Skip to main content
This feature isn’t available to all Chronosphere Observability Platform users and might not be visible in your app. For information about enabling this feature in your environment, contact Chronosphere Support.
Azure metrics integration connects Chronosphere Observability Platform with Azure Monitor to ingest metrics.

Create the Azure principal

Configure Azure to allow Observability Platform to access metrics in Azure. To do so:
  1. Ensure the Azure Managed Identity principal is assigned the built-in Reader role for every subscription within scope. The Reader role is more restrictive than the MonitoringReader role. It’s important to create a dedicated Managed Identity to isolate the Azure API quota used by Chronosphere.
  2. Contact Chronosphere Support to obtain the specific credential_issuer and credential_subject for your tenant.
  3. Copy both the credential_issuer and credential_subject variables exactly as specified to allow authentication between your Chronosphere tenant and Azure.
  4. When creating the Azure principal, grant it access to subscriptions using one of the following options:
    • Management group-based: Access can be granted at the Azure Management Group level. This is the preferred approach, as it means that the subscriptions that Chronosphere has access to are kept in sync with the management group. As subscriptions are added and removed from the management group, these changes will be automatically reflected in Chronosphere. The same principal can also be granted access to multiple management groups.
    • Subscription-based: Access can be granted at the subscription level. In this case, the principal is granted access to individual subscriptions. This approach provides the most control, but has the downside that the list of subscriptions granted to the principal must be kept up to date by the customer. Chronosphere won’t be able to ingest Azure metric data for subscriptions that haven’t been assigned to the principal.
  5. After provisioning the Azure Managed Identity, provide Chronosphere with the two Terraform outputs defined in the following examples: azure_tenant_id and identity_client_id. These outputs specify the ID of your Azure tenant and the client ID of the Azure Managed Identity, respectively. Chronosphere requires both values to complete the integration.

Terraform examples

The following examples show how you can integrate Azure using one of the previously mentioned methods:
The following Terraform code provides an example of how to create an Azure principal and grant it access to the subscriptions within a management group.
################################################################################
## Azure Provider

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0"
    }
  }
}

provider "azurerm" {
  subscription_id = var.subscription_id
  features {}
}

################################################################################
## Terraform Variables

variable "subscription_id" {
  type        = string
  description = "Azure subscription ID in which to create resources"
}

variable "location" {
  type        = string
  description = "Location in which to create resources"
  default     = "eastus"
}

variable "resource_group_name" {
  type        = string
  description = "Name of the existing resource group to create resources in"
}

variable "management_group_id" {
  type        = string
  description = "Management group to be integrated with Chronosphere"
  default     = "production-group"
}

variable "principal_name" {
  type        = string
  description = "Name of the Azure principal managed identity"
  default     = "chronosphere-integration"
}

variable "credential_issuer" {
  type        = string
  description = "Federated identity credential issuer"
  default     = "https://accounts.google.com"
}

variable "credential_subject" {
  type        = string
  description = "Unique ID of your tenant-specific GCP service account"
  default     = "123456789123456789"
}

################################################################################
## Azure Resources

data "azurerm_management_group" "this" {
  name = var.management_group_id
}

resource "azurerm_user_assigned_identity" "chronosphere" {
  name                = var.principal_name
  location            = var.location
  resource_group_name = var.resource_group_name
}

# Assign the principal the Reader role on all subscriptions in the management group.
resource "azurerm_role_assignment" "chronosphere" {
  principal_id         = azurerm_user_assigned_identity.chronosphere.principal_id
  scope                = data.azurerm_management_group.this.id
  role_definition_name = "Reader"
}

resource "azurerm_federated_identity_credential" "chronosphere" {
  name                = var.principal_name
  issuer              = var.credential_issuer
  subject             = var.credential_subject
  resource_group_name = var.resource_group_name
  parent_id           = azurerm_user_assigned_identity.chronosphere.id
  audience            = ["api://AzureADTokenExchange"]
}

################################################################################
## Terraform Outputs

output "azure_tenant_id" {
  value = azurerm_user_assigned_identity.chronosphere.tenant_id
}

output "identity_client_id" {
  value = azurerm_user_assigned_identity.chronosphere.client_id
}

Set up Observability Platform to receive Azure data

After configuring Azure to enable access to metrics, you must configure Observability Platform to receive and process those metrics. To access the API directly, see the Chronosphere API for Azure metrics.

