Monitoring Azure Key Vault Managed HSM
Azure Key Vault Managed HSM (Hardware Security Module) is a cloud service that protects your cryptographic keys for cloud applications. Instana uses the Azure Key Vault Managed HSM sensor to monitor Azure Key Vault Managed HSM. Instana comprehensively monitors your Azure Key Vault Managed HSM and provides end-to-end visibility into your environment.
After you install the Instana host agent, the Azure Key Vault Managed HSM sensor is automatically installed. You can view infrastructure metrics that are related to the Azure Key Vault Managed HSM in the Instana UI.
For more information about other supported Azure services, see Monitored services.
Configuring the Azure Key Vault Managed HSM sensor
To monitor your Azure Key Vault Managed HSM, enable the Azure sensor by updating the agent <agentinstall_dir>/etc/instana/configuration.yaml file as shown in the following example. For more information, see Installation.
```yaml
com.instana.plugin.azure:
  enabled: true
  subscription: "[Your-Subscription-Id]"
  tenant: "[Your-Tenant-Id]"
  principals:
    - id: "[Your-Service-Principal-Account-Id]"
      secret: "[Your-Service-Principal-Secret]"
```
To configure the Azure Key Vault Managed HSM sensor, update the agent configuration file <agentinstall_dir>/etc/instana/configuration.yaml as shown in the following example:
```yaml
com.instana.plugin.azure.managedhsm:
  enabled: true # Valid values: true, false. Enabled (true) by default
  include_tags: # Comma separated list of tags in key:value format (e.g. env:prod,env:staging)
  exclude_tags: # Comma separated list of tags in key:value format (e.g. env:dev,env:test)
  include_resource_groups: # Comma separated list of resource groups (e.g. rg_prod,rg_staging)
  exclude_resource_groups: # Comma separated list of resource groups (e.g. rg_dev,rg_test)
```
You can disable the Azure Key Vault Managed HSM sensor and filter it by tags and resource groups.
Disabling the sensor
To disable monitoring Azure Key Vault Managed HSM, update the agent configuration file <agentinstall_dir>/etc/instana/configuration.yaml as shown in the following example:
```yaml
com.instana.plugin.azure.managedhsm:
  enabled: false # Turns off monitoring of Azure Key Vault Managed HSM
```
Filtering HSMs by defining tags and resource groups
Instana monitors all Azure Key Vault Managed HSMs by default. You can set which Azure Key Vault Managed HSMs are monitored by Instana. Define tags and resource groups in the configuration.yaml file for Instana to discover the Azure Key Vault Managed HSMs. Only the Azure Key Vault Managed HSMs in the defined environments and resource groups are monitored.
To define multiple tags and resource groups, separate them with commas. Define tags as a key-value pair separated by a colon (:).
If you define a tag or resource group in both lists (include and exclude), the exclude list has a higher priority.
To set tags for the include list, update the configuration.yaml file as shown in the following example:
```yaml
com.instana.plugin.azure.managedhsm:
  include_tags: # Comma separated list of tags in key:value format (e.g. env:prod,env:staging)
```
To set tags for the exclude list, update the configuration.yaml file as shown in the following example:
```yaml
com.instana.plugin.azure.managedhsm:
  exclude_tags: # Comma separated list of tags in key:value format (e.g. env:dev,env:test)
```
To set resource groups for the include list, update the configuration.yaml file as shown in the following example:
```yaml
com.instana.plugin.azure.managedhsm:
  include_resource_groups: # Comma separated list of resource groups (e.g. rg_prod,rg_staging)
```
To set resource groups for the exclude list, update the configuration.yaml file as shown in the following example:
```yaml
com.instana.plugin.azure.managedhsm:
  exclude_resource_groups: # Comma separated list of resource groups (e.g. rg_dev,rg_test)
```
You can set which Azure Key Vault Managed HSMs are discovered by Instana for all Azure services.
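Because these filters decide which HSMs are left without monitoring, it helps to check a planned filter set against your HSM inventory before you deploy it. The following Python code is an added example, not Instana code: it applies the rules described above (comma-separated lists, key:value tags, exclude list has priority) to a constructed inventory and lists the HSMs that would not be monitored. The function names, the inventory format, and the rule that an HSM must match every non-empty include list are assumptions.

```python
def parse_list(value):
    """Split a comma-separated setting into a set of trimmed, non-empty items."""
    return {item.strip() for item in (value or "").split(",") if item.strip()}


def hsm_tags(hsm):
    """Render an HSM's tags in the same key:value form that the settings use."""
    return {f"{key}:{val}" for key, val in hsm.get("tags", {}).items()}


def is_monitored(hsm, cfg):
    """Return True if the HSM passes the include and exclude filters in cfg."""
    tags = hsm_tags(hsm)
    group = hsm["resource_group"]
    # The exclude list has a higher priority than the include list.
    if tags & parse_list(cfg.get("exclude_tags")):
        return False
    if group in parse_list(cfg.get("exclude_resource_groups")):
        return False
    # Assumption: an empty include list does not restrict anything (all HSMs
    # are monitored by default); a non-empty include list must be matched.
    inc_tags = parse_list(cfg.get("include_tags"))
    inc_groups = parse_list(cfg.get("include_resource_groups"))
    if inc_tags and not (tags & inc_tags):
        return False
    if inc_groups and group not in inc_groups:
        return False
    return True


def unmonitored(inventory, cfg):
    """Names of the HSMs that the filter settings leave without monitoring."""
    return [hsm["name"] for hsm in inventory if not is_monitored(hsm, cfg)]


# Constructed sample settings and inventory (hypothetical names).
CFG = {
    "include_tags": "env:prod,env:staging",
    "exclude_tags": "env:staging",  # also in the include list: exclude wins
    "include_resource_groups": "rg_prod, rg_staging",
    "exclude_resource_groups": "",
}
INVENTORY = [
    {"name": "hsm-payments", "resource_group": "rg_prod", "tags": {"env": "prod"}},
    {"name": "hsm-staging", "resource_group": "rg_staging", "tags": {"env": "staging"}},
    {"name": "hsm-untagged", "resource_group": "rg_prod", "tags": {}},
    {"name": "hsm-legacy", "resource_group": "rg_legacy", "tags": {"env": "prod"}},
]

if __name__ == "__main__":
    print("Not monitored:", unmonitored(INVENTORY, CFG))
```

An untagged HSM is dropped as soon as `include_tags` is set, so review the output for key stores that lack the tags you filter on.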
Viewing metrics
To view the metrics, complete the following steps:
- From the navigation menu in the Instana UI, click Infrastructure.
- Click an HSM availability zone.
You can see a host dashboard with all the collected metrics and monitored processes.
Metrics are pulled every minute, which is the resolution that Azure provides for the monitoring of these services.
Configuration data
| HSM details | Description |
|---|---|
| Name | Name of the HSM |
| Resource Group | Resource group of the HSM |
| Subscription Id | Subscription ID of the HSM |
| Location | Location of the HSM |
| Type | Type of the resource |
| Provisioning State | Provisioning state of the HSM |
| Tier | Billing tier of this HSM |
Performance metrics
| Metric | Name | Unit | Aggregation | Description |
|---|---|---|---|---|
| Service | | | | |
| Overall Service Availability | Availability | Percent | Average | Service requests availability |
| Total Service Api Hits | ServiceApiHit | Count | Count | Number of total service API hits |
| Overall Service Api Latency | ServiceApiLatency | Milliseconds | Average | Overall latency of service API requests |