Agent Service Azure Private Link
About
For deployments where you prefer to connect privately to the Monte Carlo Agent Service, you can create an Azure Private Endpoint in your Azure subscription. This helps ensure that traffic between your network and the Monte Carlo Agent Service traverses the Microsoft backbone network rather than the public internet. For additional details, please refer to the Azure Private Link Overview.
Requirements
- Monte Carlo Role, Subscription, and Supported Type: You must have the Account Owner role in Monte Carlo. Additionally, your account must be subscribed to either the Scale or Enterprise tier with the Advanced Networking add-on.
- Azure Admin: Administrative access to Azure is necessary for the setup.
Setup
1. Obtain the Resource ID and Sub-Resource Name
   Navigate to the Account Information page in Monte Carlo. Under the Agent Service section, locate and copy the Application gateway resource ID and Application gateway sub-resource for the Agent Service. These values are required to create a Private Endpoint in your Azure subscription.
2. Create a Private Endpoint in Azure
   In the Azure portal, create a Private Endpoint in your subscription and virtual network. When configuring the endpoint:
   - Under Resource, select Connect to an Azure resource by resource ID or alias.
   - Paste the Resource ID obtained in Step 1.
   - Enter the Sub-Resource Name (also referred to as target sub-resource) obtained in Step 1.
   Because you are connecting to a resource outside of your subscription, the connection method will be manual and will require approval from Monte Carlo.
3. Request Connection Approval
   Contact us at [email protected] to request approval of the Private Endpoint connection. Include your Monte Carlo Account ID (can be found here) in your email. Monte Carlo will approve the connection and notify you once the process is complete.
   Note: Do not proceed until you receive confirmation from Monte Carlo that the connection has been approved.
   Typically, you will receive a response within 24-48 hours (US business days).
4. Configure DNS Resolution
   After the connection is approved, you need to configure DNS so that the Agent Service Private Link Hostname resolves to the Private Endpoint's private IP address. You can find the Agent Service private link endpoint in the Account Information page, under Agent Service.
   For example, if the hostname is artemis.privatelink.getmontecarlo.com, the domain is privatelink.getmontecarlo.com and the subdomain is artemis.
   To do this, create an Azure Private DNS Zone and link it to your virtual network:
   - In the Azure portal, navigate to Private DNS zones and create a new zone. The zone name should match the domain portion of the hostname (e.g., privatelink.getmontecarlo.com).
   - Link the Private DNS Zone to the virtual network where your Private Endpoint resides by adding a Virtual network link.
   - Add an A record in the DNS zone that maps the subdomain (e.g., artemis) to the private IP address of your Private Endpoint.
   You can find the Private Endpoint's private IP address in the Azure portal under the Private Endpoint's Network interface.
5. Verify Connectivity
   First, confirm that the Private Endpoint connection status shows as Approved in the Azure portal under the Private Endpoint's Connection state.
   Then, update the Generic Agent configuration setting backendServiceUrl to use the Agent Service private link endpoint from Step 4:

       container:
         backendServiceUrl: https://artemis.privatelink.getmontecarlo.com

   Complete the deployment for the Generic Agent and onboard the agent on Monte Carlo to verify connectivity.
If you prefer, you can also use the Azure API, the Azure CLI, or any other tool of your choice to manage and update the configuration.
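An added example (not part of the Monte Carlo documentation): a check to run from a host inside the linked virtual network after Step 4, confirming that the private link hostname resolves to the Private Endpoint rather than to a public address or to nothing. The function names are hypothetical, and the fallback check assumes the virtual network uses RFC 1918 address space; pass the endpoint's private IP as a second argument for an exact match.

```python
"""Check that the Agent Service private link hostname resolves to the Private Endpoint."""
import ipaddress
import socket
import sys

# Assumption: the virtual network uses RFC 1918 address space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def split_private_link_hostname(hostname):
    """Return (A record name, Private DNS zone name) for the hostname, as in Step 4."""
    record, _, zone = hostname.strip().rstrip(".").partition(".")
    if not record or "." not in zone:
        raise ValueError(f"expected <subdomain>.<zone>, got {hostname!r}")
    return record, zone

def classify(addresses, expected_ip=None):
    """Return (ok, reason) for the set of IPv4 addresses the hostname resolved to."""
    found = sorted(addresses)
    if not found:
        return False, "no A record: zone missing, not linked to this VNet, or record absent"
    if expected_ip is not None:
        if found != [expected_ip]:
            return False, f"resolves to {found}, expected only {expected_ip}"
        return True, f"resolves to the Private Endpoint address {expected_ip}"
    outside = [a for a in found if not any(ipaddress.ip_address(a) in n for n in RFC1918)]
    if outside:
        return False, f"resolves to non-private address(es) {outside}: check the DNS zone link"
    return True, f"resolves privately to {found}"

def resolve_ipv4(hostname):
    """Resolve with the system resolver, as the agent host would; empty set on failure."""
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

if __name__ == "__main__":
    # Hostname from the page's example; replace with the value from Account Information.
    host = sys.argv[1] if len(sys.argv) > 1 else "artemis.privatelink.getmontecarlo.com"
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    record, zone = split_private_link_hostname(host)
    print(f"Private DNS zone: {zone}  A record: {record}")
    ok, reason = classify(resolve_ipv4(host), expected)
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

A FAIL result before the Generic Agent is deployed points at the Private DNS zone, its virtual network link, or the A record rather than at the agent itself.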
