Azure Government Monitoring + Management
12/11/2019 12 minutes to read …
This article outlines the monitoring and management services variations and considerations for the Azure Government environment.
Note
This article has been updated to use the new Azure PowerShell Az
module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020.
To learn more about the new Az module and AzureRM compatibility, see
Introducing the new Azure PowerShell Az module. For
Az module installation instructions, see Install Azure PowerShell.
Advisor
Advisor is generally available in Azure Government.
For more information, see Advisor public documentation.
Variations
The following Advisor recommendations are not currently available in Azure Government:
- High Availability
- Configure your VPN gateway to active-active for connection resilience
- Create Azure Service Health alerts to be notified when Azure issues affect you
- Configure Traffic Manager endpoints for resiliency
- Use soft delete for your Azure Storage Account
- Performance
- Improve App Service performance and reliability
- Reduce DNS time to live on your Traffic Manager profile to fail over to healthy endpoints faster
- Improve SQL Data Warehouse performance
- Use Premium Storage
- Migrate your Storage Account to Azure Resource Manager
- Cost
- Buy reserved virtual machines instances to save money over pay-as-you-go costs
- Eliminate unprovisioned ExpressRoute circuits
- Delete or reconfigure idle virtual network gateways
The calculation used to recommend that you should right-size or shut down underutilized virtual machines is as follows in Azure Government:
Advisor monitors your virtual machine usage for 7 days and identifies low-utilization virtual machines. Virtual machines are considered low-utilization if their CPU utilization is 5% or less and their network utilization is less than 2% or if the current workload can be accommodated by a smaller virtual machine size. If you want to be more aggressive at identifying underutilized virtual machines, you can adjust the CPU utilization rule on a per subscription basis.
Automation
Automation is generally available in Azure Government.
For more information, see Automation public documentation.
Azure Migrate
Azure Migrate is generally available in Azure Government.
For more information, see Azure Migrate documentation.
Variations
The following Azure Migrate features are currently not available in Azure Government:
- Dependency visualization functionality is not available in Azure Government as Azure Migrate depends on Service Map for dependency visualization which is currently unavailable in Azure Government.
- You can only create assessments for Azure Government as target regions and using Azure Government offers.
Backup
Backup is generally available in Azure Government.
For more information, see Azure Government Backup.
Policy
Policy is generally available in Azure Government.
For more information, see Azure Policy.
Site Recovery
Azure Site Recovery is generally available in Azure Government.
For more information, see Site Recovery commercial documentation.
Variations
The following Site Recovery features are not currently available in Azure Government:
| Site Recovery | Classic | Resource Manager |
|---|---|---|
| VMware/Physical | GA | GA |
| Hyper-V | GA | GA |
| Site to Site | GA | GA |
The following URLs for Site Recovery are different in Azure Government:
Monitor
Azure Monitor is generally available in Azure Government.
For more information, see Monitor commercial documentation.
Variations
The following sections detail differences and workarounds for features of Azure Monitor in Azure Government:
Action Groups
Action Groups are generally available in Azure Government with no differences from commercial Azure.
Activity Log Alerts
Activity Log Alerts are generally available in Azure Government with no differences from commercial Azure.
Alerts Experience
The unified alerts UI experience is available for metric and log alerts in Azure Government.
Autoscale
Autoscale is generally available in Azure Government.
If you are using PowerShell/ARM/REST calls to specify settings, set the “Location” of the Autoscale to “USGov Virginia” or “USGov Iowa”. The resource targeted by Autoscale can exist in any region. An example of the setting is below:
$rule1 = New-AzAutoscaleRule -MetricName "Requests" -MetricResourceId "/subscriptions/S1/resourceGroups/RG1/providers/Microsoft.Web/sites/WebSite1" -Operator GreaterThan -MetricStatistic Average -Threshold 10 -TimeGrain 00:01:00 -ScaleActionCooldown 00:05:00 -ScaleActionDirection Increase -ScaleActionScaleType ChangeCount -ScaleActionValue "1"
$rule2 = New-AzAutoscaleRule -MetricName "Requests" -MetricResourceId "/subscriptions/S1/resourceGroups/RG1/providers/Microsoft.Web/sites/WebSite1" -Operator GreaterThan -MetricStatistic Average -Threshold 10 -TimeGrain 00:01:00 -ScaleActionCooldown 00:10:00 -ScaleActionDirection Increase -ScaleActionScaleType ChangeCount -ScaleActionValue "2"
$profile1 = New-AzAutoscaleProfile -DefaultCapacity 2 -MaximumCapacity 10 -MinimumCapacity 2 -Rules $rule1, $rule2 -Name "MyProfile"
$webhook_scale = New-AzAutoscaleWebhook -ServiceUri https://example.com?mytoken=mytokenvalue
$notification1= New-AzAutoscaleNotification -CustomEmails [email protected] -SendEmailToSubscriptionAdministrator -SendEmailToSubscriptionCoAdministrators -Webhooks $webhook_scale
Add-AzAutoscaleSetting -Location "USGov Virginia" -Name "MyScaleVMSSSetting" -ResourceGroup sdubeys-usgv -TargetResourceId /subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Web/serverFarms/ServerFarm1 -AutoscaleProfiles $profile1 -Notifications $notification1
If you are interested in implementing autoscale on your resources, use PowerShell/ARM/Rest calls to specify the settings.
