Azure metrics integration
This feature isn’t available to all Chronosphere Observability Platform users and might not be visible in your app. For information about enabling this feature in your environment, contact Chronosphere Support.
Azure metrics integration connects Chronosphere Observability Platform with Azure Monitor to ingest metrics.
Create the Azure principal
Configure Azure to allow Observability Platform to access metrics in Azure. To do so:
- Ensure the Azure Managed Identity principal is assigned the built-in Reader role for every subscription within scope. The Reader role is more restrictive than the MonitoringReader role. It’s important to create a dedicated Managed Identity to isolate the Azure API quota used by Chronosphere.
- Copy both the credential_issuer and credential_subject variables exactly as specified to allow authentication between your Chronosphere tenant and Azure.
- When creating the Azure principal, grant it access to subscriptions using one of the following options:
  - Management group-based: Access can be granted at the Azure Management Group level. This is the preferred approach, as it means that the subscriptions that Chronosphere has access to are kept in sync with the management group. As subscriptions are added and removed from the management group, these changes will be automatically reflected in Chronosphere. The same principal can also be granted access to multiple management groups.
  - Subscription-based: Access can be granted at the subscription level. In this case, the principal is granted access to individual subscriptions. This approach provides the most control, but has the downside that the list of subscriptions granted to the principal must be kept up to date by the customer. Chronosphere won’t be able to ingest Azure metric data for subscriptions that haven’t been assigned to the principal.
- After provisioning the Azure Managed Identity, provide Chronosphere with the two Terraform outputs defined in the following examples: azure_tenant_id and identity_client_id. These outputs specify the ID of your Azure tenant and the client ID of the Azure Managed Identity, respectively. Chronosphere requires both values to complete the integration.
Terraform examples
The following examples show how you can integrate Azure using one of the previously mentioned methods:
The following Terraform code provides an example of how to create an Azure principal and grant it access to the subscriptions within a management group.
################################################################################
## Azure Provider
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0"
    }
  }
}

provider "azurerm" {
  subscription_id = var.subscription_id
  features {}
}

################################################################################
## Terraform Variables
variable "subscription_id" {
  type        = string
  description = "Azure subscription ID in which to create resources"
}

variable "location" {
  type        = string
  description = "Location in which to create resources"
  default     = "eastus"
}

variable "resource_group_name" {
  type        = string
  description = "Name of the existing resource group to create resources in"
}

variable "management_group_id" {
  type        = string
  description = "Management group to be integrated with Chronosphere"
  default     = "production-group"
}

variable "principal_name" {
  type        = string
  description = "Name of the Azure principal managed identity"
  default     = "chronosphere-integration"
}

variable "credential_issuer" {
  type        = string
  description = "Federated identity credential issuer"
  default     = "https://accounts.google.com"
}

variable "credential_subject" {
  type        = string
  description = "Unique ID of your tenant-specific GCP service account"
  default     = "123456789123456789"
}

################################################################################
## Azure Resources
data "azurerm_management_group" "this" {
  name = var.management_group_id
}

# Dedicated user-assigned managed identity used only by the Chronosphere integration.
resource "azurerm_user_assigned_identity" "chronosphere" {
  name                = var.principal_name
  location            = var.location
  resource_group_name = var.resource_group_name
}

# Assign the principal the Reader role on all subscriptions in the management group.
resource "azurerm_role_assignment" "chronosphere" {
  principal_id         = azurerm_user_assigned_identity.chronosphere.principal_id
  scope                = data.azurerm_management_group.this.id
  role_definition_name = "Reader"
}

# Trust tokens from the given issuer and subject so they can be exchanged for
# tokens of the managed identity.
resource "azurerm_federated_identity_credential" "chronosphere" {
  name                = var.principal_name
  issuer              = var.credential_issuer
  subject             = var.credential_subject
  resource_group_name = var.resource_group_name
  parent_id           = azurerm_user_assigned_identity.chronosphere.id
  audience            = ["api://AzureADTokenExchange"]
}

################################################################################
## Terraform Outputs
output "azure_tenant_id" {
  value = azurerm_user_assigned_identity.chronosphere.tenant_id
}

output "identity_client_id" {
  value = azurerm_user_assigned_identity.chronosphere.client_id
}
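A check to run after applying the Terraform above, added here as an example (not Chronosphere's or Microsoft's code): it audits the principal's role assignments and federated credentials for anything beyond what this page configures. The sample records are constructed and assume the JSON shape returned by az role assignment list and az identity federated-credential list; the function names are hypothetical.

```python
import re

# Values from the Terraform example on this page.
EXPECTED_ROLE, EXPECTED_AUDIENCE = "Reader", "api://AzureADTokenExchange"
ISSUER, SUBJECT = "https://accounts.google.com", "123456789123456789"
# Only management-group or subscription scopes are expected (scopes are case-insensitive).
SCOPE_RE = re.compile(r"^/(providers/Microsoft\.Management/managementGroups|subscriptions)/[^/]+$", re.I)

def audit_role_assignments(assignments):
    """Flag grants other than Reader on a management group or subscription."""
    findings = []
    for a in assignments:
        role, scope = a.get("roleDefinitionName"), a.get("scope", "")
        if role != EXPECTED_ROLE or not SCOPE_RE.match(scope):
            findings.append(f"{role} at {scope!r}")
    return findings

def audit_federated_credentials(creds, issuer, subject):
    """Flag every trust relationship that is not the expected issuer/subject/audience."""
    findings, matched = [], False
    for c in creds:
        if (c.get("issuer"), c.get("subject")) != (issuer, subject):
            findings.append(f"{c.get('name')}: trusts {c.get('issuer')} / {c.get('subject')}")
        elif c.get("audiences") != [EXPECTED_AUDIENCE]:
            findings.append(f"{c.get('name')}: audiences {c.get('audiences')}")
        else:
            matched = True
    if not matched:
        findings.append("no credential matches the expected issuer, subject and audience")
    return findings

# Constructed sample data in the shape of the Azure CLI's JSON output.
MG = "/providers/Microsoft.Management/managementGroups/production-group"
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Reader", "scope": MG},
    {"roleDefinitionName": "Contributor", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"roleDefinitionName": "Reader", "scope": "/"},
]
SAMPLE_CREDENTIALS = [
    {"name": "chronosphere-integration", "issuer": ISSUER,
     "subject": SUBJECT, "audiences": [EXPECTED_AUDIENCE]},
    {"name": "leftover-test", "issuer": "https://issuer.example",
     "subject": "constructed-subject", "audiences": [EXPECTED_AUDIENCE]},
]

if __name__ == "__main__":
    print(audit_role_assignments(SAMPLE_ASSIGNMENTS))
    print(audit_federated_credentials(SAMPLE_CREDENTIALS, ISSUER, SUBJECT))
```

Every federated credential on the identity is a separate party that can obtain tokens as this principal, so an unexpected entry matters as much as an unexpected role.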
Set up Observability Platform to receive Azure data
After configuring Azure to enable access to metrics, you must configure Observability Platform to receive and process those metrics.
To access the API directly, see the Chronosphere API for Azure metrics.
View Azure metrics integrations
To list or view Azure metrics integrations, use one of the following options:
To list your Azure metrics integrations using Chronoctl, use this command:
chronoctl azure-metrics-integrations list
To view an Azure metrics integration, use this command:
chronoctl azure-metrics-integrations read SLUG
Replace SLUG with the unique identifier of the Azure metrics integration.
Create or update an Azure metrics integration
You can create or update your Azure metrics integration with Observability Platform by applying a configuration file with Chronoctl or Terraform. You must add your account principal to an Observability Platform team with SysAdmin permissions.
To create an Azure metrics integration using Chronoctl, use this command:
chronoctl azure-metrics-integrations create --filename FILENAME
Replace FILENAME with the name of your Chronoctl configuration file.
To update an Azure metrics integration, use this command:
chronoctl azure-metrics-integrations update --filename FILENAME
Replace FILENAME with the name of your Chronoctl configuration file.
The input file uses the following structure:
api_version: v1/config
kind: AzureMetricsIntegration
spec:
  name: NAME
  slug: SLUG
  principal:
    tenant_id: TENANT_ID
    client_id: CLIENT_ID
  scrape_config:
    resource_types:
      - name: RESOURCE_TYPE_NAME
        metric_names:
          - METRIC_NAME
    locations:
      - LOCATION
    subscription_ids:
      - SUBSCRIPTION_ID
  usage_metrics_enabled: USAGE_METRICS_ENABLED
  count_metrics_enabled: COUNT_METRICS_ENABLED
  propagate_tags: PROPAGATE_TAGS
Replace the following:
- NAME: (string) The name of the Azure integration.
- SLUG: (string) The unique identifier of the Azure integration.
- TENANT_ID: (UUID) The ID of the Azure tenant that hosts the managed identity principal.
- CLIENT_ID: (UUID) The OAuth 2.0 client ID of the managed identity principal.
- RESOURCE_TYPE_NAME: (string) Name of the resource type.
- METRIC_NAME: (list(string)) List of metric names to be targeted. These apply to this resource type. Leave unset to retrieve all metrics.
- LOCATION: (list(string)) Locations to be ingested for this integration. Applies to all subscriptions. Leave unset to retrieve all locations.
- SUBSCRIPTION_ID: (list(string)) Subscriptions to be targeted for this integration. Leave unset to retrieve all subscriptions.
- USAGE_METRICS_ENABLED: (Boolean) Enables collection of Azure usage metrics under this principal (Microsoft.Compute, Microsoft.Network, Microsoft.Storage).
- COUNT_METRICS_ENABLED: (Boolean) Enables Azure count metrics for the configured resources.
- PROPAGATE_TAGS: (Boolean) Specifies whether Azure resource, group, and subscription tags should be propagated as metric labels.
Delete an Azure integration
Delete an Azure integration using one of the following methods:
Metric information
Observability Platform ingests a wide range of Azure metrics. See the list of available Azure metrics.
Metric labels
You can request custom labels for your Azure metrics as defaultLabels. To add custom labels, contact Chronosphere Support.
When importing metrics, some defaultLabels might conflict with prefixes which already exist in Observability Platform (for example, job). When this occurs, Observability Platform adds the prefix exported_ to the source labels to prevent conflicts.
Find Azure metrics in Metrics Explorer
Use Metrics Explorer to find and review the status of your ingested metrics.
- All Azure metrics start with the prefix azure_. Search for this prefix to display all Azure metrics in the platform.
- Search supports substrings. For example, if the original Azure metric name contains a substring like storageAccounts, searching for the substring returns the Azure metric, along with other metrics containing the substring.