The basics
What is Azure Monitor ?
Just like Azure Security Center is the central but for security in Azure, Azure Monitor the central hub for monitoring in Azure. It means that whenever a resource is deployed within Azure and must be monitored, Azure Monitor is the service that should be used.
For example, you deployed 10 Virtual Machines (VMs) and you want to take a look at their performance. You have two options: look at each VM, or use Azure Monitor which centralizes all of them.
Look at each VM
This is a view you may be familiar with. When selecting a VM in the Azure portal, you can click on the Metrics tab, under the Monitoring section, and look at some performance statistics.
Use Azure Monitor
When using Azure Monitor, we can click on the Virtual Machine tab, under the Insight section. This enables the monitoring of multiple VMs with custom or premade dashboards. For example, the following dashboard is available in the Workbook tab, then Public template, and is called Key Metrics.
But what are metrics ?
In Azure, resources generate two types of data we can monitor : logs, and metrics.
Metrics are mainly numbers and statistics, which make them pretty light. Those statistics can be the CPU usage for Virtual Machines, the mean number of requests received for an App Service, and so on. Metrics are near real-time and can be interesting to monitor the availability of services, and raise alerts when preconfigured thresholds are reached.
In additiona, metrics are automatically enabled at no cost when a resource is created. Metrics retention can vary depending on the resource that was deployed : most of them are stored for 93 days. This period can be increased using storage solutions (e.g. Log Analytics workspaces).
What’s the difference with logs ?
Logs are much more dense : again, it depends on the resource which produces the logs. As an example, imagine a Web Application Firewall (WAF) deployed on Azure, through an Application Gateway. The Application Gateway generates metrics such as the number of requests filtered by the WAF, the WAF availability, etc. For the same kind of data, logs will store much more information, such as the source IP address, the HTTP request that was filtered, the filtering policy that was matched, etc.
By providing so much information, logs are really interesting from a security perspective, and are actually used in security solutions such as Azure Sentinel. Logs are not enabled by default and need to be stored somewhere. This somewhere can be a Log Analytics workspace or a Storage account. Altough logs are not real-time, Azure usually provides a pretty low latency (2 minutes can be expected) between generation and storage.
Visualizing with Azure Monitor
After data is collected, we want to monitor it using beautiful, customizable and comfortable dashboards. In the context of Azure Monitor, we now call these dashboard Workbooks.
Workbooks are built on top of metrics and logs, and can gather many data : for example, if you have multiple subscription, you may know that there are sometimes limitations. With workbooks, we can collect any data from any resource that belongs to your tenant, regardless of the subscription where the resource is deployed, and regardless of whether we collect metrics or logs.
I mentioned that workbooks can be customized. Let me give some examples. First, workbooks are composed of requests on the data we collect to build charts, but also of Markdown, which allows you to add titles, or comments on how the charts should be analyzed. Second, you can create conditional display, which allows you to display items based on filter buttons or tabs, which make the workbook dynamic and really comfortable for the end user. Finaly, there are many (many) settings to display your chart how you want.
This was a first non technical post which gives an idea of Azure monitor capabilities. In the next part, I will get into the technical detail with Azure Log Analytics workspace that are essential to understand in the Azure Monitor context.
