The blog of a cloud agnostic professional and craft beer connoisseur

Monitoring my hybrid environment – part 2?


Hello folks,


2 weeks ago, as part of my series on setting up my demo environment to reflect a typical hybrid (on-prem <-> Azure) environment I covered the basics of what I needed to support operational requirements like monitoring/insights, patch management, change management, etc…  So, I designed a Log Analytics Workspace (LAW) and deployed the Azure Monitor Agent and Dependency Agent.


But some of you eagle-eyed readers messaged me and pointed out that, unlike when I Azure Arc-enabled my servers, I did not configure Azure Monitor to only use the site-to-site VPN. You were correct. However, it's something we can remedy, and we'll do it right now.




There are two layers of security we can wrap around the Azure Monitor Agent's connectivity to the components it needs to reach.

Layer 1

The first one is the Log Analytics gateway in Azure Monitor. The Log Analytics gateway is an HTTP forward proxy that supports HTTP tunneling using the HTTP CONNECT method. It sends data to Azure Automation and a Log Analytics workspace in Azure Monitor on behalf of computers that cannot connect directly to the internet.


If you have servers that you don't want to give access to the outside world, you install the agents on them and point the agents at the gateway, which then forwards the data on their behalf. The gateway is a forwarding proxy that doesn't store any data. Once the agent establishes a connection with Azure Monitor, it follows the same encryption flow with or without the gateway: the data is TLS-encrypted end to end between the agent and the Azure Monitor endpoint. Since the gateway is just a tunnel, it has no ability to inspect what is being sent; it only decides which destination hosts it is willing to tunnel to.



In my case, to retrofit this control I would have to reconfigure the agents I've already installed so that they send their traffic through the gateway instead of straight out to my LAW.
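As an added example (not from the original post), here is what that retrofit looks like with the documented tooling: the gateway only tunnels to hosts on its allow list, so the Azure Monitor Agent's control-plane and ingestion endpoints are added there, and the agent's proxy is set through the Azure Arc extension settings. The workspace ID, region, resource group, machine name and gateway address are placeholders I made up for the example.

```powershell
# Added example: route an Arc-enabled server's Azure Monitor Agent through a Log Analytics gateway.
# All IDs, names and addresses below are hypothetical placeholders.

# --- Part 1: on the gateway server (Windows, Log Analytics gateway installed) ---
# The gateway is a CONNECT tunnel and only forwards to hosts on its allow list. AMA needs the
# control-plane endpoints (to download its data collection rules) and the workspace ingestion endpoint.
$workspaceId = '00000000-0000-0000-0000-000000000000'   # assumed workspace (customer) ID
$region      = 'canadacentral'                           # assumed workspace/gateway region
$allowedHosts = @(
    'global.handler.control.monitor.azure.com',
    "$region.handler.control.monitor.azure.com",
    "$workspaceId.ods.opinsights.azure.com"
)
foreach ($h in $allowedHosts) {
    Add-OMSGatewayAllowedHost -Host $h
}
# The allow list is read at service start; 'OMSGatewayService' is the service name the installer creates.
Restart-Service -Name 'OMSGatewayService'

# --- Part 2: from a management host with the Az.ConnectedMachine module ---
# AMA reads its proxy from the extension settings. 'application' mode means an explicit proxy,
# and auth is 'false' because the gateway does not authenticate its clients.
$gatewayAddress = 'http://10.10.0.20:8080'   # assumed gateway IP; 8080 is the gateway's default port
$settings = @{
    proxy = @{
        mode    = 'application'
        address = $gatewayAddress
        auth    = 'false'
    }
}
# Re-running the extension deployment with new settings updates the agent already on the machine.
New-AzConnectedMachineExtension -ResourceGroupName 'rg-hybrid-monitoring' `
    -MachineName 'srv-app-01' -Location 'canadacentral' `
    -Name 'AzureMonitorWindowsAgent' -ExtensionType 'AzureMonitorWindowsAgent' `
    -Publisher 'Microsoft.Azure.Monitor' -Setting $settings
```

For Linux servers the extension name and type are AzureMonitorLinuxAgent with the same settings shape. Once the proxy is set, the server itself needs no route to the internet at all; if the gateway is the only egress path, blocking everything else at the firewall is what makes Layer 1 a control rather than a convenience.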

Layer 2

The second layer is to force all traffic to use the VPN, the same way we did for Azure Arc, by leveraging Azure Private Link to connect networks to Azure Monitor. When you set up a Private Link connection, your DNS zones map Azure Monitor endpoints to private IPs in order to send traffic through the Private Link. Azure Monitor uses both resource-specific endpoints and shared global/regional endpoints to reach the workspaces and components in your Azure Monitor Private Link Scope (AMPLS).


In effect you're steering your local client to a private IP address that is only reachable over the VPN or ExpressRoute when it connects to the Azure Monitor endpoints. It requires a few steps (the documentation to perform these steps is linked below):


1 – Create a Private Link Scope for your resources

2 – Connect Azure Monitor resources to your AMPLS

3 – Create a Private Endpoint on your network and connect it to the scope

4 – Configure the required access on your Azure Monitor resources


So far we covered the configuration of your network, but you should also consider how you want to configure network access to your monitored resources – Log Analytics workspaces, Application Insights components and Data Collection endpoints.
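As an added example (not the post's own code), the four steps above as one Az PowerShell script: scope, scoped resource, private endpoint in the hub VNet with the five private DNS zones Azure Monitor needs, and finally the workspace's public access switched off. Resource group, region, workspace, VNet and subnet names are placeholders I invented for the example.

```powershell
# Added example: the four AMPLS steps with Az PowerShell (Az.Monitor, Az.Network,
# Az.PrivateDns, Az.OperationalInsights). All names below are hypothetical placeholders.
$rg         = 'rg-hybrid-monitoring'     # assumed resource group
$location   = 'canadacentral'            # assumed region of the hub VNet / private endpoint
$scopeName  = 'ampls-hybrid'             # assumed AMPLS name
$lawName    = 'law-hybrid'               # assumed Log Analytics workspace name
$vnetName   = 'vnet-hub'                 # assumed hub VNet that terminates the S2S VPN
$subnetName = 'snet-private-endpoints'   # assumed subnet for the private endpoint

# Step 1: the Azure Monitor Private Link Scope. AMPLS is a global resource.
$scope = New-AzInsightsPrivateLinkScope -ResourceGroupName $rg -Name $scopeName -Location 'global'

# Step 2: connect the workspace (repeat for Application Insights components / DCEs) to the scope.
$law = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $lawName
New-AzInsightsPrivateLinkScopedResource -ResourceGroupName $rg -ScopeName $scopeName `
    -Name "$lawName-link" -LinkedResourceId $law.ResourceId | Out-Null

# Step 3: a private endpoint in the hub VNet targeting the scope (group id 'azuremonitor').
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$peSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$conn = New-AzPrivateLinkServiceConnection -Name "$scopeName-conn" `
    -PrivateLinkServiceId $scope.Id -GroupId 'azuremonitor'
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-$scopeName" -Location $location `
    -Subnet $peSubnet -PrivateLinkServiceConnection $conn

# The private DNS zones Azure Monitor needs. Attaching them to the endpoint as a zone group
# makes Azure create and maintain the A records for the private IPs.
$zones = 'privatelink.monitor.azure.com',
         'privatelink.oms.opinsights.azure.com',
         'privatelink.ods.opinsights.azure.com',
         'privatelink.agentsvc.azure-automation.net',
         'privatelink.blob.core.windows.net'
$zoneConfigs = foreach ($z in $zones) {
    $zone = Get-AzPrivateDnsZone -ResourceGroupName $rg -Name $z -ErrorAction SilentlyContinue
    if (-not $zone) {
        $zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $z
        # Link the zone to the hub VNet so the Private Resolver (and VNet clients) can answer from it.
        New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $z `
            -Name "$vnetName-link" -VirtualNetworkId $vnet.Id | Out-Null
    }
    New-AzPrivateDnsZoneConfig -Name ($z -replace '\.', '-') -PrivateDnsZoneId $zone.ResourceId
}
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name 'default' -PrivateDnsZoneConfig $zoneConfigs | Out-Null

# Step 4: close the public door on the workspace. After this, ingestion and queries that do not
# arrive via the private link are rejected, so run it last, once DNS resolves privately end to end.
Set-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $lawName `
    -PublicNetworkAccessForIngestion 'Disabled' -PublicNetworkAccessForQuery 'Disabled' | Out-Null
```

The order matters: step 4 is the part that actually enforces anything, and it will cut off any agent (or any analyst running queries) that still resolves the workspace to its public IP. Leave public access enabled until the DNS work in the next section is verified, then flip it.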


Complete the DNS configuration

Number 5 is to finish the DNS config. It's not in the Azure Monitor Private Link Scope (AMPLS) documentation, but I'll cover it nonetheless. Just like I did for the Azure Arc Private Link Scope, I need to configure the DNS forwarding rules for my Azure DNS Private Resolver and, on my local DNS server, configure the conditional forwarders. Check out the post here where I cover it.


The DNS configuration needed for Azure Monitor can be found here






After I added the appropriate rules to my ruleset, I can move on to the local DNS server and configure the conditional forwarders that send the queries for the domains the agent needs to the private resolver.



And now, when an Azure Monitor Agent tries to contact one of its endpoints, the name resolves to a private address and the connection uses the VPN/ExpressRoute to get there.
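As an added example (not from the original post), here is the on-prem half of that DNS work on a Windows DNS server, followed by the check I would run from a monitored server before disabling public access on the workspace: every name the agent uses should answer with an RFC 1918 address. The resolver inbound IP, workspace ID and region are placeholders I made up.

```powershell
# Added example: on-prem conditional forwarders for the Azure Monitor zones, plus a
# resolution check from an agent host. Addresses and IDs are hypothetical placeholders.

# --- Part 1: on the on-prem Windows DNS server (DnsServer module) ---
# Forward the public zone names (not the privatelink.* names) to the Azure DNS Private Resolver's
# inbound endpoint. Azure then answers from the linked privatelink.* zones with the private IPs;
# names in these zones that have no private endpoint still resolve, just to their public IPs.
$resolverInbound = '10.20.0.4'   # assumed inbound endpoint IP of the Azure DNS Private Resolver
$zones = 'monitor.azure.com',
         'oms.opinsights.azure.com',
         'ods.opinsights.azure.com',
         'agentsvc.azure-automation.net',
         'blob.core.windows.net'
foreach ($z in $zones) {
    if (-not (Get-DnsServerZone -Name $z -ErrorAction SilentlyContinue)) {
        # ReplicationScope 'Forest' assumes an AD-integrated DNS server; drop it for a standalone one.
        Add-DnsServerConditionalForwarderZone -Name $z -MasterServers $resolverInbound -ReplicationScope 'Forest'
    }
}

# --- Part 2: from a monitored server, confirm the agent's endpoints now resolve privately ---
function Test-PrivateIPv4 {
    param([string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Test-AmplsResolution {
    param([string]$WorkspaceId, [string]$Region)
    # Endpoints the Azure Monitor Agent talks to; workspace-specific ones carry the workspace ID.
    $names = @(
        'global.handler.control.monitor.azure.com',
        "$Region.handler.control.monitor.azure.com",
        "$WorkspaceId.ods.opinsights.azure.com",
        "$WorkspaceId.oms.opinsights.azure.com",
        "$WorkspaceId.agentsvc.azure-automation.net"
    )
    foreach ($n in $names) {
        # Follow the CNAME chain into the privatelink zone and keep only the final A records.
        $ips = (Resolve-DnsName -Name $n -Type A -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' }).IPAddress
        [pscustomobject]@{
            Name    = $n
            IPs     = ($ips -join ',')
            Private = [bool]($ips -and (($ips | ForEach-Object { Test-PrivateIPv4 $_ }) -notcontains $false))
        }
    }
}

Test-AmplsResolution -WorkspaceId '00000000-0000-0000-0000-000000000000' -Region 'canadacentral' |
    Format-Table -AutoSize
```

Any row with Private set to False means that endpoint is still going out over the internet, and, once public access on the workspace is disabled, it will simply fail. The blob zone is forwarded as a whole because the agents pull content from a storage endpoint in it; that is a lot of DNS to hand to the resolver, so keep an eye on the resolver's query volume after the change.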



The Onion

We've now defined two layers for managing how your clients connect to the Azure Monitor resources. The first, as we mentioned, is to use a gateway, in effect designating a single machine (or a load-balanced set of them) that is allowed to connect to the Azure Monitor endpoints. The second is to send the connections to a private IP address exclusively through a tunnel you control: your VPN or ExpressRoute link.


If you are in an environment where security and controls are extremely important, you can actually wrap the layers around each other: use the proxy gateway described in Layer 1 and have the gateway itself resolve the Azure Monitor endpoints to the private endpoint described in Layer 2. That way the monitored servers only ever talk to the gateway, and the gateway only ever talks over the VPN. Making an onion as opposed to peeling one, so to speak.


Ok, now that I've rectified my oversight from last week, we will return to our scheduled programming. Again, at the risk of sounding like a broken record, let me know if there are scenarios for hybrid management that you have questions about. It really helps make the blog better and more relevant to you.