You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/azure-monitor/containers/kubernetes-monitoring-private-link.md
+12-61Lines changed: 12 additions & 61 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,10 +7,9 @@ ms.custom: devx-track-azurecli
7
7
ms.reviewer: aul
8
8
---
9
9
10
-
# Enable private link for Kubernetes monitoring
11
-
This article describes how to configure monitoring for your Kubernetes cluster for
10
+
# Enable private link for Kubernetes monitoring in Azure Monitor
11
+
[Azure Private Link](../../private-link/private-link-overview.md) enables you to access Azure platform as a service (PaaS) resources to your virtual network by using private endpoints. An [Azure Monitor Private Link Scope (AMPLS)](../logs/private-link-security.md) connects a private endpoint to a set of Azure Monitor resources to define the boundaries of your monitoring network. This article describes how to configure Container insights and Managed Prometheus to use private link for data ingestion from your Azure Kubernetes Service (AKS) cluster.
12
12
13
-
[Azure Private Link](../../private-link/private-link-overview.md) enables you to access Azure platform as a service (PaaS) resources to your virtual network by using private endpoints. An [Azure Monitor Private Link Scope (AMPLS)](../logs/private-link-security.md) connects a private endpoint to a set of Azure Monitor resources to define the boundaries of your monitoring network.
14
13
15
14
> [!NOTE]
16
15
> - See [Connect to a data source privately](../../../articles/managed-grafana/how-to-connect-to-data-source-privately.md) for details on how to configure private link to query data from your Azure Monitor workspace using Grafana.
@@ -20,14 +19,15 @@ This article describes how to configure monitoring for your Kubernetes cluster f
20
19
## Prerequisites
21
20
This article describes how to connect your cluster to an existing Azure Monitor Private Link Scope (AMPLS). Create an AMPLS following the guidance in [Configure your private link](../logs/private-link-configure.md).
22
21
23
-
## Managed Prometheus
22
+
## Managed Prometheus (Azure Monitor workspace)
23
+
Data for Managed Prometheus is stored in an [Azure Monitor workspace](../essentials/azure-monitor-workspace-overview.md), so you must make this workspace accessible over a private link.
24
24
25
25
### Configure DCEs
26
-
Private links for data ingestion for Managed Prometheus are configured on the Data Collection Endpoints (DCE) of the workspace that stores the data. To identify the DCEs associated with your Azure Monitor workspace, select **Data Collection Endpoints** from your Azure Monitor workspace in the Azure portal.
26
+
Private links for data ingestion for Managed Prometheus are configured on the Data Collection Endpoints (DCE) of the Azure Monitor workspace that stores the data. To identify the DCEs associated with your Azure Monitor workspace, select **Data Collection Endpoints** from your Azure Monitor workspace in the Azure portal.
27
27
28
28
:::image type="content" source="media/kubernetes-monitoring-private-link/azure-monitor-workspace-data-collection-endpoints.png" alt-text="A screenshot show the data collection endpoints page for an Azure Monitor workspace." lightbox="media/kubernetes-monitoring-private-link/azure-monitor-workspace-data-collection-endpoints.png" :::
29
29
30
-
If your AKS cluster isn't in the same region as your Azure Monitor workspace, then you need to [create another DCE](../essentials/data-collection-endpoint-overview.md#create-a-data-collection-endpoint) in the same region as the AKS cluster. In this case, open the data collection rule (DCR ) created when you enabled Managed Prometheus. This DCR will be named **MSPrometheus-\<clusterName\>-\<clusterRegion\>**. The cluster will be listed on the **Resources** page. On the **Data collection endpoint** dropdown, select the DCE in the same region as the AKS cluster.
30
+
If your AKS cluster isn't in the same region as your Azure Monitor workspace, then you need to [create another DCE](../essentials/data-collection-endpoint-overview.md#create-a-data-collection-endpoint) in the same region as the AKS cluster. In this case, open the data collection rule (DCR ) created when you enabled Managed Prometheus. This DCR will be named **MSProm-\<clusterName\>-\<clusterRegion\>**. The cluster will be listed on the **Resources** page. On the **Data collection endpoint** dropdown, select the DCE in the same region as the AKS cluster.
31
31
32
32
:::image type="content" source="media/kubernetes-monitoring-private-link/azure-monitor-workspace-data-collection-rule.png" alt-text="A screenshot show the data collection rules page for an Azure Monitor workspace." lightbox="media/kubernetes-monitoring-private-link/azure-monitor-workspace-data-collection-rule.png" :::
33
33
@@ -55,19 +55,16 @@ Use the following steps to set up remote write for a Kubernetes cluster over a p
55
55
2. Click **Add** and select your Azure Monitor Private Link scope. It takes a few minutes for the settings to propagate. Once completed, data from your private AKS cluster is ingested into your Azure Monitor workspace over the private link.
