Azure portal access to app insights and log analytics workspace set to private

Matthew 0 Reputation points
2025-04-23T14:42:39.0266667+00:00

Hi,

I had a task to disable public access to the Log Analytics workspace and App Insights. I have read the Microsoft documentation and I have made a private endpoint and a private link scope. Now I can access the App Insights logs on a machine on the VNet which has a private endpoint to the private link scope, but what I want is to have access to those logs on my PC in the Azure portal, which is obviously outside of the VNet. How do I do this? I have tried a network security perimeter with the Log Analytics workspace as an associated resource and adding my IP to the inbound rules, but it does not help.

Azure Private Link

2 answers

  1. Vahid Ghafarpour 23,385 Reputation points Volunteer Moderator
    2025-04-23T16:07:29.56+00:00

    I'd set up a hybrid DNS setup that allows resolution of the private endpoint from your local machine (via VPN or ExpressRoute), that requires:

    VPN Gateway / ExpressRoute to your on-prem network

    DNS forwarders to Azure DNS to resolve private link zones


  2. Sindhuja Dasari 1,520 Reputation points Microsoft External Staff Moderator
    2025-04-23T17:04:52.6633333+00:00

    Hello Matthew

    I understand that you need to disable public access to log analytics workspace and app insights. You are on the right track with private endpoints and Azure Monitor private link scope, so any access (including from the Azure portal on your PC) must go through a private path.

    Since your PC is outside the VNet, accessing logs using Azure portal is not possible as you disabled the public access.

    Here are a few options to allow access:

    1. Use a VPN (Site-to-Site or Point-to-Site)

    Connecting your local machine to the Azure VNet via VPN will make it part of the virtual network:

    • Set up a Point-to-Site VPN on the Azure Virtual Network Gateway.

    • Connect from your PC using the VPN client.

    • Once connected, you’ll be able to access logs through the Azure Portal.

    2. Access via Bastion

    Deploy a VM within the VNet (or a peered one) that can access the private endpoint.

    You can then:

    • Use Azure Bastion to securely RDP or SSH into the VM.

    • Open the Azure Portal from a browser on that VM, and access Log Analytics or Application Insights.

    Since the traffic originates from within the VNet, private endpoint access will work as expected.

    3. Temporarily Enable Public Access (IP-Restricted)

    If VPN or Bastion isn’t feasible and you need temporary access:

    • Go to the Log Analytics Workspace > Networking section.

    • Set Public Network Access to “Enabled from selected networks.”

    • Add your PC’s public IP address to the firewall rule list. This allows you to access the workspace from your current machine, while still restricting exposure to known IPs.


    Please don’t forget to close the thread by clicking "Accept the answer" and "Yes" wherever the information provided helps you, as this can be beneficial to other community members.
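
Both answers depend on the client resolving the Azure Monitor hostnames to the private endpoint once the VPN and DNS forwarding are in place. The following check is an added example, not part of either answer: it resolves those hostnames with the OS resolver and reports whether each one lands in the private endpoint subnet. The workspace ID and the subnet CIDR are placeholders to replace with your own values.

```python
import ipaddress
import socket

# Assumptions (placeholders, not values from the thread):
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
PE_SUBNETS = ["10.1.2.0/24"]  # subnet holding the private endpoint

# Azure Monitor query API hosts and one workspace-specific data endpoint.
ENDPOINTS = [
    "api.loganalytics.io",
    "api.applicationinsights.io",
    f"{WORKSPACE_ID}.ods.opinsights.azure.com",
]


def system_resolver(host):
    """Resolve with the OS resolver; return a sorted list of IP strings."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0].split("%")[0] for info in infos})


def classify(addresses, pe_subnets):
    """'private-link' if every address is in a private endpoint subnet,
    'public' if none is, 'mixed' for split answers, 'unresolved' if empty."""
    if not addresses:
        return "unresolved"
    nets = [ipaddress.ip_network(n) for n in pe_subnets]
    hits = [any(ipaddress.ip_address(a) in n for n in nets) for a in addresses]
    if all(hits):
        return "private-link"
    return "mixed" if any(hits) else "public"


def check_endpoints(endpoints, pe_subnets, resolver=system_resolver):
    """Map each hostname to (verdict, addresses)."""
    report = {}
    for host in endpoints:
        addrs = resolver(host)
        report[host] = (classify(addrs, pe_subnets), addrs)
    return report


if __name__ == "__main__":
    for host, (verdict, addrs) in check_endpoints(ENDPOINTS, PE_SUBNETS).items():
        print(f"{verdict:12} {host} -> {', '.join(addrs) or '-'}")
```

A `public` or `mixed` verdict while the VPN is connected means the client is not using the DNS forwarder for the private link zones. A browser with DNS-over-HTTPS enabled bypasses the OS resolver, so it can still get public answers even when this check reports `private-link`.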

