
Implement AMPLS into Landing Zone #720

Open · 2 tasks done
awood-ops opened this issue Feb 2, 2024 · 2 comments
Labels
Area: Logging & Automation 📷 Issues / PR's related to Logging & Automation Area: Networking 🌐 Issues / PR's related to Networking Status: Long Term ⌛ We will do it, but will take a longer amount of time due to complexity/priorities Type: Enhancement ✨ New feature or request Type: Upstream Dependency ⬆️ something must happen before start something else

Comments

@awood-ops

Describe the feature end to end, including deployment scenario details under which the feature would occur.

Recently we deployed a landing zone which had all the private DNS zones linked.
After this we deployed some applications with Application Insights enabled, but found none of them working. After investigation, it appears that the application couldn't resolve the monitor DNS endpoint. To resolve this, we had to unlink privatelink.monitor.azure.com.
After this was unlinked, Application Insights started working and resolving correctly.

A future project will be to implement AMPLS into our landing zone, but as ALZ-Bicep was deploying private endpoint policies, I thought it may be a good place to put it as an optional component.

Why is this feature important. Describe why this would be important for your organization and others. Would this impact similar orgs in the same way?

Provides private endpoints for all the monitoring solutions such as Log Analytics, Application Insights, Azure Monitor.
For those that want a private solution this would be a nice-to-have.

Please provide the correlation id associated with your error or bug.

N/A

Can you describe any alternatives that you have taken since this feature does not exist?

Had to unlink the privatelink.monitor.azure.com DNS zone whilst I work on implementing AMPLS into our environment

Feature Implementation

Not yet....

Check previous GitHub issues

  • I have searched the issues for this item and found no duplicate

Code of Conduct

  • I agree to follow this project's Code of Conduct
@oZakari (Contributor)

oZakari commented Feb 6, 2024

Hi @awood86, thanks for bringing this up! As for incorporating AMPLS, it is something that will need to happen on ALZ all-up before we integrate it within ALZ-Bicep. There are some current limitations within AMPLS which that product team is working on, and we have it added to the backlog as something to incorporate potentially in the future.

As a temporary fix for unlinking the DNS Zones, within both connectivity (Hub Networking and VWAN) modules, there is a parameter called parPrivateDnsZones which is an array of all of the DNS zones that will be provisioned and linked to the hub network. You can remove the privatelink.monitor.azure.com from this array which will stop the link from being reconfigured if you redeploy the module.

@oZakari oZakari added Area: Logging & Automation 📷 Issues / PR's related to Logging & Automation long-term Needs: External Changes ⚙️ When an issue/PR requires changes that are outside of the control of this repo labels Feb 6, 2024
@oZakari oZakari added Upstream Dependency and removed Needs: External Changes ⚙️ When an issue/PR requires changes that are outside of the control of this repo labels Feb 6, 2024
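The failure the issue reports and the parPrivateDnsZones workaround above can be checked against a small model of Azure Private DNS zone resolution. This is an added example, not code from the issue or from ALZ-Bicep. It assumes the documented Azure behaviour that a private DNS zone linked to a VNet is authoritative for its namespace inside that VNet, so a name under privatelink.monitor.azure.com is answered only from that zone's records and never falls back to public DNS. The hostnames, CNAME chain, IP addresses, the PUBLIC_DNS table and the PrivateZone class are constructed sample data, not live records.

```python
"""Model of Azure Private DNS resolution for the privatelink.monitor.azure.com pitfall.

Added example (not ALZ-Bicep code). Encodes the documented rule that a private DNS
zone linked to a VNet is authoritative for its namespace inside that VNet: names under
the zone are answered only from the zone's records, never from public DNS.
All hostnames, CNAME targets and IPs are constructed sample data.
"""
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"
MONITOR_ZONE = "privatelink.monitor.azure.com"

# Constructed public DNS: an Application Insights ingestion hostname that CNAMEs into
# the privatelink namespace, which in public DNS resolves to a public IP (sample values).
PUBLIC_DNS = {
    "eastus-8.in.applicationinsights.azure.com":
        ("CNAME", "eastus-8.in.ai.privatelink.monitor.azure.com"),
    "eastus-8.in.ai.privatelink.monitor.azure.com": ("A", "20.0.0.1"),
}


@dataclass
class PrivateZone:
    """A private DNS zone as the landing zone would provision it (hypothetical type)."""
    name: str
    linked: bool = True                              # linked to the hub VNet or not
    a_records: dict = field(default_factory=dict)    # fqdn -> private IP (from a PE)


def _in_zone(fqdn: str, zone: PrivateZone) -> bool:
    return fqdn == zone.name or fqdn.endswith("." + zone.name)


def resolve(fqdn: str, zones: list, max_hops: int = 8) -> str:
    """Resolve fqdn as a VM in the linked VNet would. Returns an IP or NXDOMAIN."""
    for _ in range(max_hops):
        zone = next((z for z in zones if z.linked and _in_zone(fqdn, z)), None)
        if zone is not None:
            # A linked zone is authoritative: answer from it or fail, no public fallback.
            return zone.a_records.get(fqdn, NXDOMAIN)
        rec = PUBLIC_DNS.get(fqdn)
        if rec is None:
            return NXDOMAIN
        rtype, value = rec
        if rtype == "A":
            return value
        fqdn = value  # CNAME: keep walking the chain
    return NXDOMAIN  # CNAME loop or chain too long


def linked_but_empty(zones: list) -> list:
    """Audit: linked privatelink zones holding no A records blackhole every name under them."""
    return sorted(z.name for z in zones if z.linked and not z.a_records)


def scenarios() -> dict:
    host = "eastus-8.in.applicationinsights.azure.com"
    pl_name = "eastus-8.in.ai.privatelink.monitor.azure.com"
    # 1. Landing zone links the zone, but no AMPLS / private endpoint exists yet.
    empty = [PrivateZone(MONITOR_ZONE)]
    # 2. Workaround from the thread: zone removed from parPrivateDnsZones, so not linked.
    unlinked = [PrivateZone(MONITOR_ZONE, linked=False)]
    # 3. AMPLS deployed: its private endpoint writes A records into the zone.
    ampls = [PrivateZone(MONITOR_ZONE, a_records={pl_name: "10.10.1.4"})]
    return {
        "linked_empty": resolve(host, empty),   # NXDOMAIN: the failure in the issue
        "unlinked": resolve(host, unlinked),    # public IP: workaround works
        "ampls": resolve(host, ampls),          # private IP: intended end state
        "audit": linked_but_empty(empty),       # flags the dangerous zone
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:13} -> {result}")
```

Scenario 1 is the state the issue describes (zone linked by the landing zone, no AMPLS yet): the ingestion name CNAMEs into the privatelink namespace and the empty authoritative zone returns NXDOMAIN. Scenario 2 is the parPrivateDnsZones workaround; scenario 3 is the state after AMPLS is deployed. Further PrivateZone entries (for example the opinsights zones the reporter expects to hit next) are audited the same way, and linked_but_empty is the check to run before linking any privatelink zone that has no private endpoint behind it.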
@awood-ops (Author)


Thanks for the response @oZakari, I totally appreciate it's not a simple change, so I understand! I'll have a go in my test environment with decoupling privatelink.monitor.azure.com. I feel there could be more DNS zones, as Monitor, Log Analytics and others have dependencies. I'll reply on this thread as a reference should there be any more that are troublesome.

@oZakari oZakari added Type: Upstream Dependency ⬆️ something must happen before start something else Status: Long Term ⌛ We will do it, but will take a longer amount of time due to complexity/priorities Area: Networking 🌐 Issues / PR's related to Networking Type: Enhancement ✨ New feature or request and removed Upstream Dependency labels Jul 9, 2024
Development

No branches or pull requests

2 participants