articles/azure-monitor/platform/private-link-security.md
6 additions & 5 deletions
@@ -8,8 +8,9 @@ ms.date: 05/20/2020
8
8
ms.subservice:
9
9
---
10
10
11
+
# Use Azure Private Link to securely connect networks to Azure Monitor
11
12
12
-
[Azure Private Link](../../private-link/private-link-overview) allows you to securely link Azure PaaS services to your virtual network using private endpoints. For many services, you just set up an endpoint per resource. However, Azure Monitor is a constellation of different interconnected services that work together to monitor your workloads. As a result, we have built a resource called an Azure Monitor Private Link Scope (AMPLS) that allows you to define the boundaries of your monitoring network and connect to your virtual network. This article will cover why to use and how to set up an Azure Monitor Private Link Scope.
13
+
[Azure Private Link](../../private-link/private-link-overview.md) allows you to securely link Azure PaaS services to your virtual network using private endpoints. For many services, you just set up an endpoint per resource. However, Azure Monitor is a constellation of different interconnected services that work together to monitor your workloads. As a result, we have built a resource called an Azure Monitor Private Link Scope (AMPLS) that allows you to define the boundaries of your monitoring network and connect to your virtual network. This article will cover why to use and how to set up an Azure Monitor Private Link Scope.
13
14
14
15
## Advantages of Private Link with Azure Monitor
15
16
@@ -21,7 +22,7 @@ With Private Link you can:
21
22
- Stop data exfiltration from your networks by only authorizing access to specific resources, and block access to all destinations
22
23
- Securely connect your private on-premises network to Azure Monitor using ExpressRoute and Private Link
23
24
24
-
For more information, see [Key Benefits of Private Link](../../private-link/private-link-overview#key-benefits)
25
+
For more information, see [Key Benefits of Private Link](../../private-link/private-link-overview#key-benefits.md)
25
26
26
27
## How it works
27
28
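Review bot: The added "Key Benefits of Private Link" link puts the extension after the fragment, `private-link-overview#key-benefits.md`, so the target file still has no `.md` and the anchor becomes `key-benefits.md`, which will not resolve. The extension belongs before the `#`: `../../private-link/private-link-overview.md#key-benefits`, matching the form used for the overview link in the first hunk. The sentence is also missing its closing period.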
@@ -126,18 +127,18 @@ First, you can connect this Log Analytics resource to Azure Monitor Private Link
126
127
Second, you can control how this resource can be reached from outside of the private link scopes listed above.
127
128
If you set **Allow public network access for ingestion** to **No**, then machines outside of the connected scopes cannot upload data to this workspace. If you set **Allow public network access for queries** to **No**, then machines outside of the scopes cannot access data in this workspace. That data includes access to dashboards, query API, insights in the Azure portal, and more.
128
129
129
-
Restricting access in this manner only applies to data in the workspace. Configuration changes, including turning these access settings on or off, are managed by Azure Resource Manager. You should restrict access to Resource Manager using the appropriate roles, permissions, network controls, and auditing. For more information, see [Azure Monitor Roles, Permissions, and Security](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/roles-permissions-security).
130
+
Restricting access in this manner only applies to data in the workspace. Configuration changes, including turning these access settings on or off, are managed by Azure Resource Manager. You should restrict access to Resource Manager using the appropriate roles, permissions, network controls, and auditing. For more information, see [Azure Monitor Roles, Permissions, and Security](roles-permissions-security.md).
130
131
131
132
> [!NOTE]
132
-
> Logs and metrics uploaded to a workspace via Diagnostic Settings (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings) go over a secure private Microsoft channel, and are not controlled by these settings.
133
+
> Logs and metrics uploaded to a workspace via Diagnostic Settings (diagnostic-settings.md) go over a secure private Microsoft channel, and are not controlled by these settings.
133
134
134
135
## Configuring Application Insights components
135
136
136
137
In the Azure portal in your Azure Monitor Application Insights Component resource is a menu item Network Isolation on the left-hand side. You can control two different states from this menu.
137
138
138
139
**---------- TODO ------------- get screenshot----**
First, you can connect this Application Insights resource to Azure Monitor Private Link scopes that you have access to. Click **Add** and select the Azure Monitor Private Link Scope. Click **Apply** to connect it. All connected scopes show up in this screen. Making this connection allows network traffic in the connected virtual networks to reach this component. Making the connection has the same effect as connecting it from the scope as we did in [Connecting Azure Monitor resources](#connecting-azure-monitor-resources).
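Review bot: In the `[!NOTE]` line, the replacement `Diagnostic Settings (diagnostic-settings.md)` is not a Markdown link because the link text has no square brackets, so the file name will render as literal text in parentheses. Suggest `[Diagnostic Settings](diagnostic-settings.md)`, the same form as the `[Azure Monitor Roles, Permissions, and Security](roles-permissions-security.md)` link fixed just above it. Separately, the context at the end of this hunk still carries the `**---------- TODO ------------- get screenshot----**` placeholder in bold, which will show up in the rendered article; it should be removed or replaced with the screenshot before this is published.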