How can I connect Azure Data Explorer to a Log Analytics resource using AMPLS to privately query

James Shellis 20 Reputation points
2025-04-07T16:02:41.57+00:00

I have a Log Analytics workspace that is only accessible through AMPLS, and Data Explorer doesn't appear to support connections to resources that are set up to only allow Restricted Private Inbound queries, even when accessing via a device that has network access.

Azure Data Explorer

Accepted answer
  1. Vinodh247 32,451 Reputation points MVP
    2025-04-07T16:21:47.64+00:00

    Hi,

    Thanks for reaching out to Microsoft Q&A.

    Yes. Connecting Azure Data Explorer (ADX) to a Log Analytics workspace that is restricted via Azure Monitor Private Link Scope (AMPLS) poses a challenge, because ADX currently does not natively support AMPLS for querying Log Analytics workspaces that enforce private access only.

    Current Limitation:

    As of now (April 2025):

    Azure Monitor Private Link Scope (AMPLS) is not supported by Azure Data Explorer (aka Kusto) when trying to connect to Log Analytics workspaces.

    Even if your client is on a private network or has the right DNS resolution, the ADX connector still routes through public endpoints, which AMPLS blocks.


    Workarounds (with caveats):

    1. Query Logs via Azure Monitor REST API (via Private Link) from a Notebook/Function

    If you want to bypass ADX's direct integration, you can:

    • Create an Azure Function or Notebook in a private network (that supports AMPLS).
    • Use Azure Monitor REST API with the Query endpoint:

        import requests

        url = "https://<AMPLS-PrivateEndpoint>/v1/workspaces/<workspaceId>/query"
        query = {"query": "Heartbeat | take 10"}
        headers = {
            "Authorization": "Bearer <token>",
            "Content-Type": "application/json"
        }
        response = requests.post(url, json=query, headers=headers)

    This gives you a private, AMPLS-compliant log access path. You can then ingest or visualize this data into ADX separately.

    2. Mirror Logs into Azure Data Explorer

    Set up Diagnostic Settings or Event Hub routing from Log Analytics to an ADX table.

    This avoids needing ADX to query Log Analytics directly.

    Use Log Analytics -> Event Hub -> Azure Stream Analytics or Azure Function -> ADX pipeline.

    3. Relax AMPLS restriction temporarily

    Not recommended for production, but for testing, allow public endpoint access temporarily to validate the connection. This lets ADX query logs but breaks the isolation.

    Conclusion:

    You will either need to:

    Use an intermediary (Notebook, Function, REST API) to query logs privately and push to ADX.

    Ingest logs into ADX through an Event Hub or other supported mechanism.

    Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.

    1 person found this answer helpful.
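The first workaround, as an added example that is not part of the original answer: an intermediary that refuses to send the bearer token unless the query host resolves only to private addresses, then flattens the query API's tables/columns/rows response into records ready to push to ADX. The host name `api.loganalytics.io`, the function names and the sample payload are assumptions made for this sketch.

```python
import ipaddress
import json
import socket
import urllib.request

# Assumption: the public Log Analytics query host. With AMPLS and private DNS
# in place, it should resolve to a private endpoint IP inside the VNet.
QUERY_HOST = "api.loganalytics.io"


def all_private(addresses):
    """True only if the list is non-empty and every address is private per ipaddress.is_private."""
    return bool(addresses) and all(ipaddress.ip_address(a).is_private for a in addresses)


def resolve(host, port=443):
    """Return the sorted set of IPs the local resolver gives for host."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def tables_to_records(payload):
    """Flatten the query API's tables/columns/rows layout into a list of dicts."""
    records = []
    for table in payload.get("tables", []):
        names = [col["name"] for col in table["columns"]]
        records.extend(dict(zip(names, row)) for row in table["rows"])
    return records


def query_workspace(workspace_id, kql, token, host=QUERY_HOST):
    """Run a KQL query, failing closed if host does not resolve privately."""
    addresses = resolve(host)
    if not all_private(addresses):
        raise RuntimeError(f"{host} resolves to non-private address(es): {addresses}")
    request = urllib.request.Request(
        f"https://{host}/v1/workspaces/{workspace_id}/query",
        data=json.dumps({"query": kql}).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(request, timeout=30) as response:
        return tables_to_records(json.load(response))


# Constructed sample of the response layout, usable offline.
SAMPLE = {"tables": [{"name": "PrimaryResult",
                      "columns": [{"name": "Computer", "type": "string"},
                                  {"name": "TimeGenerated", "type": "datetime"}],
                      "rows": [["vm-01", "2025-04-07T16:00:00Z"]]}]}
```

Failing closed on a public resolution keeps a misconfigured DNS zone from silently sending the token and query over the public endpoint.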

0 additional answers
