Forum Discussion

NotMarcus77
Copper Contributor
May 13, 2026

Ingesting Logs through Azure Private Link

Hi,

We are currently using Azure Private Link within our environment and we are attempting to ingest logs into Log Analytics. When I reached out to Microsoft Support, it appears that the CCF connectors will not work using Private Link and the Azure Functions connectors are becoming deprecated.

Has anyone else run into this issue and what is the solution for getting logs into Sentinel through the Private Link, specifically API log sources? Did this require a custom app for each of these log sources or some sort of custom script that lives on an AMA host within the Private Link to ingest the logs?

Any advice here would be greatly appreciated.

Thank you,

4 Replies

  • For API-based log sources behind private networking, I would design this around Azure Monitor Private Link Scope plus Data Collection Endpoint/Data Collection Rule and the Logs Ingestion API. CCF connectors are SaaS-hosted, so they are not a good fit when the connector itself must run inside your private network.

    There is not a universal "pre-made Logs Ingestion API config" because each source needs a DCR stream/schema and a transform that matches the source payload. The reusable part is the pattern:

    1. Create or reuse the Log Analytics workspace used by Sentinel.
    2. Create a DCE in the region and add it to AMPLS.
    3. Create a DCR with a custom table or supported stream.
    4. Run a small collector inside the private network, for example Container Apps, AKS, VM, or Function if still acceptable for your lifecycle.
    5. Send to the DCE Logs Ingestion API endpoint using managed identity or Entra app auth.

    For many API sources, one generic collector can support multiple sources if you normalize each source to its own DCR/table. You do not necessarily need one app per source.

     

    Useful docs:

    https://learn.microsoft.com/azure/azure-monitor/fundamentals/private-link-security

    https://learn.microsoft.com/azure/sentinel/create-custom-connector

    https://learn.microsoft.com/azure/sentinel/create-codeless-connector
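
The collector pattern from the reply above (steps 4 and 5, one collector serving several sources), as an added example that is not part of the original post and not Microsoft sample code. It uses only the Python standard library; the source names, field names, stream names and DCR IDs are hypothetical placeholders, and the bearer token is assumed to come from a managed identity or Entra app.

```python
import ipaddress, json, socket, urllib.request
from urllib.parse import urlsplit

API_VERSION = "2023-01-01"   # Logs Ingestion API version
MAX_BODY = 1_000_000         # keep each call under the API's 1 MB body limit

# Hypothetical sources: each gets its own DCR immutable ID (placeholder), stream
# name and a normalizer that maps the raw API payload to that DCR's stream schema.
SOURCES = {
    "vendor_a": ("dcr-placeholder-vendor-a", "Custom-VendorA_CL",
                 lambda e: {"TimeGenerated": e["ts"], "User": e["actor"], "Action": e["event"]}),
    "vendor_b": ("dcr-placeholder-vendor-b", "Custom-VendorB_CL",
                 lambda e: {"TimeGenerated": e["time"], "SrcIp": e["ip"], "Result": e["outcome"]}),
}

def resolves_privately(dce_url, resolver=socket.getaddrinfo):
    """True only if every address the DCE host resolves to is private (AMPLS DNS in effect)."""
    addrs = {info[4][0] for info in resolver(urlsplit(dce_url).hostname, 443)}
    return bool(addrs) and all(ipaddress.ip_address(a).is_private for a in addrs)

def batches(records, limit=MAX_BODY):
    """Yield compact JSON-array bodies of at most `limit` bytes (an oversized record goes alone)."""
    chunk, size = [], 1                      # size tracks the exact length of the finished body
    for rec in records:
        raw = json.dumps(rec, separators=(",", ":")).encode()
        if chunk and size + len(raw) + 1 > limit:
            yield b"[" + b",".join(chunk) + b"]"
            chunk, size = [], 1
        chunk.append(raw)
        size += len(raw) + 1
    if chunk:
        yield b"[" + b",".join(chunk) + b"]"

def build_requests(dce_url, source, raw_events, token):
    """One POST per batch to this source's own DCR stream behind the DCE."""
    dcr_id, stream, normalize = SOURCES[source]
    url = (f"{dce_url.rstrip('/')}/dataCollectionRules/{dcr_id}"
           f"/streams/{stream}?api-version={API_VERSION}")
    # token: bearer token for https://monitor.azure.com from managed identity or an Entra app
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return [urllib.request.Request(url, data=body, headers=headers, method="POST")
            for body in batches(map(normalize, raw_events))]

def send(dce_url, reqs, opener=urllib.request.urlopen, resolver=socket.getaddrinfo):
    """Refuse to send if the DCE name resolves publicly, then return the HTTP status codes."""
    if not resolves_privately(dce_url, resolver):
        raise RuntimeError("DCE resolves to a public address; not sending outside Private Link")
    return [opener(r, timeout=30).status for r in reqs]
```

The `resolves_privately` check catches the common misconfiguration where the collector's DNS does not use the private zones created for AMPLS, so ingestion would otherwise leave over the public endpoint or be rejected.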


  • I believe yes, this is a known architectural limitation. For Sentinel/Log Analytics ingestion over Private Link, it may require Azure Monitor Private Link Scope (AMPLS) + Data Collection Endpoint (DCE) + DCR / Logs Ingestion API. For API sources that are reachable only from your own private network, CCF is generally not the right fit, because CCF is a fully SaaS connector service rather than something that runs inside your VNet.

    Use Azure Private Link to connect networks to Azure Monitor - Azure Monitor | Microsoft Learn

    Logs Ingestion API in Azure Monitor - Azure Monitor | Microsoft Learn

    Create a codeless connector for Microsoft Sentinel | Microsoft Learn

     

    • NotMarcus77
      Copper Contributor

      Is there any location where there are pre-made Logs Ingestion API configs? Since Azure Functions is also being deprecated, this appears to be the only solution for getting API log sources into Sentinel.