For more information on using PowerShell, see public documentation.
Metrics
Metrics are generally available in Azure Government. However, multi-dimensional metrics are supported only via the REST API. The ability to show multi-dimensional metrics is in preview in the Azure Government portal.
Metric Alerts
The first generation of metrics alerts is generally available in both Azure Government and commercial Azure. The first generation is called Alerts (Classic). The second generation of metric alerts (also called the unified alerts experience) is now also available, but with a reduced set of resource providers compared to the public cloud. More will be added over time.
The resources currently supported in the second generation alerts experience are:
- Microsoft.ApiManagement/service
- Microsoft.Cache/redis
- Microsoft.Compute/virtualMachines
- Microsoft.DBforMySQL/servers
- Microsoft.DBforPostgreSQL/servers
- Microsoft.DBforMariaDB/servers
- Microsoft.Devices/IotHubs
- Microsoft.EventGrid/domains
- Microsoft.EventGrid/topics
- Microsoft.EventHub/clusters
- Microsoft.EventHub/namespaces
- Microsoft.Insights/components
- Microsoft.Network/dnsZones
- Microsoft.Network/loadBalancers
- Microsoft.Network/natGateways
- Microsoft.Network/privateEndpoints
- Microsoft.Network/privateLinkServices
- Microsoft.Network/trafficManagerProfiles
- Microsoft.OperationalInsights/workspaces
- Microsoft.PowerBIDedicated/capacities
- Microsoft.Relay/namespaces
- Microsoft.ServiceBus/namespaces
- Microsoft.Sql/managedInstances
- Microsoft.Sql/servers/databases
- Microsoft.Sql/servers/elasticPools
- Microsoft.Storage/storageAccounts
- Microsoft.Storage/storageAccounts/blobServices
- Microsoft.Storage/storageAccounts/fileServices
- Microsoft.Storage/storageAccounts/queueServices
- Microsoft.Storage/storageAccounts/tableServices
- Microsoft.Web/hostingEnvironments/multiRolePools
- Microsoft.Web/hostingEnvironments/workerPools
- Microsoft.Web/serverfarms
- Microsoft.Web/sites
- Microsoft.Web/sites/slots
Note
Creating multi-resource metric alert rules on Virtual Machines is currently not supported. This article will be updated as soon as this functionality becomes available.
You can still use classic alerts for resources not yet available in the second generation of alerts.
When using PowerShell/ARM/Rest calls to create metric alerts, you will need to set the “Location” of the metric alert to “USGov Virginia” or “USGov Iowa”. An example of the setting is below:
$actionEmail = New-AzAlertRuleEmail -CustomEmail [email protected]
$actionWebhook = New-AzAlertRuleWebhook -ServiceUri https://example.com?token=mytoken
Add-AzMetricAlertRule -Name vmcpu_gt_1 -Location "USGov Virginia" -ResourceGroup myrg1 -TargetResourceId /subscriptions/s1/resourceGroups/myrg1/providers/Microsoft.ClassicCompute/virtualMachines/my_vm1 -MetricName "Percentage CPU" -Operator GreaterThan -Threshold 1 -WindowSize 00:05:00 -TimeAggregationOperator Average -Actions $actionEmail, $actionWebhook -Description "alert on CPU > 1%"
For more information on using PowerShell, see public documentation.
Application Insights
This section describes the supplemental configuration that is required to use Application Insights in Azure Government. To learn more about Azure Monitor and Application Insights checkout the full documentation.
