Dec 02 2019
- last edited on
Apr 08 2022
The public documentation specifies that for Log Analytics to be used, Virtual Machines must be granted outbound access to:
Opening network firewalls carte blanche to the whole of Azure's blob storage is difficult for Security to accept.
With the Azure firewall bringing fqdn filtering to the platform, there must now be a way to whitelist access through the firewall to support the Agent.
The MOM Agent can be installed by package. From what I've seen, the agent seems to need access to:
... as we know the Workspace GUIDs, that's workable.
There is an agent 'typology' request made to:
which I expect is instructing the agent on the location of geographic blob storage for augmenting the install.
In Australia, the regional blobs seem to be: seauoiomsmds.blob.core.windows.net (Storage.AustraliaSouthEast), cauoiomssa.blob.core.windows.net (Storage.AustraliaCentral) & eauoiomssa.blob.core.windows.net (Storage.AustraliaEast). These seem to be the same requirements for all VMs in a geographic area.
Lastly, there is also a need for access to Microsoft Intelligence Packs https://scadvisorcontent.blob.core.windows.net/ (Storage.SouthCentralUS).
If this is all that's required, it would be possible to still restrict outbound network access while allowing the Log Analytics Agent to be used... making Security and Cloud Engineers both happy!
Is anyone able to tell me if there are other addresses that would be needed for the Log Analytics (with Intelligence Packs) to properly install and function?
Regards & Thanks
Apr 23 2021 09:28 AM
@Laurie_Rhodes Consider Service Endpoint Policies for locking down the storage accounts that can be access on the wire - Create and associate service endpoint policies - Azure portal | Microsoft Docs
Also a new DNS capability to privately connect to Azure Monitor resources exists Use Azure Private Link to securely connect networks to Azure Monitor - Azure Monitor | Microsoft Doc...
These 2 capabilities can help remove exfiltration abilities.