Enable private link with Container insights
This article describes how to configure Container insights to use Azure Private Link for your AKS cluster.
Cluster using managed identity authentication
Prerequisites
- The template must be deployed in the same resource group as the cluster.
Download and install template
Download ARM template and parameter file:
AKS cluster
- Template file: https://aka.ms/aks-enable-monitoring-msi-onboarding-template-file
- Parameter file: https://aka.ms/aks-enable-monitoring-msi-onboarding-template-parameter-file
Arc-enabled Kubernetes cluster
- Template file: https://aka.ms/arc-k8s-azmon-extension-msi-arm-template
- Parameter file: https://aka.ms/arc-k8s-azmon-extension-msi-arm-template-params
Edit the following values in the parameter file. Retrieve the resource ID of the resources from the JSON View of their Overview page.
| Parameter | Description |
|---|---|
| AKS: aksResourceId / Arc: clusterResourceId | Resource ID of the cluster. |
| AKS: aksResourceLocation / Arc: clusterRegion | Azure region of the cluster. |
| AKS: workspaceResourceId / Arc: workspaceResourceId | Resource ID of the Log Analytics workspace. |
| AKS: workspaceRegion / Arc: workspaceRegion | Region of the Log Analytics workspace. |
| Arc: workspaceDomain | Domain of the Log Analytics workspace: opinsights.azure.com for Azure public cloud, opinsights.azure.us for Azure US Government, opinsights.azure.cn for Azure China Cloud. |
| AKS: resourceTagValues | Tag values specified for the existing Container insights extension data collection rule (DCR) of the cluster and the name of the DCR. The name will be MSCI-<clusterName>-<clusterRegion>, and this resource is created in the AKS cluster's resource group. For first-time onboarding, you can set arbitrary tag values. |
| AKS: useAzureMonitorPrivateLinkScope / Arc: useAzureMonitorPrivateLinkScope | Boolean flag that indicates whether an Azure Monitor Private Link Scope is used. |
| AKS: azureMonitorPrivateLinkScopeResourceId / Arc: azureMonitorPrivateLinkScopeResourceId | Resource ID of the Azure Monitor Private Link Scope. This is only used if useAzureMonitorPrivateLinkScope is set to true. |
Based on your requirements, you can configure other parameters such as streams, enableContainerLogV2, enableSyslog, syslogLevels, syslogFacilities, dataCollectionInterval, namespaceFilteringModeForDataCollection, and namespacesForDataCollection.
- Deploy the template with the parameter file by using any valid method for deploying Resource Manager templates. For examples of different methods, see Deploy the sample templates.
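Before deploying, it is worth checking that the parameter file is consistent with the rules above (deployment in the cluster's resource group, and a Private Link Scope resource ID whenever useAzureMonitorPrivateLinkScope is true). The following check is an added example written for this article, not part of the Microsoft template or tooling; the sample parameter file, subscription id, resource group and resource names are constructed placeholders, and the managedClusters, workspaces and privateLinkScopes resource type strings are assumed from the ARM resource ID format.

```python
import json
import re

# Constructed sample parameter file for the AKS template; the subscription id,
# resource groups and resource names are placeholders, not real resources.
SAMPLE_PARAMS = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "aksResourceId": {"value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"
                          "/rg-aks/providers/Microsoft.ContainerService/managedClusters/aks-prod"},
        "aksResourceLocation": {"value": "eastus"},
        "workspaceResourceId": {"value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"
                                "/rg-monitor/providers/Microsoft.OperationalInsights/workspaces/law-prod"},
        "workspaceRegion": {"value": "eastus"},
        "resourceTagValues": {"value": {}},
        "useAzureMonitorPrivateLinkScope": {"value": True},
        "azureMonitorPrivateLinkScopeResourceId": {"value": ""},  # left empty on purpose; flagged below
    },
})

# ARM resource ID shape: /subscriptions/<sub>/resourceGroups/<rg>/providers/<namespace>/<type>/<name>
RESOURCE_ID = re.compile(
    r"^/subscriptions/([^/]+)/resourceGroups/([^/]+)/providers/([^/]+/[^/]+)/([^/]+)$", re.IGNORECASE)

def parse_resource_id(resource_id):
    m = RESOURCE_ID.match(resource_id or "")
    return None if m is None else {"rg": m[2], "type": m[3].lower(), "name": m[4]}

def expected_dcr_name(cluster_name, cluster_region):
    # Name of the Container insights DCR the template creates in the cluster's resource group.
    return f"MSCI-{cluster_name}-{cluster_region}"

def check_parameters(params_json, deployment_resource_group):
    # Returns a list of findings; an empty list means the parameter file is consistent.
    params = json.loads(params_json)["parameters"]
    value = lambda key: params.get(key, {}).get("value")
    findings = []
    aks = parse_resource_id(value("aksResourceId"))
    if aks is None or aks["type"] != "microsoft.containerservice/managedclusters":
        return ["aksResourceId is not a Microsoft.ContainerService/managedClusters resource ID"]
    if aks["rg"].lower() != deployment_resource_group.lower():
        findings.append(f"template must be deployed in the cluster's resource group ({aks['rg']})")
    workspace = parse_resource_id(value("workspaceResourceId"))
    if workspace is None or workspace["type"] != "microsoft.operationalinsights/workspaces":
        findings.append("workspaceResourceId is not a Log Analytics workspace resource ID")
    if value("useAzureMonitorPrivateLinkScope") is True:
        scope = parse_resource_id(value("azureMonitorPrivateLinkScopeResourceId"))
        if scope is None or scope["type"] != "microsoft.insights/privatelinkscopes":
            findings.append("useAzureMonitorPrivateLinkScope is true but azureMonitorPrivateLinkScopeResourceId"
                            " is not a Microsoft.Insights/privateLinkScopes resource ID")
    return findings
```

Run check_parameters against your own parameter file with the resource group you will pass to the deployment command; deploy only when it returns an empty list.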
Cluster using legacy authentication
Use the following procedures to enable network isolation by connecting your cluster to the Log Analytics workspace using Azure Private Link if your cluster is not using managed identity authentication. This requires a private AKS cluster.
1. Create a private AKS cluster following the guidance in Create a private Azure Kubernetes Service cluster.
2. Disable public ingestion on your Log Analytics workspace.

   Use the following command to disable public ingestion on an existing workspace.

   ```azurecli
   az monitor log-analytics workspace update --resource-group <azureLogAnalyticsWorkspaceResourceGroup> --workspace-name <azureLogAnalyticsWorkspaceName> --ingestion-access Disabled
   ```

   Use the following command to create a new workspace with public ingestion disabled.

   ```azurecli
   az monitor log-analytics workspace create --resource-group <azureLogAnalyticsWorkspaceResourceGroup> --workspace-name <azureLogAnalyticsWorkspaceName> --ingestion-access Disabled
   ```

3. Configure private link by following the instructions at Configure your private link. Set ingestion access to public, and then set it to private after the private endpoint is created but before monitoring is enabled. The private link resource region must be the same as the AKS cluster region.
4. Enable monitoring for the AKS cluster.

   ```azurecli
   az aks enable-addons -a monitoring --resource-group <AKSClusterResourceGroup> --name <AKSClusterName> --workspace-resource-id <workspace-resource-id>
   ```
Next steps
- If you experience issues while you attempt to onboard the solution, review the Troubleshooting guide.
- With monitoring enabled to collect health and resource utilization of your AKS cluster and the workloads running on it, learn how to use Container insights.