Azure Government Monitoring + Management

This article outlines the monitoring and management services variations and considerations for the Azure Government environment.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Advisor

Advisor is generally available in Azure Government.

For more information, see Advisor public documentation.

Variations

The following Advisor recommendations are not currently available in Azure Government:

  • High Availability
    • Configure your VPN gateway to active-active for connection resilience
    • Create Azure Service Health alerts to be notified when Azure issues affect you
    • Configure Traffic Manager endpoints for resiliency
    • Use soft delete for your Azure Storage Account
  • Performance
    • Improve App Service performance and reliability
    • Reduce DNS time to live on your Traffic Manager profile to fail over to healthy endpoints faster
    • Improve SQL Data Warehouse performance
    • Use Premium Storage
    • Migrate your Storage Account to Azure Resource Manager
  • Cost
    • Buy reserved virtual machines instances to save money over pay-as-you-go costs
    • Eliminate unprovisioned ExpressRoute circuits
    • Delete or reconfigure idle virtual network gateways

The calculation used to recommend that you should right-size or shut down underutilized virtual machines is as follows in Azure Government:

Advisor monitors your virtual machine usage for 7 days and identifies low-utilization virtual machines. Virtual machines are considered low-utilization if their CPU utilization is 5% or less and their network utilization is less than 2% or if the current workload can be accommodated by a smaller virtual machine size. If you want to be more aggressive at identifying underutilized virtual machines, you can adjust the CPU utilization rule on a per subscription basis.

Automation

Automation is generally available in Azure Government.

For more information, see Automation public documentation.

Azure Migrate

Azure Migrate is generally available in Azure Government.

For more information, see Azure Migrate documentation.

Variations

The following Azure Migrate features are currently not available in Azure Government:

  • Dependency visualization is not available in Azure Government, because Azure Migrate depends on Service Map for dependency visualization and Service Map is currently unavailable in Azure Government.
  • You can create assessments only with Azure Government as the target region and using Azure Government offers.

Backup

Backup is generally available in Azure Government.

For more information, see Azure Government Backup.

Policy

Policy is generally available in Azure Government.

For more information, see Azure Policy.

Site Recovery

Azure Site Recovery is generally available in Azure Government.

For more information, see Site Recovery commercial documentation.

Variations

The following Site Recovery features are not currently available in Azure Government:

  • Email notification

Site Recovery | Classic | Resource Manager
VMware/Physical | GA | GA
Hyper-V | GA | GA
Site to Site | GA | GA

The following URLs for Site Recovery are different in Azure Government:

Azure Public | Azure Government | Notes
*.hypervrecoverymanager.windowsazure.com | *.hypervrecoverymanager.windowsazure.us | Access to the Site Recovery Service
*.backup.windowsazure.com | *.backup.windowsazure.us | Access to Protection Service
*.blob.core.windows.net | *.blob.core.usgovcloudapi.net | For storing the VM Snapshots
https://cdn.mysql.com/archives/mysql-5.5/mysql-5.5.37-win32.msi | https://cdn.mysql.com/archives/mysql-5.5/mysql-5.5.37-win32.msi | To download MySQL

Monitor

Azure Monitor is generally available in Azure Government.

For more information, see Monitor commercial documentation.

Variations

The following sections detail differences and workarounds for features of Azure Monitor in Azure Government:

Action Groups

Action Groups are generally available in Azure Government with no differences from commercial Azure.

Activity Log Alerts

Activity Log Alerts are generally available in Azure Government with no differences from commercial Azure.

Alerts Experience

The unified alerts UI experience is available for metric and log alerts in Azure Government.

Autoscale

Autoscale is generally available in Azure Government.

If you are using PowerShell/ARM/REST calls to specify settings, set the "Location" of the Autoscale to "USGov Virginia" or "USGov Iowa". The resource targeted by Autoscale can exist in any region. An example of the setting is below:

$rule1 = New-AzAutoscaleRule -MetricName "Requests" -MetricResourceId "/subscriptions/S1/resourceGroups/RG1/providers/Microsoft.Web/sites/WebSite1" -Operator GreaterThan -MetricStatistic Average -Threshold 10 -TimeGrain 00:01:00 -ScaleActionCooldown 00:05:00 -ScaleActionDirection Increase -ScaleActionScaleType ChangeCount -ScaleActionValue "1"
$rule2 = New-AzAutoscaleRule -MetricName "Requests" -MetricResourceId "/subscriptions/S1/resourceGroups/RG1/providers/Microsoft.Web/sites/WebSite1" -Operator GreaterThan -MetricStatistic Average -Threshold 10 -TimeGrain 00:01:00 -ScaleActionCooldown 00:10:00 -ScaleActionDirection Increase -ScaleActionScaleType ChangeCount -ScaleActionValue "2"
$profile1 = New-AzAutoscaleProfile -DefaultCapacity 2 -MaximumCapacity 10 -MinimumCapacity 2 -Rules $rule1, $rule2 -Name "MyProfile"
$webhook_scale = New-AzAutoscaleWebhook -ServiceUri https://example.com?mytoken=mytokenvalue
$notification1= New-AzAutoscaleNotification -CustomEmails myname@company.com -SendEmailToSubscriptionAdministrator -SendEmailToSubscriptionCoAdministrators -Webhooks $webhook_scale
Add-AzAutoscaleSetting -Location "USGov Virginia" -Name "MyScaleVMSSSetting" -ResourceGroup sdubeys-usgv -TargetResourceId /subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Web/serverFarms/ServerFarm1 -AutoscaleProfiles $profile1 -Notifications $notification1

If you are interested in implementing autoscale on your resources, use PowerShell/ARM/REST calls to specify the settings.

For more information on using PowerShell, see public documentation.

Metrics

Metrics are generally available in Azure Government. However, multi-dimensional metrics are supported only via the REST API. The ability to show multi-dimensional metrics is in preview in the Azure Government portal.

Metric Alerts

The first generation of metrics alerts is generally available in both Azure Government and commercial Azure. The first generation is called Alerts (Classic). The second generation of metric alerts (also called the unified alerts experience) is now also available, but with a reduced set of resource providers compared to the public cloud. More will be added over time.

The resources currently supported in the second generation alerts experience are:

  • Microsoft.Compute/virtualMachines
  • Microsoft.OperationalInsights/workspaces
  • Microsoft.PowerBIDedicated/capacities
  • Microsoft.Storage/accounts

You can still use classic alerts for resources not yet available in the second generation of alerts.

When using PowerShell/ARM/REST calls to create metric alerts, you will need to set the "Location" of the metric alert to "USGov Virginia" or "USGov Iowa". An example of the setting is below:

$actionEmail = New-AzAlertRuleEmail -CustomEmail myname@company.com
$actionWebhook = New-AzAlertRuleWebhook -ServiceUri https://example.com?token=mytoken
Add-AzMetricAlertRule -Name vmcpu_gt_1 -Location "USGov Virginia" -ResourceGroup myrg1 -TargetResourceId /subscriptions/s1/resourceGroups/myrg1/providers/Microsoft.ClassicCompute/virtualMachines/my_vm1 -MetricName "Percentage CPU" -Operator GreaterThan -Threshold 1 -WindowSize 00:05:00 -TimeAggregationOperator Average -Actions $actionEmail, $actionWebhook -Description "alert on CPU > 1%"

For more information on using PowerShell, see public documentation.

Application Insights

Note

Codeless agent/extension based monitoring for Azure App Services is currently not supported. As soon as this functionality becomes available this article will be updated.

This section describes the supplemental configuration that is required to use Application Insights in Azure Government. To learn more about Azure Monitor and Application Insights, check out the full documentation.

Enable Application Insights for ASP.NET & ASP.NET Core with Visual Studio

Currently, for Azure Government customers, enabling Application Insights via the traditional Add Application Insights Telemetry button in Visual Studio requires a small manual workaround. Customers experiencing the associated issue may see error messages like "There is no Azure subscription associated with this account" or "The selected subscription does not support Application Insights", even though the microsoft.insights resource provider has a status of registered for the subscription. To mitigate this issue, you must perform the following steps:

  1. Switch Visual Studio to target the Azure Government cloud.

  2. Create (or, if it already exists, set) the User Environment variable AzureGraphApiVersion as follows. (To create a User Environment variable, go to Control Panel > System > Advanced system settings > Advanced > Environment Variables.)

    Variable name: AzureGraphApiVersion
    Variable value: 2014-04-01

  3. Make the appropriate Application Insights SDK endpoint modifications for either ASP.NET or ASP.NET Core depending on your project type.

Snapshot Debugger

Snapshot Debugger is now available for Azure Government customers. To use Snapshot Debugger, the only additional prerequisite is to ensure that you are using Snapshot Collector version 1.3.5 or later. Then simply follow the standard Snapshot Debugger documentation.

SDK endpoint modifications

In order to send data from Application Insights to the Azure Government region, you will need to modify the default endpoint addresses that are used by the Application Insights SDKs. Each SDK requires slightly different modifications.

.NET with applicationinsights.config

<ApplicationInsights>
  ...
  <TelemetryModules>
    <Add Type="Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.QuickPulse.QuickPulseTelemetryModule, Microsoft.AI.PerfCounterCollector">
      <QuickPulseServiceEndpoint>https://quickpulse.applicationinsights.us/QuickPulseService.svc</QuickPulseServiceEndpoint>
    </Add>
  </TelemetryModules>
    ...
  <TelemetryChannel>
     <EndpointAddress>https://dc.applicationinsights.us/v2/track</EndpointAddress>
  </TelemetryChannel>
  ...
  <ApplicationIdProvider Type="Microsoft.ApplicationInsights.Extensibility.Implementation.ApplicationId.ApplicationInsightsApplicationIdProvider, Microsoft.ApplicationInsights">
    <ProfileQueryEndpoint>https://dc.applicationinsights.us/api/profiles/{0}/appId</ProfileQueryEndpoint>
  </ApplicationIdProvider>
  ...
</ApplicationInsights>
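A way to check a deployed config against the endpoints above, as an added example that is not part of the original article or the Application Insights SDK. It assumes Python 3, matches elements by name so it also reads the Java applicationinsights.xml layout, and uses a constructed sample with a placeholder host.

```python
"""Added example: audit an Application Insights XML config for Azure Government endpoints."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Expected values are the Azure Government endpoints listed on this page.
GOV_ENDPOINTS = {
    "EndpointAddress": "https://dc.applicationinsights.us/v2/track",
    "QuickPulseServiceEndpoint": "https://quickpulse.applicationinsights.us/QuickPulseService.svc",
    "ProfileQueryEndpoint": "https://dc.applicationinsights.us/api/profiles/{0}/appId",
}

def local_name(tag):
    """Strip an XML namespace: '{ns}EndpointAddress' -> 'EndpointAddress'."""
    return tag.rsplit("}", 1)[-1]

def audit_config(xml_text, required=("EndpointAddress",)):
    """Return sorted findings; an empty list means every endpoint checks out."""
    findings, seen = [], set()
    for elem in ET.fromstring(xml_text).iter():
        name = local_name(elem.tag)
        if name not in GOV_ENDPOINTS:
            continue
        seen.add(name)
        value = (elem.text or "").strip()
        url = urlparse(value)
        host = url.hostname or ""
        if url.scheme != "https":
            findings.append(f"{name}: not https ({value!r})")
        elif not host.endswith(".applicationinsights.us"):
            findings.append(f"{name}: non-Government host {host!r}")
        elif value != GOV_ENDPOINTS[name]:
            findings.append(f"{name}: unexpected URL {value!r}")
    # An element that is absent leaves the SDK on its default endpoint.
    for name in required:
        if name not in seen:
            findings.append(f"{name}: missing, SDK default endpoint is used")
    return sorted(findings)

# Constructed sample (not from the page): ingestion is overridden, Live Metrics
# points at a placeholder host, and the profile query endpoint is absent.
SAMPLE = """<ApplicationInsights>
  <TelemetryModules>
    <Add Type="QuickPulseTelemetryModule">
      <QuickPulseServiceEndpoint>https://quickpulse.example.com/QuickPulseService.svc</QuickPulseServiceEndpoint>
    </Add>
  </TelemetryModules>
  <TelemetryChannel>
    <EndpointAddress>https://dc.applicationinsights.us/v2/track</EndpointAddress>
  </TelemetryChannel>
</ApplicationInsights>"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE, required=tuple(GOV_ENDPOINTS)):
        print(finding)
```

Pass `required=tuple(GOV_ENDPOINTS)` for the .NET file, where all three endpoints are set in XML; the default requires only the telemetry channel address.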

.NET Core

Modify the appsettings.json file in your project as follows to adjust the main endpoint:

"ApplicationInsights": {
    "InstrumentationKey": "instrumentationkey",
    "TelemetryChannel": {
      "EndpointAddress": "https://dc.applicationinsights.us/v2/track"
    }
  }

The values for Live Metrics and the Profile Query Endpoint can only be set via code. To override the default values for all endpoint values via code, make the following changes in the ConfigureServices method of the Startup.cs file:

// Place at the top of the Startup.cs file:
using Microsoft.ApplicationInsights.Channel;
using Microsoft.ApplicationInsights.Extensibility.Implementation.ApplicationId;
using Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.QuickPulse;
using Microsoft.ApplicationInsights.WindowsServer.TelemetryChannel;

    // Place in the ConfigureServices method. If present, place this prior to services.AddApplicationInsightsTelemetry("instrumentation key");

    // Live Metrics endpoint
    services.ConfigureTelemetryModule<QuickPulseTelemetryModule>((module, o) => module.QuickPulseServiceEndpoint = "https://quickpulse.applicationinsights.us/QuickPulseService.svc");

    // Profile query (application ID lookup) endpoint
    services.AddSingleton(new ApplicationInsightsApplicationIdProvider() { ProfileQueryEndpoint = "https://dc.applicationinsights.us/api/profiles/{0}/appId" });

    // Main telemetry endpoint
    services.AddSingleton<ITelemetryChannel>(new ServerTelemetryChannel() { EndpointAddress = "https://dc.applicationinsights.us/v2/track" });

Java

Modify the applicationinsights.xml file to change the default endpoint address.

<?xml version="1.0" encoding="utf-8"?>
<ApplicationInsights xmlns="http://schemas.microsoft.com/ApplicationInsights/2013/Settings">
  <InstrumentationKey>ffffeeee-dddd-cccc-bbbb-aaaa99998888</InstrumentationKey>
  <TelemetryModules>
    <Add type="com.microsoft.applicationinsights.web.extensibility.modules.WebRequestTrackingTelemetryModule"/>
    <Add type="com.microsoft.applicationinsights.web.extensibility.modules.WebSessionTrackingTelemetryModule"/>
    <Add type="com.microsoft.applicationinsights.web.extensibility.modules.WebUserTrackingTelemetryModule"/>
  </TelemetryModules>
  <TelemetryInitializers>
    <Add type="com.microsoft.applicationinsights.web.extensibility.initializers.WebOperationIdTelemetryInitializer"/>
    <Add type="com.microsoft.applicationinsights.web.extensibility.initializers.WebOperationNameTelemetryInitializer"/>
    <Add type="com.microsoft.applicationinsights.web.extensibility.initializers.WebSessionTelemetryInitializer"/>
    <Add type="com.microsoft.applicationinsights.web.extensibility.initializers.WebUserTelemetryInitializer"/>
    <Add type="com.microsoft.applicationinsights.web.extensibility.initializers.WebUserAgentTelemetryInitializer"/>
  </TelemetryInitializers>
  <!--Add the following Channel value to modify the Endpoint address-->
  <Channel type="com.microsoft.applicationinsights.channel.concrete.inprocess.InProcessTelemetryChannel">
  <EndpointAddress>https://dc.applicationinsights.us/v2/track</EndpointAddress>
  </Channel>
</ApplicationInsights>

Spring Boot

Modify the application.properties file and add:

azure.application-insights.channel.in-process.endpoint-address=https://dc.applicationinsights.us/v2/track

Node.js

var appInsights = require("applicationinsights");
appInsights.setup('INSTRUMENTATION_KEY');
appInsights.defaultClient.config.endpointUrl = "https://dc.applicationinsights.us/v2/track"; // ingestion
appInsights.defaultClient.config.profileQueryEndpoint = "https://dc.applicationinsights.us/api/profiles/{0}/appId"; // appid/profile lookup
appInsights.defaultClient.config.quickPulseHost = "https://quickpulse.applicationinsights.us/QuickPulseService.svc"; //live metrics
appInsights.Configuration.start();

The endpoints can also be configured through environment variables:

Instrumentation Key: "APPINSIGHTS_INSTRUMENTATIONKEY"
Profile Endpoint: "https://dc.applicationinsights.us/api/profiles/{0}/appId"
Live Metrics Endpoint: "https://quickpulse.applicationinsights.us/QuickPulseService.svc"

JavaScript

<script type="text/javascript">
var sdkInstance="appInsightsSDK";window[sdkInstance]="appInsights";var aiName=window[sdkInstance],aisdk=window[aiName]||function(e){function n(e){i[e]=function(){var n=arguments;i.queue.push(function(){i[e].apply(i,n)})}}var i={config:e};i.initialize=!0;var a=document,t=window;setTimeout(function(){var n=a.createElement("script");n.src=e.url||"https://az416426.vo.msecnd.net/next/ai.2.min.js",a.getElementsByTagName("script")[0].parentNode.appendChild(n)});try{i.cookie=a.cookie}catch(e){}i.queue=[],i.version=2;for(var r=["Event","PageView","Exception","Trace","DependencyData","Metric","PageViewPerformance"];r.length;)n("track"+r.pop());n("startTrackPage"),n("stopTrackPage");var o="Track"+r[0];if(n("start"+o),n("stop"+o),!(!0===e.disableExceptionTracking||e.extensionConfig&&e.extensionConfig.ApplicationInsightsAnalytics&&!0===e.extensionConfig.ApplicationInsightsAnalytics.disableExceptionTracking)){n("_"+(r="onerror"));var s=t[r];t[r]=function(e,n,a,t,o){var c=s&&s(e,n,a,t,o);return!0!==c&&i["_"+r]({message:e,url:n,lineNumber:a,columnNumber:t,error:o}),c},e.autoExceptionInstrumented=!0}return i}
(
  {
    instrumentationKey: "INSTRUMENTATION_KEY",
    endpointUrl: "https://dc.applicationinsights.us/v2/track"
  }
);
window[aiName]=aisdk,aisdk.queue&&0===aisdk.queue.length&&aisdk.trackPageView({});
</script>

Firewall exceptions

The Azure Application Insights service uses a number of IP addresses. You might need to know these addresses if the app that you are monitoring is hosted behind a firewall.

Note

Although these addresses are static, it's possible that we will need to change them from time to time. All Application Insights traffic represents outbound traffic with the exception of availability monitoring and webhooks, which require inbound firewall rules.

Outgoing ports

You need to open some outgoing ports in your server's firewall to allow the Application Insights SDK and/or Status Monitor to send data to the portal:

Purpose | URL | IP | Ports
Telemetry | dc.applicationinsights.us | 23.97.4.113 | 443

Azure Monitor logs

Azure Monitor logs is generally available in Azure Government.

Note

This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of logs in Azure Monitor. See Azure Monitor terminology changes for details.

Variations

  • Solutions that are available in Azure Government include:
    • Network Performance Monitor (NPM) - NPM is a cloud-based network monitoring solution for public and hybrid cloud environments. Organizations use NPM to monitor network availability across on-premises and cloud environments. Endpoint Monitor, a subcapability of NPM, monitors network connectivity to applications.

The following Azure Monitor logs features and solutions are not currently available in Azure Government.

  • Solutions that are in preview in Microsoft Azure, including:
    • Service Map
    • Windows 10 Upgrade Analytics solution
    • Application Insights solution
    • Azure Networking Security Group Analytics solution
    • Azure Automation Analytics solution
    • Key Vault Analytics solution
  • Solutions and features that require updates to on-premises software, including:
    • Surface Hub solution
  • Features that are in preview in global Azure, including:
    • Export of data to Power BI
  • Azure metrics and Azure diagnostics

The URLs for Azure Monitor logs are different in Azure Government:

Azure Public | Azure Government | Notes
mms.microsoft.com | oms.microsoft.us | Log Analytics workspaces portal
workspaceId.ods.opinsights.azure.com | workspaceId.ods.opinsights.azure.us | Data collector API
*.ods.opinsights.azure.com | *.ods.opinsights.azure.us | Agent communication - configuring firewall settings
*.oms.opinsights.azure.com | *.oms.opinsights.azure.us | Agent communication - configuring firewall settings
*.blob.core.windows.net | *.blob.core.usgovcloudapi.net | Agent communication - configuring firewall settings
portal.loganalytics.io | portal.loganalytics.us | Advanced Analytics Portal - configuring firewall settings
api.loganalytics.io | api.loganalytics.us | Advanced Analytics Portal - configuring firewall settings
docs.loganalytics.io | docs.loganalytics.us | Advanced Analytics Portal - configuring firewall settings
*.azure-automation.net | *.azure-automation.us | Azure Automation - configuring firewall settings
N/A | *.usgovtrafficmanager.net | Azure Traffic Manager - configuring firewall settings
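The URL table above applied to egress review, as an added example that is not part of the original article: it scans proxy log lines for agents still contacting the Azure Public hostnames and reports the Azure Government name each should use. The log format, the workspace ID and the sample lines are constructed assumptions, and the hosts are assumed to be ones that should talk only to Azure Government.

```python
"""Added example: flag proxy traffic to commercial Azure Monitor logs endpoints."""

# (Azure Public, Azure Government) pairs copied from the table above.
# A leading "*." stands for one or more DNS labels in front of the suffix.
URL_PAIRS = [
    ("mms.microsoft.com", "oms.microsoft.us"),
    ("*.ods.opinsights.azure.com", "*.ods.opinsights.azure.us"),
    ("*.oms.opinsights.azure.com", "*.oms.opinsights.azure.us"),
    ("*.blob.core.windows.net", "*.blob.core.usgovcloudapi.net"),
    ("portal.loganalytics.io", "portal.loganalytics.us"),
    ("api.loganalytics.io", "api.loganalytics.us"),
    ("docs.loganalytics.io", "docs.loganalytics.us"),
    ("*.azure-automation.net", "*.azure-automation.us"),
]

def match(pattern, host):
    """Return the part of host covered by '*' ('' for exact patterns), else None."""
    if not pattern.startswith("*."):
        return "" if host == pattern else None
    suffix = pattern[1:]  # e.g. ".ods.opinsights.azure.com", dot kept as label boundary
    if host.endswith(suffix) and len(host) > len(suffix):
        return host[: -len(suffix)]
    return None

def classify(host):
    """Return ('government', None), ('commercial', gov_host) or ('other', None)."""
    host = host.lower().rstrip(".")
    for commercial, gov in URL_PAIRS:
        if match(gov, host) is not None:
            return ("government", None)
        prefix = match(commercial, host)
        if prefix is not None:
            return ("commercial", prefix + gov.lstrip("*"))
    return ("other", None)

def audit_proxy_log(lines):
    """Return (host, gov_host) for each CONNECT to a commercial endpoint."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) == 3 and fields[1] == "CONNECT":
            host = fields[2].rsplit(":", 1)[0]
            kind, gov_host = classify(host)
            if kind == "commercial":
                hits.append((host, gov_host))
    return hits

# Constructed log lines in an assumed "<time> CONNECT <host>:<port>" format.
SAMPLE_LOG = [
    "2020-01-15T10:00:01Z CONNECT ab12cd34.ods.opinsights.azure.us:443",
    "2020-01-15T10:00:02Z CONNECT ab12cd34.ods.opinsights.azure.com:443",
    "2020-01-15T10:00:03Z CONNECT mms.microsoft.com:443",
    "2020-01-15T10:00:04Z CONNECT www.example.org:443",
]

if __name__ == "__main__":
    for host, gov_host in audit_proxy_log(SAMPLE_LOG):
        print(f"{host} -> expected {gov_host}")
```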

The following Azure Monitor logs features behave differently in Azure Government:

Frequently asked questions

  • Can I migrate data from Azure Monitor logs in Microsoft Azure to Azure Government?
    • No. It is not possible to move data or your workspace from Microsoft Azure to Azure Government.
  • Can I switch between Microsoft Azure and Azure Government workspaces from the Operations Management Suite portal?
    • No. The portals for Microsoft Azure and Azure Government are separate and do not share information.

For more information, see Azure Monitor logs public documentation.

Scheduler

For information on this service and how to use it, see Azure Scheduler Documentation.

Azure portal

The Azure Government portal can be accessed here.

Azure Resource Manager

For information on this service and how to use it, see Azure Resource Manager Documentation.
