Question posted in 
I’m trying to restrict access to our Azure Monitor resources (Log Analytics Workspace and Application Insights) with an Azure Monitor Private Link Scope that has both "Accept data ingestion from public networks not connected through a Private Link Scope" and "Accept queries from public networks not connected through a Private Link Scope" set to "No", while still being able to access them the Azure Portal while connected to an Azure VPN peered with the main virtual network.
In the main resource group, I have the following:
- Virtual Network
- Subnet with "Private endpoint network policy" set to "Network security groups" and linked to NSG
- NSG with Inbound Service Tag rules for
AzurePortal,AzureResourceManager,AzureFrontDoor.FirstPartyandAzureFrontDoor.Frontend:- Source port ranges: *
- Destination: Any
- Service: HTTPS
- Log Analytics Workspace with "Accept data ingestion from public networks not connected through a Private Link Scope" and "Accept queries from public networks not connected through a Private Link Scope" set to "No"
- Application Insights with "Accept data ingestion from public networks not connected through a Private Link Scope" and "Accept queries from public networks not connected through a Private Link Scope" set to "No"
- Azure Monitor Private Link Scope with "Accept data ingestion from public networks not connected through a Private Link Scope" and "Accept queries from public networks not connected through a Private Link Scope" set to "No"
- AMPLS Private Endpoint
- App Service connected to Application Insights and Log Analytics for HTTP request logging
- App Service Private Endpoint
In the VPN resource group, I have the following:
- Virtual Network with one-way peering to main Virtual Network
- Virtual Network Gateway
- Public IP
On my own computer, I have the DNS records for the Private Endpoints in the Windows hosts file.
What I’ve tried:
- Connect to VPN
- Open Azure Portal
- Go to App Service > Logs tab
- Run the following query for the last 24 hours:
AppServiceHTTPLogs | where UserAgent != 'AlwaysOn' - Go to Application Insights > Transaction search
- Click "See all data for the last 24 hours"
- Create a Container Instance in the Virtual Network and send a request to the same https://api.loganalytics.io endpoint used by the Logs query
What happened:
- The Logs query returned no results
- The Application Insights search displayed "Error retrieving data"
- The request from the Container Instance returned the expected results
What I want to be able to do:
- I want to be able to access logs and other data from the Azure Portal while connected to the VPN (on my own computer)
2
Answers
I don't know if there's a better solution, but manually adding hosts file entries for
api.loganalytics.ioandapi.applicationinsights.azure.compointing to the same private IP asapi.monitor.azure.comallowed me to access Log Analytics and Application Insights from the Azure Portal over the VPN.I also removed the NSG and "Private endpoint network policy" for the subnet.
If you are using Azure custom DNS servers (eg VMs configured in your VNET DNS settings) or Azure DNS resolver you can also configure conditional forwarding for these FQDNs from local/on-prem to your Azure custom DNS servers and your Azure custom DNS servers should forward them to Azure provided DNS (168.63.129.16). Also your private DNS zones in Azure should be linked to VNET where DNS servers reside and all other VNETS (if any) should be peered for proper DNS resolution.
I’ve encountered this issue too, shame that MS docs doesn’t provide this information on AMPLS configuration guide (api.loganalytics.io and api.applicationinsights.azure.com are not mentioned at all).