Application Insights - AMPLS DNS Resolution
I have an anomaly when using AMPLS and Application Insights. I have a standard hybrid setup consisting of:
- On-premises DCs
- Azure DCs
- Hub Spoke Vnet
- Azure Private DNS Zones
If I provide Application Insights via AMPLS, the connection string copied from the portal without any changes is not working.
InstrumentationKey=XXXXXXXXXXXXXXXXXXXXXXXXXXXX;IngestionEndpoint=https://germanywestcentral1.in.applicationinsights.azure.com/;LiveEndpoint=https://germanywestcentral.livediagnostics.monitor.azure.com/;ApplicationId=XXXXXXXXXXXXXXXXXXXXXXXXXXXX
The record germanywestcentral-1.in.applicationinsights.azure.com cannot be resolved internally; there is no conditional forwarder / Azure Private DNS zone for this zone. In this documentation I found the public global endpoint for ingestion: https://learn.microsoft.com/en-us/azure/azure-monitor/ip-addresses. I changed the record to the global endpoint dc.applicationinsights.azure.com. It seems there is an internal Azure resolution from dc.applicationinsights.azure.com to the CNAME global.in.ai.privatelink.monitor.azure.com. As a result, the connection string works fine. In this case, who hosts the applicationinsights.azure.com zone and the CNAME within it?
When I ask Azure DNS directly I will receive the same information. So I guess that's where the magic happens.
germanywestcentral1.in.applicationinsights.azure.com --> Non-existent domain
dc.applicationinsights.azure.com --> CNAME privatelink.monitor.azure.com --> AMPLS Private Endpoint IP
When I read the private endpoint DNS zones in this documentation, in the past there was a conditional forwarder for applicationinsights.azure.com, but now there isn't.
https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns
Does the table mean I need an additional conditional forwarder on my DCs for the zones services.visualstudio.com and applicationinsights.azure.com to 168.63.129.16?
Private link resource type: Azure Monitor (Microsoft.Insights/privateLinkScopes)
Subresource: azuremonitor
Private DNS zone name: privatelink.monitor.azure.com, privatelink.oms.opinsights.azure.com, privatelink.ods.opinsights.azure.com, privatelink.agentsvc.azure-automation.net, privatelink.blob.core.windows.net
Public DNS zone forwarders: monitor.azure.com, oms.opinsights.azure.com, ods.opinsights.azure.com, agentsvc.azure-automation.net, blob.core.windows.net, services.visualstudio.com, applicationinsights.azure.com
The zones applicationinsights.azure.com and services.visualstudio.com are not part of any documentation about AMPLS. https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-configure
How does the magic happen, and why does it only work with the global ingestion endpoint and not with the regional one? Can anyone confirm the configuration and how it works in their environment?
Thanks.
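As an added example (not code from the question, the answers or the Microsoft docs), a small Python check that parses a portal connection string, extracts the ingestion and Live Metrics hostnames, and reports whether each resolves to a private address (the AMPLS private endpoint), a public address (traffic would bypass the private link), or not at all (the NXDOMAIN case described above). The resolver is pluggable, so the verdict logic can be exercised offline with constructed answers; the sample connection string uses placeholder keys.

```python
import ipaddress
import socket
from typing import Callable, Dict, List
from urllib.parse import urlparse

# Constructed sample with placeholder keys; same layout as the string copied from the portal.
SAMPLE_CONNECTION_STRING = (
    "InstrumentationKey=00000000-0000-0000-0000-000000000000;"
    "IngestionEndpoint=https://germanywestcentral1.in.applicationinsights.azure.com/;"
    "LiveEndpoint=https://germanywestcentral.livediagnostics.monitor.azure.com/;"
    "ApplicationId=00000000-0000-0000-0000-000000000000"
)

def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split the semicolon-separated key=value pairs into a dict."""
    pairs = (part.split("=", 1) for part in cs.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}

def endpoint_hosts(cs: str) -> Dict[str, str]:
    """Hostnames the SDK contacts: telemetry ingestion and Live Metrics."""
    fields = parse_connection_string(cs)
    return {key: urlparse(fields[key]).hostname
            for key in ("IngestionEndpoint", "LiveEndpoint") if key in fields}

def default_resolver(host: str) -> List[str]:
    """Resolve with the system resolver; an empty list means NXDOMAIN or lookup failure."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []

def check_private_link(cs: str, resolve: Callable[[str], List[str]] = default_resolver) -> Dict[str, str]:
    """Verdict per endpoint: 'unresolved', 'private' (every answer is an RFC 1918 address,
    i.e. the AMPLS private endpoint) or 'public' (traffic would bypass the private link)."""
    verdicts: Dict[str, str] = {}
    for key, host in endpoint_hosts(cs).items():
        addrs = resolve(host)
        if not addrs:
            verdicts[key] = "unresolved"
        elif all(ipaddress.ip_address(a).is_private for a in addrs):
            verdicts[key] = "private"
        else:
            verdicts[key] = "public"
    return verdicts

if __name__ == "__main__":
    for key, verdict in check_private_link(SAMPLE_CONNECTION_STRING).items():
        print(f"{key}: {verdict}")
```

Run it from a host inside the hub/spoke VNet and from on-premises; any endpoint that comes back "public" or "unresolved" is one the DNS forwarders are not yet covering.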
-
Pranay Reddy Madireddy 6,340 Reputation points • Moderator
Hi Robert Lehmann
Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
When using Azure Private Link, it's important for your DNS to work correctly. Regional endpoints like "southcentralus.in.applicationinsights.azure.com" are meant for public use, but they might not resolve properly in a hybrid setup. This can cause connection problems. To avoid this, using a global endpoint instead can help, as it usually connects reliably within Azure's network.
Azure has a private DNS zone called privatelink.monitor.azure.com for connecting to private endpoints. If applicationinsights.azure.com isn't resolving correctly, you need to check and set up the right DNS entries. This will help your applications connect to Azure services properly.
Switching to "dc.applicationinsights.azure.com" lets your instrumentation work because it connects to a global address that points to the right private endpoint. This avoids problems with the regional endpoint and provides a more reliable connection, especially if the regional one has DNS or network issues.
Set up your on-premises DNS to forward requests for applicationinsights.azure.com and services.visualstudio.com to 168.63.129.16. This will improve DNS resolution. Also, if the global endpoint (dc.applicationinsights.azure.com) works well for you, keep using it until you fix any problems with the regional endpoint.
If you have any further queries, do let us know.
If the answer is helpful, please click "Accept Answer" and "Upvote it".
-
Pranay Reddy Madireddy 6,340 Reputation points • Moderator
Hi Robert Lehmann
If you had a chance to see my comment to your question and it was helpful, please click "Upvote" on my post and let us know. Thank you...!
-
Pranay Reddy Madireddy 6,340 Reputation points • Moderator
Robert Lehmann - If you had a chance to see my comment to your question and it was helpful, please click "Upvote" on my post and let us know. Thank you...!
1 answer
-
Constantin Adrian Bolboceanu 0 Reputation points
Experiencing something similar, but in regards to Live Metrics: westeurope.livediagnostics.monitor.azure.com is resolved to a public IP address and the connection fails. The Application Insights resource is integrated into AMPLS, with both having public access disabled.
