Configure BYOS for Application Insights Profiler and Snapshot Debugger

When you use Application Insights Profiler or Snapshot Debugger, artifacts generated by your application are uploaded by default into Azure Storage accounts over the public internet. For these artifacts and storage accounts, Microsoft controls and covers the cost for:

  • Processing and analysis.
  • Encryption-at-rest and lifetime management policies.

Meanwhile, when you configure your own storage account (BYOS), artifacts are uploaded into a storage account that only you control and cover the cost for:

  • The encryption-at-rest policy and the lifetime management policy.
  • Network access.

Note

BYOS is required if you're enabling Azure Private Link or customer-managed keys.

In this guide, you learn how to:

  • Grant Diagnostic Services access to your storage account.
  • Link your storage account with your Application Insights resource.
  • Learn how your storage account is accessed.

Prerequisites

  • Verify you've created your storage account in the same location as your Application Insights resource.
  • If you've enabled Private Link, allow connection to our Trusted Microsoft Service from your virtual network.

Grant Diagnostic Services access to your storage account

A BYOS storage account is linked to an Application Insights resource. Start by granting the Storage Blob Data Contributor role to the Microsoft Entra application named Diagnostic Services Trusted Storage Access via the Access Control (IAM) page in your storage account.

  1. Select Access control (IAM).

  2. Select Add > Add role assignment to open the Add role assignment page.

  3. Assign the following role.

    Setting             Value
    Role                Storage Blob Data Contributor
    Assign access to    User, group, or service principal
    Members             Diagnostic Services Trusted Storage Access

    Once assigned, you can see the role under the Role assignments section.

Note

If you're also using Private Link, one more configuration is required to allow connection to our Trusted Microsoft Service from your virtual network. For more information, see Storage network security documentation.
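
The same role assignment can be scripted with Azure PowerShell instead of the portal. This is an added example, not part of the original guide: it assumes a session already signed in with Connect-AzAccount, the Az.Resources and Az.Storage modules, and the example resource names this guide uses in its PowerShell steps.

```powershell
# Added example: grant the role from the portal steps above, scoped to one storage account.
$resourceGroupName  = "byos-test"                # example value used in this guide
$storageAccountName = "byosteststoragewestus2"   # example value used in this guide
$roleName           = "Storage Blob Data Contributor"
$appDisplayName     = "Diagnostic Services Trusted Storage Access"

$storageAccount = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -ErrorAction Stop

# Resolve the service principal of the Microsoft Entra application in this tenant.
# Fail if the display name does not resolve to exactly one principal.
$sp = @(Get-AzADServicePrincipal -DisplayName $appDisplayName)
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal named '$appDisplayName', found $($sp.Count)."
}

# Get-AzRoleAssignment also returns assignments inherited from parent scopes,
# so keep only the one made directly on the storage account.
$existing = Get-AzRoleAssignment -ObjectId $sp[0].Id -Scope $storageAccount.Id -RoleDefinitionName $roleName |
    Where-Object { $_.Scope -eq $storageAccount.Id }

# Assign at storage-account scope only, not at resource group or subscription scope.
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $sp[0].Id -RoleDefinitionName $roleName -Scope $storageAccount.Id
}
```

Scoping the assignment to the storage account keeps the Diagnostic Services application from gaining blob access to other accounts in the same resource group.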

You have three options for configuring BYOS for code-level diagnostics like Profiler and Snapshot Debugger:

  • Azure PowerShell cmdlets
  • The Azure CLI
  • Azure Resource Manager templates

Before you begin, install Azure PowerShell 4.2.0 or greater.

  1. Install the Application Insights PowerShell extension.

    Install-Module -Name Az.ApplicationInsights -Force
    
  2. Sign in with your Azure account subscription.

    Connect-AzAccount -Subscription "{subscription_id}"
    

    For more information on how to sign in, see the Connect-AzAccount documentation.

  3. Remove any previous storage account linked to your Application Insights resource.

    Pattern:

    Get-AzApplicationInsights -ResourceGroupName "{resource_group_name}" -Name "{application_insights_name}" | Remove-AzApplicationInsightsLinkedStorageAccount
    

    Example:

    Get-AzApplicationInsights -ResourceGroupName "byos-test" -Name "byos-test-westus2-ai" | Remove-AzApplicationInsightsLinkedStorageAccount
    
  4. Connect your storage account with your Application Insights resource.

    Pattern:

    $storageAccount = Get-AzStorageAccount -ResourceGroupName "{resource_group_name}" -Name "{storage_account_name}"
    Get-AzApplicationInsights -ResourceGroupName "{resource_group_name}" -Name "{application_insights_name}" | New-AzApplicationInsightsLinkedStorageAccount -LinkedStorageAccountResourceId $storageAccount.Id
    

    Example:

    $storageAccount = Get-AzStorageAccount -ResourceGroupName "byos-test" -Name "byosteststoragewestus2"
    Get-AzApplicationInsights -ResourceGroupName "byos-test" -Name "byos-test-westus2-ai" | New-AzApplicationInsightsLinkedStorageAccount -LinkedStorageAccountResourceId $storageAccount.Id
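
After step 4, the link and the settings it depends on can be audited in one pass. This is an added example, not part of the original guide: Test-ByosConfiguration is a hypothetical helper name, it assumes a signed-in Az session with the Az.ApplicationInsights, Az.Storage and Az.Resources modules, and it pipes the component into the linked storage cmdlet the same way steps 3 and 4 do.

```powershell
# Added example, not from the original guide. Test-ByosConfiguration is a hypothetical name.
function Test-ByosConfiguration {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $ApplicationInsightsName,
        [Parameter(Mandatory)] [string] $StorageAccountName
    )

    $ai = Get-AzApplicationInsights -ResourceGroupName $ResourceGroupName -Name $ApplicationInsightsName -ErrorAction Stop
    $sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -ErrorAction Stop

    # 1. Locations must match, otherwise linking fails with
    #    "Storage account location should match AI component location".
    #    Normalize because a location may be reported as "westus2" or "West US 2".
    $aiLocation = ($ai.Location -replace '\s', '').ToLowerInvariant()
    $saLocation = ($sa.Location -replace '\s', '').ToLowerInvariant()

    # 2. The component must be linked to this storage account, not a previous one.
    $link = $ai | Get-AzApplicationInsightsLinkedStorageAccount -ErrorAction SilentlyContinue

    # 3. The Diagnostic Services application needs Storage Blob Data Contributor on the
    #    account. Assignments inherited from a parent scope are also returned here.
    $assignments = Get-AzADServicePrincipal -DisplayName "Diagnostic Services Trusted Storage Access" |
        ForEach-Object {
            Get-AzRoleAssignment -ObjectId $_.Id -Scope $sa.Id -RoleDefinitionName "Storage Blob Data Contributor"
        }

    # 4. If the storage firewall denies by default (for example with Private Link),
    #    trusted Microsoft services must be allowed to bypass it.
    $firewallDenies = "$($sa.NetworkRuleSet.DefaultAction)" -eq 'Deny'
    $trustedBypass  = "$($sa.NetworkRuleSet.Bypass)" -match 'AzureServices'

    [pscustomobject]@{
        LocationsMatch         = $aiLocation -eq $saLocation
        LinkedToThisAccount    = [bool]$link -and ($link.LinkedStorageAccount -eq $sa.Id)
        RoleAssigned           = [bool]$assignments
        TrustedServicesAllowed = (-not $firewallDenies) -or $trustedBypass
    }
}

# Example values used in this guide.
Test-ByosConfiguration -ResourceGroupName "byos-test" -ApplicationInsightsName "byos-test-westus2-ai" -StorageAccountName "byosteststoragewestus2"
```

Any property that comes back False points at the matching prerequisite, role assignment, or linking step in this guide.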
    

Troubleshooting

This section offers troubleshooting tips for common issues in configuring BYOS.

Scenario: Template schema '{schema_uri}' isn't supported

You've received an error similar to the following example:

New-AzResourceGroupDeployment : 11:53:49 AM - Error: Code=InvalidTemplate; Message=Deployment template validation failed: 'Template schema
'https://schema.management.azure.com/schemas/2020-01-01/deploymentTemplate.json#' is not supported. Supported versions are
'2014-04-01-preview,2015-01-01,2018-05-01,2019-04-01,2019-08-01'. Please see https://aka.ms/arm-template for usage details.'.

Solutions

  • Make sure that the $schema property of the template is valid. It must follow this pattern:

    https://schema.management.azure.com/schemas/{schema_version}/deploymentTemplate.json#
    
  • Make sure that the schema_version of the template is within valid values: 2014-04-01-preview, 2015-01-01, 2018-05-01, 2019-04-01, 2019-08-01.

Scenario: No registered resource provider found for location '{location}'

You've received an error similar to the following example:

New-AzResourceGroupDeployment : 6:18:03 PM - Resource microsoft.insights/components 'byos-test-westus2-ai' failed with message '{
  "error": {
    "code": "NoRegisteredProviderFound",
    "message": "No registered resource provider found for location 'westus2' and API version '2020-03-01-preview' for type 'components'. The supported api-versions are '2014-04-01,
2014-08-01, 2014-12-01-preview, 2015-05-01, 2018-05-01-preview'. The supported locations are ', eastus, southcentralus, northeurope, westeurope, southeastasia, westus2, uksouth,
canadacentral, centralindia, japaneast, australiaeast, koreacentral, francecentral, centralus, eastus2, eastasia, westus, southafricanorth, northcentralus, brazilsouth, switzerlandnorth,
australiasoutheast'."
  }
}'

Solutions

  • Make sure that the apiVersion of the resource microsoft.insights/components is 2015-05-01.
  • Make sure that the apiVersion of the resource linkedStorageAccount is 2020-03-01-preview.

Scenario: Storage account location should match Application Insights component location

You've received an error similar to the following example:

New-AzResourceGroupDeployment : 1:01:12 PM - Resource microsoft.insights/components/linkedStorageAccounts 'byos-test-centralus-ai/serviceprofiler' failed with message '{
  "error": {
    "code": "BadRequest",
    "message": "Storage account location should match AI component location",
    "innererror": {
      "trace": [
        "System.ArgumentException"
      ]
    }
  }
}'

Solution

Make sure that the location of the Application Insights resource is the same as the storage account.

Frequently asked questions

This section provides answers to common questions about configuring BYOS for Profiler and Snapshot Debugger.

If I've enabled Profiler/Snapshot Debugger and BYOS, is my data migrated into my storage account?

No, it won't.

Does BYOS work with encryption-at-rest and customer-managed keys?

Yes. To be precise, BYOS is a requirement to have Profiler/Snapshot Debugger enabled with customer-managed keys.

Does BYOS work in an environment isolated from the internet?

Yes. BYOS is a requirement for isolated network scenarios.

Yes, it's possible.

If I've enabled BYOS, can I go back to using Diagnostic Services storage accounts to store my collected data?

Yes, you can, but we don't currently support data migration from your BYOS.

Yes.

How is my storage account accessed?

  1. Agents running in your virtual machines or Azure App Service upload artifacts (profiles, snapshots, and symbols) to blob containers in your account.

    This process involves contacting Profiler or Snapshot Debugger to obtain a shared access signature token to a new blob in your storage account.

  2. Profiler or Snapshot Debugger:

    • Analyzes the incoming blob.
    • Writes back the analysis results and log files into blob storage.

    Depending on available compute capacity, this process might occur anytime after upload.

  3. When you view Profiler traces or Snapshot Debugger analysis, the service fetches the analysis results from blob storage.
