How to restrict what/who can send data to Azure Application Insights

I would like to ensure that only specific applications are able to send data to my Application insights resource. The situation I'm trying to avoid is if some developer or attacker has the instrumentation key, telemetry data from their machines are not sent to my application insights resource.

More concrete: I have an Azure VM running 3 IIS ASP.NET web apps. Each reports to its own respective Application Insights resource. Currently, if a developer spins up one of those apps locally and points to the same App Insights resource, it will accept the data and skew the metric data. I want to ensure that this is not possible.

Additional Context: I am experimenting with the codeless ApplicationInsights agent, but mostly using the manual SDK instrumentation method for ASP.NET.

I have looked at the network isolation method, but this seems like a huge cost increase because I will be charged extra for data going through privatelink, on top of data charges from AppInsights.

Currently, anyone on the public internet with my instrumentation key can send data to the appinsights resource. I would like to somehow restrict this to a specific AD application role or VM.

Can anyone help here? Thanks in advance.

asked Feb 02 '26 19:02 by wishiwasabigdataguy


1 Answer

We recently released support of Azure AD authentication for Application Insights (https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication?tabs=net).

You can assign either user-assigned or system-assigned managed identity to your VM and give this identity rights to ingest telemetry.

On top of it you can disable local authentication. This will block ingestion based on the instrumentation key alone.

answered Feb 05 '26 13:02 by ZakiMa
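The application side of the setup the answer describes, written out as an added example for a classic ASP.NET app (this is not code from the question, the answer or the Application Insights SDK docs). It assumes the Microsoft.ApplicationInsights (2.18 or later) and Azure.Identity packages, that the VM has a user-assigned managed identity whose client ID replaces the placeholder, that this identity has already been granted the telemetry-ingestion role on the resource, and that the connection string stays in ApplicationInsights.config as before.

```csharp
// Global.asax.cs: make the SDK authenticate to Application Insights with the VM's
// managed identity instead of relying on the instrumentation key alone.
// Added example; assumes Microsoft.ApplicationInsights >= 2.18 and Azure.Identity.
using System;
using System.Web;
using Azure.Core;
using Azure.Identity;
using Microsoft.ApplicationInsights.Extensibility;

public class Global : HttpApplication
{
    // Client ID of the user-assigned managed identity attached to the VM.
    // Placeholder: replace with the real value from the identity resource.
    private const string IdentityClientId = "<USER-ASSIGNED-IDENTITY-CLIENT-ID>";

    protected void Application_Start(object sender, EventArgs e)
    {
        // Pin the app to one specific identity. DefaultAzureCredential would also
        // accept a developer's own Azure CLI / Visual Studio sign-in, which is the
        // very path a copy running on a workstation should not be able to use.
        TokenCredential credential = new ManagedIdentityCredential(IdentityClientId);

        // From here on every telemetry upload carries a bearer token for this identity.
        // Outside Azure (a developer's machine) no managed-identity token can be
        // obtained, so telemetry is not ingested rather than silently skewing metrics;
        // once local authentication is disabled on the resource, uploads that carry
        // only the instrumentation key are rejected as well.
        TelemetryConfiguration.Active.SetAzureTokenCredential(credential);
    }
}
```

Combine this with disabling local authentication on the resource, as the answer says; the SDK-side credential alone does not stop a caller who still presents just the instrumentation key.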


