev 5 Reputation points
    2024-01-17T16:03:15.49+00:00

    AMPLS is indeed very complex. I got this issue resolved by adding a network link to the VNet configured with my Azure Function. I did the following:

    Navigate to AMPLS > Private Endpoint > DNS Configurations > Private DNS Zones. Go to each private DNS zone, navigate to Virtual network links and add a new network link. In my case, I added a link to Vnet-childhub. I did this for the 5 private DNS zones, and then I was able to see data being ingested into my App Insights.

    Another point to keep in mind is that there is a limit of 1000 App Insights per AMPLS; if you need more than one, you will have to take a very close look at your network topology. In the lab, I used the default Azure DNS and that allows 2 AMPLS to work, but in a real network with custom DNS, it is not straightforward to add more than 1 AMPLS. As Microsoft suggests, for a single DNS environment, stick to a single AMPLS.

    0 comments No comments
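A way to confirm the symptom before and after applying the fix above, as an added example that is not part of the original answer: gather what the Azure Monitor hostnames resolve to from the function's integration subnet and check that each lands in the AMPLS private-endpoint subnet (10.1.3.0/24 from the question), which is only the case once the private DNS zones are linked to the spoke VNet; `ampls_link_zones` then applies the answer's fix with Azure CLI. The five zone names are the ones an AMPLS private endpoint's DNS zone group creates; the hostnames and resolved IPs in the sample are constructed, and `in_cidr`, `check_private_resolution` and `ampls_link_zones` are helpers written for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes the five private DNS zones
# created by the AMPLS private endpoint's DNS zone group and the PE subnet 10.1.3.0/24.
AMPLS_ZONES="privatelink.monitor.azure.com privatelink.oms.opinsights.azure.com \
privatelink.ods.opinsights.azure.com privatelink.agentsvc.azure-automation.net \
privatelink.blob.core.windows.net"

ip_to_int() {                 # dotted quad -> 32-bit integer
  local IFS=.; set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {                   # in_cidr <ip> <cidr>: exit 0 if ip lies inside cidr
  local net=${2%/*} bits=${2#*/}
  local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}
# Reads "<host> <resolved-ip>" lines (e.g. nslookup results gathered from the
# function's integration subnet) and flags hosts that still resolve to public IPs.
check_private_resolution() {  # check_private_resolution <pe-subnet-cidr>
  local cidr=$1 host ip rc=0
  while read -r host ip; do
    [ -n "$host" ] || continue
    if in_cidr "$ip" "$cidr"; then
      echo "ok      $host -> $ip"
    else
      echo "PUBLIC  $host -> $ip  (private DNS zone not linked to this VNet?)"; rc=1
    fi
  done
  return $rc
}

# Remediation from the answer: link every AMPLS zone to the peered spoke VNet.
ampls_link_zones() {          # ampls_link_zones <zone-resource-group> <spoke-vnet-resource-id>
  local rg=$1 vnet_id=$2 zone
  for zone in $AMPLS_ZONES; do
    az network private-dns link vnet create --resource-group "$rg" --zone-name "$zone" \
      --name "link-${vnet_id##*/}" --virtual-network "$vnet_id" --registration-enabled false
  done
}
# Constructed sample: two hosts already resolve into 10.1.3.0/24, one still does not.
SAMPLE_RESOLUTION='eastus2-0.in.applicationinsights.azure.com 10.1.3.5
api.loganalytics.io 10.1.3.6
example-workspace.ods.opinsights.azure.com 203.0.113.10'

if printf '%s\n' "$SAMPLE_RESOLUTION" | check_private_resolution 10.1.3.0/24; then
  echo "all Azure Monitor hosts resolve via the private endpoint"
else
  echo "some hosts still resolve publicly; run ampls_link_zones for the spoke VNet" >&2
fi
```

Run the check again after linking the zones; any line still marked PUBLIC points at a zone whose virtual network link to the spoke VNet is missing.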