Enable Application Insights for ASP.NET & ASP.NET Core with Visual Studio
Azure Government customers can enable Application Insights with a codeless agent for their Azure App Services hosted applications or via the traditional Add Applications Insights Telemetry button in Visual Studio, which requires a small manual workaround. Customers experiencing the associated issue may see error messages like “There is no Azure subscription associated with this account or “The selected subscription does not support Application Insights even though the microsoft.insights resource provider has a status of registered for the subscription. To mitigate this issue, you must perform the following steps:
-
Switch Visual Studio to target the Azure Government cloud.
-
Create (or if already existing set) the User Environment variable for AzureGraphApiVersion as follows: (To create a User Environment variable go to Control Panel > System > Advanced system settings > Advanced > Environment Variables.)
Variable name: AzureGraphApiVersion
Variable value: 2014-04-01 -
Make the appropriate Application Insights SDK endpoint modifications for either ASP.NET or ASP.NET Core depending on your project type.
Snapshot Debugger
Snapshot Debugger is now available for Azure Government customers. To use Snapshot Debugger the only additional prerequisite is to insure that you are using Snapshot Collector version 1.3.5 or later. Then simply follow the standard Snapshot Debugger documentation.
SDK endpoint modifications
In order to send data from Application Insights to the Azure Government region, you will need to modify the default endpoint addresses that are used by the Application Insights SDKs. Each SDK requires slightly different modifications.
.NET with applicationinsights.config
Note
The applicationinsights.config file is automatically overwritten anytime a SDK upgrade is performed. After performing an SDK upgrade be sure to re-enter the region specific endpoint values.
<ApplicationInsights>
...
<TelemetryModules>
<Add Type="Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.QuickPulse.QuickPulseTelemetryModule, Microsoft.AI.PerfCounterCollector">
<QuickPulseServiceEndpoint>https://quickpulse.applicationinsights.us/QuickPulseService.svc</QuickPulseServiceEndpoint>
</Add>
</TelemetryModules>
...
<TelemetryChannel>
<EndpointAddress>https://dc.applicationinsights.us/v2/track</EndpointAddress>
</TelemetryChannel>
...
<ApplicationIdProvider Type="Microsoft.ApplicationInsights.Extensibility.Implementation.ApplicationId.ApplicationInsightsApplicationIdProvider, Microsoft.ApplicationInsights">
<ProfileQueryEndpoint>https://dc.applicationinsights.us/api/profiles/{0}/appId</ProfileQueryEndpoint>
</ApplicationIdProvider>
...
</ApplicationInsights>
ASP.NET Core
Modify the appsettings.json file in your project as follows to adjust the main endpoint:
"ApplicationInsights": {
"InstrumentationKey": "instrumentationkey",
"TelemetryChannel": {
"EndpointAddress": "https://dc.applicationinsights.us/v2/track"
}
}
The values for Live Metrics and the Profile Query Endpoint can only be set via code. To override the default values for all endpoint values via code, make the following changes in the ConfigureServices method of the Startup.cs file:
using Microsoft.ApplicationInsights.Extensibility;
using Microsoft.ApplicationInsights.Extensibility.Implementation.ApplicationId;
using Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.QuickPulse;
using Microsoft.ApplicationInsights.Channel;
using Microsoft.ApplicationInsights.WindowsServer.TelemetryChannel; //place at top of Startup.cs file
services.ConfigureTelemetryModule<QuickPulseTelemetryModule>((module, o) => module.QuickPulseServiceEndpoint="https://quickpulse.applicationinsights.us/QuickPulseService.svc");
services.AddSingleton<IApplicationIdProvider, ApplicationInsightsApplicationIdProvider>(_ => new ApplicationInsightsApplicationIdProvider() { ProfileQueryEndpoint = "https://dc.applicationinsights.us/api/profiles/{0}/appId" });
services.AddSingleton<ITelemetryChannel>(_ => new ServerTelemetryChannel() { EndpointAddress = "https://dc.applicationinsights.us/v2/track" });
//place in ConfigureServices method. If present, place this prior to services.AddApplicationInsightsTelemetry("instrumentation key");
Azure Functions
Please install following packages into your Function project:
