Edit

Azure Monitor Agent network configuration

The Azure Monitor Agent supports connections by using direct proxies, a Log Analytics gateway, and private links. This article describes how to define network settings and enable network isolation for the Azure Monitor Agent.

Virtual network service tags

You must enable Azure Virtual Network service tags on the virtual network for the virtual machine (VM). Both AzureMonitor and AzureResourceManager tags are required. See the AzureMonitor entry in Available service tags for any other requirements.

You can use Azure Virtual Network service tags to define network access controls on network security groups, Azure Firewall, and user-defined routes. Use service tags in place of specific IP addresses when you create security rules and routes. For scenarios where you can't use Azure Virtual Network service tags, see the firewall requirements later in this article.

Note

You can't use network service tags to define network access controls for Azure Monitor to include data collection endpoint (DCE) public IP addresses. If you have custom logs or Internet Information Services (IIS) log data collection rules (DCRs), consider allowing the DCE's public IP addresses. This configuration ensures the scenarios work until these scenarios are supported via network service tags.

Firewall endpoints

The following table provides the endpoints that firewalls must provide access to for different clouds. Each endpoint is an outbound connection to port 443.

Important

For all endpoints, disable HTTPS inspection.

Endpoint Purpose Example
global.handler.control.monitor.azure.com Access the control service Not applicable
global.prod.microsoftmetrics.com Access the metrics service Not applicable
<virtual-machine-region-name>.handler.control.monitor.azure.com Fetch DCRs for a specific machine westus2.handler.control.monitor.azure.com
<log-analytics-workspace-id>.ods.opinsights.azure.com Ingest log data 1234a123-aa1a-123a-aaa1-a1a345aa6789.ods.opinsights.azure.com
management.azure.com Needed only if you send time series data (metrics) to an Azure Monitor custom metrics database Not applicable
<virtual-machine-region-name>.monitoring.azure.com Needed only if you send time series data (metrics) to an Azure Monitor custom metrics database westus2.monitoring.azure.com
<data-collection-endpoint>.<virtual-machine-region-name>.ingest.monitor.azure.com Ingest log data 275test-01li.eastus2euap-1.canary.ingest.monitor.azure.com

Replace the suffix in the endpoints with the suffix in the following table for respective clouds:

Cloud Suffix
Azure Commercial .com
Azure Government .us
Microsoft Azure operated by 21Vianet .cn

Note

  • If you use private links on the agent, add only private DCEs. The agent doesn't use the nonprivate endpoints listed in the preceding table when you use private links or private DCEs.

  • The Azure Monitor metrics (custom metrics) preview isn't available in Azure Government and Azure operated by 21Vianet clouds.

  • When you use the Azure Monitor Agent with Azure Monitor Private Link Scope, all your DCRs must use DCEs. Add the DCEs to the Azure Monitor Private Link Scope configuration via a private link.

Proxy configuration

The Azure Monitor Agent extensions for Windows and Linux can communicate through either a proxy server or a Log Analytics gateway to Azure Monitor by using the HTTPS protocol. Use the extensions for Azure VMs, scale sets, and Azure Arc for servers. Use the extensions settings for configuration as described in the following steps. Both anonymous authentication and basic authentication by using a username and password are supported.

Important

Azure Arc-enabled servers don't support OMS Gateway for proxy connectivity, private link connectivity, and public endpoint connectivity options.

Important

Proxy configuration isn't supported for Azure Monitor Metrics (preview) as a destination. If you send metrics to this destination, it uses the public internet without any proxy.

Note

Setting the Linux system proxy through environment variables like http_proxy and https_proxy is supported only when you use the Azure Monitor Agent for Linux version 1.24.2 or later. For the Azure Resource Manager template (ARM template), if you configure a proxy, use the ARM template shown here as an example of how to declare the proxy settings inside the ARM template. Also, a user can set global environment variables that all systemd services pick up via the DefaultEnvironment variable in /etc/systemd/system.conf.

Use the commands in the following examples based on your environment and configuration.

No proxy

$settingsString = '{"proxy":{"mode":"none"}}';
Set-AzVMExtension -ExtensionName AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -SettingString $settingsString

Proxy with no authentication

$settingsString = '{"proxy":{"mode":"application","address":"http://[address]:[port]","auth": "false"}}';
Set-AzVMExtension -ExtensionName AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -SettingString $settingsString

Proxy with authentication

$settingsString = '{"proxy":{"mode":"application","address":"http://[address]:[port]","auth": "true"}}';
$protectedSettingsString = '{"proxy":{"username":"[username]","password": "[password]"}}';
Set-AzVMExtension -ExtensionName AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -SettingString $settingsString -ProtectedSettingString $protectedSettingsString

Revert proxy configuration to defaults

To restore proxy configuration to defaults, define $settingsString = '{}'; as in the following example:

$settingsString = '{}';
Set-AzVMExtension -ExtensionName AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -SettingString $settingsString

Log Analytics gateway configuration

  1. Follow the preceding guidance to configure proxy settings on the agent and provide the IP address and port number that correspond to the gateway server. If you deployed multiple gateway servers behind a load balancer, for the agent proxy configuration, use the virtual IP address of the load balancer.

  2. Add the configuration endpoint URL to fetch DCRs to the allow list for the gateway:

    1. Run Add-OMSGatewayAllowedHost -Host global.handler.control.monitor.azure.com.
    2. Run Add-OMSGatewayAllowedHost -Host <gateway-server-region-name>.handler.control.monitor.azure.com.

    If you use private links on the agent, you must also add the DCEs.

  3. Add the data ingestion endpoint URL to the allow list for the gateway:

    • Run Add-OMSGatewayAllowedHost -Host <log-analytics-workspace-id>.ods.opinsights.azure.com.

  4. To apply the changes, restart the Log Analytics gateway (OMS Gateway) service:

    1. Run Stop-Service -Name <gateway-name>.
    2. Run Start-Service -Name <gateway-name>.

Related content

  • Last updated on