Monitoring and instrumenting Microsoft® Azure with Instana agent

After you install the Instana host agent, the Microsoft® Azure sensor is automatically installed. You can view metrics that are related to Microsoft® Azure in the Instana UI after you configure Microsoft® Azure sensor as outlined in the configuration section.

To remotely monitor Azure in a Kubernetes or Red Hat OpenShift cluster, do not install the Instana host agent on each node of the cluster. Install the host agent on a dedicated host machine.

Monitored services

The Instana host agent monitor services that are managed by Azure by collecting data from Azure APIs.

Instrumented services

You can instrument the following services:

Supported information

Supported operating systems

The supported operating systems of the Microsoft® Azure sensor are consistent with host agents requirements. For more information, see the supported operating systems for each Instana host agent.

Installing the Instana agent

To monitor an Azure virtual machine or a Kubernetes cluster that runs on Azure Kubernetes Service, see Installing the Instana host agents.

// Assisted by WCA@IBM // Latest GenAI contribution: ibm/granite-20b-code-instruct-v2-->

Note

    Depending on the number of monitored entities in your cloud environment, you must increase the memory available to your host agent. Increase the agent memory by setting the environment variable AGENT_MAX_MEM to a value greater than the default value 512 MB.

    For example, to allocate 1 GB of memory to the agent, set AGENT_MAX_MEM=1024mb.

Install the Instana host agent on a host inside or outside your Azure environment. Each host agent can monitor remote services within a single subscription. To monitor multiple Azure subscriptions, you must deploy multiple host agents.

Installing an Instana agent outside your Azure environment

If you install the Instana agent outside your Azure environment, the agent uses the Azure public cloud endpoint by default.

To specify the Azure cloud endpoint that you want to use, modify the /opt/instana/agent/etc/instana/configuration.yaml agent configuration file as follows:

com.instana.plugin.azure:
  cloud: 'AzurePublicCloud'

Depending on the Azure cloud endpoint you want to use, you can select from these cloud configuration values: AzurePublicCloud, AzureChinaCloud, AzureUSGovernmentCloud, and AzureGermanCloud.

For more information on Azure cloud endpoints, see Azure Cloud Endpoints.

Service principal

To enable Azure monitoring, configure the host agent with a service principal that has at least reader permissions. The following steps describe how to create a service principal account with read-access to your resources in Azure portal.

  1. Create a service principal by registering an application in Azure portal:

    1. Open the Azure management Portal and select Microsoft Entra ID.

    2. Copy the Tenant ID value, as you need it to configure the agent to connect to your Azure account.

    3. Select App registrations in the navigation pane.

    4. Create a new app by selecting New registration at the top of the App registrations tab.

    5. Type the name of your App, leave all other settings with their default values, and select Register.

    6. Copy the Application (client) ID value, as you need it to configure the Service Principal ID that the agent uses to connect to the Azure account.

    7. Select the newly created app, then choose Certificates & secrets > New client secret in the navigation pane to create a new security key.

    8. Copy the Value of the new Key and save it, as you need it to configure the Service Principal Secret that the agent uses to connect to your Azure account.

      You can view client secret values only immediately after creation. Be sure to save the secret key when you create it, and before you leave the page.

  2. To grant reader permission to your service principal:

    1. In Azure portal, select All services > General > Subscriptions.

    2. On the subscriptions page, select your subscription, and then select Access control (IAM).

    3. Select Add role assignment and choose Reader. Click Next.

    4. In the Members section, enter the following data:

      • For Assign access to, select user, group, or service principal.
      • For Members, click Select members and then select your service principal from the list on the left.
    5. Click Next, and then select Review + assign.

  3. Enable the Azure sensor in the agent configuration.yaml file. A minimal sensor configuration looks like as follows:

    com.instana.plugin.azure:
      enabled: true
      subscription: "Your-Subscription-Id"
      tenant: "Your-Tenant-Id"
      principals:
        - id: "Your-Service-Principal-Account-Id"
          secret: "Your-Service-Principal-Secret"
    

Restart the host agent to apply the new configuration. After restarting, the agent can automatically discover supported remote services on the specified subscription.

Configuration

Proxy configuration

To configure the Instana host agent to use a proxy, add the following settings to the agent configuration:

com.instana.plugin.azure:
  proxy_host: 'example.com' # proxy host name or ip address
  proxy_port: 3128 # proxy port
  proxy_username: 'username' # OPTIONAL: proxy username
  proxy_password: 'password' # OPTIONAL: proxy password

Define both the proxy_host and proxy_port fields to enable the agent to route traffic through a proxy server.

After configuring the proxy, restart the Instana agent for the changes to take place.

Filtering and tagging

The Instana host agent supports filtering of Azure services. The filtering of services and their instances is based on tags and resource groups.

For more information on how to apply tags to Azure resources, see Use tags to organize your Azure resources and management hierarchy.

For more information about defining resource groups in Azure, see What is Azure Resource Manager?.

Apply filtering by modifying the Instana host agent configuration file /opt/instana/agent/etc/instana/configuration.yaml as follows:

com.instana.plugin.azure:
  # Comma separated list of tags in key:value format
  include_tags:
  # Comma separated list of tags in key:value format
  exclude_tags:
  # Comma separated list of resource groups
  include_resource_groups:
  # Comma separated list of resource groups
  exclude_resource_groups:

You can also apply filtering at the level of specific services. For more information, see the Monitored Services section for details on specific services.

Multiple service principals

Azure Monitoring API comes with a limitation of 12000 requests per service principal, which limits the number of services one host agent can monitor. To overcome this limitation, you can create multiple service principals. For information on how to create service principles, see Use Azure PowerShell to create a service principal with a certificate.

After creating the service principals, update the /opt/instana/agent/etc/instana/configuration.yaml file on the Instana host agent as follows:

com.instana.plugin.azure:
  enabled: true
  subscription: "Your-Subscription-Id"
  tenant: "Your-Tenant-Id"
  principals:
    - id: "Your-Service-Principal-Account-Id-1"
      secret: "Your-Base64-encoded-Service-Principal-Secret-1"
    - id: "Your-Service-Principal-Account-Id-2"
      secret: "Your-Base64-encoded-Service-Principal-Secret-2"

The host agent hot reloads changes to these principal configurations, meaning that they take effect without needing to restart the host agent.

Filtering API per API Management service

When you have too many APIs under one API Management service, it can be challenging to collect and analyze the data effectively. To focus on important APIs, configure an option to filter APIs by name, either inclusively or exclusively, by defining a regular expression as shown in the following example YAML file:

com.instana.plugin.azure.apimanagement:
  monitorApiList:
    - serviceName: 'robotShopApiGateway'
      #inclusiveApiRegex: '^(API name 1|API name 2)$'
      exclusiveApiRegex: '^(API name 1|API name 2)$'

As shown in the preceding example, you can use complex regex expressions with or and and logic. If you define both inclusiveApiRegex and exclusiveApiRegex, the host agent prioritizes exclusiveApiRegex.