Enable Azure Monitor for containers

This article provides an overview of the options that are available for setting up Azure Monitor for containers to monitor the performance of workloads that are deployed to Kubernetes environments and hosted on:

You can also monitor the performance of workloads that are deployed to self-managed Kubernetes clusters hosted on:

You can enable Azure Monitor for containers for a new deployment or for one or more existing deployments of Kubernetes by using any of the following supported methods:

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

Before you start, make sure that you've met the following requirements:

  • You have a Log Analytics workspace.

    Azure Monitor for containers supports a Log Analytics workspace in the regions that are listed in Products available by region.

    You can create a workspace when you enable monitoring for your new AKS cluster, or you can let the onboarding experience create a default workspace in the default resource group of the AKS cluster subscription.

    If you choose to create the workspace yourself, you can create it through:

    For a list of the supported mapping pairs to use for the default workspace, see Region mapping for Azure Monitor for containers.

  • You are a member of the Log Analytics contributor group for enabling container monitoring. For more information about how to control access to a Log Analytics workspace, see Manage workspaces.

  • You are a member of the Owner group on the AKS cluster resource.

    Note

    As part of the ongoing transition from Microsoft Operations Management Suite to Azure Monitor, the Operations Management Suite Agent for Windows or Linux will be referred to as the Log Analytics agent for Windows and Log Analytics agent for Linux.

  • To view the monitoring data, you need to have Log Analytics reader role in the Log Analytics workspace, configured with Azure Monitor for containers.

  • Prometheus metrics aren't collected by default. Before you configure the agent to collect the metrics, it's important to review the Prometheus documentation to understand what data can be scraped and what methods are supported.

Supported configurations

Azure Monitor for containers officially supports the following configurations:

Network firewall requirements

The following table lists the proxy and firewall configuration information that's required for the containerized agent to communicate with Azure Monitor for containers. All network traffic from the agent is outbound to Azure Monitor.

Agent resource Port
*.ods.opinsights.azure.com 443
*.oms.opinsights.azure.com 443
dc.services.visualstudio.com 443
*.monitoring.azure.com 443
login.microsoftonline.com 443

The following table lists the proxy and firewall configuration information for Azure China 21Vianet:

Agent resource Port Description
*.ods.opinsights.azure.cn 443 Data ingestion
*.oms.opinsights.azure.cn 443 OMS onboarding
dc.services.visualstudio.com 443 For agent telemetry that uses Azure Public Cloud Application Insights

The following table lists the proxy and firewall configuration information for Azure US Government:

Agent resource Port Description
*.ods.opinsights.azure.us 443 Data ingestion
*.oms.opinsights.azure.us 443 OMS onboarding
dc.services.visualstudio.com 443 For agent telemetry that uses Azure Public Cloud Application Insights

Components

Your ability to monitor performance relies on a containerized Log Analytics agent for Linux that's specifically developed for Azure Monitor for containers. This specialized agent collects performance and event data from all nodes in the cluster, and the agent is automatically deployed and registered with the specified Log Analytics workspace during deployment.

The agent version is microsoft/oms:ciprod04202018 or later, and it's represented by a date in the following format: mmddyyyy.

Note

With the general availability of Windows Server support for AKS, an AKS cluster with Windows Server nodes has a preview agent installed as a daemonset pod on each individual Windows server node to collect logs and forward it to Log Analytics. For performance metrics, a Linux node that's automatically deployed in the cluster as part of the standard deployment collects and forwards the data to Azure Monitor on behalf all Windows nodes in the cluster.

When a new version of the agent is released, it's automatically upgraded on your managed Kubernetes clusters that are hosted on Azure Kubernetes Service (AKS). To track which versions are released, see agent release announcements.

Note

If you've already deployed an AKS cluster, you've enabled monitoring by using either the Azure CLI or a provided Azure Resource Manager template, as demonstrated later in this article. You can't use kubectl to upgrade, delete, redeploy, or deploy the agent.

The template needs to be deployed in the same resource group as the cluster.

To enable Azure Monitor for containers, use one of the methods that's described in the following table:

Deployment state Method Description
New Kubernetes cluster Create an AKS cluster by using the Azure CLI You can enable monitoring for a new AKS cluster that you create by using the Azure CLI.
Create an AKS cluster by using Terraform You can enable monitoring for a new AKS cluster that you create by using the open-source tool Terraform.
Create an OpenShift cluster by using an Azure Resource Manager template You can enable monitoring for a new OpenShift cluster that you create by using a preconfigured Azure Resource Manager template.
Create an OpenShift cluster by using the Azure CLI You can enable monitoring when you deploy a new OpenShift cluster by using the Azure CLI.
Existing Kubernetes cluster Enable monitoring of an AKS cluster by using the Azure CLI You can enable monitoring for an AKS cluster that's already deployed by using the Azure CLI.
Enable for AKS cluster using Terraform You can enable monitoring for an AKS cluster that's already deployed by using the open-source tool Terraform.
Enable for AKS cluster from Azure Monitor You can enable monitoring for one or more AKS clusters that are already deployed from the multi-cluster page in Azure Monitor.
Enable from AKS cluster You can enable monitoring directly from an AKS cluster in the Azure portal.
Enable for AKS cluster using an Azure Resource Manager template You can enable monitoring for an AKS cluster by using a preconfigured Azure Resource Manager template.
Enable for hybrid Kubernetes cluster You can enable monitoring for the AKS engine that's hosted on Azure Stack or for a Kubernetes cluster that's hosted on-premises.
Enable for Arc enabled Kubernetes cluster. You can enable monitoring for your Kubernetes clusters that are hosted outside of Azure and enabled with Azure Arc.
Enable for OpenShift cluster using an Azure Resource Manager template You can enable monitoring for an existing OpenShift cluster by using a preconfigured Azure Resource Manager template.
Enable for OpenShift cluster from Azure Monitor You can enable monitoring for one or more OpenShift clusters that are already deployed from the multicluster page in Azure Monitor.

Next steps

Now that you've enabled monitoring, you can begin analyzing the performance of your Kubernetes clusters that are hosted on Azure Kubernetes Service (AKS), Azure Stack, or another environment. To learn how to use Azure Monitor for containers, see View Kubernetes cluster performance.