|
| 1 | +--- |
| 2 | +title: Enable Trusted Access for Azure Monitor for SAP solutions |
| 3 | +description: Learn about enabling private endpoints for your AMS resources |
| 4 | +author: vaidehikher18 |
| 5 | +ms.service: sap-on-azure |
| 6 | +ms.subservice: sap-monitor |
| 7 | +ms.topic: how-to |
| 8 | +ms.date: 03/05/2025 |
| 9 | +ms.author: vaidehikher |
| 10 | +#Customer intent: As an SAP Basis or cloud infrastructure team member, I want to deploy Azure Monitor for SAP solutions with private endpoints for storage account and key vault. |
| 11 | +--- |
| 12 | + |
| 13 | +# Enabling private endpoints for AMS resources |
| 14 | +One of the challenges for customers is that the key vault and storage account that are created as part of the Azure Monitor for SAP solutions Managed Resource Group have their public access enabled. Customers want to disable this public access to be security compliant, but blocking the public access on these resources can lead to functional issues within AMS. |
| 15 | +With this feature, you can use the system-assigned identity of the Azure Monitor for SAP solutions resource and our service will use trusted access mode to interact with the key vault and storage account. Using this feature, you can then block public access and only allow traffic from AMS subnet on your key vault and storage account in AMS managed resource group. |
| 16 | +This feature provides more security and control over your AMS resources, as you can limit the access to the key vault and storage account to the AMS service and subnet only and prevent any unauthorized or malicious access from outside. |
| 17 | + |
| 18 | +## Prerequisites and steps to enable trusted access using System Assigned Managed Identity |
| 19 | +To use the trusted access using MSI feature, you need to meet the following prerequisites and follow the steps below: |
| 20 | +* Migrate to Dedicated app service plan: [Follow steps here](https://go.microsoft.com/fwlink/?linkid=2306196) |
| 21 | +> [!Note] |
| 22 | +> Migrating to dedicated app service plan is a mandatory step to avoid having function app scaling issues after storage account's public access is disabled. |
| 23 | +
|
| 24 | +> [!Important] |
| 25 | +> Trusted access feature is supported only if the "ROUTE ALL" is enabled during the monitor creation. |
| 26 | +
|
| 27 | +## Steps to follow while creating new AMS |
| 28 | +1. Log in to the Azure portal and create a new Azure Monitor for SAP solutions resource. |
| 29 | +2. Fill in the required fields, such as the name, description, etc. |
| 30 | +3. Under the Networking section, have the 'Route all' option enabled. |
| 31 | +4. Under the Identity section, select Enable System Assigned Managed Identity. |
| 32 | + |
| 33 | +5. Click on Save to create the monitor instance. |
| 34 | +6. Create all the providers that are needed. |
| 35 | + |
| 36 | +## Steps to follow for existing AMS |
| 37 | +1. Log in to the Azure portal and navigate to your Azure Monitor for SAP solutions resource. |
| 38 | +2. Migrate to Dedicated app service plan: [Follow steps here](https://go.microsoft.com/fwlink/?linkid=2306196) |
| 39 | +3. Go to the identity tab and enable the system assigned identity and wait for the operation to complete and monitor should be in succeeded state after the operation. |
| 40 | + |
| 41 | + |
| 42 | +## Disable Identity on existing AMS |
| 43 | +* Go to Identity tab for AMS and disable the identity and save. |
0 commit comments