Azure Arc Private Link scope and AMA logs

Sadik Karadag 21 Reputation points
2022-08-19T01:10:49.427+00:00

Hello everyone,

We are currently trying out the Azure Arc + Sentinel setup. We have successfully onboarded a couple of test machines to Azure Arc using a private link scope. Documentation for Azure Arc states that any extension that is installed would use the same connectivity as Azure Arc (private link scope). However, when we deployed the AMA extension using a Sentinel DCR, it seems that the AMA connectivity is trying to hit public IPs rather than private IPs.

My question is, did we do a wrong configuration somewhere, or is this not a feasible scenario? Do we need to set up an Azure Monitor Private Link to have the AMA log connections go over private IPs, or is the Azure Arc Private Link scope supposed to work?

Thanks!


Accepted answer
  1. Maxim Sergeev 6,571 Reputation points Microsoft Employee
    2022-08-19T03:15:57.983+00:00

    Hi @Sadik Karadag ,

    May I ask where you got the information that "any extension that is installed would use the same connectivity as the Azure Arc (private link scope)?"
    It shouldn't by default. Since the Azure Monitor Agent is part of Azure Monitor, per the following article, you need to enable the private link scope for Azure Monitor manually:

    https://learn.microsoft.com/en-us/azure/azure-arc/servers/private-link-security#planning-your-private-link-setup

    Optionally, deploy private endpoints for other Azure services your machine or server is managed by, such as:

    Azure Monitor
    Azure Automation
    Azure Blob storage
    Azure Key Vault
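The manual step the accepted answer points at, as an added example that is not code from this thread or from Microsoft: create an Azure Monitor Private Link Scope (AMPLS) for the Log Analytics workspace the Sentinel DCR writes to, give it a private endpoint in the VNet the Arc machines reach, wire up the private DNS zones, and then verify from an Arc machine that the agent's ingestion names resolve to private addresses instead of public ones. Resource group, workspace, AMPLS, VNet and subnet names are assumed placeholders; `--ingestion-access PrivateOnly` makes the workspace refuse ingestion that does not arrive through the AMPLS.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread. All names below are assumed placeholders.
RG="rg-arc-test"; LOCATION="westeurope"
WORKSPACE="law-sentinel"            # Log Analytics workspace the Sentinel DCR writes to
AMPLS="ampls-sentinel"; VNET="vnet-hub"; SUBNET="snet-privatelink"
ZONES="privatelink.monitor.azure.com privatelink.oms.opinsights.azure.com \
privatelink.ods.opinsights.azure.com privatelink.agentsvc.azure-automation.net \
privatelink.blob.core.windows.net"

# 1) AMPLS: separate from the Arc private link scope, linked to the workspace, with a
#    private endpoint in the VNet the Arc machines can reach.
configure_ampls() {
  local ws_id ampls_id zone op n=0
  az monitor private-link-scope create -g "$RG" -n "$AMPLS" \
     --ingestion-access PrivateOnly --query-access PrivateOnly   # refuse public ingestion
  ws_id=$(az monitor log-analytics workspace show -g "$RG" -n "$WORKSPACE" --query id -o tsv)
  az monitor private-link-scope scoped-resource create -g "$RG" --scope-name "$AMPLS" \
     -n "$WORKSPACE" --linked-resource "$ws_id"
  ampls_id=$(az monitor private-link-scope show -g "$RG" -n "$AMPLS" --query id -o tsv)
  az network private-endpoint create -g "$RG" -n "pe-$AMPLS" -l "$LOCATION" \
     --vnet-name "$VNET" --subnet "$SUBNET" --group-id azuremonitor \
     --private-connection-resource-id "$ampls_id" --connection-name "con-$AMPLS"
  # Private DNS zones so the agent's *.opinsights.azure.com names resolve to the endpoint.
  for zone in $ZONES; do
    az network private-dns zone create -g "$RG" -n "$zone" >/dev/null
    az network private-dns link vnet create -g "$RG" -z "$zone" -n "link-$VNET" \
       -v "$VNET" --registration-enabled false >/dev/null
    if [ "$n" -eq 0 ]; then op=create; else op=add; fi   # first zone creates the group
    az network private-endpoint dns-zone-group "$op" -g "$RG" --endpoint-name "pe-$AMPLS" \
       -n "zg-$AMPLS" --private-dns-zone "$zone" --zone-name "${zone//./-}"
    n=$((n + 1))
  done
}

# 2) Check from the Arc machine: ingestion names must resolve to private (RFC 1918) IPs.
is_private_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}
check_ama_resolution() {   # $1 = workspace ID (GUID); prints one line per endpoint
  local rc=0 host ip
  for host in "$1.ods.opinsights.azure.com" "$1.oms.opinsights.azure.com"; do
    ip=$(getent ahostsv4 "$host" | awk 'NR==1 {print $1}')
    if [ -n "$ip" ] && is_private_ip "$ip"; then echo "private  $host -> $ip"
    else echo "PUBLIC   $host -> ${ip:-unresolved}"; rc=1; fi
  done
  return $rc
}
```

Run `configure_ampls` once from an operator shell, then `check_ama_resolution <workspace-id>` on an Arc machine; a `PUBLIC` line means that machine's resolver is not using the linked private DNS zones and AMA will keep sending over the public path.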


1 additional answer
  1. David Broggy 5,816 Reputation points MVP
    2022-08-19T03:29:09.913+00:00

    If that's true you may have found a bug.
    I'm not aware of any other options for the extensions to not use the public connection.
    I'd suggest re-posting in the Azure Arc section:
    AzureArc