- Microsoft.ApplicationInsights version 2.10.0
- Microsoft.ApplicationInsights.PerfCounterCollector version 2.10.0
- Microsoft.ApplicationInsights.WindowsServer.TelemetryChannel version 2.10.0
And also add (or modify) the startup code for your Function application:
[assembly: FunctionsStartup(typeof(Example.Startup))]
namespace Example
{
class Startup : FunctionsStartup
{
public override void Configure(IFunctionsHostBuilder builder)
{
var quickPulseFactory = builder.Services.FirstOrDefault(sd => sd.ServiceType == typeof(ITelemetryModule) &&
sd.ImplementationType == typeof(QuickPulseTelemetryModule));
if (quickPulseFactory != null)
{
builder.Services.Remove(quickPulseFactory);
}
var appIdFactory = builder.Services.FirstOrDefault(sd => sd.ServiceType == typeof(IApplicationIdProvider));
if (appIdFactory != null)
{
builder.Services.Remove(appIdFactory);
}
var channelFactory = builder.Services.FirstOrDefault(sd => sd.ServiceType == typeof(ITelemetryChannel));
if (channelFactory != null)
{
builder.Services.Remove(channelFactory);
}
builder.Services.AddSingleton<ITelemetryModule, QuickPulseTelemetryModule>(_ =>
new QuickPulseTelemetryModule
{
QuickPulseServiceEndpoint = "https://quickpulse.applicationinsights.us/QuickPulseService.svc"
});
builder.Services.AddSingleton<IApplicationIdProvider, ApplicationInsightsApplicationIdProvider>(_ => new ApplicationInsightsApplicationIdProvider() { ProfileQueryEndpoint = "https://dc.applicationinsights.us/api/profiles/{0}/appId" });
builder.Services.AddSingleton<ITelemetryChannel>(_ => new ServerTelemetryChannel() { EndpointAddress = "https://dc.applicationinsights.us/v2/track" });
}
}
}
Java
Modify the applicationinsights.xml file to change the default endpoint address.
<?xml version="1.0" encoding="utf-8"?>
<ApplicationInsights xmlns="http://schemas.microsoft.com/ApplicationInsights/2013/Settings">
<InstrumentationKey>ffffeeee-dddd-cccc-bbbb-aaaa99998888</InstrumentationKey>
<TelemetryModules>
<Add type="com.microsoft.applicationinsights.web.extensibility.modules.WebRequestTrackingTelemetryModule"/>
<Add type="com.microsoft.applicationinsights.web.extensibility.modules.WebSessionTrackingTelemetryModule"/>
<Add type="com.microsoft.applicationinsights.web.extensibility.modules.WebUserTrackingTelemetryModule"/>
</TelemetryModules>
<TelemetryInitializers>
<Add type="com.microsoft.applicationinsights.web.extensibility.initializers.WebOperationIdTelemetryInitializer"/>
<Add type="com.microsoft.applicationinsights.web.extensibility.initializers.WebOperationNameTelemetryInitializer"/>
<Add type="com.microsoft.applicationinsights.web.extensibility.initializers.WebSessionTelemetryInitializer"/>
<Add type="com.microsoft.applicationinsights.web.extensibility.initializers.WebUserTelemetryInitializer"/>
<Add type="com.microsoft.applicationinsights.web.extensibility.initializers.WebUserAgentTelemetryInitializer"/>
</TelemetryInitializers>
<!--Add the following Channel value to modify the Endpoint address-->
<Channel type="com.microsoft.applicationinsights.channel.concrete.inprocess.InProcessTelemetryChannel">
<EndpointAddress>https://dc.applicationinsights.us/v2/track</EndpointAddress>
</Channel>
</ApplicationInsights>
Spring Boot
Modify the application.properties file and add:
azure.application-insights.channel.in-process.endpoint-address= https://dc.applicationinsights.us/v2/track
Node.js
var appInsights = require("applicationinsights");
appInsights.setup('INSTRUMENTATION_KEY');
appInsights.defaultClient.config.endpointUrl = "https://dc.applicationinsights.us/v2/track"; // ingestion
appInsights.defaultClient.config.profileQueryEndpoint = "https://dc.applicationinsights.us/api/profiles/{0}/appId"; // appid/profile lookup
appInsights.defaultClient.config.quickPulseHost = "https://quickpulse.applicationinsights.us/QuickPulseService.svc"; //live metrics
appInsights.Configuration.start();
The endpoints can also be configured through environment variables:
Instrumentation Key: "APPINSIGHTS_INSTRUMENTATIONKEY"
Profile Endpoint: "https://dc.applicationinsights.us/api/profiles/{0}/appId"
Live Metrics Endpoint: "https://quickpulse.applicationinsights.us/QuickPulseService.svc"
JavaScript
<script type="text/javascript">
var sdkInstance="appInsightsSDK";window[sdkInstance]="appInsights";var aiName=window[sdkInstance],aisdk=window[aiName]||function(e){
