Azure Arc Private Link scope and AMA logs

Sadik Karadag 21 Reputation points

Hello everyone,

We are currently trying out the Azure Arc + Sentinel setup. We have successfully onboarded couple of test machines to Azure Arc using a private link scope. Documentation for Azure Arc states that any extension that is installed would use the same connectivity as the Azure Arc (private link scope). However, when we have deployed the AMA extension using Sentinel DCR,  it seems that the AMA connectivity is trying to hit public IP's rather than private IPs.

My question is, did we do a wrong configuration somewhere or this is not a feasible scenario? do we need to setup an Azure Monitor Private Link to have the AMA log connections go over private IP or is Azure Arc Private link scope suppose to work?


Azure Arc
Azure Arc
A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.
318 questions
Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
460 questions
{count} votes

Accepted answer
  1. Maxim Sergeev 6,566 Reputation points Microsoft Employee

    Hi @Sadik Karadag ,

    May I ask you where did you get the information that "any extension that is installed would use the same connectivity as the Azure Arc (private link scope)?"
    It shouldn't by default. Due to Azure Monitoring Agent is a part of Azure Monitor, referring the following article, for Azure Monitor you need to enable the private link scope manually:

    Optionally, deploy private endpoints for other Azure services your machine or server is managed by, such as:

    Azure Monitor
    Azure Automation
    Azure Blob storage
    Azure Key Vault

1 additional answer

Sort by: Most helpful
  1. David Broggy 5,681 Reputation points MVP

    If that's true you may have found a bug.
    I'm not aware of any other options to for the extensions to not use the public connection.
    I'd suggest re-posting in the Azure Arc section: