cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Monitoring my hybrid environment – part 2?
By
Pierre Roman
Published Aug 24 2022 12:00 AM 5,764 Views
Pierre Roman
Microsoft
‎Aug 24 2022 12:00 AM

Monitoring my hybrid environment – part 2?

‎Aug 24 2022 12:00 AM

Hello folks,

 

2 weeks ago, as part of my series on setting up my demo environment to reflect a typical hybrid (on-prem <-> Azure) environment I covered the basics of what I needed to support operational requirements like monitoring/insights, patch management, change management, etc...  So, I designed a Log Analytics Workspace (LAW) and deployed the Azure Monitor Agent and Dependency Agent.

 

But some of you eagle eyed readers messaged me and pointed out that unlike when I Azure Arc enabled my servers, I did not configure Azure Monitor to only use the site-to-site VPN. You were correct.  However, it’s something we can remedy. And we’ll do it right now.

 

PierreRoman_0-1661319035907.png

 

 

There are 2 layers of security we can wrap around the connectivity of Azure Monitor Agent to the components it needs to connect to.

Layer 1

The first one is by using the Log Analytics gateway in Azure Monitor.   The Log Analytics gateway is an HTTP forward proxy that supports HTTP tunneling using the HTTP CONNECT command. The gateway sends data to Azure Automation and a Log Analytics workspace in Azure Monitor on behalf of the computers that cannot directly connect to the internet.

 

If you have servers that you don’t want to give access to the outside world, you can get the agents installed on the to connect to the gateway, which will then in forward data on their behalf. The gateway is a forwarding proxy that doesn’t store any data. Once the agent establishes connection with Azure Monitor, it follows the same encryption flow with or without the gateway. The data is encrypted between the client and the endpoint. Since the gateway is just a tunnel, it doesn’t have the ability the inspect what is being sent.

 

PierreRoman_1-1661319035914.png

 

In this case to backport this functionality I would have to reconfigure my agents already installed to use the gateway to communicate with my LAW.

Layer 2

The second layer, is to force all traffic to use the VPN the same way we did for Azure Arc which is by leveraging Azure Private Link to connect networks to Azure Monitor.   When you set up a Private Link connection, your DNS zones map Azure Monitor endpoints to private IPs in order to send traffic through the Private Link. Azure Monitor uses both resource-specific endpoints and shared global / regional endpoints to reach the workspaces and components in your Azure Monitor Private Link Scope (AMPLS).

 

In effect you’re tricking your local client to use a private IP address only accessible over the VPN or ExpressRoute to connect with the Azure Monitor endpoints.  It requires a few steps: (the documentation to perform these stes is linked below)

 

1 - Creating a Private Link Scope with resources

 

PierreRoman_2-1661319035915.png

 

 

2 - Connect Azure Monitor resources to your AMPLS

 

PierreRoman_3-1661319035924.png

 

 

3 - Creating a Private Endpoint on your network and connecting it to the scope

 

PierreRoman_4-1661319035944.png

 

4 - Configuring the required access on your Azure Monitor resources.

 

So far we covered the configuration of your network, but you should also consider how you want to configure network access to your monitored resources - Log Analytics workspaces, Application Insights components and Data Collection endpoints.

 

Complete the DNS configuration

Number 5 is to finish the DNS config.  it's not in the Azure Monitor Private Link Scope (AMPLS) documentation, but I'll cover it nonetheless. Just like I did for the Azure Arc Private Link Scope I need to configure my DNS forwarding rules for my Azure DNS Private Resolver  and on my local DNS server configure the conditional forwarders.  Check out the post here where I cover it

 

The DNS configuration needed for Azure Monitor can be found here

 

PierreRoman_5-1661319035948.png

 

 

PierreRoman_6-1661319035955.png

 

 

After I added the appropriate rules to my ruleset, I can move on the local DNS server. And configure the forwarder to send the queries for the domains needed by the agent to the private resolver.

 

PierreRoman_7-1661319035958.png

 

And now, when an Azure Monitor Agent tries to contact one of its end point it will resolve as internal, and use the VPN/ExpressRoute to get there.

 

PierreRoman_8-1661319035964.png

 

The Onion

We’ve now defined to layers to managing how your clients connect to the Azure Monitor resources.  The first, as we mentioned is to use a gateway, in effect configuring a single machine that can connect to the Azure Monitor endpoints.  And the second, send the connections to a private IP address exclusively through a tunnel you control.  Your VPN or ExpressRoute link.

 

If you are in an environment where security and controls are extremely important, you can actually wrap each layer around each other by using the proxy gateway described in Layer 1 and configure the gateway to use the private endpoint as described in Layer 2.  Making an onion as opposed to pealing one…  So to speak.

 

Ok, now that I rectified my oversight from last week we will return to our scheduled programing.  Again, at the risk of sounding like a broken record, let me know if there are scenarios for hybrid management that you have questions about.  It really helps make the blog better and more relevant to you.

 

Cheers!

 

Pierre

 

 

 

 

 

Co-Authors
Version history
Last update:
‎Aug 24 2022 12:00 AM
Updated by:
Labels