function n(e){t[e]=function(){var n=arguments;t.queue.push(function(){t[e].apply(t,n)})}}var t={config:e};t.initialize=!0;var i=document,a=window;setTimeout(function(){var n=i.createElement("script");n.src=e.url||"https://az416426.vo.msecnd.net/next/ai.2.min.js",i.getElementsByTagName("script")[0].parentNode.appendChild(n)});try{t.cookie=i.cookie}catch(e){}t.queue=[],t.version=2;for(var r=["Event","PageView","Exception","Trace","DependencyData","Metric","PageViewPerformance"];r.length;)n("track"+r.pop());n("startTrackPage"),n("stopTrackPage");var s="Track"+r[0];if(n("start"+s),n("stop"+s),n("setAuthenticatedUserContext"),n("clearAuthenticatedUserContext"),n("flush"),!(!0===e.disableExceptionTracking||e.extensionConfig&&e.extensionConfig.ApplicationInsightsAnalytics&&!0===e.extensionConfig.ApplicationInsightsAnalytics.disableExceptionTracking)){n("_"+(r="onerror"));var o=a[r];a[r]=function(e,n,i,a,s){var c=o&&o(e,n,i,a,s);return!0!==c&&t["_"+r]({message:e,url:n,lineNumber:i,columnNumber:a,error:s}),c},e.autoExceptionInstrumented=!0}return t
}({
instrumentationKey:"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
endpointUrl: "https://dc.applicationinsights.us/v2/track"
});
window[aiName]=aisdk,aisdk.queue&&0===aisdk.queue.length&&aisdk.trackPageView({});
</script>
Firewall exceptions
The Azure Application Insights service uses a number of IP addresses. You might need to know these addresses if the app that you are monitoring is hosted behind a firewall.
Note
Although these addresses are static, it’s possible that we will need to change them from time to time. All Application Insights traffic represents outbound traffic with the exception of availability monitoring and webhooks, which require inbound firewall rules.
Outgoing ports
You need to open some outgoing ports in your server’s firewall to allow the Application Insights SDK and/or Status Monitor to send data to the portal:
| Purpose | URL | IP | Ports |
|---|---|---|---|
| Telemetry | dc.applicationinsights.us | 23.97.4.113 | 443 |
Azure Monitor logs
Azure Monitor logs is generally available in Azure Government.
Note
This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of logs in Azure Monitor. See Azure Monitor terminology changes for details.
Variations
- Solutions that are available in Azure Government include:
- Network Performance Monitor (NPM) – NPM is a cloud-based network monitoring solution for public and hybrid cloud environments. Organizations use NPM to monitor network availability across on-premises and cloud environments. Endpoint Monitor – a subcapability of NPM, monitors network connectivity to applications.
The following Azure Monitor logs features and solutions are not currently available in Azure Government.
- Solutions that are in preview in Microsoft Azure, including:
- Service Map
- Windows 10 Upgrade Analytics solution
- Application Insights solution
- Azure Networking Security Group Analytics solution
- Azure Automation Analytics solution
- Key Vault Analytics solution
- Solutions and features that require updates to on-premises software, including:
- Features that are in preview in global Azure, including:
- Export of data to Power BI
- Azure metrics and Azure diagnostics
The URLs for Azure Monitor logs are different in Azure Government:
The following Azure Monitor logs features behave differently in Azure Government:
-
To connect your System Center Operations Manager management group to Azure Monitor logs, you need to download and import updated management packs.
-
For more information about using computer groups from Configuration Manager, see Connect Configuration Manager to Azure Monitor.
Frequently asked questions
- Can I migrate data from Azure Monitor logs in Microsoft Azure to Azure Government?
- No. It is not possible to move data or your workspace from Microsoft Azure to Azure Government.
- Can I switch between Microsoft Azure and Azure Government workspaces from the Operations Management Suite portal?
- No. The portals for Microsoft Azure and Azure Government are separate and do not share information.
For more information, see Azure Monitor logs public documentation.
Scheduler
For information on this service and how to use it, see Azure Scheduler Documentation.
Azure portal
The Azure Government portal can be accessed here.
Azure Resource Manager
For information on this service and how to use it, see Azure Resource Manager Documentation.