View Azure metrics integrations

To list or view Azure metrics integrations, use one of the following options:
To list your Azure metrics integrations using Chronoctl, use this command:
chronoctl azure-metrics-integrations list
To view a Azure metrics integration, use this command:
chronoctl azure-metrics-integrations read SLUG
Replace SLUG with the unique identifier of the Azure metrics integration.

Create or update an Azure metrics integration

You can create or update your Azure metrics integration with Observability Platform by applying a configuration file with Chronoctl or Terraform. You must add your account principal to an Observability Platform team with SysAdmin permissions.
To create a Azure metrics integration using Chronoctl, use this command:
chronoctl azure-metrics-integrations create --filename FILENAME
Replace FILENAME with the name of your Chronoctl configuration file.To update a Azure metrics integration, use this command:
chronoctl azure-metrics-integrations update --filename FILENAME
Replace FILENAME with the name of your Chronoctl configuration file.The input file uses the following structure:
api_version: v1/config
kind: AzureMetricsIntegration
spec:
  name: NAME
  slug: SLUG
  principal:
    tenant_id: TENANT_ID
    client_id: CLIENT_ID
  scrape_config:
    resource_types:
      - name: RESOURCE_TYPE_NAME
        metric_names:
          - METRIC_NAME
    locations:
      - LOCATION
    subscription_ids:
      - SUBSCRIPTION_ID
  usage_metrics_enabled: USAGE_METRICS_ENABLED
  count_metrics_enabled: COUNT_METRICS_ENABLED
  propagate_tags: PROPAGATE_TAGS
Replace the following:
  • NAME: (string) The name of the Azure integration.
  • SLUG: (string) The unique identifier of the Azure integration.
  • TENANT_ID: (UUID) The ID of the Azure tenant that hosts the managed identity principal.
  • CLIENT_ID: (UUID) The OAuth 2.0 client ID of the managed identity principal.
  • RESOURCE_TYPE_NAME: (string) Name of the resource type.
  • METRIC_NAME: (list(string)) List of metric names to be targeted. These apply to this resource type. Leave unset to retrieve all metrics.
  • LOCATION: (list(string)) Locations to be ingested for this integration. Applies to all subscriptions. Leave unset to retrieve all locations.
  • SUBSCRIPTION_ID: (list(string)) Subscriptions to be targeted for this integration. Leave unset to retrieve all subscriptions.
  • USAGE_METRICS_ENABLED: (Boolean) Enables collection of azure usage metrics under this principal (Microsoft.Compute, Microsoft.Network, Microsoft.Storage).
  • COUNT_METRICS_ENABLED: (Boolean) Enables Azure count metrics for the configured resources.
  • PROPAGATE_TAGS: (Boolean) Specifies whether Azure resource, group, and subscription tags should be propagated as metric labels.

Delete an Azure integration

Delete an Azure integration using one of the following methods:
Your account must have SysAdmin permissions to complete this action.To delete an Azure integration using Chronoctl, use this command:Use the command:
chronoctl azure-metrics-integrations delete SLUG
Replace SLUG with the unique identifier of the Azure metrics integration.

Metric information

Observability Platform ingests a wide range of Azure metrics. See the list of available Azure metrics.

Metric labels

You can request custom labels for your Azure metrics as defaultLabels. To add custom labels, contact Chronosphere Support. When importing metrics, some defaultLabels might conflict with prefixes which already exist in Observability Platform (for example, job). When this occurs, Observability Platform adds the prefix exported_ to the source labels to prevent conflicts.

Find Azure metrics in Metrics Explorer

Use Metrics Explorer to find and review the status of your ingested metrics.
  • All Azure metrics start with the prefix azure_. Search for this prefix to display all Azure metrics in the platform.
  • Search supports substrings. For example, if the original Azure metric name contains a substring like storageAccounts, searching for the substring returns the Azure metric, along with other metrics containing the substring.