Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,590 questions
Access Issues After Changing "Query Access" Settings on Log Analytics Workspace
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 22%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
Rui Silva
0
Reputation points
Hello,
We have an active site-to-site VPN connection between our on-premises office network and our Azure infrastructure. Through this VPN, we can access all private resources, and for some endpoints, we use host file mappings such as:
10.0.1.4 vm-sql.privatelink.database.windows...
10.0.1.8 vm-dce-cics-performance-class...
We are experiencing issues after changing the Query Access settings of our Log Analytics Workspace (name: LOGAN-WS00, resource group and subscription IDs omitted here for privacy).
Before the change:
- The "Query Access" option was set to “Enabled from all networks”.
- We were able to browse the workspace tables both from the Azure Portal (web interface) and internally via VPN.
After the change:
- We changed the setting to “Restricted public inbound, enabled public outbound”.
- After applying the new configuration:
- We can no longer access the tables via the Azure Portal.
- We also lose access when querying from the internal network over VPN.
- The following error is shown:
{
"error": {
"message": "The provided credentials have insufficient access to perform the requested operation",
"code": "InsufficientAccessError",
"correlationId": "...",
"innererror": {
"code": "NspValidationFailedError",
"message": "Access to workspace 'LOGAN-WS00' from '88.157.90.75' is denied. To allow access from public networks, change the workspace Networking settings or add it to a Network Security Perimeter."
}
}
}
We would like help understanding:
- How to properly restrict access to the workspace while still exclusively access from our internal network via VPN.
- Whether we need to explicitly whitelist our public IP or configure something like Private Link or Network Security Perimeter.
- Why access is lost even though name resolution is working and traffic goes through the VPN.
Thanks in advance for any guidance.
Azure Monitor
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 31%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVP%3C/text%3E%3C/svg%3E)
Vinod Pittala 1,830 Reputation points Microsoft External Staff Moderator2025-05-12T18:48:25.74+00:00 Hello Rui Silva,
When you changed the "Query Access" setting to “Restricted public inbound, enabled public outbound,” it restricted access from public networks, including the Azure Portal and potentially your internal network over VPN if not properly configured. Consequently, no machine can access data in this component except those configured through Azure Monitor Private Link.
To restrict access to the workspace while still allowing access from your internal network via VPN, you can configure Private Link.
Private Link allows you to access Azure services over a private endpoint in your virtual network. This ensures that traffic between your virtual network and the Azure service travels over the Microsoft backbone network, eliminating exposure from the public internet.
You can create a Private Link for your Log Analytics Workspace and configure your VPN to route traffic through this private endpoint.
For detailed instructions on setting up Private Link, please refer to the following document.
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-configure
If Private Link is not feasible, you can whitelist your public IP address in the Log Analytics Workspace Networking settings. This will allow access from your specific public IP while still restricting other public access.
- Go to the Log Analytics Workspace > Networking section and set Public Network Access to “Enabled from selected networks.” Add your public IP address to the firewall rule list.
You can also use a Network Security Perimeter to define and enforce network boundaries. This involves configuring network security groups (NSGs) and Azure Firewall rules to allow traffic only from your internal network and VPN.
For more information, refer to this link: https://learn.microsoft.com/en-us/azure/azure-monitor/fundamentals/network-security-perimeter#create-a-network-security-perimeter
However, ensure that your VPN traffic is allowed in the Log Analytics Workspace Networking settings and verify that your VPN is correctly routing traffic to the Azure services.
If the provided solution works for your query, please do not forget to click Upvote Button. this can be beneficial to other community members.it would be greatly appreciated and helpful to others
Thanks
Sign in to comment
Sign in to answer