Azure AMPLS demystified
Houssem Dellai

Premiered Mar 13, 2024

Can we have a private monitoring stack in Azure?

That was a question I got from one of my customers.

They are using #ZeroTrust Network and wanted all services to be exposed only privately through Private Endpoint. They wanted to apply the same principle for Azure Monitor including: #LogAnalytics, Managed #Prometheus and #Grafana.

What I found is that:

1) Log Analytics doesn't support Private Endpoint (PE).

2) Azure Monitor Agent (AMA) sends the metrics not directly to Prometheus, but to a Data Collection Endpoint (DCE) and then to Prometheus.

3) DCE doesn't support PE

4) You cannot use Private Link Service (PLS) with Log Analytics and DCE

5) For Azure Monitor, there is a special kind of PLS, called #Azure #Monitor Private Link Scope (AMPLS)

6) AMPLS is the enabler for the private monitoring and logging stack in Azure

7) To connect privately to Managed Prometheus, Grafana doesn't use PE, but it uses Managed Private Endpoint.

I've spent long hours learning these new services. To save you precious time, here is everything summarized in a 9-minute video.
Follow me on Twitter for more content: @houssemdellai
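An added example (not from the video) of what finding 6 looks like in practice: a Bicep template that creates an AMPLS, scopes an existing Log Analytics workspace and DCE into it, and exposes the whole scope through a single private endpoint. Resource names, API versions and the parameter values are assumptions.

```bicep
param location string = resourceGroup().location
param workspaceId string   // resource id of the existing Log Analytics workspace
param dceId string         // resource id of the existing Data Collection Endpoint
param subnetId string      // subnet that will host the private endpoint
param amplsName string = 'ampls-monitoring'

// The scope itself. 'PrivateOnly' means the linked resources accept ingestion
// and queries only through private endpoints attached to this AMPLS; keep
// 'Open' while migrating if some clients still reach them over public IPs.
resource ampls 'Microsoft.Insights/privateLinkScopes@2021-07-01-preview' = {
  name: amplsName
  location: 'global'
  properties: {
    accessModeSettings: {
      ingestionAccessMode: 'PrivateOnly'
      queryAccessMode: 'PrivateOnly'
    }
  }
}
// Scoped resources: the workspace and the DCE join the scope here instead of
// getting their own private endpoints (which they do not support).
resource lawScoped 'Microsoft.Insights/privateLinkScopes/scopedResources@2021-07-01-preview' = {
  parent: ampls
  name: 'law-link'
  properties: { linkedResourceId: workspaceId }
}
resource dceScoped 'Microsoft.Insights/privateLinkScopes/scopedResources@2021-07-01-preview' = {
  parent: ampls
  name: 'dce-link'
  properties: { linkedResourceId: dceId }
}
// One private endpoint for the whole scope; the 'azuremonitor' group id covers
// the ingestion, query and agent endpoints of every scoped resource.
resource pe 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: 'pe-${amplsName}'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      {
        name: 'ampls-connection'
        properties: {
          privateLinkServiceId: ampls.id
          groupIds: [ 'azuremonitor' ]
        }
      }
    ]
  }
}
```

The private endpoint still needs the Azure Monitor private DNS zones (privatelink.monitor.azure.com, privatelink.oms.opinsights.azure.com, privatelink.ods.opinsights.azure.com, privatelink.agentsvc.azure-automation.net and privatelink.blob.core.windows.net) linked to the VNet, or agents keep resolving the public addresses. With 'PrivateOnly' set, any ingestion or query that does not arrive through the private link is rejected, so verify each client's path before switching it on in production.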
