Monitoring Azure Key Vault Managed HSM

Azure Key Vault Managed HSM (Hardware Security Module) is a cloud service that protects your cryptographic keys for cloud applications. Instana uses the Azure Key Vault Managed HSM sensor to monitor Azure Key Vault Managed HSM. Instana comprehensively monitors your Azure Key Vault Managed HSM and provides end-to-end visibility into your environment.

After you install the Instana host agent, the Azure Key Vault Managed HSM sensor is automatically installed. You can view infrastructure metrics that are related to the Azure Key Vault Managed HSM in the Instana UI. For more information about other supported Azure services, see Monitored services.

Configuring the Azure Key Vault Managed HSM sensor

To monitor your Azure Key Vault Managed HSM, enable the Azure sensor by updating the agent <agentinstall_dir>/etc/instana/configuration.yaml file as shown in the following example. For more information, see Installation.

com.instana.plugin.azure:
  enabled: true
  subscription: "[Your-Subscription-Id]"
  tenant: "[Your-Tenant-Id]"
  principals:
    - id: "[Your-Service-Principal-Account-Id]"
      secret: "[Your-Service-Principal-Secret]"

To configure the Azure Key Vault Managed HSM sensor, update the agent configuration file <agentinstall_dir>/etc/instana/configuration.yaml as shown in the following example:

com.instana.plugin.azure.managedhsm:
  enabled: true # Valid values: true, false. Enabled (true) by default 
  include_tags: # Comma separated list of tags in key:value format (e.g. env:prod,env:staging)
  exclude_tags: # Comma separated list of tags in key:value format (e.g. env:dev,env:test)
  include_resource_groups: # Comma separated list of resource groups (e.g. rg_prod,rg_staging)
  exclude_resource_groups: # Comma separated list of resource groups (e.g. rg_dev,rg_test)

You can disable the Azure Key Vault Managed HSM sensor, or filter the monitored HSMs by tags and resource groups.

Disabling the sensor

To disable monitoring Azure Key Vault Managed HSM, update the agent configuration file <agentinstall_dir>/etc/instana/configuration.yaml as shown in the following example:

com.instana.plugin.azure.managedhsm:
  enabled: false

Filtering HSMs by defining tags and resource groups

Instana monitors all Azure Key Vault Managed HSMs by default. You can set which Azure Key Vault Managed HSMs are monitored by Instana. Define tags and resource groups in the configuration.yaml file for Instana to discover the Azure Key Vault Managed HSMs. Only the Azure Key Vault Managed HSMs in the defined environments and resource groups are monitored.

To define multiple tags and resource groups, separate them with commas. Define tags as a key-value pair separated by a colon (:).

If you define a tag or resource group in both lists (include and exclude), the exclude list has a higher priority.

To set tags for the include list, update the configuration.yaml file as shown in the following example:

com.instana.plugin.azure.managedhsm:
  include_tags: # Comma separated list of tags in key:value format (e.g. env:prod,env:staging)

To set tags for the exclude list, update the configuration.yaml file as shown in the following example:

com.instana.plugin.azure.managedhsm:
  exclude_tags: # Comma separated list of tags in key:value format (e.g. env:dev,env:test)

To set resource groups for the include list, update the configuration.yaml file as shown in the following example:

com.instana.plugin.azure.managedhsm:
  include_resource_groups: # Comma separated list of resource groups (e.g. rg_prod,rg_staging)

To set resource groups for the exclude list, update the configuration.yaml file as shown in the following example:

com.instana.plugin.azure.managedhsm:
  exclude_resource_groups: # Comma separated list of resource groups (e.g. rg_dev,rg_test)

You can also set discovery filters that apply to all Azure services.

Filters that you set for an individual Azure service take precedence over the common filter for all Azure services. For more information, see Configuration.
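
The include and exclude rules described above decide which HSMs fall outside monitoring coverage. The following added example (not Instana code) models those rules in Python so that a filter change can be checked against an inventory before it is deployed. The matching assumptions are marked in the comments, and the inventory and filter values are constructed.

```python
# Added example (not Instana code): models the filter rules described above.

def parse_list(value):
    """Split a comma-separated filter value; None or '' means 'not set'."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]

def parse_tags(value):
    """Parse 'key:value,key:value' into a set of (key, value) pairs."""
    pairs = set()
    for item in parse_list(value):
        key, sep, val = item.partition(":")
        if not sep or not key.strip() or not val.strip():
            raise ValueError(f"tag filter {item!r} is not in key:value format")
        pairs.add((key.strip(), val.strip()))
    return pairs

def is_monitored(hsm, cfg):
    """Return True if the HSM passes the filters in cfg."""
    tags = set(hsm.get("tags", {}).items())
    group = hsm["resource_group"]
    # Stated on the page: the exclude list has priority over the include list.
    if tags & parse_tags(cfg.get("exclude_tags")):
        return False
    if group in parse_list(cfg.get("exclude_resource_groups")):
        return False
    # Assumptions: an unset include list matches everything, every include
    # list that is set must match, and comparison is exact and case-sensitive.
    include_tags = parse_tags(cfg.get("include_tags"))
    include_groups = parse_list(cfg.get("include_resource_groups"))
    if include_tags and not (tags & include_tags):
        return False
    if include_groups and group not in include_groups:
        return False
    return True

def unmonitored(inventory, cfg):
    """Names of HSMs that the filters leave outside monitoring coverage."""
    return [h["name"] for h in inventory if not is_monitored(h, cfg)]

# Constructed filter values; rg_test is deliberately in both lists.
CFG = {"include_tags": "env:prod,env:staging",
       "include_resource_groups": "rg_prod,rg_test",
       "exclude_resource_groups": "rg_test"}
# Constructed inventory with hypothetical HSM names.
INVENTORY = [
    {"name": "hsm-pay-prod", "resource_group": "rg_prod", "tags": {"env": "prod"}},
    {"name": "hsm-stage", "resource_group": "rg_test", "tags": {"env": "staging"}},
    {"name": "hsm-dev", "resource_group": "rg_prod", "tags": {"env": "dev"}},
    {"name": "hsm-untagged", "resource_group": "rg_prod", "tags": {}},
]
```

In this sample, the untagged HSM in rg_prod drops out of monitoring as soon as an include tag list is set, which is the kind of coverage gap worth reviewing before a filter goes live.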

Viewing metrics

To view the metrics, complete the following steps:

  1. From the navigation menu in the Instana UI, click Infrastructure.
  2. Click an HSM availability zone.

You can see a host dashboard with all the collected metrics and monitored processes.

Metrics are pulled every minute, which is the resolution that Azure provides for the monitoring of these services.

Configuration data

| HSM details | Description |
| --- | --- |
| Name | HSM name |
| Resource Group | Resource group of the HSM |
| Location | HSM location |
| Type | Type of the resource |
| Provisioning State | Provisioning state of the HSM |
| Tier | Billing tier of this HSM |

Performance metrics

| Metric | Name | Unit | Aggregation | Description |
| --- | --- | --- | --- | --- |
| Service | | | | |
| Overall Service Availability | Availability | Percent | Average | Service requests availability |
| Total Service Api Hits | ServiceApiHit | Count | Count | Number of total service API hits |
| Overall Service Api Latency | ServiceApiLatency | Milliseconds | Average | Overall latency of service API requests |