Commit 3d2a771

Freshness.
1 parent 6a53236 commit 3d2a771

2 files changed

+45
-32
lines changed

@@ -1,28 +1,29 @@
11
---
22
title: How to connect to a data source privately in Azure Managed Grafana
3-
description: Learn how to connect an Azure Managed Grafana workspace to a data source using Managed Private Endpoint
3+
description: Learn how to connect an Azure Managed Grafana workspace to a data source using Managed Private Endpoint.
44
ms.service: azure-managed-grafana
55
ms.topic: how-to
66
author: maud-lv
77
ms.author: malev
8-
ms.date: 02/05/2024
8+
ms.date: 07/17/2025
9+
#customer intent: As a Grafana user, I want to connect an Azure Managed Grafana workspace a data source using Managed Private Endpoint, so that the traffic stays on the Azure network instead of the internet.
910
---
1011

1112
# Connect to a data source privately
1213

13-
In this guide, you learn how to connect your Azure Managed Grafana workspace to a data source using Managed Private Endpoint. Azure Managed Grafana’s managed private endpoints are endpoints created in a Managed Virtual Network that the Azure Managed Grafana service uses. They establish private links from that network to your Azure data sources. Azure Managed Grafana sets up and manages these private endpoints on your behalf. You can create managed private endpoints from your Azure Managed Grafana to access other Azure managed services (for example, Azure Monitor private link scope or Azure Monitor workspace) and your own self-hosted data sources (for example, connecting to your self-hosted Prometheus behind a private link service).
14+
In this guide, you learn how to connect your Azure Managed Grafana workspace to a data source using Managed Private Endpoint. Managed private endpoints for Azure Managed Grafana are endpoints created in a Managed Virtual Network that the Azure Managed Grafana service uses. They establish private links from that network to your Azure data sources. Azure Managed Grafana sets up and manages these private endpoints on your behalf. You can create managed private endpoints from your Azure Managed Grafana to access:
1415

15-
When you use managed private endpoints, traffic between your Azure Managed Grafana and its data sources traverses exclusively over the Microsoft backbone network without going through the internet. Managed private endpoints protect against data exfiltration. A managed private endpoint uses a private IP address from your Managed Virtual Network to effectively bring your Azure Managed Grafana workspace into that network. Each managed private endpoint is mapped to a specific resource in Azure and not the entire service. Customers can limit connectivity to only resources approved by their organizations.
16+
- Other Azure managed services, for example, Azure Monitor private link scope or Azure Monitor workspace
17+
- Your own self-hosted data sources, for example, connecting to your self-hosted Prometheus behind a private link service
1618

17-
A private endpoint connection is created in a "Pending" state when you create a managed private endpoint in your Azure Managed Grafana workspace. An approval workflow is started. The private link resource owner is responsible for approving or rejecting the new connection. If the owner approves the connection, the private link is established. Otherwise, the private link isn't set up. Azure Managed Grafana shows the current connection status. Only a managed private endpoint in an approved state can be used to send traffic to the private link resource that is connected to the managed private endpoint.
19+
When you use managed private endpoints, traffic between your Azure Managed Grafana and its data sources travels only over the Microsoft backbone network instead of the internet. A managed private endpoint uses a private IP address from your Managed Virtual Network to effectively bring your Azure Managed Grafana workspace into that network. Managed private endpoints protect against data exfiltration. Each managed private endpoint is mapped to a specific resource in Azure and not the entire service. You can limit connectivity to only resources approved by your organization.
1820

19-
While managed private endpoints are free, there may be charges associated with private link usage on a data source. For more information, see your data source’s pricing details.
21+
## Prerequisites
2022

21-
> [!NOTE]
22-
> Managed private endpoints are currently only available in Azure Global.
23+
To follow the procedures in this guide, you must have:
2324

24-
> [!NOTE]
25-
> If you're running a private data source in an AKS cluster, when the service’s `externalTrafficPolicy` is set to local, Azure Private Link Service needs to use a different subnet than the Pod’s subnet. If the same subnet is required, the service should use Cluster `externalTrafficPolicy`. See [Cloud Provider Azure](https://cloud-provider-azure.sigs.k8s.io/topics/pls-integration/#restrictions).
25+
- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).
26+
- An Azure Managed Grafana workspace in the Standard tier. If you don't have one yet, [create a new instance](quickstart-managed-grafana-portal.md).
2627

2728
## Supported data sources
2829

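Review bot: The added `#customer intent:` line (new line 9) is missing a word: "connect an Azure Managed Grafana workspace a data source" should read "connect an Azure Managed Grafana workspace to a data source". In the rewritten paragraph at new line 19, "Managed private endpoints protect against data exfiltration" now stands as a bare claim between two sentences; consider joining it to the sentence that follows, since the mapping of each endpoint to a specific resource rather than the entire service is what backs the claim.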
@@ -38,58 +39,70 @@ Managed private endpoints work with Azure services that support private link. Us
3839
- Azure Databricks
3940
- Private link services
4041

41-
## Prerequisites
42+
When you create a managed private endpoint in your Azure Managed Grafana workspace, a private endpoint connection is created in a *Pending* state. This action begins an approval workflow. The private link resource owner is responsible for approving or rejecting the new connection. If the owner approves the connection, the private link is established. Otherwise, the private link isn't set up.
4243

43-
To follow the steps in this guide, you must have:
44+
Azure Managed Grafana shows the current connection status. Only a managed private endpoint in an *approved* state can be used to send traffic to the private link resource that is connected to the managed private endpoint.
4445

45-
- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).
46-
- An Azure Managed Grafana workspace in the Standard tier. If you don't have one yet, [create a new instance](quickstart-managed-grafana-portal.md).
46+
> [!NOTE]
47+
> Managed private endpoints are currently only available in Azure Global.
48+
49+
Managed private endpoints are free. There can be charges associated with private link usage on a data source. For more information, see pricing details for your data source.
50+
51+
> [!NOTE]
52+
> If you run a private data source in an Azure Kubernetes Service (AKS) cluster, if the service `externalTrafficPolicy` is set to local, Azure Private Link Service needs to use a different subnet than the Pod’s subnet. If the same subnet is required, the service should use Cluster `externalTrafficPolicy`. See [Cloud Provider Azure](https://cloud-provider-azure.sigs.k8s.io/topics/pls-integration/#restrictions).
4753

4854
## Create a managed private endpoint for Azure Monitor workspace
4955

5056
You can create a managed private endpoint in your Azure Managed Grafana workspace to connect to a [supported data source](#supported-data-sources) using a private link.
5157

52-
1. In the Azure portal, navigate to your Grafana workspace and then select **Networking**.
53-
1. Select **Managed Private Endpoint**, and then select **Create**.
58+
1. In the Azure portal, navigate to your Grafana workspace and then select **Settings** > **Networking**.
59+
1. Select **Managed Private Endpoint**, and then select **Add**.
5460

55-
:::image type="content" source="media/managed-private-endpoint/create.png" alt-text="Screenshot of the Azure portal create managed private endpoint." lightbox="media/managed-private-endpoint/create.png":::
61+
:::image type="content" source="media/managed-private-endpoint/create.png" alt-text="Screenshot of the Azure portal add managed private endpoint." lightbox="media/managed-private-endpoint/create.png":::
5662

57-
1. In the *New managed private endpoint* pane, fill out required information for resource to connect to.
63+
1. In the **New managed private endpoint** pane, fill out required information for resource to connect to.
5864

59-
:::image type="content" source="media/managed-private-endpoint/new-details-azure-monitor.png" alt-text="Screenshot of the Azure portal new managed private endpoint details for Azure Monitor workspace.":::
65+
:::image type="content" source="media/managed-private-endpoint/new-details-azure-monitor.png" alt-text="Screenshot of the Azure portal new managed private endpoint details for Azure Monitor workspace." lightbox="media/managed-private-endpoint/new-details-azure-monitor.png":::
6066

61-
1. Select an Azure *Resource type* (for example, **Microsoft.Monitor/accounts** for Azure Monitor Managed Service for Prometheus).
67+
1. Select an Azure **Resource type**, for example, **Microsoft.Monitor/accounts** for Azure Monitor Managed Service for Prometheus.
6268
1. Select **Create** to add the managed private endpoint resource.
6369
1. Contact the owner of target Azure Monitor workspace to approve the connection request.
6470

6571
> [!NOTE]
66-
> After the new private endpoint connection is approved, all network traffic between your Azure Managed Grafana workspace and the selected data source will flow only through the Azure backbone network.
72+
> After the new private endpoint connection is approved, all network traffic between your Azure Managed Grafana workspace and the selected data source flows only through the Azure backbone network.
6773

6874
## Create a managed private endpoint to Azure Private Link service
6975

70-
If you have a data source internal to your virtual network, such as an InfluxDB server hosted on an Azure virtual machine, or a Loki server hosted inside your AKS cluster, you can connect your Azure Managed Grafana to it. You first need to add a private link access to that resource using the Azure Private Link service. The exact steps required to set up a private link is dependent on the type of Azure resource. Refer to the documentation of the hosting service you have. For example, [this article](https://cloud-provider-azure.sigs.k8s.io/topics/pls-integration/) describes how to create a private link service in Azure Kubernetes Service by specifying a kubernetes service object.
76+
If you have a data source internal to your virtual network, you can connect your Azure Managed Grafana to it. Examples include an InfluxDB server hosted on an Azure virtual machine and a Loki server hosted inside your AKS cluster.
77+
78+
You first need to add a private link access to that resource using the Azure Private Link service. The exact steps to set up a private link depend on the type of Azure resource. Refer to the documentation of the hosting service. For example, [Azure Private Link Service Integration](https://cloud-provider-azure.sigs.k8s.io/topics/pls-integration/) describes how to create a private link service in Azure Kubernetes Service by specifying a kubernetes service object.
7179

72-
Once you've set up the private link service, you can create a managed private endpoint in your Grafana workspace that connects to the new private link.
80+
After you set up the private link service, you can create a managed private endpoint in your Grafana workspace that connects to the new private link.
7381

74-
1. In the Azure portal, navigate to your Grafana resource and then select **Networking**.
75-
1. Select **Managed Private Endpoint**, and then select **Create**.
82+
1. In the Azure portal, navigate to your Grafana resource and then select **Settings** > **Networking**.
83+
1. Select **Managed Private Endpoint**, and then select **Add**.
7684

77-
:::image type="content" source="media/managed-private-endpoint/create.png" alt-text="Screenshot of the Azure portal create managed private endpoint." lightbox="media/managed-private-endpoint/create.png":::
85+
:::image type="content" source="media/managed-private-endpoint/create.png" alt-text="Screenshot of the Azure portal add managed private endpoint." lightbox="media/managed-private-endpoint/create.png":::
7886

79-
1. In the *New managed private endpoint* pane, fill out required information for resource to connect to.
87+
1. In the **New managed private endpoint** pane, fill out required information for resource to connect to.
8088

81-
:::image type="content" source="media/managed-private-endpoint/new-details-private-link.png" alt-text="Screenshot of the Azure portal new managed private endpoint details for Private link services.":::
89+
:::image type="content" source="media/managed-private-endpoint/new-details-private-link.png" alt-text="Screenshot of the Azure portal new managed private endpoint details for Private link services." lightbox="media/managed-private-endpoint/new-details-private-link.png":::
8290

8391
> [!TIP]
84-
> The *Domain name* field is optional. If you specify a domain name, Azure Managed Grafana will ensure that this domain name will be resolved to the managed private endpoint's private IP inside this Grafana's service managed network. You can use this domain name in your Grafana data source's URL configuration instead of the private IP address. You will be required to use the domain name if you enabled TLS or Server Name Indication (SNI) for your self-hosted data store.
92+
> The *Domain name* field is optional. If you specify a domain name, Azure Managed Grafana ensures that this domain name resolves to the managed private endpoint's private IP inside this Grafana's service managed network. You can use this domain name in your Grafana data source's URL configuration instead of the private IP address. You must use the domain name if you enabled TLS or Server Name Indication (SNI) for your self-hosted data store.
8593

8694
1. Select **Create** to add the managed private endpoint resource.
8795
1. Contact the owner of target private link service to approve the connection request.
8896
1. After the connection request is approved, select **Refresh** to ensure the connection status is **Approved** and private IP address is shown.
8997

9098
> [!NOTE]
91-
> The **Refresh** step cannot be skipped, since refreshing triggers a network sync operation by Azure Managed Grafana. Once the new managed private endpoint connection is shown approved, all network traffic between your Azure Managed Grafana workspace and the selected data source will only flow through the Azure backbone network.
99+
> You can't skip the **Refresh** step. Refreshing triggers a network sync operation by Azure Managed Grafana. After the new managed private endpoint connection is shown approved, all network traffic between your Azure Managed Grafana workspace and the selected data source flows only through the Azure backbone network.
100+
101+
## Next step
102+
103+
In this how-to guide, you learned how to configure private access between an Azure Managed Grafana workspace and a data source.
92104

93-
## Next steps
105+
To learn how to set up private access from your users to an Azure Managed Grafana workspace, see:
94106

95-
In this how-to guide, you learned how to configure private access between an Azure Managed Grafana workspace and a data source. To learn how to set up private access from your users to an Azure Managed Grafana workspace, see [Set up private access](how-to-set-up-private-access.md).
107+
> [!div class="nextstepaction"]
108+
> [Set up private access](how-to-set-up-private-access.md)
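Review bot: The approval-workflow paragraphs, the Azure Global note, the pricing sentence and the AKS note (new lines 42 to 52) now sit directly after the list under "## Supported data sources", where a reader looking for the connection states is unlikely to find them; give them their own heading or keep them in the introduction. The connection states are also formatted three ways in this hunk (*Pending*, *approved*, **Approved**), so pick one style, since only the approved state carries traffic and the reader has to match it against the portal. In the AKS note, "If you run ..., if the service `externalTrafficPolicy` is set to local" has a doubled "if", and the two policy values would read more clearly as the code literals `Local` and `Cluster`. At new line 78, "kubernetes service object" should capitalize Kubernetes. The Azure Monitor workspace procedure still ends at the approval step while the Private Link procedure states "You can't skip the **Refresh** step"; confirm whether the refresh is also needed there and add the step if so.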
-9.26 KB