
feat(infra): add Azure Monitor Private Link Scope for network isolation#302

Merged
peteroden merged 1 commit into main from feat/296-ampls-network-isolation
Mar 16, 2026

Conversation

@peteroden
Owner

What

Add Azure Monitor Private Link Scope (AMPLS) to route all monitoring traffic through the VNet, eliminating the last publicly accessible data-plane endpoints.

Why

Log Analytics Workspace and Application Insights were the only two resources still publicly accessible. Telemetry containing application logs (MR content, code review context, Copilot interactions) was traversing the public internet.

Changes

  • infra/variables-apps.tf: New monitoring_subnet_prefix variable (10.0.5.0/24)
  • infra/networking.tf: Monitoring subnet (snet-monitoring) + NSG rule AllowMonitoringOutbound (priority 140)
  • infra/monitoring.tf:
    • AMPLS resource with PrivateOnly ingestion/query access modes
    • Scoped services for LAW and App Insights
    • 4 private DNS zones (monitor, OMS, ODS, agentsvc) + VNet links
    • Private endpoint pe-ampls-* with DNS zone group
    • Disabled public ingestion/query on LAW and App Insights

How to test

  1. cd infra && terraform init -backend=false && terraform validate
  2. After apply: verify App Insights Live Metrics still receives telemetry
  3. Verify LAW/AI reject queries from public internet

Review notes

  • OWASP review completed — addressed HIGH finding (added PrivateOnly access modes)
  • Cross-vendor code review completed
  • Follows existing PE patterns from storage.tf and keyvault.tf

Part of #296
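The PR's diff is not shown on this page; as an added illustration (not the project's own infra/monitoring.tf), this is the shape of the AMPLS configuration the description lists, in azurerm Terraform. All resource addresses and names are assumptions; only the `PrivateOnly` access modes, the `azuremonitor` subresource and the five private DNS zones come from the PR text.

```hcl
# Added example, not the PR's own infra/monitoring.tf. Assumed to exist elsewhere:
# azurerm_resource_group.rg, azurerm_subnet.monitoring, azurerm_private_dns_zone.blob,
# azurerm_private_dns_zone.monitor (for_each over the four privatelink monitor/oms/ods/
# agentsvc zones), and the LAW/App Insights resources with internet_*_enabled = false.

# PrivateOnly: the scope accepts only traffic that arrives via a linked private
# endpoint. The default "Open" keeps public paths usable even with a private
# endpoint attached, which is the HIGH finding the review notes refer to.
resource "azurerm_monitor_private_link_scope" "ampls" {
  name                  = "ampls-main" # assumed name
  resource_group_name   = azurerm_resource_group.rg.name
  ingestion_access_mode = "PrivateOnly"
  query_access_mode     = "PrivateOnly"
}

# Both data-plane resources must be scoped, or the private path does not exist.
resource "azurerm_monitor_private_link_scoped_service" "scoped" {
  for_each = {
    law  = azurerm_log_analytics_workspace.law.id
    appi = azurerm_application_insights.appi.id
  }
  name                = "amplss-${each.key}"
  resource_group_name = azurerm_resource_group.rg.name
  scope_name          = azurerm_monitor_private_link_scope.ampls.name
  linked_resource_id  = each.value
}

# One endpoint on the monitoring subnet; the azuremonitor subresource needs all
# five zones registered so every Azure Monitor FQDN resolves to the private IPs.
resource "azurerm_private_endpoint" "ampls" {
  name                = "pe-ampls-main" # assumed name
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  subnet_id           = azurerm_subnet.monitoring.id

  private_service_connection {
    name                           = "pe-ampls-main-psc"
    private_connection_resource_id = azurerm_monitor_private_link_scope.ampls.id
    subresource_names              = ["azuremonitor"]
    is_manual_connection           = false
  }

  private_dns_zone_group {
    name = "ampls-dns"
    private_dns_zone_ids = concat(
      [for z in azurerm_private_dns_zone.monitor : z.id],
      [azurerm_private_dns_zone.blob.id],
    )
  }
}
```

With the access modes set to `PrivateOnly`, a query from a client outside the VNet fails even if the workspace ID is known, which is the check step 3 of "How to test" exercises.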

@peteroden peteroden added security Security hardening infrastructure Infrastructure and deployment labels Mar 16, 2026
@peteroden peteroden force-pushed the feat/296-ampls-network-isolation branch 2 times, most recently from b2b725f to 0ac5a5b on March 16, 2026 15:40
- Add AMPLS resource scoped to Log Analytics Workspace and App Insights
- Create monitoring subnet (snet-monitoring, 10.0.5.0/24)
- Add NSG rule AllowMonitoringOutbound (priority 140)
- Create 4 private DNS zones for monitor, OMS, ODS, and agent service
- Deploy private endpoint pe-ampls-* with all 5 DNS zones (4 new + blob)
- Disable public ingestion/query on Log Analytics and App Insights

Part of #296

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@peteroden peteroden force-pushed the feat/296-ampls-network-isolation branch from 0ac5a5b to 1090cdb on March 16, 2026 15:56
@peteroden peteroden merged commit b968d8d into main Mar 16, 2026
11 checks passed
@peteroden peteroden deleted the feat/296-ampls-network-isolation branch March 16, 2026 16:01