LM Cloud

2b. Adding your Azure environment into LogicMonitor

Adding your Azure account into LogicMonitor for monitoring is quite easy, and includes the following steps:

Required setup (instructions below):

Additional, optional setup:

 For a list of Azure services monitored, see this page.

Adding your Azure account into LogicMonitor:

1. Add Cloud Account from the Devices page in LogicMonitor:


Enter a meaningful name and description for your Azure environment - this will determine how it is displayed in LogicMonitor. Once done, proceed to the Permissions section:



2. Provide credentials for an Azure AD application that LogicMonitor will use to monitor your resources

LogicMonitor collects metrics for your Azure resources via the Azure Monitor (Insights) ARM API. As such, you will need to set up an Azure Active Directory (AAD) application that LogicMonitor can use to make requests to the Azure Monitor ARM API. Note that because LogicMonitor uses ARM APIs, only ARM-based resources are monitored; this excludes resources such as Azure Classic VMs.

All API requests need to be authenticated via AAD, which is why you'll need to create an AAD application for LogicMonitor.  That application will need reader permissions associated with the resources you want monitored in LogicMonitor.  Typically, these permissions are set at the subscription level, but you can also set them at the resource group level.  The following steps provide instruction for creating an application and assigning the necessary permissions at the subscription level.

1) In the AAD section of your Azure portal, select 'App registrations' under the Manage menu and add a new application:




The Name of the application is how you will see it displayed throughout your Azure portal, but does not have any specific requirements.

The Supported Account Type can be 'Accounts in this organizational directory only'

The Redirect URL can be left empty.

2) Copy the Application (client) ID and the Directory (tenant) ID for the new application you created, and specify those as the client ID and tenant ID respectively in LogicMonitor:


3) Once you've saved the application and copied the IDs into LogicMonitor, navigate to the Certificates & secrets section, and add a 'New Client Secret'. You'll need to specify a useful description, and select how long the keys should be valid for:


Grab the Client Secret Value and provide it as the Azure Secret Key in LogicMonitor.

4) Now that you have an application with a set of API Keys, you'll need to give this application access to the resources you want monitored.  In Azure, you can assign permission at the resource group level or the subscription level.  Usually, assigning permissions at the subscription level is easiest & provides the most value.  For each subscription you want to assign the application permission to, you'll need to navigate to the subscription's Access control (IAM) and add the application as a user with a minimum of Reader permissions:




If you have multiple subscriptions that you want to add into monitoring, you'll need to add the application with a reader role to each one.  For a large number of subscriptions, you may consider doing this via PowerShell.  For example, the following PowerShell script will add an AAD application for LogicMonitor & add the application as a reader to each subscription available to the user that runs the script: 

# Authenticate to all Azure subscriptions that the user has access to
Login-AzureRmAccount

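# Prompt for the service principal password as a SecureString so it is never
# stored in the script. AzureRM 5.0 and later require a SecureString for -Password.
# ($pwd is a PowerShell automatic variable, so a different variable name is used.)
$spPassword = Read-Host -Prompt "Service principal password" -AsSecureString

# Create a new Azure AD application
$azureAdApplication = New-AzureRmADApplication `
             -DisplayName "LogicMonitor" `
             -HomePage "https://lmtest.logicmonitor.com" `
             -IdentifierUris "https://lmtest.logicmonitor.com" `
             -Password $spPassword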

# Create a new service principal associated with the designated application
New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId

# Assign Reader role to the newly created service principal for each subscription
Get-AzureRmSubscription | ForEach-Object {
  Set-AzureRmContext -SubscriptionId $_.SubscriptionId
  New-AzureRmRoleAssignment -RoleDefinitionName Reader `
            -ServicePrincipalName $azureAdApplication.ApplicationId.Guid
}
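
Because the script above grants Reader on every subscription the signed-in user can see, it is worth checking afterwards that the application holds only the access you intended. The following is an added example, not LogicMonitor's or Microsoft's code: `Find-ExcessMonitoringAccess` is a hypothetical helper, and the sample assignments and subscription IDs are constructed placeholders. It expects objects with the `RoleDefinitionName` and `Scope` properties that `Get-AzureRmRoleAssignment` returns.

```powershell
# Added example. Find-ExcessMonitoringAccess is a hypothetical helper name.
function Find-ExcessMonitoringAccess {
    param(
        # Role assignments held by the monitoring application; each object needs
        # RoleDefinitionName and Scope, as returned by Get-AzureRmRoleAssignment.
        [Parameter(Mandatory = $true)] [object[]] $Assignments,
        # Subscription IDs that were intentionally added to monitoring.
        [Parameter(Mandatory = $true)] [string[]] $ApprovedSubscriptionIds
    )
    foreach ($assignment in $Assignments) {
        $findings = @()
        if ($assignment.RoleDefinitionName -ne 'Reader') {
            $findings += "role '$($assignment.RoleDefinitionName)' is not Reader"
        }
        if ($assignment.Scope -match '^/subscriptions/(?<sub>[^/]+)') {
            if ($ApprovedSubscriptionIds -notcontains $Matches['sub']) {
                $findings += "subscription $($Matches['sub']) is not on the approved list"
            }
        }
        else {
            # "/" (root) and management-group scopes reach every subscription beneath them.
            $findings += "scope is above subscription level"
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Role    = $assignment.RoleDefinitionName
                Scope   = $assignment.Scope
                Finding = $findings -join '; '
            }
        }
    }
}

# Constructed sample data (placeholder subscription IDs), so the check runs offline.
$approved = @('00000000-0000-0000-0000-000000000001')
$sample = @(
    [pscustomobject]@{ RoleDefinitionName = 'Reader';      Scope = '/subscriptions/00000000-0000-0000-0000-000000000001' }
    [pscustomobject]@{ RoleDefinitionName = 'Reader';      Scope = '/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-web' }
    [pscustomobject]@{ RoleDefinitionName = 'Contributor'; Scope = '/subscriptions/00000000-0000-0000-0000-000000000001' }
    [pscustomobject]@{ RoleDefinitionName = 'Reader';      Scope = '/subscriptions/00000000-0000-0000-0000-000000000002' }
    [pscustomobject]@{ RoleDefinitionName = 'Reader';      Scope = '/providers/Microsoft.Management/managementGroups/mg-root' }
)

Find-ExcessMonitoringAccess -Assignments $sample -ApprovedSubscriptionIds $approved |
    Format-Table -AutoSize -Wrap
```

To run it against a live tenant, pass the output of `Get-AzureRmRoleAssignment -ServicePrincipalName` for the application's ID, collected per subscription, in place of `$sample`.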

3. Select Azure Subscriptions

Once you've filled out your Azure account information (tenant ID, client ID and secret key), you can select the Get Available Subscriptions button to select subscriptions for monitoring. All subscriptions available to LogicMonitor based on the permissions you've configured will be listed. If you don't see one or more subscriptions you expect to see, ensure that the application you created in Azure has reader permissions for those subscriptions.

4. Configure Azure Services to be monitored

Next, in the Azure Services section of the dialog, you will need to set your default service settings.


These settings include which regions services should be discovered from, what tag filters (if any) should be applied, and whether or not deleted instances should be automatically removed.

The Auto-Discovery Frequency indicates how often LogicMonitor will check for new Azure resources in your account. You can override this setting for the VM service if desired.

If you specify a Tag Filter, only Azure resources that meet the filter criteria will be added to your LogicMonitor account. Note that:

- You can use glob expressions with the tag filter (e.g. tag value = prod*)
- Resources will be discovered if they contain one or more tags specified with an include operation but not any of the exclude tags
- The tag filter is case sensitive

If you choose to automatically remove dead instances, you can further select whether this should happen immediately or after a specified period of time during which no data is received for the instance.

Disabling alerting for terminated instances ensures you will not receive any alerts once instances are terminated, if they are not scheduled to be automatically deleted.  While LogicMonitor intelligently and automatically stops Azure Monitor API data collection once instances are terminated, this option will ensure you do not receive alerts for traditional Collector DataSources like Ping.

Beyond the default services configuration, all services will be auto-selected.  This means LogicMonitor will attempt to discover resources for all supported Azure services (if no resources are found, you'll just see an empty group for that service).  You can de-select services if desired, but there are no negative impacts of leaving unused services selected for discovery. If you'd like to monitor only certain Azure instances for a particular service, you can tag those instances from your Azure portal & apply a tag filter to that service in LogicMonitor (by toggling the configuration from default to custom for that service).

For example, you might add an Azure tag with a key value pair of monitoring:true to the Event Hubs you'd like to monitor, and then add a Tag Filter in LogicMonitor such that only Event Hubs with tags matching monitoring:true are added into monitoring.
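
A tag filter also decides which resources are left out of monitoring, so it helps to preview its effect before relying on it. The following added example (not LogicMonitor code) models the three tag-filter rules listed earlier against constructed sample resources. It assumes the glob applies to the tag value while the key is compared exactly, uses PowerShell wildcards as a stand-in for LogicMonitor's glob syntax, and the rule field names (`Operation`, `TagKey`, `Pattern`) are hypothetical.

```powershell
# Added example modelling the tag-filter rules on this page; not LogicMonitor code.
function Test-TagRule {
    param($Tags, $Rule)
    if ($null -eq $Tags) { return $false }   # an untagged resource matches no rule
    foreach ($entry in $Tags.GetEnumerator()) {
        # -ceq and -clike are the case-sensitive operators; -clike handles * and ? globs.
        if ($entry.Key -ceq $Rule.TagKey -and $entry.Value -clike $Rule.Pattern) {
            return $true
        }
    }
    return $false
}

function Test-Discovered {
    param($Tags, [object[]] $Rules)
    $include = @($Rules | Where-Object { $_.Operation -eq 'include' })
    $exclude = @($Rules | Where-Object { $_.Operation -eq 'exclude' })
    # Any matching exclude rule wins over every include rule.
    foreach ($rule in $exclude) {
        if (Test-TagRule -Tags $Tags -Rule $rule) { return $false }
    }
    foreach ($rule in $include) {
        if (Test-TagRule -Tags $Tags -Rule $rule) { return $true }
    }
    # Assumption: a filter with only exclude rules admits everything not excluded.
    return ($include.Count -eq 0)
}

# Constructed filter: the monitoring:true example from the text plus a glob and an exclude.
$rules = @(
    [pscustomobject]@{ Operation = 'include'; TagKey = 'monitoring'; Pattern = 'true' }
    [pscustomobject]@{ Operation = 'include'; TagKey = 'env';        Pattern = 'prod*' }
    [pscustomobject]@{ Operation = 'exclude'; TagKey = 'env';        Pattern = '*-sandbox' }
)

# Constructed resources; names and tags are illustrative only.
$resources = @(
    [pscustomobject]@{ Name = 'eh-orders';  Tags = @{ monitoring = 'true' } }
    [pscustomobject]@{ Name = 'eh-billing'; Tags = @{ Monitoring = 'true' } }   # key case differs
    [pscustomobject]@{ Name = 'vm-web';     Tags = @{ env = 'prod-web' } }
    [pscustomobject]@{ Name = 'vm-db';      Tags = @{ env = 'Prod-db' } }       # value case differs
    [pscustomobject]@{ Name = 'vm-lab';     Tags = @{ env = 'prod-sandbox'; monitoring = 'true' } }
    [pscustomobject]@{ Name = 'vm-bare';    Tags = $null }                      # no tags at all
)

foreach ($r in $resources) {
    [pscustomobject]@{ Name = $r.Name; Discovered = (Test-Discovered -Tags $r.Tags -Rules $rules) }
}
```

Resources whose tags differ from the filter only in letter case, or that carry no tags, fall outside the filter, so they would not be added to monitoring.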

For the VM service, you can additionally enable monitoring via a local Collector and configure how discovered instances are named.

5. Configure Azure Billing

Optionally set up monitoring for your Azure spend via the instructions on this page.

6. Done!

LogicMonitor will search for and auto-discover Azure resources using our NetScan functionality. A new device group will be created for each Azure Service selected, and each resource discovered for that Azure Service will be added as a LogicMonitor device in that device group. For example, if LogicMonitor discovers 4 Application Gateways for an Azure Account, an Application Gateway group will be created and 4 devices will be added to this group. Each Azure resource will get a system.categories value that identifies the type of resource (e.g. Application Gateway, VM, VM Scale Set, etc.)

After you've added your Azure Account to LogicMonitor, you can force a NetScan to run and detect any new Azure resources in your account by selecting 'Manage' for your Azure Account group in LogicMonitor and then selecting 'save'.

Notes:

  • If you manually delete an Azure 'device' in LogicMonitor and don't change the configuration for discovering instances in your Azure account, that instance will be re-discovered as a device. Make sure to de-select the appropriate region or service, or add a tag filter to ensure that only Azure resources you'd like to monitor are being discovered.
  • If you move resources to different resource groups and/or subscriptions, the Azure resource IDs will change & LogicMonitor will be unable to recognize the moved resources as the same resources that were monitored prior to the move. As a result, the existing monitored resources will be detected as dead and the moved resources will be discovered as new.