Skip to content

Commit 1240b2b

Browse files
BCS2022BCS2022
authored
Merge pull request #209103 from maud-lv/ml-g-ip
Add deterministic IP how-to
2 parents f9330fb + 40fda32 commit 1240b2b

File tree

4 files changed

+109
-0
lines changed

4 files changed

+109
-0
lines changed

articles/managed-grafana/how-to-deterministic-ip.md

Lines changed: 107 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,107 @@
1+
---
2+
title: How to set up and use deterministic outbound APIs in Azure Managed Grafana
3+
description: Learn how to set up and use deterministic outbound APIs in Azure Managed Grafana
4+
ms.service: managed-grafana
5+
ms.topic: how-to
6+
author: maud-lv
7+
ms.author: malev
8+
ms.date: 08/24/2022
9+
---
10+
11+
# Use deterministic outbound IPs
12+
13+
In this guide, learn how to activate deterministic outbound IP support used by Azure Managed Grafana to communicate with its data sources, disable public access and set up a firewall rule to allow inbound requests from your Grafana instance.
14+
15+
## Prerequisites
16+
17+
- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).
18+
- A data source. For example, an [Azure Data Explorer database](/azure/data-explorer/create-cluster-database-portal).
19+
20+
## Enable deterministic outbound IPs
21+
22+
Deterministic outbound IP support is disabled by default in Azure Managed Grafana. You can enable this feature during the creation of the instance, or you can activate it on an instance that's already been created.
23+
24+
### Create an Azure Managed Grafana workspace with deterministic outbound IPs enabled
25+
26+
#### [Portal](#tab/portal)
27+
28+
When creating an instance, in the **Advanced** tab, set **Deterministic outbound IP** to **Enable**.
29+
30+
For more information about creating a new instance, go to [Quickstart: Create an Azure Managed Grafana instance](quickstart-managed-grafana-portal.md).
31+
32+
#### [Azure CLI](#tab/azure-cli)
33+
34+
Run the [az grafana create](/cli/azure/grafana#az-grafana-create) command to create an Azure Managed Grafana instance with deterministic outbound IPs enabled. Replace `<azure-managed-grafana-name>` and `<resource-group>` with the name of the new Azure Managed Grafana instance and a resource group.
35+
36+
```azurecli-interactive
37+
az grafana create --name <azure-managed-grafana-name> --resource-group <resource-group> --deterministic-outbound-ip Enabled
38+
```
39+
40+
---
41+
42+
### Activate deterministic outbound IPs on an existing Azure Managed Grafana instance
43+
44+
#### [Portal](#tab/portal)
45+
46+
1. In the Azure portal, under **Settings** select **Configuration**, and then under **Deterministic outbound IP**, select **Enable**.
47+
48+
:::image type="content" source="media/deterministic-ips/enable-deterministic-ip-addresses.png" alt-text="Screenshot of the Azure platform. Enable deterministic IPs.":::
49+
1. Select **Save** to confirm the activation of deterministic outbound IP addresses.
50+
1. Select **Refresh** to display the list of IP addresses under **Static IP address**.
51+
52+
#### [Azure CLI](#tab/azure-cli)
53+
54+
Run the [az grafana update](/cli/azure/grafana#az-grafana-update) command to update your Azure Managed Grafana instance and enable deterministic outbound IPs. Replace `<azure-managed-grafana-name>` with the name of your Azure Managed Grafana instance.
55+
56+
```azurecli-interactive
57+
az grafana update --name <azure-managed-grafana-name> --deterministic-outbound-ip Enabled
58+
```
59+
60+
The deterministic outbound IPs are listed under `outboundIPs` in the output of the Azure CLI.
61+
62+
---
63+
64+
## Disable public access to a data source and allow Azure Managed Grafana IP addresses
65+
66+
This example demonstrates how to disable public access to Azure Data Explorer and set up private endpoints. This process is similar for other Azure data sources.
67+
68+
1. Open an Azure Data Explorer Cluster instance in the Azure portal, and under **Settings**, select **Networking**.
69+
1. In the **Public Access** tab, select **Disabled** to disable public access to the data source.
70+
1. Under **Firewall**, check the box **Add your client IP address ('88.126.99.17')** and under **Address range**, enter the IP addresses found in your Azure Managed Grafana workspace.
71+
1. Select **Save** to finish adding the Azure Managed Grafana outbound IP addresses to the allowlist.
72+
73+
:::image type="content" source="media/deterministic-ips/add-ip-data-source-firewall.png" alt-text="Screenshot of the Azure platform. Add Azure Managed Grafana outbound IPs to datasource firewall allowlist.":::
74+
75+
You have limited access to your data source by disabling public access, activating a firewall and allowing access from Azure Managed Grafana IP addresses.
76+
77+
## Check access to the data source
78+
79+
Check if the Azure Managed Grafana endpoint can still access your data source.
80+
81+
### [Portal](#tab/portal)
82+
83+
1. In the Azure portal, go to your instance's **Overview** page and select the **Endpoint** URL.
84+
85+
1. Go to **Configuration > Data Source > Azure Data Explorer Datasource > Settings** and at the bottom of the page, select **Save & test**:
86+
- If the message "Success" is displayed, Azure Managed Grafana can access your data source.
87+
- If the following error message is displayed, Azure Managed Grafana can't access the data source: `Post "https://<Azure-Data-Explorer-URI>/v1/rest/query": dial tcp 13.90.24.175:443: i/o timeout`. Make sure that you've entered the IP addresses correctly in the data source firewall allowlist.
88+
89+
### [Azure CLI](#tab/azure-cli)
90+
91+
Run the [az grafana data-source query](/cli/azure/grafana/data-source#az-grafana-data-source-query) command to query the data source. Replace `<azure-managed-grafana-name>` and `<data-source-name>` with the name of your Azure Managed Grafana instance and the name of your data source.
92+
93+
```azurecli-interactive
94+
az grafana data-source query --name <azure-managed-grafana-name> --data-source <data-source-name> --output table
95+
```
96+
97+
If the following error message is displayed, Azure Managed Grafana can't access the data source: `"error": "Post \\"https://<Azure-Data-Explorer-URI>/v1/rest/query\\": dial tcp 13.90.24.175:443: i/o timeout"`. Make sure that you've entered the IP addresses correctly in the data source firewall allowlist.
98+
99+
> [!TIP]
100+
> You can get the name of your data sources by running `az grafana data-source list --name <azure-managed-grafana-instance-name> --output table`
101+
102+
---
103+
104+
## Next steps
105+
106+
> [!div class="nextstepaction"]
107+
> [Call Grafana APIs](how-to-api-calls.md)

articles/managed-grafana/media/deterministic-ips/add-ip-data-source-firewall.png

75.5 KB
Loading

articles/managed-grafana/media/deterministic-ips/enable-deterministic-ip-addresses.png

140 KB
Loading

articles/managed-grafana/toc.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -41,6 +41,8 @@ items:
4141
href: troubleshoot-managed-grafana.md
4242
- name: Enable zone redundancy
4343
href: how-to-enable-zone-redundancy.md
44+
- name: Use deterministic outbound IPs
45+
href: how-to-deterministic-ip.md
4446
- name: Reference
4547
items:
4648
- name: Azure CLI

0 commit comments

Comments
 (0)