| title | How to set up and use deterministic outbound IPs |
|---|---|
| titleSuffix | Azure Managed Grafana |
| description | Learn how to activate deterministic outbound IP support used by Azure Managed Grafana to communicate with data sources. |
| ms.service | azure-managed-grafana |
| ms.topic | how-to |
| author | maud-lv |
| ms.author | malev |
| ms.date | 12/20/2024 |
| ms.custom | sfi-image-nochange |
In this guide, learn how to activate deterministic outbound IP support used by Azure Managed Grafana to communicate with data sources, disable public access and set up a firewall rule to allow inbound requests from your Grafana workspace.
Note
The deterministic outbound IPs feature is only accessible for customers with a Standard plan. For more information about plans, go to pricing plans.
- An Azure account with an active subscription. Create an account for free.
- A data source. For example, an Azure Data Explorer database.
Deterministic outbound IP support is disabled by default in Azure Managed Grafana. You can enable this feature during the creation of the workspace, or you can activate it on an existing workspace.
When creating a workspace, select the Standard pricing plan and then in the Advanced tab, set Deterministic outbound IP to Enable.
For more information about creating a new workspace, go to Quickstart: Create an Azure Managed Grafana workspace.
Run the az grafana create command to create an Azure Managed Grafana workspace with deterministic outbound IPs enabled. Replace <azure-managed-grafana-name> and <resource-group> with the name of the new Azure Managed Grafana workspace and a resource group.
az grafana create --name <azure-managed-grafana-name> --resource-group <resource-group> --deterministic-outbound-ip Enabled
-
In the Azure portal, under Settings select Configuration, and then under General settings > Deterministic outbound IP, select Enable.
:::image type="content" source="media/deterministic-ips/enable-deterministic-ip-addresses.png" alt-text="Screenshot of the Azure platform. Enable deterministic IPs.":::
-
Select Save to confirm the activation of deterministic outbound IP addresses.
-
Select Refresh to display the list of IP addresses under Static IP address.
Run the az grafana update command to update your Azure Managed Grafana workspace and enable deterministic outbound IPs. Replace <azure-managed-grafana-name> with the name of your Azure Managed Grafana workspace.
az grafana update --name <azure-managed-grafana-name> --deterministic-outbound-ip Enabled
The deterministic outbound IPs are listed under outboundIPs in the output of the Azure CLI.
This example demonstrates how to disable public access to Azure Data Explorer and set up private endpoints. This process is similar for other Azure data sources.
-
Open an Azure Data Explorer cluster in the Azure portal, and under Settings, select Networking.
-
In the Public Access tab, select Disabled to disable public access to the data source.
:::image type="content" source="media/deterministic-ips/add-ip-data-source-firewall.png" alt-text="Screenshot of the Azure platform. Add Disable public network access.":::
-
Under Firewall, check the box Add your client IP address and under Address range, enter the IP addresses found in your Azure Managed Grafana workspace.
-
Select Save to finish adding the Azure Managed Grafana outbound IP addresses to the allowlist.
You have limited access to your data source by disabling public access, activating a firewall and allowing access from Azure Managed Grafana IP addresses.
Check if the Azure Managed Grafana endpoint can still access your data source.
-
In the Azure portal, go to your workspace's Overview page and select the Endpoint URL.
-
Go to Configuration > Data Source > Azure Data Explorer Datasource > Settings and at the bottom of the page, select Save & test:
- If the message "Success" is displayed, Azure Managed Grafana can access your data source.
- If the following error message is displayed, Azure Managed Grafana can't access the data source:
Post "https://<Azure-Data-Explorer-URI>/v1/rest/query": dial tcp ...: i/o timeout. Make sure that you've entered the IP addresses correctly in the data source firewall allowlist.
Run the az grafana data-source query command to query the data source. Replace <azure-managed-grafana-name> and <data-source-name> with the name of your Azure Managed Grafana workspace and the name of your data source.
az grafana data-source query --name <azure-managed-grafana-name> --data-source <data-source-name> --output table
If the following error message is displayed, Azure Managed Grafana can't access the data source: "error": "Post \\"https://<Azure-Data-Explorer-URI>/v1/rest/query\\": dial tcp 13.90.24.175:443: i/o timeout". Make sure that you've entered the IP addresses correctly in the data source firewall allowlist.
Tip
You can get the name of your data sources by running az grafana data-source list --name <azure-managed-grafana-workspace-name> --output table
[!div class="nextstepaction"] Set up private access