Support for Azure Monitor Private Link Scope #10059

Closed
ross-p-smith opened this issue Jan 6, 2021 · 13 comments · Fixed by #25763

Comments

@ross-p-smith
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Allow azurerm provider to create/update Azure Monitor Private Link Scope resources: az cli reference. This is supported in the 2019-10-17 preview schema here. But I don't believe it is in the Azure Go SDK.

Implementing this will enable use of Azure Monitor behind Private Endpoints.

New or Affected Resource(s)

  • azurerm_monitor

Potential Terraform Configuration

resource "azurerm_monitor_private_link_scope" "example" {
  name = "example"
  log_analytics_workspace_id = "law_id"
}

@tjcorr
Contributor

tjcorr commented May 19, 2021

Depends on Azure/azure-sdk-for-go#14090

@robertdias

Deploying this for a large customer now and until this resource is added, we will have to attempt to use azurerm_template with an ARM for AMPLS.

@geekzter

geekzter commented Nov 12, 2021

The resource has been implemented in provider 2.85. However, it has no meaningful properties next to name and resource_group_name. I'm confused.

@geekzter

I think we have to wait for this PR for the azurerm_monitor_private_link_scoped_service resource to get merged and released

@nick4fake

@geekzter it has been merged

@dawsonar802

I am not sure if I should open a new issue for this or if it makes sense to have it here. I am running into an issue with this resource now that it is available. When deploying the AMPL scope, the first scoped service seems to deploy fine. Any additional services, either in the same Terraform module, in a different one, or even through the portal, seem to have the same issue. In Terraform it gives an async error and times out after around 15-20 minutes.

In troubleshooting this a bit more, I have found that if I go to the AMPL scope, choose the scope, choose the Private Endpoint Connections on the left, select the Private Endpoint, it has the following at the top of the screen as a warning:

"Please refresh the private endpoint to allow connectivity to all regions."

Right after clicking refresh, the second AMPL service resource provisions ok. Does anyone know what may be causing this? I am not seeing any options for location on this resource, but it shows global in the portal. Private Endpoint does not allow location to be global. Any thoughts?

@LaurentLesle
Contributor

According to the AMPLS design document you can attach up to 300 Log Analytics workspaces or Application Insights. Looks like the PR above only supports 1 attachment. Is it a limitation of the SDK or shall I open a new issue? https://docs.microsoft.com/en-us/azure/azure-monitor/logs/private-link-design

@davidsampson-hv

Right after clicking refresh, the second AMPL service resource provisions ok. Does anyone know what may be causing this? I am not seeing any options for location on this resource, but it shows global in the portal. Private Endpoint does not allow location to be global. Any thoughts?

Hi Laurent,

Long time no speak, I hope you're well! We are also experiencing this issue with the second workspace link. As you said, the documentation is clear that up to 300 workspaces are supported, so I think an issue should be opened for this. In the meantime, does anyone know if it's possible to hit that refresh button programmatically?

Regards,
David

@scott1138
Contributor

We are looking at deploying AMPLS and I am confused by the azurerm_monitor_private_link_scope having no access mode property. Does it default to open?

@dawsonar802

From what I have seen when deploying AMPLS it defaults Ingestion access mode to private and Query access mode to open. For the actual resources like LA or App Insights, when using the azurerm_monitor_private_link_scoped_service resource it sets both the "Accept data ingestion from public networks not connected through a Private Link Scope" and "Accept queries from public networks not connected through a Private Link Scope" to No.

@kaovd
Contributor

kaovd commented Aug 11, 2022

Jumping on this thread as I noticed it's still open. Ideally, support for DCEs, which are currently not meeting the rules validation, would be nice. Will try with azapi but may PR to change the validation.

@swati-delphix

Is there any further update, as "Accept queries from public networks not connected through a Private Link Scope" is still defaulting to open?

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 21, 2024