56
56
57
57
58
-
## Container insights
59
-
For Container insights, the cluster needs access to the Log Analytics workspace.
58
+
## Container insights (Log Analytics workspace)
59
+
Data for Container insights, is stored in a [Log Analytics workspace](../logs/log-analytics-workspace-overview.md), so you must make this workspace accessible over a private link.
60
60
61
-
### Cluster using managed identity authentication
62
-
63
-
### Prerequisites
64
-
- Create an Azure Monitor Private Link Scope (AMPLS) following the guidance in [Configure your private link](../logs/private-link-configure.md).
65
-
- The template must be deployed in the same resource group as the cluster.
61
+
> [!NOTE]
62
+
> This section describes how to enable private link for Container insights using CLI. For details on using an ARM template, see [Enable Container insights](./kubernetes-monitoring-enable.md?tabs=arm#enable-container-insights) and note the parameters `useAzureMonitorPrivateLinkScope` and `azureMonitorPrivateLinkScopeResourceId`.
66
63
64
+
### Cluster using managed identity authentication
67
65
68
-
### [CLI](#tab/cli)
69
66
70
-
####Existing AKS Cluster
67
+
### Existing AKS Cluster
71
68
72
69
**Use default Log Analytics workspace**
73
70
@@ -106,52 +103,6 @@ az aks create --resource-group "my-resource-group" --name "my-cluster" --enabl
106
103
```
107
104
108
105
109
-
### [ARM](#tab/arm)
110
-
111
-
The following sections provide links to the template and parameter files for enabling private link with Container insights on an AKS and Arc-enabled clusters.
112
-
113
-
Edit the values in the parameter file and deploy the template using any valid method for deploying ARM templates. Retrieve the **resource ID** of the resources from the **JSON** View of their **Overview** page.
114
-
115
-
Based on your requirements, you can configure other parameters such `streams`, `enableContainerLogV2`, `enableSyslog`, `syslogLevels`, `syslogFacilities`, `dataCollectionInterval`, `namespaceFilteringModeForDataCollection` and `namespacesForDataCollection`.
116
-
117
-
### Prerequisites
118
-
- Create an Azure Monitor Private Link Scope (AMPLS) following the guidance in [Configure your private link](../logs/private-link-configure.md).
119
-
- The template must be deployed in the same resource group as the cluster.
|`aksResourceLocation`| Azure Region of the cluster. |
131
-
|`workspaceResourceId`| Resource ID of the Log Analytics workspace. |
132
-
|`workspaceRegion`| Region of the Log Analytics workspace. |
133
-
|`resourceTagValues`| Tag values specified for the existing Container insights extension data collection rule (DCR) of the cluster and the name of the DCR. The name will be MSCI-\<clusterName\>-\<clusterRegion\>, and this resource created in an AKS clusters resource group. For first time onboarding, you can set arbitrary tag values. |
134
-
|`useAzureMonitorPrivateLinkScope`| Boolean flag to indicate whether Azure Monitor link scope is used or not. |
135
-
|`azureMonitorPrivateLinkScopeResourceId`| Resource ID of the Azure Monitor Private link scope. This only used if `useAzureMonitorPrivateLinkScope` is set to **true**. |
|`clusterResourceId`| Resource ID of the cluster. |
145
-
|`clusterRegion`| Azure Region of the cluster. |
146
-
|`workspaceResourceId`| Resource ID of the Log Analytics workspace. |
147
-
|`workspaceRegion`| Region of the Log Analytics workspace. |
148
-
|`workspaceDomain`| Domain of the Log Analytics workspace:<br>`opinsights.azure.com` for Azure public cloud<br>`opinsights.azure.us` for Azure US Government<br>`opinsights.azure.cn` for Azure China Cloud |
149
-
|`resourceTagValues`| Tag values specified for the existing Container insights extension data collection rule (DCR) of the cluster and the name of the DCR. The name will be MSCI-\<clusterName\>-\<clusterRegion\>, and this resource created in an AKS clusters resource group. For first time onboarding, you can set arbitrary tag values. |
150
-
|`useAzureMonitorPrivateLinkScope`| Boolean flag to indicate whether Azure Monitor link scope is used or not. |
151
-
|`azureMonitorPrivateLinkScopeResourceId`| Resource ID of the Azure Monitor Private link scope. This is only used if `useAzureMonitorPrivateLinkScope` is set to **true**. |
152
-
153
-
---
154
-
155
106
## Cluster using legacy authentication
156
107
Use the following procedures to enable network isolation by connecting your cluster to the Log Analytics workspace using [Azure Private Link](../logs/private-link-security.md) if your cluster is not using managed identity authentication. This requires a [private AKS cluster](/azure/aks/private-clusters).
0 commit comments