Azure Arc Private Link scope and AMA logs

Sadik Karadag 21

Hello everyone,

We are currently trying out the Azure Arc + Sentinel setup. We have successfully onboarded couple of test machines to Azure Arc using a private link scope. Documentation for Azure Arc states that any extension that is installed would use the same connectivity as the Azure Arc (private link scope). However, when we have deployed the AMA extension using Sentinel DCR, it seems that the AMA connectivity is trying to hit public IP's rather than private IPs.

My question is, did we do a wrong configuration somewhere or this is not a feasible scenario? do we need to setup an Azure Monitor Private Link to have the AMA log connections go over private IP or is Azure Arc Private link scope suppose to work?

Thanks!

KapilAnanth-MSFT 35,251 Reputation points Microsoft Employee

2022-08-19T12:56:21.837+00:00
Hi @Sadik Karadag ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are setting up your Azure Arc and testing private endpoint connectivity.

I would like to understand the following,

Can you please share the docs you were following to set this up?

Can you please share the docs stating "any extension that is installed would use the same connectivity as the Azure Arc (private link scope)?"

Per @Maxim Sergeev 's answer, Monitoring Agent is a separate service and has a private link setup of its own.

Cheers,
Kapil.
Sadik Karadag 21 Reputation points

2022-08-19T14:33:32.8+00:00

Hi anonymous user-MSFT

I was following this documentation here private-link-security

On the Advantages tab, it says the following

Ensure data from the Azure Arc-enabled machine or server is only accessed through authorized private networks. This also includes data from VM extensions installed on the machine or server that provide post-deployment management and monitoring support.

We don't mind creating an AMPLS, which we are at the moment but I thought the documentation might be bit misleading, or maybe it's just me :)
Sadik Karadag 21 Reputation points

2022-08-19T14:37:45.187+00:00

To extend on this, we are hoping to replace our current SIEM / AV solution with Sentinel / Defender for Cloud (which has defender for servers p2). We were also hoping we could forward the Defender traffic through secure channels rather than going over public networks. Defender collects so much data / telemetry, although it's HTTPS traffic, it would still be more ideal to have something like private link scope setup.
KapilAnanth-MSFT 35,251 Reputation points Microsoft Employee

2022-08-22T05:09:20.69+00:00

Hi @Sadik Karadag ,

I believe we should create Private Links for each of the services.

From the same document, https://learn.microsoft.com/en-us/azure/azure-arc/servers/private-link-security
Under, "How it works"

Feel free to let me know if you require more information.

Cheers,
Kapil

Accepted answer

Maxim Sergeev 6,566 Reputation points Microsoft Employee

2022-08-19T03:15:57.983+00:00

Hi @Sadik Karadag ,

May I ask you where did you get the information that "any extension that is installed would use the same connectivity as the Azure Arc (private link scope)?"
It shouldn't by default. Due to Azure Monitoring Agent is a part of Azure Monitor, referring the following article, for Azure Monitor you need to enable the private link scope manually:

https://learn.microsoft.com/en-us/azure/azure-arc/servers/private-link-security#planning-your-private-link-setup

Optionally, deploy private endpoints for other Azure services your machine or server is managed by, such as:

Azure Monitor
Azure Automation
Azure Blob storage
Azure Key Vault
Please sign in to rate this answer.
Sadik Karadag 21 Reputation points

2022-08-19T14:34:31.977+00:00

Hi @Maxim Sergeev

I was following this documentation here private-link-security

On the Advantages tab, it says the following

Ensure data from the Azure Arc-enabled machine or server is only accessed through authorized private networks. This also includes data from VM extensions installed on the machine or server that provide post-deployment management and monitoring support.

We don't mind creating an AMPLS, which we are at the moment but I thought the documentation might be bit misleading, or maybe it's just me :)

Maxim Sergeev 6,566 Reputation points Microsoft Employee

2022-08-19T16:06:39.777+00:00

@ SadikKaradag-8816,

Ensure data from the Azure Arc-enabled machine or server is only accessed through authorized private networks.
This also includes data from VM extensions installed on the machine or server that provide post-deployment management and monitoring support

Imho, these states, that you need configure AMPLS as well :)
Sign in to comment

1 additional answer

David Broggy 5,681 Reputation points MVP

2022-08-19T03:29:09.913+00:00

If that's true you may have found a bug.
I'm not aware of any other options to for the extensions to not use the public connection.
I'd suggest re-posting in the Azure Arc section:
AzureArc
Please sign in to rate this answer.
Sadik Karadag 21 Reputation points

2022-08-19T14:40:10.617+00:00

Talking about bugs, changing the config mode setting on Arc agent removes the proxy configuration :). After installation is complete, we would put the Arc agent on monitor mode to disable any script executions from Azure, then we realized the connection is broken. run azcmagent config list, shows proxy setting was removed.

Maxim Sergeev 6,566 Reputation points Microsoft Employee

2022-08-19T16:09:32.807+00:00

If you think this is a bug, please open a support ticket.

Sadik Karadag 21 Reputation points

2022-08-24T14:25:19.123+00:00

Already done and they did confirm it is a bug, replicated on their end easily.
Sign in to comment