Azure network security perimeter for log analytic workspace

Question

Azure network security perimeter for log analytic workspace

Nana Poku 325

What is the best way to add inbound rule to network security perimeter for log analytic workspace. To help change both ingestion and query access to secure by perimeter.

2 answers

Your answer

Answer 1

Hi @ **Nana Poku,

**It sounds like you're looking to enhance the security of your Log Analytics Workspace by adding inbound rules to the network security perimeter. Here’s how you can approach this:

Define Your Security Perimeter: Start by accessing the Azure portal and navigating to the Network Security Perimeter menu. Here, you can create a new network security perimeter profile if you don't already have one.
Inbound Access Rules: Add inbound rules to specify which resources or IP ranges (like your VMs) can connect to your Log Analytics Workspace. For instance, you may want to include specific private IPs that will be making requests to your workspace.
Outbound Access Rules: While you're focusing on inbound rules, it’s also important to configure outbound rules that allow resources within the perimeter to access necessary services, like Azure Storage or Event Hubs, by specifying their Fully Qualified Domain Names (FQDNs).
Data Collection Endpoint: Ensure that your Data Collection Endpoint (DCE) and Log Analytics Workspace are linked properly under your Azure Monitor resources within the AMPLS (Azure Monitor Private Link Scope). This is essential for secure log ingestion.
Disable Public Network Access: Once your DCE is configured to work with AMPLS, make sure to disable public access to enhance security further.
DNS Configuration: Verify that the names for your API endpoints resolve to private IPs, ensuring that the traffic is routed securely. If they are resolving to public IPs, you may need to update your DNS settings accordingly.
Testing: After configuring everything, you should test querying your logs to ensure that the setup works as expected without any errors indicating public network access.

You can find more detailed steps in the following documentation:

Hope this helps you secure your Log Analytics Workspace effectively! If you have any more questions or need further assistance, feel free to ask!

Answer 2

Marcin Policht 67,980 MVP Volunteer Moderator

Begin by opening the Log Analytics workspace in the Azure portal and switching both ingestion and query access modes to “perimeter only.” This links or creates the perimeter that governs access. Once secure access is active, you navigate to the Network Security Perimeter resource. Inside the perimeter configuration, you add inbound rules that define which sources may send data to the workspace or query it. A rule specifies a source such as a virtual network, subnet, private endpoint, virtual machine, AKS cluster or other Azure resource, and identifies the workspace as the destination. It also specifies whether the access granted is for ingestion, for query, or for both. By doing this, you explicitly allow only those sources that should legitimately interact with the workspace, while the workspace blocks all access from outside the perimeter.

For stronger isolation, consider using Private Link by creating a Log Analytics Private Link Scope and associating the workspace. Placing the private endpoints inside your virtual network and then allowing that network through the perimeter gives you a fully private, controlled path for both ingestion and querying. This reduces exposure and ensures that no access occurs over public endpoints. Note that some Azure-originated pipelines, such as certain diagnostic settings, require resource-based onboarding rather than network-based access, so the inbound rules must reflect this by granting access to the originating resource’s identity rather than a subnet. Once all required rules are in place, switch ingestion and query to “perimeter only”.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Nana Poku 325 Reputation points

2025-12-03T08:28:40.66+00:00

Do i need to create the private endpoint or private link as suggested if I my inbound source type will be subscription?
Marcin Policht 67,980 Reputation points MVP Volunteer Moderator

2025-12-03T11:47:14.4233333+00:00

You do not need to create a private endpoint or Private Link if your inbound source type in the Network Security Perimeter will be a subscription. When you use a subscription as the inbound source, Azure treats every resource within that subscription as an allowed source for ingestion and query traffic to the Log Analytics workspace, regardless of whether they send data over public endpoints. In this model the perimeter rule itself provides the access control, and the workspace will accept traffic from those resources without requiring a private network path.

However, using a subscription-level rule does not give you network isolation. Traffic still flows over the public ingestion and query endpoints, even though access is restricted by the perimeter. If your goal is simply to control which resources can reach the workspace, then the subscription-level perimeter rule is enough and no private endpoint is required. If your goal also includes ensuring that all traffic stays inside your private network boundary, preventing exposure to the public internet, then a private endpoint or Private Link Scope becomes necessary. Without Private Link, the workspace remains reachable only to permitted resources but still through public service IPs rather than private network routes.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Nana Poku 325 Reputation points

2025-12-05T18:09:03.8633333+00:00

Hi @Marcin Policht Thanks for the detailed analysis of the subscription inbound rule for NSP. I’ve configured only inbound access rules for both ingestion and query access. The ingestion access is working as expected after enabling "Secured by Perimeter," but I’m getting an error when running a query, which appears to be related to query logs. Do I need to create outbound access rules for this to work?
Marcin Policht 67,980 Reputation points MVP Volunteer Moderator

2025-12-05T20:10:50.0033333+00:00

You might want to verify that the query traffic actually originates from a source that is represented by your inbound rules. User-driven querying through the Azure Portal, CLI, or a local client does not come from a resource inside your subscription and would not qualify as an allowed source.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Nana Poku 325 Reputation points

2025-12-05T23:04:08.28+00:00

Thanks for this, so user-driven querying through the Azure Portal, which does not come from a resource inside your subscription and would not qualify as an allowed source. How to I approach this to resolve the query error? allow FQDN's?
Marcin Policht 67,980 Reputation points MVP Volunteer Moderator

2025-12-05T23:46:31.2133333+00:00

AFAIK, allowing FQDNs will not solve the problem because the perimeter does not evaluate domain names; it evaluates whether the query request originates from an allowed Azure resource or private network. Since portal-based querying comes from Microsoft-hosted infrastructure rather than anything in your subscription, you'd need to create a controlled path from inside your own environment and then point your query traffic through it. You should be able to accomplish this by creating a Private Link Scope for the Log Analytics workspace, deploy a private endpoint into a virtual network you control, and then add that virtual network or the specific private endpoint as an inbound source in the perimeter. Once this is in place, you access the workspace through that private endpoint rather than the public portal endpoint, which means all query requests originate from the allowed private network.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Share via

Azure network security perimeter for log analytic workspace

2 answers

Your answer