enable aks container insights with --ampls-resource-id - must be a private cluster

[haithamshahin333]

Describe the bug

Why must the AKS Cluster be private when --ampls-resource-id is included as a flag in enabling the container insights addon?

Related command

az aks enable-addons --addon monitoring --name <cluster-name> --resource-group <cluster-resource-group-name> --workspace-resource-id <workspace-resource-id> --ampls-resource-id "<azure-monitor-private-link-scope-resource-id>"

Errors

--ampls-resource-id can only be used with private cluster in MSI mode.

Issue script & Debug output

  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 734, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 703, in _run_job
    result = cmd_copy(params)
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 336, in __call__
    return self.handler(*args, **kwargs)
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/command_operation.py", line 120, in handler
    return op(**command_args)
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/acs/custom.py", line 1191, in aks_enable_addons
    ensure_container_insights_for_monitoring(
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/acs/addonconfiguration.py", line 369, in ensure_container_insights_for_monitoring
    raise ArgumentUsageError("--ampls-resource-id can only be used with private cluster in MSI mode.")
azure.cli.core.azclierror.ArgumentUsageError: --ampls-resource-id can only be used with private cluster in MSI mode.

cli.azure.cli.core.azclierror: --ampls-resource-id can only be used with private cluster in MSI mode.
az_command_data_logger: --ampls-resource-id can only be used with private cluster in MSI mode.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f82af15b8b0>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 1.309 seconds (init: 0.149, invoke: 1.160)
telemetry.main: Begin splitting cli events and extra events, total events: 1

Expected behavior

Create the backing DCE/DCR to connect the ama pods to the ampls to send container insights data to log analytics.

The cluster is not private in this scenario, but unclear why that would be a requirement.

Environment Summary

`
azure-cli 2.69.0

core 2.69.0
telemetry 1.1.0

Extensions:
ai-examples 0.2.5
ml 2.34.0
ssh 2.0.6

Dependencies:
msal 1.31.2b1
azure-mgmt-resource 23.1.1
`

Additional context

The cluster is using a User-Assigned Managed Identity

The cluster is not private - want to understand why that would be a requirement

[yonzhan]

Thank you for opening this issue, we will look into it.

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @dyu1208, @FumingZhang, @andyliuliming.

[mbifeld]

Hi @haithamshahin333, ampls (Azure Monitor Private Link Scope) is designed for utilizing Azure Monitor via a private endpoint from a virtual network. I don't believe this field is needed in your case since your clusters aren't private, so ampls doesn't apply. Did you find this command in documentation with the ampls field being recommended?