Monitoring in the ALZ
Here we will walk through a common use-case where one or more Virtual Machines need to be monitored.
Monitoring a VM
Install the AMA (VM Built with ALZ VM Module)
1.) When passing your VM configuration to the module, ensure that monitor = true is set on each VM that you wish to monitor. Setting this provisions the Azure Monitor Agent on the VM and associates it to the appropriate Data Collection Rule for your Spoke.
Install the AMA (VM Built any other way)
1.) Install the Azure Monitor Agent on the VM(s) you wish to monitor. There are a variety of ways to accomplish this but in the absence of a more automated method it can simply be enabled and installed using the Azure Portal. See the Microsoft documentation on installation here
During the installation process, you will be asked to create a Data Collection Rule. At this point, rather then creating a new one, you should use the existing Data Collection Rule that already exists in your Spoke. It’s deployed as standard to all Spokes and is called MSVMI-azure-monitor-agent. Associating your Azure Monitor Agent install to this Data Collection Rule ensures that the logs it generated will be sent to the correct Log Analytics Workspace.
OPTIONAL: Install the MMA
2.) Due to some issues with the current release of the Azure Monitor Agent (AMA), if you want to have the capability to monitor Windows services, registry keys or files, then you’ll also need to install the Microsoft Monitoring Agent (MMA) extension on your VM alongside the AMA. If you’re using the VM module, this will be handled for you when you just set monitor = true in the same way you would for the AMA installation as noted above.
If you’re building a VM any other way, please see this documentation
Once installed, navigate to the VM in the portal and select the Change Tracking blade from the left hand side, under the Operations Menu. Click “Enable”.
Visualise the logs in a Dashboard
1.) Navigate to the Azure Workbooks blade in the portal and locate the VM monitoring workbook for your Spoke. These workbooks are available to users who have reader writes on the Spoke subscription. The naming convention is as follows:
ALZ - VM Monitor <SPOKE_IDENTIFIER>
For example, in the EUCS Spoke, the Workbook is called:
ALZ - VM Monitor EUCS
This workbook is pre-loaded with queries and can be used as a template by creating a new copy of it. It’s not recommended to use this Workbook directly without first making a copy as it is maintained by the ALZ team and is defined in code. Any changes made to this via the Portal could be lost at any time without warning.
2.) Make a copy of this Workbook by opening it, selecting “Edit” and then selecting “Save As”. Name it as you like and open this new copy of the Workbook.
3.) From here, you can select the VM’s you wish to monitor and which timespan you wish to visualise using the dropdown selectors at the top of the Workbook. This copied Workbook can be expanded to include new queries or metrics as needed. Once you’ve populated the dropdown selections, click the “Save” icon.
Grant View only access
The Spoke Owners can delegate the monitoring of their resources to other individuals.
Spoke Owner is a designated thing and each Spoke has one and that they are provided by the requesting party at the time of Spoke creation.
Each spoke comes provisioned with a few custom Azure AD groups which are added as members to Azure Built-in RBAC roles.
E.g. for spoke MoJ-OFFICIAL-Prod-Spoke-XeroxPrint a custom AAD group Mojo-Azure-Subscription-XeroxPrint_MonitoringReader is created and added to the Built-in RBAC role Monitoring Reader.
In order for spoke owners to delegate the monitoring of their resources they need to use Azure portal to add the respective users as members of their spoke specific AAD group.
Once a user is added to the Mojo-Azure-Subscription-<WorkloadID>_MonitoringReader RBAC role , they will be able to login to Azure Portal and visualize the logs in the Dashboard created as described previously.
Steps:
1.) Login to Azure portal with an account which has owner rights on the spoke/workload
Note: A workload is basically a subscription in Azure Landing Zone.
2.) Select “Subscriptions” and then the “Access Control (IAM)” blade from the left hand menu.
3.) On the Right hand you will see Role assignments
4.) In the search filters, select Scope and set it to This Resource
5.) Locate the Built-in RBAC role you want to delegate your users to and expand the role.
6.) You will see groups starting with Mojo-Azure-Subscription-xxxx. Click on the group visible as Mojo-Azure-Subscription-<WorkloadID>_MonitoringReader.
7.) On the Group screen that follows, click Members
8.) Click Add Members ( You should have this as enabled as you are the group owner).
9.) In the resulting User Search box , type in the email address of the person this role needs to be delegated to.
10.) Add more users if required and then click OK to save the changes.
Follow these steps to grant any other type of Azure RBAC right to required user accounts.
Monitoring something else
Anything that can send logs to a Log Analytics Workspace can be monitored using Azure Monitor. This includes most Azure resources and services, which can usually be configured with a series of “Diagnostic Settings” that specify which Log Analytics Workspace to send logs to and what kinds of event to send. Once logs are being collected, they can be queried and visualised using a Workbook.
Alerting
Alerts in Azure can be configured using thresholds on Metric values or query results, which makes them easy to use in conjunction with resources that are sending logs to a Log Analytics Workspace. Once configured, they are linked to an Action Group which then determines what action to take (Send an email or SMS, restart a server etc…)
At current time, ALZ do not provide any alerts on a Spoke as standard due to the bespoke nature of defining an alert threshold. Often, useful alerting requires application or service specific knowledge to configure.
The ALZ team maintain a Github repository here that aims to centralise the configuration of alerting for all teams across all Workloads and environments in the Landing Zone.
Coming soon
- Access for users who don’t use the Azure Portal via PowerBI. In the meantime, you can get started with consuming ALZ logs in PowerBI immediately using this documentation
- Integration with ServiceNow for automatic creation and assignment of tickets
Templated standard alerting that can be used as basis for more tailored alerts and actions