Azure Monitor Agent network configuration

The Azure Monitor Agent supports connections by using direct proxies, a Log Analytics gateway, and private links. This article describes how to define network settings and enable network isolation for the Azure Monitor Agent.

Virtual network service tags

Azure Virtual Network service tags must be enabled on the virtual network for the virtual machine (VM). Both the AzureMonitor and AzureResourceManager tags are required. See the AzureMonitor entry in Available service tags for any additional requirements.

You can use Azure Virtual Network service tags to define network access controls on network security groups, Azure Firewall, and user-defined routes. Use service tags in place of specific IP addresses when you create security rules and routes. For scenarios where Azure Virtual Network service tags can't be used, the firewall requirements are described later in this article.

Note

Data collection endpoint (DCE) public IP addresses aren't included in the network service tags you can use to define network access controls for Azure Monitor. If you have custom logs or Internet Information Services (IIS) log data collection rules (DCRs), consider allowing the DCE's public IP addresses for these scenarios to work until these scenarios are supported via network service tags.

Firewall endpoints

The following table provides the endpoints that firewalls must provide access to for different clouds. Each endpoint is an outbound connection to port 443.

Important

For all endpoints, HTTPS inspection must be disabled.

| Endpoint | Purpose | Example |
|---|---|---|
| global.handler.control.monitor.azure.com | Access the control service | Not applicable |
| global.prod.microsoftmetrics.com | Access the metrics service | Not applicable |
| `<virtual-machine-region-name>`.handler.control.monitor.azure.com | Fetch DCRs for a specific machine | westus2.handler.control.monitor.azure.com |
| `<log-analytics-workspace-id>`.ods.opinsights.azure.com | Ingest log data | 1234a123-aa1a-123a-aaa1-a1a345aa6789.ods.opinsights.azure.com |
| management.azure.com | Needed only if you send time series data (metrics) to an Azure Monitor custom metrics database | Not applicable |
| `<virtual-machine-region-name>`.monitoring.azure.com | Needed only if you send time series data (metrics) to an Azure Monitor custom metrics database | westus2.monitoring.azure.com |
| `<data-collection-endpoint>`.`<virtual-machine-region-name>`.ingest.monitor.azure.com | Ingest log data | 275test-01li.eastus2euap-1.canary.ingest.monitor.azure.com |

Replace the suffix in the endpoints with the suffix in the following table for respective clouds:

| Cloud | Suffix |
|---|---|
| Azure Commercial | .com |
| Azure Government | .us |
| Microsoft Azure operated by 21Vianet | .cn |

Note

  • If you use private links on the agent, you must add only private DCEs. The agent doesn't use the nonprivate endpoints listed in the preceding table when you use private links or private DCEs.

  • The Azure Monitor metrics (custom metrics) preview isn't available in Azure Government and Azure operated by 21Vianet clouds.

  • When you use the Azure Monitor Agent with Azure Monitor Private Link Scope, all your DCRs must use DCEs. The DCEs must be added to the Azure Monitor Private Link Scope configuration via a private link.
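The following script is an added example, not part of the Azure documentation page: run it from a VM to confirm that each endpoint in the table above is reachable on TCP 443 and that the TLS session is not being re-signed by an inspecting proxy (the page requires HTTPS inspection to be disabled). It assumes a direct outbound path (no agent proxy), and the region, workspace ID, cloud suffix and the Microsoft/DigiCert issuer heuristic are constructed assumptions you should adjust.

```powershell
# Added example (not from the Azure docs page). Region, workspace ID and suffix are placeholders.
param(
    [string]$Region      = 'westus2',
    [string]$WorkspaceId = '00000000-0000-0000-0000-000000000000',
    [string]$Suffix      = '.com'   # .us for Azure Government, .cn for 21Vianet
)

# Endpoints from the table above; the DCE ingest host is omitted because its name is per-deployment.
$endpoints = @(
    "global.handler.control.monitor.azure$Suffix",
    "global.prod.microsoftmetrics$Suffix",
    "$Region.handler.control.monitor.azure$Suffix",
    "$WorkspaceId.ods.opinsights.azure$Suffix",
    "management.azure$Suffix",
    "$Region.monitoring.azure$Suffix"
)

function Get-ServerCertIssuer([string]$HostName) {
    $client = [System.Net.Sockets.TcpClient]::new($HostName, 443)
    try {
        # Accept any certificate so the handshake completes; we only read the issuer afterwards.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        return $cert.Issuer
    } finally { $client.Dispose() }
}

foreach ($ep in $endpoints) {
    $tcp = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning "$ep : TCP 443 blocked (firewall or route rule missing)"
        continue
    }
    $issuer = Get-ServerCertIssuer $ep
    # Heuristic (assumption): Azure endpoints present Microsoft- or DigiCert-issued certificates.
    # A corporate CA in the issuer normally means a proxy is terminating and re-signing TLS,
    # which breaks the agent and must be disabled for these hosts.
    if ($issuer -notmatch 'Microsoft|DigiCert') {
        Write-Warning "$ep : certificate issued by '$issuer' (HTTPS inspection in the path?)"
    } else {
        Write-Output "$ep : OK (issuer: $issuer)"
    }
}
```

Run it once per cloud suffix and region you deploy to; a warning on any line is a firewall or proxy fix to make before the agent is installed.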

Proxy configuration

The Azure Monitor Agent extensions for Windows and Linux can communicate with Azure Monitor over HTTPS either through a proxy server or through a Log Analytics gateway. This applies to Azure VMs, virtual machine scale sets, and Azure Arc-enabled servers. Configure the connection through the extension settings as described in the following steps. Both anonymous authentication and basic authentication with a username and password are supported.

Important

OMS Gateway is not supported with Azure Arc-enabled servers for proxy connectivity, private link connectivity, and public endpoint connectivity options.

Important

Proxy configuration isn't supported for Azure Monitor Metrics (preview) as a destination. If you send metrics to this destination, it uses the public internet without any proxy.

Note

Setting the Linux system proxy via environment variables such as http_proxy and https_proxy is supported only with the Azure Monitor Agent for Linux version 1.24.2 or later. If you configure a proxy through an Azure Resource Manager template (ARM template), use the ARM template shown here as an example of how to declare the proxy settings inside the template. You can also set global environment variables that all systemd services pick up via the DefaultEnvironment setting in /etc/systemd/system.conf.

Use Azure PowerShell commands in the following examples based on your environment and configuration.

No proxy

$settingsString = '{"proxy":{"mode":"none"}}';
Set-AzVMExtension -ExtensionName AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -SettingString $settingsString

Proxy with no authentication

$settingsString = '{"proxy":{"mode":"application","address":"http://[address]:[port]","auth": "false"}}';
Set-AzVMExtension -ExtensionName AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -SettingString $settingsString

Proxy with authentication

$settingsString = '{"proxy":{"mode":"application","address":"http://[address]:[port]","auth": "true"}}';
$protectedSettingsString = '{"proxy":{"username":"[username]","password": "[password]"}}';
Set-AzVMExtension -ExtensionName AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -SettingString $settingsString -ProtectedSettingString $protectedSettingsString

Revert Proxy configuration to defaults

To restore the proxy configuration to its defaults, set $settingsString = '{}'; as in the following example:

$settingsString = '{}';
Set-AzVMExtension -ExtensionName AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location westeurope -SettingString $settingsString
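The helper below is an added example, not code from the Azure documentation page: it builds the same proxy settings JSON the commands above pass as hand-written strings, validates the proxy address, and keeps the username and password only in the protected (encrypted) settings. It goes beyond the page by also selecting the Linux extension type (AzureMonitorLinuxAgent) with the same publisher; the resource group, VM and proxy values in the usage comment are constructed placeholders.

```powershell
# Added helper (not from the Azure docs page). Requires the Az.Compute module and an Azure login.
function Set-AmaProxy {
    param(
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$VMName,
        [Parameter(Mandatory)] [string]$Location,
        [ValidateSet('Windows','Linux')] [string]$OsType = 'Windows',
        [string]$ProxyAddress,           # e.g. http://10.0.0.5:8080; omit to set mode "none"
        [pscredential]$ProxyCredential   # omit for a proxy without authentication
    )
    # Extension type follows the OS (Linux type is an addition to the page's Windows examples).
    $extName = if ($OsType -eq 'Windows') { 'AzureMonitorWindowsAgent' } else { 'AzureMonitorLinuxAgent' }

    if (-not $ProxyAddress) {
        $settings = @{ proxy = @{ mode = 'none' } }
    } else {
        # Reject anything that is not scheme://host:port before it reaches the agent.
        if ($ProxyAddress -notmatch '^https?://[^/\s]+:\d{1,5}$') {
            throw "ProxyAddress must look like http://host:port, got '$ProxyAddress'"
        }
        $auth = if ($ProxyCredential) { 'true' } else { 'false' }   # page uses string values
        $settings = @{ proxy = @{ mode = 'application'; address = $ProxyAddress; auth = $auth } }
    }

    $splat = @{
        ExtensionName     = $extName
        ExtensionType     = $extName
        Publisher         = 'Microsoft.Azure.Monitor'
        ResourceGroupName = $ResourceGroupName
        VMName            = $VMName
        Location          = $Location
        SettingString     = ($settings | ConvertTo-Json -Compress -Depth 5)
    }
    if ($ProxyCredential) {
        # Credentials belong only in the protected settings: these are encrypted for the VM and are
        # not returned by Get-AzVMExtension, unlike the public settings string.
        $protected = @{ proxy = @{ username = $ProxyCredential.UserName
                                   password = $ProxyCredential.GetNetworkCredential().Password } }
        $splat.ProtectedSettingString = ($protected | ConvertTo-Json -Compress -Depth 5)
    }
    Set-AzVMExtension @splat
}

# Usage with constructed placeholder values:
# $cred = Get-Credential -Message 'Proxy account'
# Set-AmaProxy -ResourceGroupName rg-monitoring -VMName vm-app01 -Location westeurope `
#     -ProxyAddress 'http://10.0.0.5:8080' -ProxyCredential $cred
# Set-AmaProxy -ResourceGroupName rg-monitoring -VMName vm-app01 -Location westeurope   # mode "none"
```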

Log Analytics gateway configuration

  1. Follow the preceding guidance to configure proxy settings on the agent and provide the IP address and port number that correspond to the gateway server. If you deployed multiple gateway servers behind a load balancer, for the agent proxy configuration, instead use the virtual IP address of the load balancer.

  2. Add the configuration endpoint URL to fetch DCRs to the allowlist for the gateway:

    1. Run Add-OMSGatewayAllowedHost -Host global.handler.control.monitor.azure.com.
    2. Run Add-OMSGatewayAllowedHost -Host <gateway-server-region-name>.handler.control.monitor.azure.com.

    (If you use private links on the agent, you must also add the DCEs.)

  3. Add the data ingestion endpoint URL to the allowlist for the gateway:

    • Run Add-OMSGatewayAllowedHost -Host <log-analytics-workspace-id>.ods.opinsights.azure.com.
  4. To apply the changes, restart the Log Analytics gateway (OMS Gateway) service:

    1. Run Stop-Service -Name <gateway-name>.
    2. Run Start-Service -Name <gateway-name>.
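The script below is an added example, not part of the Azure documentation page: it applies steps 2 to 4 on the gateway host in one idempotent pass and verifies the allowlist after the restart. It assumes the OMSGateway PowerShell module is installed on the gateway, that Get-OMSGatewayAllowedHost returns the host names as strings, that the service name is OMSGatewayService, and that the region, workspace ID and DCE host values are constructed placeholders.

```powershell
# Added example (not from the Azure docs page). Run on the Log Analytics gateway server as an administrator.
param(
    [string]$Region      = 'westus2',                                   # gateway server region
    [string]$WorkspaceId = '00000000-0000-0000-0000-000000000000',      # placeholder workspace ID
    [string[]]$DceHosts  = @(),              # private DCE host names; needed only with private links
    [string]$ServiceName = 'OMSGatewayService'                          # assumed service name
)
Import-Module OMSGateway -ErrorAction Stop

# Control-plane hosts (step 2) and the ingestion host (step 3), plus any private DCEs.
$required = @(
    'global.handler.control.monitor.azure.com',
    "$Region.handler.control.monitor.azure.com",
    "$WorkspaceId.ods.opinsights.azure.com"
) + $DceHosts

# Add only the hosts that are missing, so the script can be re-run safely.
$existing = @(Get-OMSGatewayAllowedHost)     # assumed to return plain host-name strings
foreach ($h in $required) {
    if ($existing -contains $h) { Write-Output "already allowed: $h"; continue }
    Add-OMSGatewayAllowedHost -Host $h
    Write-Output "added: $h"
}

# Step 4: the gateway loads its allowlist at start, so restart (same effect as Stop-Service/Start-Service).
Restart-Service -Name $ServiceName -ErrorAction Stop

# Verify: every required host must now be listed; anything missing means agents behind the gateway
# will fail to fetch DCRs or ingest data.
$after   = @(Get-OMSGatewayAllowedHost)
$missing = @($required | Where-Object { $after -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Error "Allowlist is missing: $($missing -join ', ')"
} else {
    Write-Output "Allowlist OK ($($after.Count) hosts) and service '$ServiceName' is $((Get-Service $ServiceName).Status)"
}
```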