Application Insights - Network Isolation - Blocking public Access blocks queries but not data ingestion

Question

We're trying to utilize Application Insights Network Isolation and Azure Monitor Private Link Scopes, but we're not getting the expected behaviour.

When 'Accept data ingestion from public networks...' is set to no, it appears that data is still submitted. However, if we set 'Accept queries from public networks...' to no, access to the data is blocked. I'm using the Metrics graph as my test scenario. We're using private DNS and neither a computer on a peered VNET nor an on-prem computer can view the data. Private DNS entries look good for the Private Endpoint. The VNets are peered and other Private Links on the same VNet are accessible. It seems like the computers don't know to use the private IP addresses for this data. How do I resolve this?

I can see traffic on the private link by using Monitor - Network - Private Link . The application insight object is included within the Azure Monitor Private Link Scope.

Answer 1

Hi,

From your statement, it looks like the from the source, packets are routed to a public endpoint not via the private endpoint. So, can you make sure that the Private DNS Zone which you have created is linked with the VNET of source ?

Lets say the source is a VM in a VNET named VNET1, then you will need to make sure that the Private DNS Zone is linked to a VNET1. Only then the DNS resolution happens to the Private Endpoint.

Regards,
Karthik Srinivas