Azure Monitor agent network configuration
Azure Monitor Agent supports connecting by using direct proxies, Log Analytics gateway, and private links. This article explains how to define network settings and enable network isolation for Azure Monitor Agent.
Virtual network service tags
The Azure virtual network service tags must be enabled on the virtual network for the virtual machine. Both AzureMonitor and AzureResourceManager tags are required.
Azure virtual network service tags can be used to define network access controls on network security groups, Azure Firewall, and user-defined routes. Use service tags in place of specific IP addresses when you create security rules and routes. For scenarios where Azure virtual network service tags cannot be used, the firewall requirements are given below.
Note
Data collection endpoint public IP addresses are not part of the above-mentioned network service tags. If you have custom logs or IIS log data collection rules, consider allowing the data collection endpoint's public IP addresses so that these scenarios work until they are covered by network service tags.
Firewall endpoints
The following table provides the endpoints that firewalls need to provide access to for different clouds. Each is an outbound connection to port 443.
Important
For all endpoints, HTTPS inspection must be disabled.
Endpoint | Purpose | Example
---|---|---
global.handler.control.monitor.azure.com | Access control service | -
<virtual-machine-region-name>.handler.control.monitor.azure.com | Fetch data collection rules for specific machine | westus2.handler.control.monitor.azure.com
<log-analytics-workspace-id>.ods.opinsights.azure.com | Ingest logs data | 1234a123-aa1a-123a-aaa1-a1a345aa6789.ods.opinsights.azure.com
management.azure.com | Only needed if sending time series data (metrics) to Azure Monitor Custom metrics database | -
<virtual-machine-region-name>.monitoring.azure.com | Only needed if sending time series data (metrics) to Azure Monitor Custom metrics database | westus2.monitoring.azure.com
<data-collection-endpoint>.<virtual-machine-region-name>.ingest.monitor.azure.com | Only needed if sending data to Log Analytics custom logs table | 275test-01li.eastus2euap-1.canary.ingest.monitor.azure.com
Replace the suffix in the endpoints with the suffix in the following table for different clouds.
Cloud | Suffix
---|---
Azure Commercial | .com
Azure Government | .us
Microsoft Azure operated by 21Vianet | .cn
Note
If you use private links on the agent, you must only add the private data collection endpoints (DCEs). The agent does not use the non-private endpoints listed above when using private links/data collection endpoints. The Azure Monitor Metrics (custom metrics) preview isn't available in Azure Government and Azure operated by 21Vianet clouds.
Note
When using AMA with AMPLS, all of your data collection rules must use data collection endpoints. Those DCEs must be added to the AMPLS configuration by using private link.
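Before rolling the agent out behind a firewall, it helps to verify the endpoint table above from the machine itself. The following is an added example, not part of the Azure Monitor documentation: it enumerates the endpoints for a given cloud suffix, region and workspace (the non-private-link case), checks outbound TCP 443 to each, and reports the TLS certificate issuer actually presented. If that issuer is your own enterprise CA rather than a public CA, an HTTPS-inspecting device sits in the path, which the page says must be disabled for these endpoints. Region, workspace ID and DCE name are constructed placeholders.

```powershell
# Added example, not from the Azure Monitor docs. Builds the endpoint list from the
# table above and checks reachability plus the presented TLS issuer for each one.
function Get-AmaRequiredEndpoints {
    param(
        [Parameter(Mandatory)] [string] $Region,
        [Parameter(Mandatory)] [string] $WorkspaceId,
        [string] $DceName,                          # only for Log Analytics custom logs tables
        [switch] $CustomMetrics,                    # only for Azure Monitor custom metrics
        [ValidateSet('com', 'us', 'cn')] [string] $Suffix = 'com'   # cloud suffix table above
    )
    $hostNames = @(
        "global.handler.control.monitor.azure.$Suffix",
        "$Region.handler.control.monitor.azure.$Suffix",
        "$WorkspaceId.ods.opinsights.azure.$Suffix"
    )
    if ($CustomMetrics) {
        $hostNames += "management.azure.$Suffix"
        $hostNames += "$Region.monitoring.azure.$Suffix"
    }
    if ($DceName) { $hostNames += "$DceName.$Region.ingest.monitor.azure.$Suffix" }
    return $hostNames
}

function Test-AmaEndpoint {
    param([Parameter(Mandatory)] [string] $HostName)
    $tcp = Test-NetConnection -ComputerName $HostName -Port 443 -WarningAction SilentlyContinue
    $result = [ordered]@{ Endpoint = $HostName; TcpOpen = $tcp.TcpTestSucceeded; Issuer = $null; Error = $null }
    if ($tcp.TcpTestSucceeded) {
        try {
            # Direct TLS handshake (no proxy). AuthenticateAsClient throws when the
            # presented chain does not validate, which is itself worth surfacing.
            $client = [System.Net.Sockets.TcpClient]::new($HostName, 443)
            $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
            $ssl.AuthenticateAsClient($HostName)
            $result.Issuer = $ssl.RemoteCertificate.Issuer
            $ssl.Dispose(); $client.Dispose()
        } catch { $result.Error = $_.Exception.Message }
    }
    [pscustomobject]$result
}

# Constructed sample values; substitute your region and Log Analytics workspace ID.
Get-AmaRequiredEndpoints -Region 'westus2' -WorkspaceId '00000000-0000-0000-0000-000000000000' -CustomMetrics |
    ForEach-Object { Test-AmaEndpoint -HostName $_ } | Format-Table -AutoSize
```

Test-NetConnection is a Windows cmdlet (NetTCPIP module), so run this from a Windows host in the same subnet and network security group as the target virtual machines.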
Proxy configuration
The Azure Monitor Agent extensions for Windows and Linux can communicate either through a proxy server or a Log Analytics gateway to Azure Monitor by using the HTTPS protocol. Use it for Azure virtual machines, Azure virtual machine scale sets, and Azure Arc for servers. Use the extensions settings for configuration as described in the following steps. Both anonymous and basic authentication by using a username and password are supported.
Important
Proxy configuration isn't supported for Azure Monitor Metrics (public preview) as a destination. If you're sending metrics to this destination, it will use the public internet without any proxy.
Note
Setting the Linux system proxy via environment variables such as http_proxy and https_proxy is only supported with Azure Monitor Agent for Linux version 1.24.2 and above. If you deploy with an ARM template and need a proxy, declare the proxy setting inside the ARM template as shown in the ARM template example below. Additionally, a user can set "global" environment variables that are picked up by all systemd services via the DefaultEnvironment setting in /etc/systemd/system.conf.
Use the PowerShell commands in the following examples, depending on your environment and configuration:
No proxy
$settingsString = '{"proxy":{"mode":"none"}}';
Set-AzVMExtension -ExtensionName AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -SettingString $settingsString
Proxy with no authentication
$settingsString = '{"proxy":{"mode":"application","address":"http://[address]:[port]","auth": "false"}}';
Set-AzVMExtension -ExtensionName AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -SettingString $settingsString
Proxy with authentication
$settingsString = '{"proxy":{"mode":"application","address":"http://[address]:[port]","auth": "true"}}';
$protectedSettingsString = '{"proxy":{"username":"[username]","password": "[password]"}}';
Set-AzVMExtension -ExtensionName AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -SettingString $settingsString -ProtectedSettingString $protectedSettingsString
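The three variants above differ only in the settings strings. The following is an added example, not from the Azure Monitor documentation: it builds those strings, validates the proxy address locally so a malformed value is caught before the agent silently loses its path to Azure Monitor, and keeps the username and password exclusively in the protected settings, which are encrypted and not readable from the VM's public extension configuration. AzureMonitorLinuxAgent is the Linux extension type; the proxy address, credential and resource names are constructed placeholders.

```powershell
# Added example, not from the Azure Monitor docs. Produces the SettingString and
# ProtectedSettingString values for Set-AzVMExtension with credentials only in the latter.
function New-AmaProxySettings {
    param(
        [ValidateSet('none', 'application')] [string] $Mode = 'none',
        [string] $Address,                  # http://[address]:[port], or the gateway's address
        [pscredential] $Credential          # set only for proxies that require basic auth
    )
    if ($Mode -eq 'none') {
        return @{ Settings = '{"proxy":{"mode":"none"}}'; ProtectedSettings = $null }
    }
    $uri = $null
    if (-not [Uri]::TryCreate($Address, [UriKind]::Absolute, [ref] $uri) -or
        $uri.Scheme -notin @('http', 'https') -or $Address -notmatch ':\d{1,5}/?$') {
        throw "Proxy address must be an absolute http(s) URL with an explicit port, got '$Address'"
    }
    $settings = @{ proxy = @{ mode = 'application'; address = $Address; auth = 'false' } }
    $protected = $null
    if ($Credential) {
        $settings.proxy.auth = 'true'
        $protected = @{ proxy = @{ username = $Credential.UserName
                                   password = $Credential.GetNetworkCredential().Password } } |
            ConvertTo-Json -Compress
    }
    return @{ Settings = ($settings | ConvertTo-Json -Compress); ProtectedSettings = $protected }
}

# Guard: a password in the public settings string is visible to anyone who can read the
# VM's extension configuration, so refuse to deploy if one slipped in there.
function Assert-NoSecretInPublicSettings {
    param([Parameter(Mandatory)] [string] $Settings)
    if ($Settings -match '"(username|password)"\s*:') {
        throw 'Credentials must only appear in ProtectedSettingString'
    }
}

# Usage with constructed values: Linux agent behind an authenticating proxy.
$cred = Get-Credential -Message 'Proxy account'
$cfg  = New-AmaProxySettings -Mode application -Address 'http://proxy.example.internal:8080' -Credential $cred
Assert-NoSecretInPublicSettings -Settings $cfg.Settings
Set-AzVMExtension -ExtensionName AzureMonitorLinuxAgent -ExtensionType AzureMonitorLinuxAgent `
    -Publisher Microsoft.Azure.Monitor -ResourceGroupName '<resource-group-name>' `
    -VMName '<virtual-machine-name>' -Location '<location>' `
    -SettingString $cfg.Settings -ProtectedSettingString $cfg.ProtectedSettings
```

For a Windows VM use AzureMonitorWindowsAgent for both the extension name and type, as in the commands above; the settings strings are identical.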
Log Analytics gateway configuration
- Follow the guidance above to configure proxy settings on the agent and provide the IP address and port number that correspond to the gateway server. If you've deployed multiple gateway servers behind a load balancer, the agent proxy configuration is the virtual IP address of the load balancer instead.
- Add the configuration endpoint URLs used to fetch data collection rules to the allowlist for the gateway:
Add-OMSGatewayAllowedHost -Host global.handler.control.monitor.azure.com
Add-OMSGatewayAllowedHost -Host <gateway-server-region-name>.handler.control.monitor.azure.com
(If you're using private links on the agent, you must also add the data collection endpoints.)
- Add the data ingestion endpoint URL to the allowlist for the gateway:
Add-OMSGatewayAllowedHost -Host <log-analytics-workspace-id>.ods.opinsights.azure.com
- Restart the OMS Gateway service to apply the changes:
Stop-Service -Name <gateway-name>
Start-Service -Name <gateway-name>