Azure Subscription onboarding
This document guides you through the process of setting up your Azure subscription as the data plane. Following these steps ensures that resources are provisioned and managed securely in an isolated environment, leading to a smooth and efficient onboarding experience.
Prerequisites
Before starting the onboarding process, ensure the following requirements are met:
Azure Application Admin Role: Required for the initial subscription onboarding within your Azure tenant.
Resource Group Owner Role: You must have the Owner role on the Azure Resource Group for setup.
Complete your Landing Zone design documentation.
Landing Zone is the foundation that defines the security, naming, and routing standards for your subscription. Landing Zone design documentation is required to ensure the networking components integrate seamlessly with your corporate network, adhere to your tagging policies, and utilize pre-authorized IP address spaces.
Azure Resource Provider Registration: Ensure the necessary features are enabled in your Azure tenant, including Azure BYOA Resource Provider Registration. For more information, see Azure BYOA Resource Provider Registration.
Accessing the Azure Subscription Creation Flow
In the left navigation pane, hover over the Governance App icon. A pop-up menu with a list of apps opens.
From the pop-up menu, select Subscriptions.

Click Add a New Subscription button in the top-right corner.
Select the Microsoft Azure option.

STEP 1 OF 6:
Configure Subscription
Configure your Tessell subscription by providing the following details:
Specify a name for your subscription in the Subscription Name field (minimum 4 characters). Use a descriptive name for easy identification.
Optionally, add a brief summary or purpose for your subscription in the Description field. This helps with organization, especially if managing multiple subscriptions.
From the Region dropdown list, select the primary region for your subscription’s resources. Additional regions can be added later if needed.

After the above details are filled in, do one of the following:
Skip to last step: This option can be used if the ARM template generated from Step 6 is already executed.
If the ARM template is not generated, click Next to proceed to the Authorization section.
STEP 2 OF 6:
Authorization
When deploying databases in Azure, a Resource Group must be configured to effectively organize and manage resources. Follow the steps below to set up your Azure Resource Group and grant authorization.
Azure Resource Group Configuration
Provide the following details:
Azure Subscription ID – Specify the Azure Subscription ID associated with the Resource Group used for database deployment. See Appendix - How to find Subscription ID?.
Resource Group Name – Specify the Resource Group Name where databases are hosted. For an existing Resource Group, follow the steps here: See Appendix - How to find Resource Group Name?.

Authorization Setup
Tessell accesses the customer’s Resource Group using a service principal created for the Tessell Azure App in the customer's tenant. Follow these steps:
Azure Tenant ID
Specify the customer’s Azure Tenant ID. See Appendix - How to find Azure Tenant ID?.
Authorize Tessell App
Click Authorize Tessell App to open a new tab for authorizing the Tessell Azure App and creating a service principal in the customer’s Azure Tenant.
Alternatively, select Copy URL to generate a direct authorization link. Note: A user with Application Administrator role (role for the Microsoft Entra ID used to find the tenant ID) is required for this step.

Enable Authorization Confirmation
After authorizing the Tessell App, select the option I have authorized the Tessell App.
Object ID
Retrieve the Object ID of the Tessell Azure App from the Enterprise Applications List in the customer’s Azure Tenant and specify in the Object ID field. See Appendix - How to find the object ID of the Tessell App?.
After the authorization is complete, click Next to proceed to the Network section.

STEP 3 OF 6:
Network Configuration
Tessell offers two options for setting up a network:
Add New: Creates a new Virtual Network (VNet) in the database resource group.
Register: Registers an existing VNet for database hosting with the option to create/register necessary resources.
Private CP-DP communication flag enabled
This flag should be enabled for private communication between Tessell Control Plane (CP) and Azure Data Plane (DP).
Note: Private connectivity is established using Azure Private Link feature.

Add New Network
Virtual Network Details: Provide the following information.
Virtual Network Name: Specify the name of the new VNet.
Virtual Network CIDR: Specify the IP address range (CIDR) for the new VNet.
Private Subnet Name: Specify the name of the new private subnet.
Private Subnet CIDR: Specify the IP address range (CIDR) for the private subnet.
See Appendix - Address Block Requirement for the Vnet/Subnet for private CP-DP.
Endpoint Configuration
Private Endpoint ID for Tessell Control Plane: Specify the name of the Azure private endpoint from the Data Plane VNet for connecting to Private Link Service present in Tessell Control Plane for communication. See Appendix - Tessell Control Plane Endpoint Configuration.

Register Existing Network
Virtual Network Details: Provide the following information.
Virtual Network ID: Specify the Resource ID of the existing VNet.
Virtual Network Name: Specify the name of the VNet in Tessell for reference.
Private Subnet ID: Specify the Resource ID of the subnet.
Endpoint Configuration
Tessell Control Plane:
Add: Specify the name of the Azure Private Endpoint to be created in the Data Plane VNet connecting to Private Link Service in the Tessell Control Plane.
Register:
Specify the Resource ID of the private endpoint present in Data Plane VNet and attached to the Control Plane Private Link Service.
Endpoint IP: Specify the private endpoint IP.
If private endpoints are registered in a resource group other than the one hosting the network or database [NOT RECOMMENDED], see Appendix - Private endpoints registered in other resource group.

As part of the subscription onboarding, the following permissions are assigned to the Tessell Service Principal on the resource group hosting the VNet provided above.
Network Security Group (NSG) Configuration
Tessell Control Plane Endpoint:
Port 8352-8370 outbound connectivity is required from the database VM to the endpoint.
If endpoints are in a different subnet from the database subnet:
Inbound must be open on the private endpoint subnet NSG for port 8352-8370.
Outbound must be open on the database subnet NSG for port 8352-8370.
Private CP-DP Communication Disabled

Add New Network
A new VNet is created as part of subscription onboarding based on the configuration provided in this section.
Virtual Network Details: Provide the following information.
Virtual Network Name: Specify the name of the new VNet.
Virtual Network CIDR: Specify the IP address range for the new VNet.
Private Subnet Name: Specify the name of the subnet.
Private Subnet CIDR: Specify the IP address range for the subnet.
See Appendix - Address Block Requirement for the Vnet/Subnet for non-private CP-DP.
Note: A NAT Gateway with a public IP is created with the VNet for outbound internet access.
Enable Public Subnet
Toggle this option to create a DB Service with public access in the VNet. Additionally, provide the following details for the subnet:
Public Subnet Name: Specify the name of the public subnet.
Public Subnet CIDR: Specify the IP address block (CIDR) for the public subnet.

Register Existing Network
An existing VNet and Subnet can be used for hosting databases by registering the network details:
Virtual Network Details: Provide the following information.
Virtual Network ID: Specify the Resource ID of the existing VNet.
Virtual Network Name: Specify the name of the VNet in Tessell for reference.
Private Subnet ID: Specify the Resource ID of the subnet.
Enable Public Subnet
Toggle this option to create a DB Service with public access in the VNet.
Additionally, provide the following details for the subnet:
Public Subnet ID: Specify the Resource ID of the public subnet.
After the network details are specified, click Next to proceed to the Resources section.

Permissions Assigned to Tessell Service Principal
As part of the subscription onboarding, the following permissions are assigned to Tessell Service Principal on the resource group hosting the VNet provided above:
Network Security Group (NSG) Configuration
Tessell Control Plane Outbound
For Subnet NSG: Open outbound for port 8352-8370 for control IP.
For Firewall: Open outbound for port 8352-8370 for control DNS and IP.
Azure Services Outbound
For Subnet NSG: Open outbound for port 443 for the following Azure Services:
Azure Storage
Azure Key Vault
Azure Active Directory
Azure Resource Manager
Azure Monitor
For Firewall: Open outbound for port 443.
STEP 4 OF 6:
Setup Resources
Storage Account
A Storage Account is created/registered with the following properties:
Part of the Azure resource group hosting the database
Located in the primary region of the Tessell Subscription
Use Case
Storage Accounts store log backups from database instances, ensuring changes and transactions are recorded for recovery and auditing.
Configuration Options
Add New
Creates a new storage account during subscription onboarding.
Storage Account Name: Specify the storage account name.

Register
Registers an existing Storage Account. See Appendix - Existing Storage Account Configuration.
Cloud Resource ID: Provide the Azure Resource ID of the existing account. See Appendix - How to get a Storage Account Resource ID?.

Network Configuration (Database VM VNet → Storage Account)
Option 1: Public Access
Add an NSG outbound rule to allow traffic to Microsoft.Storage.
Service Tag: Storage, port 443: allow access to the storage account.
Allow outbound TCP traffic on port 443 if using an external firewall.
Storage Account Firewall: Fully open public access.
Option 2: Service Endpoint
Add Service Endpoint (Microsoft.StorageGlobal) on the subnet hosting the database.
Storage Account Firewall: If public access is restricted, whitelist all database subnets in the firewall.
Option 3: Private Endpoint
Create a private endpoint to the storage account from the Vnet.
It should have Private DNS enabled.
If using a Custom DNS Server for the database VNet, ensure it is linked to the Azure Private DNS Zone for the storage account. This allows the storage account DNS to resolve to a private IP.
If the endpoint is created in a subnet different from the database subnet, add the following NSG rules:
In Database Subnet NSG: Outbound 443 to Subnet with private endpoint.
In Subnet NSG with Private Endpoint: Inbound 443 from the database subnet.
Another endpoint is required for the Control Plane AQS Storage Account. This is used for sending Tessell Operation Logs to the Control Plane.
Control Plane Connectivity
If public access is restricted:
For the control plane region: Whitelist the control plane VNet.
For other regions: Whitelist Control Plane Public NAT IP.
Secrets
A Key Vault is created/registered with:
Part of the Azure resource group hosting the database
Located in the primary region of the Tessell Subscription
Use Case
Key Vaults securely store database secrets and disk encryption keys, ensuring sensitive information is protected and accessible only to authorized entities.
Configuration Options
1. Add New
Creates a new Key Vault during subscription onboarding.
Key Vault: Specify the vault name.

2. Register
Registers an existing Key Vault. See Appendix - Existing Key Vault Configuration.
Cloud Resource ID: Provide the Azure Resource ID. See Appendix - How to get Key Vault Resource ID.

Encryption Key
A Disk Encryption Key is created/registered with:
Part of the Azure resource group hosting the database
Located in the primary region of the Tessell Subscription
Configuration Options
1. Add New
Creates a new Disk Encryption Key Set during subscription onboarding.
Disk Encryption Set: Specify the disk encryption set name.
Key Name: Name of the key stored in the key vault used for creating the disk encryption set.

2. Register
Registers an existing Disk Encryption Key Set. See Appendix - Existing Disk Encryption Key Set Configuration.
Cloud Resource ID: Provide the disk encryption set Azure Resource ID. See Appendix - How to get Disk Encryption Key Set Resource ID.
Key Name: Specify the key name that is used by Tessell internally to refer to the disk encryption set.

3. Set Up Later
Allows configuration at a later stage.

Network Configuration for connectivity from Database VM Vnet to Key Vault
Option 1: Public Access
Add the following rule to the subnet’s NSG for outbound traffic to Service Tag: AzureKeyVault.
Service Tag: AzureKeyVault, port 443: allow access to the Key Vault.
Allow outbound TCP traffic on port 443 if any external firewall exists.
Key Vault Firewall: Public access should be fully open.
Option 2: Service Endpoint
Add Service Endpoint (Microsoft.KeyVault) on the subnet hosting the database.
Key Vault Firewall: If public access is restricted, whitelist all database subnets in the firewall.
Option 3: Private Endpoint
Create a Private Endpoint to the Key Vault from the Vnet.
It should have Private DNS enabled.
If using a Custom DNS Server for the database VNet, ensure it is linked to the Azure Private DNS Zone for Key Vault. This allows the Key Vault DNS to resolve to a private IP.
If the endpoint is created in a subnet different from the database subnet, add the following NSG rules:
In Database Subnet NSG: Outbound 443 to Subnet with private endpoint
In Subnet NSG with Private Endpoint: Inbound 443 from the database subnet
Control Plane connectivity to Key Vault
Key Vault Firewall: If public access is restricted, whitelist the Control Plane Public NAT IP.
Key Vault Access Policy
Tessell Service Principal
Tessell Managed Identity
Tessell Disk Encryption Key Set
Global Resources
Global resources are created/registered once for all regions for the Tessell Subscription. Part of the Azure resource group hosting the databases.
Following are the global resources:
Log Analytics Workspace
Log Analytics Workspaces collect and analyze database alert logs. These workspaces provide powerful tools for monitoring, diagnosing, and alerting on database issues. By aggregating and analyzing alert logs, we can proactively address potential problems and ensure the smooth operation of our DBaaS environment.
User Managed Identity
A User-Managed Identity (UMI) is attached to the VM for secure access to:
Azure Key Vault: Enables the VM to retrieve secrets, keys, and certificates without storing credentials.
Snapshot Operations: Allows the VM to create and manage disk snapshots for backup and restore.
Using UMI ensures secure, credential-free authentication while adhering to Azure security best practices.
Global resource can be configured with 2 options:
Add
Log Analytics Workspace
Creates a new log analytics workspace during subscription onboarding.
Specify log analytics workspace name.
User Managed Identity
Creates a new user managed identity during subscription onboarding.
Specify user managed identity name.

Register
Log Analytics Workspace
Registers an existing log analytics workspace.
Cloud Resource ID: Provide the Azure Resource ID.
User Managed Identity
Registers an existing user managed identity.
Cloud Resource ID: Provide the Azure Resource ID.

Endpoint Configuration
Azure Monitor Private Link (Optional): If registering existing VNet: Empty the field to skip creating the resource. All endpoints are created in the subnet hosting the database.
Private Link Scope Configuration:
Add: Specify the name of the Azure Monitor Private Link Scope for Log Analytics Workspace. Note: Created in the resource group hosting the database.
Register: Resource ID of the Azure Monitor Private Link Scope. See Appendix - How to find Azure Monitor Private Link Scope Resource ID?.
Log Analytics Workspace created/registered is configured in the private link scope as part of subscription onboarding ARM Template.
Azure Log Monitor Endpoint (Optional):
Add: Name of the Azure Private Endpoint for Azure Monitor Private Link Scope.
Register: Resource ID of the Azure Private Endpoint for Azure Monitor Private Link Scope. See Appendix - How to find Azure Monitor Private Endpoint Resource ID?.
Private DNS is disabled for Azure Log Monitor Endpoint.

After the resource details are specified, click Next to proceed to the Advanced Settings section.
Network Security Group (NSG) Configuration
Azure Monitor
Private Endpoint:
Port 443 outbound connectivity is required from the database VM to the endpoint.
If endpoints are in a different subnet from the database subnet:
Inbound must be open on the private endpoint subnet NSG for port 443.
Outbound must be open on the database subnet NSG for port 443.
Public Access:
Port 443 outbound connectivity is required from the database VM to Azure Monitor Service.
To achieve this, add an outbound rule in the database subnet NSG for port 443 for the Azure Monitor Service tag.
If a firewall is used, enable outbound for port 443.
Azure Active Directory and Azure Resource Manager
These are required for:
SQL Server
High-Performance Shapes
Public Access [Recommended]:
Port 443 outbound connectivity is required from the database VM to:
Azure Active Directory Service
Azure Resource Manager Service
Service Endpoint
Add outbound rule in the database subnet NSG for port 443 for the Azure Active Directory & Azure Resource Manager Service tag.
If a firewall is used, enable outbound for port 443.
Private Link + Private Endpoint
Port 443 outbound connectivity is required from the database VM to the private endpoint.
Inbound must be open on the private endpoint subnet NSG for port 443.
Outbound must be open on the database subnet NSG for port 443.
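The outbound flows required from the database subnet in the NSG sections of Steps 3 and 4 (public-access options) can be checked against an NSG before onboarding. This is an added example, not Tessell's code: it evaluates outbound rules in priority order over a constructed rule set, with a placeholder control plane IP (203.0.113.10) and a made-up VNet range. As a simplification it ignores source prefixes and regional service tags.

```python
import ipaddress

def rule(name, priority, access, dest, ports, protocol="Tcp"):
    """Build one outbound rule with the field names `az network nsg show` uses."""
    return {"name": name, "priority": priority, "direction": "Outbound",
            "access": access, "protocol": protocol,
            "destinationAddressPrefix": dest, "destinationPortRange": ports}

# Constructed sample: a locked-down database-subnet NSG. The IP is a placeholder
# for the Tessell control plane address; the VNet range is made up.
VNET_CIDR = "10.20.0.0/16"
CONTROL_PLANE_IP = "203.0.113.10"
SAMPLE_RULES = [
    rule("allow-tessell-cp", 100, "Allow", CONTROL_PLANE_IP, "8352-8360"),  # too narrow
    rule("allow-storage", 110, "Allow", "Storage", "443"),
    rule("allow-keyvault", 120, "Allow", "AzureKeyVault", "443"),
    rule("allow-monitor", 130, "Allow", "AzureMonitor", "443"),
    rule("deny-internet", 4000, "Deny", "Internet", "*", protocol="*"),
    rule("allow-aad", 4010, "Allow", "AzureActiveDirectory", "443"),  # shadowed by the deny
]

# Outbound TCP flows the page lists: (label, destination, first port, last port).
REQUIRED = [
    ("Tessell control plane", CONTROL_PLANE_IP, 8352, 8370),
    ("Azure Storage", "Storage", 443, 443),
    ("Azure Key Vault", "AzureKeyVault", 443, 443),
    ("Azure Active Directory", "AzureActiveDirectory", 443, 443),
    ("Azure Resource Manager", "AzureResourceManager", 443, 443),
    ("Azure Monitor", "AzureMonitor", 443, 443),
]

def _port_ranges(r):
    specs = list(r.get("destinationPortRanges") or [])
    if r.get("destinationPortRange"):
        specs.append(r["destinationPortRange"])
    for spec in specs:
        lo, _, hi = spec.partition("-")
        yield (0, 65535) if spec == "*" else (int(lo), int(hi or lo))

def _prefixes(r):
    found = list(r.get("destinationAddressPrefixes") or [])
    if r.get("destinationAddressPrefix"):
        found.append(r["destinationAddressPrefix"])
    return found

def _dest_matches(prefix, dest, vnet):
    """True if a rule destination prefix covers dest (an IP or a service tag)."""
    if prefix == "*" or prefix.lower() == dest.lower():
        return True
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        ip = None                       # dest is a service tag
    if prefix == "Internet":            # service tags and non-VNet IPs sit inside Internet
        return ip is None or ip not in vnet
    if prefix == "VirtualNetwork":
        return ip is not None and ip in vnet
    if ip is None:
        return False
    try:
        return ip in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False                    # prefix is some other service tag

def decide(rules, dest, port, vnet):
    """Return (rule name, access) of the first outbound rule matching TCP dest:port."""
    outbound = [r for r in rules if r["direction"] == "Outbound"]
    for r in sorted(outbound, key=lambda r: r["priority"]):
        if r["protocol"].lower() not in ("*", "tcp"):
            continue
        if not any(lo <= port <= hi for lo, hi in _port_ranges(r)):
            continue
        if any(_dest_matches(p, dest, vnet) for p in _prefixes(r)):
            return r["name"], r["access"]
    # Nothing matched: Azure's default rules allow VNet and Internet outbound.
    return "default rules", "Allow"

def audit(rules, required, vnet_cidr):
    """Map each required flow to {blocking rule: [blocked ports]}; empty means allowed."""
    vnet = ipaddress.ip_network(vnet_cidr)
    findings = {}
    for label, dest, lo, hi in required:
        blocked = {}
        for port in range(lo, hi + 1):
            name, access = decide(rules, dest, port, vnet)
            if access != "Allow":
                blocked.setdefault(name, []).append(port)
        findings[label] = blocked
    return findings

if __name__ == "__main__":
    for label, blocked in audit(SAMPLE_RULES, REQUIRED, VNET_CIDR).items():
        print(label, "OK" if not blocked else f"BLOCKED {blocked}")
```

The sample flags two common mistakes: an allow rule covering only part of the 8352-8370 range, and an allow rule placed at a higher priority number than a broad deny, which never takes effect.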
STEP 5 OF 6:
Setup Permissions
This section lists Tessell’s permissions across various Azure resources. When the toggle switch is disabled, permissions are shown with a green tick or a red cross. A green tick indicates full permission and a red cross indicates read-only permission.


Toggle the switch to enable Tessell to manage networks and keys within the resource group. This option is only available for non private CP-DP.


Click Next to Launch and Deploy resources.
STEP 6 OF 6:
Launch and Deploy
After all the details are filled, click Launch ARM Template to get the JSON output.

Alternatively, select Copy URL to generate a direct link to Azure ARM Template.
In the ARM template, click Edit template if you want to edit resources in the ARM template.

Select your Subscription, Resource group, and Region from the respective dropdown list.
Click Review + create to review your template and create the resources in Azure.
Azure runs a validation check before creating the resources; correct any validation errors.
After the resources are created in Azure, copy the JSON output.
In the Tessell portal, select the check box “I have generated the ARM deployment output (JSON)” and paste the JSON output in the box.

Click Review to review the resources.
Click Edit subscription if you want to edit previous details. Selecting this option returns you to the previous section, allowing navigation and editing of the resources as needed.
Click Create.
As an alternate method, deploy resources using code.
Use the Code button at the top-right corner to view the code in different languages like Shell, Python, Go, Java, Javascript, and PowerShell.
Copy or download the code using the buttons in the top-right corner.
Use the Close button at the bottom-left corner to return to the main window.
Managing subscriptions in the dashboard
The Subscriptions dashboard displays all the available subscriptions across various cloud providers.

Specify a subscription name in the Search bar to find and display details of a specific Azure subscription.
Click the ellipsis icon (︙) at the top-right corner of a subscription. The following options are displayed:
Add Region
Using this workflow, you can add a new region to your subscription apart from the primary region. You can then configure networks and resources, and deploy them in the new region.
Refer to the steps mentioned below for adding a region:
Remove Regions
This option allows you to remove a region from the subscription.
To remove a region from your subscription, choose the desired region from the dropdown list, confirm your choice, and then click Remove.
Users
This option allows you to view users and their assigned roles within this subscription. You can also add new users and assign them either the 'member' or 'co-owner' role.
Note: Account Owner can view all the subscriptions without sharing.
Edit Name
Select this option to edit the name of the subscription.
Disable
Select this option to disable the subscription. Upon confirmation, the subscription is disabled.
If you disable a subscription, members cannot create new services in this subscription.
Delete Subscription
Select this option to delete a subscription. Deleting the subscription impacts all associated resources and the permissions granted during its creation. Tessell performs all the necessary checks before deleting.
You have to follow certain prerequisites before deleting a subscription.
For example,
Delete any associated Availability Machines.
If an availability machine is retained for a service, snapshots and backups are retained.
Terminate the database services running in this subscription. As a result, resources like NIC1, security groups, snapshots, backups are deleted along with database service.
Delete the associated servers in the subscription.
Appendix
How to find Subscription ID
Log in to the Azure Portal:
Open Azure Portal and log in with your credentials.
Navigate to Subscriptions:
In the left-hand navigation pane, click on Subscriptions.
If you do not see it, use the search bar at the top to search for "Subscriptions."
Go to the Desired Subscription:
Click on the subscription you want to use.
Copy the Subscription ID:
In the Overview tab of the resource group, locate and copy the Subscription ID.

How to find Resource Group Name
Navigate to Resource Groups:
In the left-hand navigation pane, click on Resource Groups.
If you do not see it, use the search bar at the top to search for "Resource Groups."
Go to the Desired Resource Group:
Click on the resource group you want to use.
Locate the Resource Group Name:
The name of the resource group is displayed at the top of the Overview tab.

How to find Azure Tenant ID
Navigate to Microsoft Entra ID:
In the left-hand navigation pane, click on Microsoft Entra ID.
If you do not see it, use the search bar at the top to search for "Microsoft Entra ID."
Copy the Tenant ID:
In the Overview section of Azure Active Directory, locate and copy the Tenant ID.

How to find the object ID of the Tessell App
Navigate to Enterprise Applications:
In the left-hand navigation pane, click on Enterprise Applications.
If you do not see it, use the search bar at the top to search for "Enterprise Applications".
Search for the Tessell Application:
In the search bar, enter the application name Tessell.
Click on the application after it appears in the results.

Find the Object ID:
Inside the application details, go to the Overview section.
The Object ID is listed there.

Tessell Control Plane Endpoint Configuration
Navigate to Private Link Center:
In the left-hand navigation pane, click on Private Link Center.
If you do not see it, use the search bar at the top to search for "Private Link Center"
Create a Private Endpoint
Click on Private Endpoints > + Create.

Configure Basics
Subscription: Select your Azure subscription.
Resource Group: Choose an existing or create a new one.
Name: Specify a name for your Private Endpoint.
Region: Select the Azure region.

Configure Resource Connection:
Tessell Control Plane Endpoint
Select the connection method: Connect to an Azure resource by resource ID or alias.
Provide Tessell Control Plane Private Link Service ID in Resource ID or alias input.

Configure Virtual Network and Subnet
Select the database VNet and Subnet where the Private Endpoint is created.
Ensure that the subnet does not have a Network Security Group (NSG) blocking traffic to Private Link on port (8350-8370).

Private DNS Integration: Disabled by default.

Provide Tags, and Review and Create.
Provide Tags as required.
Click Review + Create.
Once validation passes, click Create.

Endpoint is created with connection state as Pending. It gets approved on Tessell subscription onboarding completion.

How to get resource ID for a private endpoint
Navigate to Private Link Center, from the left-hand menu select Private endpoints.
Choose your private endpoint from the list displayed on the right-hand side.

On the left-hand side, select Properties to view the Resource ID field.

Existing Storage Account Configuration
The existing storage account should have the following configuration:
Storage Account in Azure Portal > Settings > Configuration
Allow storage account key access : Enabled
Blob access tier (default) : Hot

Storage Account in Azure Portal > Security + Networking > Networking > Firewalls and virtual networks, either of the following options should be enabled.
Enabled from all networks

Enabled from selected virtual networks and IP addresses
[If dataplane and control plane regions are different] Add Tessell Control Public IP in the firewall Address range.

[If dataplane and control plane regions are same]: Register Tessell Control Plane Vnet in the storage Account Firewall.
Is tag required: "ALLOW_IMPORT_TO_TESSELL": "true"
Custom Encryption Key Impact has no impact.
How to get a Storage Account resource ID
Navigate to Azure Portal > Storage Accounts.

Select a storage account, under essentials, click JSON View on the top-right corner to view the Resource ID.

Existing Key Vault Configuration
The existing key vault should have the following configuration:
Key Vault in Azure Portal > Settings > Access configuration
Permission model: It should be set for Vault access policy
Resource access: Following should be enabled:
Azure Disk Encryption for volume encryption
Azure Resource Manager for template deployment

OR

Key Vault in Azure Portal > Settings > Networking > Firewalls and virtual networks, either of the following options should be enabled
Enabled from all networks

Enabled from selected virtual networks and IP addresses
Add Tessell Control Public IP in the firewall Address range.

Key Vault in Azure Portal > Objects > Keys
Configuration of the Key to be used for Disk Encryption Key Set
Key Type: RSA
RSA Key Size: 2048
Permitted Operations: All should be enabled

Existing Disk Encryption Key Set Configuration
Disk Encryption Set Configuration
Disk Encryption Sets in Azure Portal > Settings > Key
Current Key: Should have value of the key in the Key Vault shared with Tessell
Auto key rotation: Should be disabled
User-assigned identity: Should not be set
Multi-tenant application: Should not be set

Tessell Subscription Onboarding ARM Template takes care of Key Vault access policy.
How to get Key Vault resource ID
Navigate to Azure Portal > Key Vaults.

Select a key vault from the list, go to Settings > Properties to view the Resource ID.

How to get Disk Encryption Key Set resource ID
Navigate to the Azure Portal > Disk Encryption Sets.

Select a disk encryption set from the list, go to Settings > Properties to view the Resource ID.

Address block requirement for private CP-DP
Number of IPs required in the subnet:
1 IP for Tessell Control Plane Private Endpoint
14 IPs for Azure Monitor Private Endpoint (Optional)
2 IPs for Storage Account Endpoint (Optional)
1 IP for Key Vault Endpoint
1 IP is required for every DB VM including observer nodes
When creating all endpoints, an Address block of /27 or larger should be used. If endpoints are created in another subnet, database subnet address block can start from /29.
Address block requirement for non-private CP-DP
Number of IPs required in the subnet:
1 IP for the NAT Gateway
1 IP is required for every DB VM including observer nodes
If public subnet is enabled, 1 IP will be required for every DB VM in the public subnet
An address block of size /28 or larger is sufficient. A /29 should be used only if one single-instance DB is planned to be provisioned in the subnet.
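The two address block lists above can be turned into a sizing check to run before entering CIDRs in Step 3. This is an added example, not Tessell's code: the per-endpoint counts come from the lists above, the five addresses Azure reserves in every subnet are Azure platform behaviour not stated on this page, and the function names and CIDR values are made up for illustration.

```python
import ipaddress

# Azure platform behaviour (not stated on this page): five addresses in every
# subnet are reserved and cannot be assigned to VMs or endpoints.
AZURE_RESERVED = 5

# Per-subnet IP counts taken from the two address block lists on this page.
PRIVATE_ENDPOINT_IPS = {"control_plane": 1, "azure_monitor": 14,
                        "storage": 2, "key_vault": 1}
NAT_GATEWAY_IPS = 1

def required_ips(db_vms, private_cp_dp, endpoints_here=True,
                 optional=("azure_monitor", "storage")):
    """IPs needed in the database subnet; db_vms includes observer nodes."""
    if not private_cp_dp:
        return NAT_GATEWAY_IPS + db_vms
    if not endpoints_here:              # endpoints live in another subnet
        return db_vms
    wanted = {"control_plane", "key_vault", *optional}
    return db_vms + sum(n for name, n in PRIVATE_ENDPOINT_IPS.items()
                        if name in wanted)

def usable_ips(subnet_cidr):
    """Assignable addresses in a subnet after Azure's reserved ones."""
    total = ipaddress.ip_network(subnet_cidr).num_addresses
    return max(total - AZURE_RESERVED, 0)

def smallest_prefix(needed):
    """Longest IPv4 prefix (smallest subnet, /29 at most) that fits `needed` IPs."""
    for prefix in range(29, 7, -1):
        if 2 ** (32 - prefix) - AZURE_RESERVED >= needed:
            return prefix
    raise ValueError("requirement does not fit in a /8")

def check_layout(vnet_cidr, private_cidr, needed,
                 public_cidr=None, public_needed=0):
    """Return a list of problems with the planned VNet/subnet layout."""
    vnet = ipaddress.ip_network(vnet_cidr)
    private = ipaddress.ip_network(private_cidr)
    problems = []
    if not private.subnet_of(vnet):
        problems.append(f"{private} is not inside VNet {vnet}")
    if usable_ips(private_cidr) < needed:
        problems.append(f"{private} has {usable_ips(private_cidr)} usable IPs, "
                        f"{needed} needed: use /{smallest_prefix(needed)} or larger")
    if public_cidr:
        public = ipaddress.ip_network(public_cidr)
        if not public.subnet_of(vnet):
            problems.append(f"{public} is not inside VNet {vnet}")
        if public.overlaps(private):
            problems.append(f"{public} overlaps private subnet {private}")
        if usable_ips(public_cidr) < public_needed:
            problems.append(f"{public} has {usable_ips(public_cidr)} usable IPs, "
                            f"{public_needed} needed")
    return problems

if __name__ == "__main__":
    # Constructed plan: private CP-DP, all endpoints in the database subnet, 10 DB VMs.
    need = required_ips(db_vms=10, private_cp_dp=True)
    for problem in check_layout("10.20.0.0/16", "10.20.1.0/27", need):
        print(problem)
```

With every endpoint in the database subnet, a /27 is exhausted at nine DB VMs, so a tenth VM or observer node needs a /26.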
How to find Azure Monitor Private Link Scope resource ID
Navigate to Azure Portal > Azure Monitor Private Link Scopes, and select a private link scope.

Go to Configure > Properties to view the Resource ID.

How to find Azure Monitor Private Endpoint resource ID
Navigate to Azure Portal > Azure Monitor Private Link Scopes, and select a private link scope.

Go to Configure > Private Endpoint Connections, select a private endpoint from the list.

Go to Settings > Properties to view the Resource ID.

Private endpoints in another resource group (not recommended)
Provide the following permissions on the resource group to the Tessell Service Principal:
For the Tessell Control Plane Endpoint, this is Mandatory.
For Azure Monitor Private Endpoint
Microsoft.Insights/PrivateLinkScopes/ScopedResources/Write This permission is required to add data collection endpoint to azure monitor private link scope. Data collection endpoints are created for every region.
So if this permission is not provided, it is the responsibility of the customer to add these endpoints to private link scope after every region enablement and subscription onboarding.