Uredi

Deli z drugimi prek


Azure Monitor agent network configuration

Azure Monitor Agent supports connecting by using direct proxies, Log Analytics gateway, and private links. This article explains how to define network settings and enable network isolation for Azure Monitor Agent.

Virtual network service tags

The Azure virtual network service tags must be enabled on the virtual network for the virtual machine. Both AzureMonitor and AzureResourceManager tags are required.

Azure Virtual network service tags can be used to define network access controls on network security groups, Azure Firewall, and user-defined routes. Use service tags in place of specific IP addresses when you create security rules and routes. For scenarios where Azure virtual network service tags cannot be used, the Firewall requirements are given below.

Note

Data collection endpoint public IP addresses are not part of the above mentioned network service tags. If you have custom logs or IIS log data collection rules, consider allowing the data collection endpoint's public IP addresses for these scenarios to work until these scenarios are supported by network service tags.

Firewall endpoints

The following table provides the endpoints that firewalls need to provide access to for different clouds. Each is an outbound connection to port 443.

Important

For all endpoints, HTTPS inspection must be disabled.

Endpoint Purpose Example
global.handler.control.monitor.azure.com Access control service -
<virtual-machine-region-name>.handler.control.monitor.azure.com Fetch data collection rules for specific machine westus2.handler.control.monitor.azure.com
<log-analytics-workspace-id>.ods.opinsights.azure.com Ingest logs data 1234a123-aa1a-123a-aaa1-a1a345aa6789.ods.opinsights.azure.com
management.azure.com Only needed if sending time series data (metrics) to Azure Monitor Custom metrics database -
<virtual-machine-region-name>.monitoring.azure.com Only needed if sending time series data (metrics) to Azure Monitor Custom metrics database westus2.monitoring.azure.com
<data-collection-endpoint>.<virtual-machine-region-name>.ingest.monitor.azure.com Only needed if sending data to Log Analytics custom logs table 275test-01li.eastus2euap-1.canary.ingest.monitor.azure.com

Replace the suffix in the endpoints with the suffix in the following table for different clouds.

Cloud Suffix
Azure Commercial .com
Azure Government .us
Microsoft Azure operated by 21Vianet .cn

Note

If you use private links on the agent, you must only add the private data collection endpoints (DCEs). The agent does not use the non-private endpoints listed above when using private links/data collection endpoints. The Azure Monitor Metrics (custom metrics) preview isn't available in Azure Government and Azure operated by 21Vianet clouds.

Note

When using AMA with AMPLS, all of your Data Collection Rules must use Data Collection Endpoints. Those DCE's must be added to the AMPLS configuration using private link

Proxy configuration

The Azure Monitor Agent extensions for Windows and Linux can communicate either through a proxy server or a Log Analytics gateway to Azure Monitor by using the HTTPS protocol. Use it for Azure virtual machines, Azure virtual machine scale sets, and Azure Arc for servers. Use the extensions settings for configuration as described in the following steps. Both anonymous and basic authentication by using a username and password are supported.

Important

Proxy configuration isn't supported for Azure Monitor Metrics (public preview) as a destination. If you're sending metrics to this destination, it will use the public internet without any proxy.

Note

Setting Linux system proxy via environment variables such as http_proxy and https_proxy is only supported using Azure Monitor Agent for Linux version 1.24.2 and above. For the ARM template, if you have proxy configuration please follow the ARM template example below declaring the proxy setting inside the ARM template. Additionally, a user can set "global" environment variables that get picked up by all systemd services via the DefaultEnvironment variable in /etc/systemd/system.conf.

Use PowerShell commands in the following examples depending on your environment and configuration.:

No proxy

$settingsString = '{"proxy":{"mode":"none"}}';
Set-AzVMExtension -ExtensionName AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location>  -SettingString $settingsString

Proxy with no authentication

$settingsString = '{"proxy":{"mode":"application","address":"http://[address]:[port]","auth": "false"}}';
Set-AzVMExtension -ExtensionName AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location>  -SettingString $settingsString

Proxy with authentication

$settingsString = '{"proxy":{"mode":"application","address":"http://[address]:[port]","auth": "true"}}';
$protectedSettingsString = '{"proxy":{"username":"[username]","password": "[password]"}}';
Set-AzVMExtension -ExtensionName AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location>  -SettingString $settingsString -ProtectedSettingString $protectedSettingsString

Log Analytics gateway configuration

  1. Follow the guidance above to configure proxy settings on the agent and provide the IP address and port number that correspond to the gateway server. If you've deployed multiple gateway servers behind a load balancer, the agent proxy configuration is the virtual IP address of the load balancer instead.
  2. Add the configuration endpoint URL to fetch data collection rules to the allowlist for the gateway Add-OMSGatewayAllowedHost -Host global.handler.control.monitor.azure.com Add-OMSGatewayAllowedHost -Host <gateway-server-region-name>.handler.control.monitor.azure.com. (If you're using private links on the agent, you must also add the data collection endpoints.)
  3. Add the data ingestion endpoint URL to the allowlist for the gateway Add-OMSGatewayAllowedHost -Host <log-analytics-workspace-id>.ods.opinsights.azure.com.
  4. Restart the OMS Gateway service to apply the changes Stop-Service -Name <gateway-name> and Start-Service -Name <gateway-name>.

Next steps