Enable network isolation for Azure Monitor Agent by using Private Link
By default, Azure Monitor Agent connects to a public endpoint to reach your Azure Monitor environment. This article explains how to enable network isolation for your agents by using Azure Private Link.
Prerequisites
- A data collection rule, which defines the data Azure Monitor Agent collects and the destination to which the agent sends data.
Create a data collection endpoint (DCE)
Create a DCE for each of your regions for agents to connect to instead of using the public endpoint. An agent can only connect to a data collection endpoint in the same region. If you have agents in multiple regions, create a data collection endpoint in each one.
Configure private link
Configure your private link to connect your DCE to a set of Azure Monitor resources that define the boundaries of your monitoring network. This set is called an Azure Monitor Private Link Scope.
Add DCEs to Azure Monitor Private Link Scope (AMPLS)
Add the DCEs to your AMPLS resource. This process adds the data collection endpoints to your private DNS zone (see how to validate) and allows communication via private links. You can do this task from the AMPLS resource or on an existing data collection endpoint resource's Network isolation tab.
Important
Any other Azure Monitor resources that your data collection rules send data to, such as Log Analytics workspaces and data collection endpoints (DCEs), must belong to this same AMPLS resource.
Associate DCEs to target resources
Associate the data collection endpoints to the target resources by editing the data collection rule in the Azure portal. On the Resources tab, select Enable Data Collection Endpoints. Select a data collection endpoint for each virtual machine. See Configure data collection for Azure Monitor Agent.
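The four steps above (DCE with its public endpoint disabled, AMPLS, DCE and workspace scoped to that AMPLS, and a DCR bound to the DCE) expressed as one Bicep deployment; this is an added example, not from the original article. It assumes the names dce-eastus, ampls-monitoring and dcr-private-perf, an existing Log Analytics workspace passed in as workspaceId, and that the private endpoint linking the AMPLS to your virtual network is deployed separately.

```bicep
param location string = resourceGroup().location
param dceName string = 'dce-eastus'   // assumed name
param amplsName string = 'ampls-monitoring'   // assumed name
param workspaceId string   // resource ID of an existing Log Analytics workspace (assumed)

// DCE with its public endpoint disabled: agents must reach it through Private Link
resource dce 'Microsoft.Insights/dataCollectionEndpoints@2022-06-01' = {
  name: dceName
  location: location
  properties: {
    networkAcls: { publicNetworkAccess: 'Disabled' }
  }
}

// AMPLS in PrivateOnly mode: ingestion and queries are accepted only via private endpoints
resource ampls 'microsoft.insights/privateLinkScopes@2021-07-01-preview' = {
  name: amplsName
  location: 'global'
  properties: {
    accessModeSettings: { ingestionAccessMode: 'PrivateOnly', queryAccessMode: 'PrivateOnly' }
  }
}

// Both the DCE and the destination workspace must be scoped to the same AMPLS
resource scopedDce 'microsoft.insights/privateLinkScopes/scopedResources@2021-07-01-preview' = {
  parent: ampls
  name: 'scoped-${dceName}'
  properties: { linkedResourceId: dce.id }
}

resource scopedWorkspace 'microsoft.insights/privateLinkScopes/scopedResources@2021-07-01-preview' = {
  parent: ampls
  name: 'scoped-workspace'
  properties: { linkedResourceId: workspaceId }
}

// DCR bound to the DCE so that agents assigned this rule send through the private endpoint
resource dcr 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
  name: 'dcr-private-perf'
  location: location
  properties: {
    dataCollectionEndpointId: dce.id
    dataSources: {
      performanceCounters: [ { name: 'cpu', streams: [ 'Microsoft-Perf' ], samplingFrequencyInSeconds: 60, counterSpecifiers: [ '\\Processor(_Total)\\% Processor Time' ] } ]
    }
    destinations: { logAnalytics: [ { name: 'law', workspaceResourceId: workspaceId } ] }
    dataFlows: [ { streams: [ 'Microsoft-Perf' ], destinations: [ 'law' ] } ]
  }
}
```

After deployment, verify from an agent host that the DCE hostname resolves to a private address from your private DNS zone; a public IP means the DCE was not scoped to the AMPLS or the zone is not linked to the virtual network.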
Next steps
- Learn more about Best practices for monitoring virtual machines in Azure Monitor.