This blog post is relevant for customers using virtual network injection and opting out of subnet delegation.
You are not affected if you are using no network security feature or a strategy based on private endpoints.
We have added a new outbound dependency in the category "Internal Tracing" for Azure Data Explorer. This dependency is used to collect diagnostic data to our internal monitoring systems, which helps us to provide you with a reliable and secure service.
If you are using virtual network injection to protect your Azure Data Explorer clusters and you have opted out of subnet delegation, you must update your firewall configuration to allow traffic to this dependency. You can find the exact value by using the API to discover all external outbound dependencies.
Example:
{
"id": "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.Kusto/Clusters/<clusterName>/OutboundNetworkDependenciesEndpoints/InternalTracing",
"name": "<clustername>/InternalTracing",
"type": "Microsoft.Kusto/Clusters/OutboundNetworkDependenciesEndpoints",
"location": "<Location>",
"properties": {
"category": "Internal Tracing",
"endpoints": [
{
"domainName": "ingest-<internalTracingCluster>.<region>.kusto.windows.net",
"endpointDetails": [
{
"port": 443,
"ipAddress": "25.24.23.22"
}
]
}
],
"provisioningState": "Succeeded"
}
}
We apologize for any inconvenience this may cause and we appreciate your cooperation.
