Hi, As part of my job, I need to create a custom table and send data to it via Log Ingestion API. The custom table lives in a Log Analytics Workspace. My InfoSec folks told me that the Data Collection Endpoint shouldn't be exposed directrly to internet, so I have to use a Private Enpoint. My questions: ¿Log Analytics and Data Collection Enpoints are supported by Private Endpoints?. Some links I've found: Configure your private link Data collection endpoints in Azure Monitor Regards Jona

Hi, Yes, when you create data collection endpoint you have the option to disable public network access. The data goes trough the endpoint before it is being processed by the data collection rule. Please " Accept the answer " if the information helped you. This will help us and others in the community as well.Update: It is already mentioned in the documentation: "With Azure Private Link , you can securely link Azure platform as a service (PaaS) resources to your virtual network by using private endpoints. Azure Monitor is a constellation of different interconnected services that work together to monitor your workloads. An Azure Monitor private link connects a private endpoint to a set of Azure Monitor resources to define the boundaries of your monitoring network. That set is called an Azure Monitor Private Link Scope (AMPLS)." So there is no private endpoint for data collection rule or Log Analytics workspace. You need AMPLS. Also from docs: "Log Analytics endpoints are workspace specific, except for the query endpoint discussed earlier. As a result, adding a specific Log Analytics workspace to the AMPLS will send ingestion requests to this workspace over the private link. Ingestion to other workspaces will continue to use the public endpoints." Data collection rules are created with data collection endpoints. The public access can be restricted on the data collection endpoint and the endpoint is associated to the AMPLS. All this information is available at: Use Azure Private Link to connect networks to Azure Monitor Design your Azure Private Link setup Configure your private link

Data Collection Endpoint and Log Analytics Workspace - Private Endpoint Support

Accepted answer

Stanislav Zhelyazkov 21,256 Reputation points MVP

2024-04-16T05:59:22.5966667+00:00
Hi,

Yes, when you create data collection endpoint you have the option to disable public network access. The data goes trough the endpoint before it is being processed by the data collection rule.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.Update:

It is already mentioned in the documentation:

"With Azure Private Link, you can securely link Azure platform as a service (PaaS) resources to your virtual network by using private endpoints. Azure Monitor is a constellation of different interconnected services that work together to monitor your workloads. An Azure Monitor private link connects a private endpoint to a set of Azure Monitor resources to define the boundaries of your monitoring network. That set is called an Azure Monitor Private Link Scope (AMPLS)."

So there is no private endpoint for data collection rule or Log Analytics workspace. You need AMPLS. Also from docs:

"Log Analytics endpoints are workspace specific, except for the query endpoint discussed earlier. As a result, adding a specific Log Analytics workspace to the AMPLS will send ingestion requests to this workspace over the private link. Ingestion to other workspaces will continue to use the public endpoints."

Data collection rules are created with data collection endpoints. The public access can be restricted on the data collection endpoint and the endpoint is associated to the AMPLS.

All this information is available at:

Use Azure Private Link to connect networks to Azure Monitor

Design your Azure Private Link setup

Configure your private link
Please sign in to rate this answer.

1 person found this answer helpful.
Jona 335 Reputation points

2024-04-16T12:22:53.4766667+00:00

Sorry my ignorance ... ¿If I disable public network access, a private endpoint is created?

and what about Log Analytics support for private endpoints?

Regards

Stanislav Zhelyazkov 21,256 Reputation points MVP

2024-04-17T10:23:18.3266667+00:00

Can you clarify you question and elaborate? Private endpoints are supported for Azure Monitor and the links you have posted describe exactly how it is done so I am not sure what more are you looking for or what is not clear from the docs.

Jona 335 Reputation points

2024-04-18T03:21:35.9866667+00:00

Yes of course, thanks for answering.

Context:

I need to sent telemetry to a custom table in Log Analytics WS via Log Ingestion API. To do so, I need to create firstly a Data Collection Endpoint

In order to comply InfoSec requirements of my company, DCE and Log analytics should not be exposed publicly to internet. As far I've read, both DCE and Log analytics should live in vnet or some kind of network isolation (AMPLS??). To understand all of this, I've helping my self with udemy:

Here, a new component appears: an Azure Monitor Private Link Scope. Let's omit all the grafana and prometheus stuff.

I don't know where the Vnet is placed here, since DCE and log analytics are privately exposed via AMPLS.

I'm just asuming many things, and I need some guidance. I could not see any private endpoint configuration to create one on log analytics neither on DCE, and figured out that to make private both resources, I need to attach them to an AMPLS...

It's quite overwheelming. Any guidance will help.

regards

Stanislav Zhelyazkov 21,256 Reputation points MVP

2024-04-18T07:21:13.35+00:00

It is already mentioned in the documentation:

"With Azure Private Link, you can securely link Azure platform as a service (PaaS) resources to your virtual network by using private endpoints. Azure Monitor is a constellation of different interconnected services that work together to monitor your workloads. An Azure Monitor private link connects a private endpoint to a set of Azure Monitor resources to define the boundaries of your monitoring network. That set is called an Azure Monitor Private Link Scope (AMPLS)."

So there is no private endpoint for data collection rule or Log Analytics workspace. You need AMPLS. Also from docs:

"Log Analytics endpoints are workspace specific, except for the query endpoint discussed earlier. As a result, adding a specific Log Analytics workspace to the AMPLS will send ingestion requests to this workspace over the private link. Ingestion to other workspaces will continue to use the public endpoints."

Data collection rules are created with data collection endpoints. The public access can be restricted on the data collection endpoint and the endpoint is associated to the AMPLS.

All this information is available at:

Use Azure Private Link to connect networks to Azure Monitor

Design your Azure Private Link setup

Configure your private link

Jona 335 Reputation points

2024-04-18T13:34:26.9+00:00

pls convert your comment to an answer, to mark it as as acceptable

Regards

Stanislav Zhelyazkov 21,256 Reputation points MVP

2024-04-18T13:43:42.93+00:00

Updated original answer with last comment.
Sign in to comment

Data Collection Endpoint and Log Analytics Workspace - Private Endpoint Support

0 additional answers