Logs are not sent to log workspace when network security perimeter is set as network isolation.

Munduz Subanov 10 Reputation points
2025-01-23T17:32:57.3033333+00:00

Current Setup:

  • All resources in the same Subscription.
  • Storage account and Synapse Workspace are streaming logs to log workspace (logw-main).
  • Azure Monitoring Workbook reads logs from logw-main and shows some charts.
  • Log workspace (logw-main) has Network Isolation: Secured by perimeter, and network security perimeter allows all resources from the Subscription.

Problem:

When querying the log workspace (logw-main) in the Azure portal it works as expected. Ex: I can query logs when I add a rule to the network security perimeter that allows my IP address.

But the Storage account and Synapse Workspace do not stream logs to the log workspace (logw-main). This happens when the Network Security Perimeter is enabled.

How can we fix this problem? We want the log workspace to be public, as we query logs from Azure Monitoring Workbooks.

Azure Monitor

1 answer

  1. Rahul Podila 1,725 Reputation points Microsoft Vendor
    2025-01-27T08:47:04.6733333+00:00

    Hi @Munduz Subanov

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    You have two basic options for fixing this. The first is to set up a private endpoint, which is the more secure option. This creates a secure connection between your services (such as your storage account and Synapse) and the Log Analytics workspace without a public internet connection. To do this, log into your Log Analytics workspace in the Azure portal, select Private endpoints under Networking and update it. Now make sure your storage account and Synapse workspace are set up to send logs to that workspace. With that set up, test everything to make sure the logs are flowing properly.

    If you’re looking for a simpler solution and don’t mind a little less security, you can disable network isolation for the Log Analytics workspace. This allows your resources to send logs without having to provide a private connection. You can disable network isolation under Networking in your Log Analytics workspace settings. Once you’ve done this, just double check that your storage account and Synapse workspace are sending logs to the workspace, then make sure everything is working as expected.

    If you’re after a more secure setup, I would recommend going with the private endpoint option. But if you’re looking for a quick and easy fix, turning off network isolation will work.

    If you have any concerns, please go through these links:

    https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings

    https://learn.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy?tabs=network-policy-portal

    If you have any further queries, do let us know.


    If the answer is helpful, please click "Accept Answer" and "Upvote it"
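The two options in the answer above, scripted with the Azure CLI, as an added example that is not part of the original thread and not code from the asker or the answerer. Every name in it (resource group rg-main, the workspace logw-main, the private link scope ampls-main, the VNet vnet-main, the subnet snet-pe, the storage account stmain) is an assumed placeholder. Two further assumptions: the portal's "Network Isolation" page is mapped to the workspace's public-network toggles for ingestion and query (`--ingestion-access` / `--query-access`), and the private endpoint is created against an Azure Monitor Private Link Scope, which is how Log Analytics is exposed to Private Link; the Network Security Perimeter association itself is left untouched because the answer does not cover it. Set `AZ=echo` to print the commands without touching a subscription.

```shell
#!/usr/bin/env bash
# Added example, not code from the Q&A thread. Scripts the answer's two options
# with the Azure CLI. All resource names are assumed placeholders; run with
# AZ=echo to dry-run (prints each az command instead of executing it).
set -eu

AZ="${AZ:-az}"
RG="rg-main"
WORKSPACE="logw-main"
AMPLS="ampls-main"
VNET="vnet-main"
SUBNET="snet-pe"
STORAGE="stmain"

workspace_id() {
  "$AZ" monitor log-analytics workspace show -g "$RG" -n "$WORKSPACE" \
      --query id -o tsv
}

# Option A (answer's first choice): reach the workspace through a private
# endpoint. Log Analytics is put behind Private Link via an Azure Monitor
# Private Link Scope (AMPLS); the endpoint targets the scope, not the workspace.
option_a_private_link() {
  ws_id="$1"
  "$AZ" monitor private-link-scope create -g "$RG" -n "$AMPLS"
  "$AZ" monitor private-link-scope scoped-resource create -g "$RG" \
      --scope-name "$AMPLS" -n "$WORKSPACE" --linked-resource "$ws_id"
  ampls_id=$("$AZ" monitor private-link-scope show -g "$RG" -n "$AMPLS" \
      --query id -o tsv)
  "$AZ" network private-endpoint create -g "$RG" -n "pe-$AMPLS" \
      --vnet-name "$VNET" --subnet "$SUBNET" \
      --private-connection-resource-id "$ampls_id" \
      --group-id azuremonitor --connection-name "$AMPLS-conn"
  # Assumed CLI equivalent of the portal's Network Isolation toggles: close
  # public ingestion, but keep public query so the workbook still reads logs.
  "$AZ" monitor log-analytics workspace update -g "$RG" -n "$WORKSPACE" \
      --ingestion-access Disabled --query-access Enabled
}

# Option B (answer's second choice): turn network isolation off, i.e. public
# ingestion and public query both enabled (same assumed mapping as above).
option_b_public_access() {
  "$AZ" monitor log-analytics workspace update -g "$RG" -n "$WORKSPACE" \
      --ingestion-access Enabled --query-access Enabled
}

# Either way the storage account needs a diagnostic setting aimed at the
# workspace. Blob read/write/delete logs hang off blobServices/default.
stream_storage_logs() {
  ws_id="$1"
  sa_id=$("$AZ" storage account show -g "$RG" -n "$STORAGE" --query id -o tsv)
  "$AZ" monitor diagnostic-settings create -n "to-$WORKSPACE" \
      --resource "$sa_id/blobServices/default" --workspace "$ws_id" \
      --logs '[{"category":"StorageRead","enabled":true},{"category":"StorageWrite","enabled":true},{"category":"StorageDelete","enabled":true}]' \
      --metrics '[{"category":"Transaction","enabled":true}]'
}

# Check that rows actually arrive: zero rows in the last hour means ingestion
# is still blocked, whichever option was applied.
verify_ingestion() {
  customer_id=$("$AZ" monitor log-analytics workspace show -g "$RG" \
      -n "$WORKSPACE" --query customerId -o tsv)
  "$AZ" monitor log-analytics query -w "$customer_id" \
      --analytics-query "StorageBlobLogs | where TimeGenerated > ago(1h) | count" \
      -o tsv
}

case "${1:-}" in
  private) ws=$(workspace_id); option_a_private_link "$ws"; stream_storage_logs "$ws"; verify_ingestion ;;
  public)  ws=$(workspace_id); option_b_public_access;       stream_storage_logs "$ws"; verify_ingestion ;;
  *)       echo "usage: $0 private|public" >&2 ;;
esac
```

Run it as `AZ=echo ./nsp-logs.sh private` first and read the printed commands; the `verify_ingestion` query is the check the answer asks for ("make sure the logs are flowing"), and it is the same query either way, so it also tells you whether the change you made was the one that mattered.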

