Accessing Azure Log Analytics from Portal via AMPLS

Question

I'm trying to restrict access to our Azure Monitor resources (Log Analytics Workspace and Application Insights) with an Azure Monitor Private Link Scope that has both "Accept data ingestion from public networks not connected through a Private Link Scope" and "Accept queries from public networks not connected through a Private Link Scope" set to "No", while still being able to access them the Azure Portal while connected to an Azure VPN peered with the main virtual network.

In the main resource group, I have the following:

• Virtual Network
• Subnet with "Private endpoint network policy" set to "Network security groups" and linked to NSG
• NSG with Inbound Service Tag rules for AzurePortal, AzureResourceManager, AzureFrontDoor.FirstParty and AzureFrontDoor.Frontend:
  • Source port ranges: *
  • Destination: Any
  • Service: HTTPS
• Log Analytics Workspace with "Accept data ingestion from public networks not connected through a Private Link Scope" and "Accept queries from public networks not connected through a Private Link Scope" set to "No"
• Application Insights with "Accept data ingestion from public networks not connected through a Private Link Scope" and "Accept queries from public networks not connected through a Private Link Scope" set to "No"
• Azure Monitor Private Link Scope with "Accept data ingestion from public networks not connected through a Private Link Scope" and "Accept queries from public networks not connected through a Private Link Scope" set to "No"
• AMPLS Private Endpoint
• App Service connected to Application Insights and Log Analytics for HTTP request logging
• App Service Private Endpoint

In the VPN resource group, I have the following:

• Virtual Network with one-way peering to main Virtual Network
• Virtual Network Gateway
• Public IP

On my own computer, I have the DNS records for the Private Endpoints in the Windows hosts file.

What I've tried:

• Connect to VPN
• Open Azure Portal
• Go to App Service > Logs tab
• Run the following query for the last 24 hours:

  AppServiceHTTPLogs
  | where UserAgent != 'AlwaysOn'
  

• Go to Application Insights > Transaction search
• Click "See all data for the last 24 hours"
• Create a Container Instance in the Virtual Network and send a request to the same https://api.loganalytics.io endpoint used by the Logs query

What happened:

• The Logs query returned no results
• The Application Insights search displayed "Error retrieving data"
• The request from the Container Instance returned the expected results

What I want to be able to do:

• I want to be able to access logs and other data from the Azure Portal while connected to the VPN (on my own computer)

Answer 1

If you are using Azure custom DNS servers (eg VMs configured in your VNET DNS settings) or Azure DNS resolver you can also configure conditional forwarding for these FQDNs from local/on-prem to your Azure custom DNS servers and your Azure custom DNS servers should forward them to Azure provided DNS (168.63.129.16). Also your private DNS zones in Azure should be linked to VNET where DNS servers reside and all other VNETS (if any) should be peered for proper DNS resolution.

I've encountered this issue too, shame that MS docs doesn't provide this information on AMPLS configuration guide (api.loganalytics.io and api.applicationinsights.azure.com are not mentioned at all).

Answer 2

I don't know if there's a better solution, but manually adding hosts file entries for api.loganalytics.io and api.applicationinsights.azure.com pointing to the same private IP as api.monitor.azure.com allowed me to access Log Analytics and Application Insights from the Azure Portal over the VPN.

I also removed the NSG and "Private endpoint network policy" for the subnet.