Azure network security perimeter for log analytic workspace

Hi @ **Nana Poku,

**It sounds like you're looking to enhance the security of your Log Analytics Workspace by adding inbound rules to the network security perimeter. Here’s how you can approach this:

1. Define Your Security Perimeter: Start by accessing the Azure portal and navigating to the Network Security Perimeter menu. Here, you can create a new network security perimeter profile if you don't already have one.
2. Inbound Access Rules: Add inbound rules to specify which resources or IP ranges (like your VMs) can connect to your Log Analytics Workspace. For instance, you may want to include specific private IPs that will be making requests to your workspace.
3. Outbound Access Rules: While you're focusing on inbound rules, it’s also important to configure outbound rules that allow resources within the perimeter to access necessary services, like Azure Storage or Event Hubs, by specifying their Fully Qualified Domain Names (FQDNs).
4. Data Collection Endpoint: Ensure that your Data Collection Endpoint (DCE) and Log Analytics Workspace are linked properly under your Azure Monitor resources within the AMPLS (Azure Monitor Private Link Scope). This is essential for secure log ingestion.
5. Disable Public Network Access: Once your DCE is configured to work with AMPLS, make sure to disable public access to enhance security further.
6. DNS Configuration: Verify that the names for your API endpoints resolve to private IPs, ensuring that the traffic is routed securely. If they are resolving to public IPs, you may need to update your DNS settings accordingly.
7. Testing: After configuring everything, you should test querying your logs to ensure that the setup works as expected without any errors indicating public network access.

You can find more detailed steps in the following documentation:

• Configure Azure Monitor with Network Security Perimeter
• Use Azure Private Link to connect networks to Azure Monitor
• Configure private link for Azure Monitor

Hope this helps you secure your Log Analytics Workspace effectively! If you have any more questions or need further assistance, feel free to ask!

Begin by opening the Log Analytics workspace in the Azure portal and switching both ingestion and query access modes to “perimeter only.” This links or creates the perimeter that governs access. Once secure access is active, you navigate to the Network Security Perimeter resource. Inside the perimeter configuration, you add inbound rules that define which sources may send data to the workspace or query it. A rule specifies a source such as a virtual network, subnet, private endpoint, virtual machine, AKS cluster or other Azure resource, and identifies the workspace as the destination. It also specifies whether the access granted is for ingestion, for query, or for both. By doing this, you explicitly allow only those sources that should legitimately interact with the workspace, while the workspace blocks all access from outside the perimeter.

For stronger isolation, consider using Private Link by creating a Log Analytics Private Link Scope and associating the workspace. Placing the private endpoints inside your virtual network and then allowing that network through the perimeter gives you a fully private, controlled path for both ingestion and querying. This reduces exposure and ensures that no access occurs over public endpoints. Note that some Azure-originated pipelines, such as certain diagnostic settings, require resource-based onboarding rather than network-based access, so the inbound rules must reflect this by granting access to the originating resource’s identity rather than a subnet. Once all required rules are in place, switch ingestion and query to “perimeter only”.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin