Monitoring and instrumenting Microsoft® Azure with Instana agent

Monitored services

The Instana host agent monitors Azure-managed services by collecting data from Azure APIs. Instana supports monitoring for the following Azure services:

Instrumented services

Edit online

You can instrument the following services:

Supported information

Edit online

Supported operating systems

Edit online

The supported operating systems of the Microsoft® Azure sensor are consistent with host agents requirements. For more information, see the supported operating systems for each Instana host agent.

Installing the Instana agent

Edit online

To monitor an Azure virtual machine or a Kubernetes cluster that runs on Azure Kubernetes Service, see Installing the Instana host agents.

Note: Depending on the number of monitored entities in your cloud environment, you must increase the memory available to your host agent. You can increase the agent memory by setting the environment variable AGENT_MAX_MEM to a value greater than the default value 544 MiB.

For example, to allocate 1 GB of memory to the agent, set AGENT_MAX_MEM=1024M.

Install the Instana host agent on a host inside or outside your Azure environment. Each host agent can monitor remote services within a single subscription. To monitor multiple Azure subscriptions, you must deploy multiple host agents.

Installing an Instana agent outside your Azure environment

Edit online

If you install the Instana agent outside your Azure environment, the agent uses the Azure public cloud endpoint by default.

To specify the Azure cloud endpoint that you want to use, modify the /opt/instana/agent/etc/instana/configuration.yaml agent configuration file as follows:

com.instana.plugin.azure:
  cloud: 'AzurePublicCloud'

Azure cloud endpoints

Edit online

Depending on the Azure cloud endpoint you want to use, you can select from these cloud configuration values: AzurePublicCloud, AzureChinaCloud, AzureUSGovernmentCloud, and AzureGermanCloud. For more information on Azure cloud endpoints, see Azure cloud endpoints.

Make sure that you have access to the following network endpoints for your selected Azure cloud environment:

Table 1. Azure cloud endpoint mappings
Azure cloud endpoint	Active Directory endpoint	Management endpoint
`AzurePublic`: Microsoft Azure public cloud	`https://login.microsoftonline.com`	`https://management.azure.com/`
`AzureChina`: Microsoft Chinese national cloud	`https://login.chinacloudapi.cn/`	`https://management.chinacloudapi.cn/`
`AzureGermany`: Microsoft German national cloud	`https://login.microsoftonline.de/`	`https://management.microsoftazure.de/`
`AzureUsGovernment`: US Government cloud	`https://login.microsoftonline.us/`	`https://management.usgovcloudapi.net/`

To enable external monitoring of Azure services, configure your firewall to allow access to the above REST API endpoints based on your Azure cloud environment. Also, make sure that firewall access to the Log Analytics endpoint at https://api.loganalytics.io, which is required mainly for Databricks, regardless of Azure cloud endpoints.

Instana's Azure monitoring

Edit online

Instana discover Azure resources by using two primary methods:

VM Metadata Service: The Instana agent queries the Azure Instance Metadata Service (IMDS) at http://169.254.169.254/metadata/instance to collect the basic information about the VM instance where the agent is installed.
Azure Resource Manager (ARM) API: Instana uses ARM API to discover what Azure resources exist in a subscription.

You can provide the client ID, client secret, and the tenant ID through the configuration files. Instana automatically retrieves and refreshes access tokens and uses them to access the required Azure APIs based on the permissions granted.

Authorization URL : {activeDirectoryEndpoint} + {TenantId} + /oauth2/token

The sensor that is registered for each discovered resource, periodically collects metrics and metadata for its resource by using Azure Monitor APIs.

Azure API

Edit online

Azure Resource Manager(ARM) API: Instana uses ARM API to discover the Azure resources within a subscription and collects configuration details such as names, types, locations, and tags. Instana also uses these details to understand how resources connect to each other.

ARM API endpoints typically use this pattern: https://{managementendpoint}/subscriptions/{subscriptionId}/...

The Management endpoint varies based on the Azure cloud endpoint. See the following sample patterns:

https://management.azure.com/subscriptions/{subscriptionId}/...
https://management.usgovcloudapi.net/subscriptions/{subscriptionId}/...

Azure Monitor API: Instana uses the same Azure Monitor API, which shares ARM management endpoint, to collect monitoring data such as metrics, logs, and health information about Azure resources.

Azure Monitor API endpoints typically use this pattern: https://{managementendpoint}/subscriptions/{subscriptionId}/providers/Microsoft.Insights/...

The management endpoint varies based on the Azure cloud endpoint. See the following sample patterns:

https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Insights/...
https://management.usgovcloudapi.net/subscriptions/{subscriptionId}/providers/Microsoft.Insights/...

Service principal

Edit online

1. Creating service principal

Edit online

To enable Azure monitoring, configure the host agent with a service principal that has at least reader permissions. You can create a service principal by using the Azure portal, Azure CLI, or Azure PowerShell.

Create a service principal in the Azure portal

Edit online

The following steps describe how to create a service principal account with read access to your resources in the Azure portal.

Create a service principal by registering an application in the Azure portal:

Open the Azure management Portal and select Microsoft Entra ID.
Copy the Tenant ID value. You need this value to configure the agent to connect to your Azure account.
Select App registrations in the navigation pane.
Create a new application by selecting New registration at the top of the App registrations tab.
Enter the name of your application, leave all other settings with their default values, and select Register.
Copy the Application (client) ID value. You need this value to configure the Service principal ID that the agent uses to connect to the Azure account.
Open the newly created app and select Certificates & secrets > New client secret from the navigation menu to create a new security key.
Copy the Value of the new Key and save it. You need this value to configure the Service Principal Secret that the agent uses to connect to your Azure account.

Note: You can view client secret values only after creation. Make sure to save the secret key when you create it, and before you exit the page.

Create a service principal by using Azure CLI

Edit online

You can use the Azure Command-Line Interface (CLI), a fast and simple method to create a service principal and assign a role in a single command.

Install the Azure CLI.
Run the az login command in your terminal to sign in to your Azure account, and then follow the on-screen instructions.
Open your terminal or Azure Cloud Shell.
Run the following command to find your subscription ID:
```
az account show --query id --output tsv
```
Run the following command to create a service principal. Replace service-principal-name, role, and subscription-ID with your specific values.
```
az ad sp create-for-rbac --name "<service-principal-name>" --role "<role>" --scopes "/subscriptions/<subscription-id>"
```
- --name: A unique name for your service principal.
- --role: The RBAC role to assign, such as contributor, reader, or owner.
- --scopes: The Azure resource scope to apply the role to, such as your subscription, resource group, or a specific resource.
The output from the preceding command provides the service principal's credentials. Copy and securely store the appId (Client ID), password (Client secret), and tenant (Tenant ID) from the JSON output. The password is shown only once and cannot be retrieved later.
Run the following command to verify the new role assignment, Replace the appId with your Client ID:
```
az role assignment list --assignee "<appId>"
```

Creating a service principal by using Azure PowerShell

Edit online

To create a service principal by using Azure PowerShell and grant the required access, follow the steps in theAzure PowerShell documentation.

2. Grant reader permission to your service principal

Edit online

By using the Azure portal:

In the Azure portal, select All services > General > Subscriptions.
On the subscriptions page, select your subscription, and then select Access control (IAM).
Select Add role assignment, and choose Reader. Click Next.
In the Members section, enter the following details:
- For Assign access to, select user, group, or service principal.
- For Members, click Select members, and then select your service principal from the list on the left.
Click Next, and then select Review + assign.

By using Azure CLI:

If you give the role as Reader in the same command when you create the service principal, the CLI automatically grants read permission to the service principal:

az ad sp create-for-rbac --name "<service-principal-name>" --role "Reader" --scopes /subscriptions/{subscription-id}

To verify reader role for a service principal by using Python script (optional), see the Python script.

3. Enable the Azure sensor in the agent

Edit online

To enable Azure monitoring, configure the Azure sensor in the agent configuration.yaml file. A minimal configuration looks like the following example:

com.instana.plugin.azure:
  enabled: true
  subscription: "Your-Subscription-Id"
  tenant: "Your-Tenant-Id"
  principals:
    - id: "Your-Service-Principal-Account-Id"
      secret: "Your-Service-Principal-Secret"

Restart the host agent to apply the new configuration. After the restart, the agent can automatically discover supported remote services on the specified subscription.

Configuration

Edit online

Proxy configuration

Edit online

To configure the Instana host agent to use a proxy, add the following settings to the agent configuration:

com.instana.plugin.azure:
  proxy_host: 'example.com' # proxy host name or ip address
  proxy_port: 3128 # proxy port
  proxy_username: 'username' # OPTIONAL: proxy username
  proxy_password: 'password' # OPTIONAL: proxy password

Define both the proxy_host and proxy_port fields to enable the agent to route traffic through a proxy server.

After you configure the proxy, restart the Instana agent for the changes to take place.

Filtering and tagging

Edit online

The Instana host agent supports filtering of Azure services. The filtering of services and their instances is based on tags and resource groups.

For more information on how to apply tags to Azure resources, see Use tags to organize your Azure resources and management hierarchy.

For more information about defining resource groups in Azure, see What is Azure Resource Manager?.

Apply filtering by modifying the Instana host agent configuration file at /opt/instana/agent/etc/instana/configuration.yaml as follows:

com.instana.plugin.azure:
  # Comma separated list of tags in key:value format
  include_tags:
  # Comma separated list of tags in key:value format
  exclude_tags:
  # Comma separated list of resource groups
  include_resource_groups:
  # Comma separated list of resource groups
  exclude_resource_groups:

You can also apply filtering at the level of specific services. For more information, see the Monitored Services section for details on specific services.

Multiple service principals

Edit online

Azure Monitoring API comes with a limitation of 12000 requests per service principal, which limits the number of services that a single host agent can monitor. To overcome this limitation, you can create multiple service principals. For information on how to create service principles, see Use Azure PowerShell to create a service principal with a certificate.

After you create the service principals, update the /opt/instana/agent/etc/instana/configuration.yaml file on the Instana host agent as follows:

com.instana.plugin.azure:
  enabled: true
  subscription: "Your-Subscription-Id"
  tenant: "Your-Tenant-Id"
  principals:
    - id: "Your-Service-Principal-Account-Id-1"
      secret: "Your-Base64-encoded-Service-Principal-Secret-1"
    - id: "Your-Service-Principal-Account-Id-2"
      secret: "Your-Base64-encoded-Service-Principal-Secret-2"

Note: The host agent hot reloads changes to these principal configurations, meaning that they take effect without needing to restart the host agent.

Filtering API per API management service

Edit online

When you have too many APIs under one API Management service, it can be challenging to collect and analyze the data effectively. To focus on important APIs, configure API filtering by defining an inclusive or exclusive regular expression as shown in the following example YAML file:

com.instana.plugin.azure.apimanagement:
  monitorApiList:
    - serviceName: 'robotShopApiGateway'
      #inclusiveApiRegex: '^(API name 1|API name 2)$'
      exclusiveApiRegex: '^(API name 1|API name 2)$'

As shown in the preceding example, you can use complex regex expressions with or and and logic. If you define both inclusiveApiRegex and exclusiveApiRegex, the host agent prioritizes exclusiveApiRegex.

Available metrics for each resource type

Edit online

You can view the list of supported metrics for the different resource types in the official Azure documentation.

Cost calculation of Azure API usage

Edit online

For more information about Azure API usage cost calculations, see Azure API usage cost calculation.