Deploy Azure Monitor at scale by using Azure Policy

Although some Azure Monitor features are configured once or a limited number of times, others must be repeated for each resource that you want to monitor. This article describes methods for using Azure Policy to implement Azure Monitor at scale. The goal is to ensure that monitoring is consistently and accurately configured for all your Azure resources.

For example, you need to create a diagnostic setting for all your existing Azure resources and for each new resource that you create. You also need to have an agent installed and configured each time you create a virtual machine. You can use methods such as PowerShell or the Azure CLI to perform these actions, because these methods are available for all features of Azure Monitor. But by using Azure Policy, you can have logic in place that will automatically perform the appropriate configuration each time you create or modify a resource.

Azure Policy

This section provides a brief introduction to Azure Policy. You can use the Azure Policy service to assess and enforce organizational standards across your entire Azure subscription or management group with minimal effort. For complete details, see the Azure Policy documentation.

With Azure Policy, you can specify configuration requirements for any resources that are created and take one of these actions:

  • Identify resources that are out of compliance.
  • Block the resources from being created.
  • Add the required configuration.

Azure Policy works by intercepting calls to create a new resource or to modify an existing resource. It can respond with such effects as denying the request if it doesn't match the properties expected in a policy definition, flagging the resource as noncompliant, or deploying a related resource. You can remediate existing resources with a deployIfNotExists or modify policy definition.

Azure Policy consists of the objects in the following table. For a more detailed explanation of each, see Azure Policy objects.

  • Policy definition: This object describes resource compliance conditions and the effect to take if a condition is met. It might be all resources of a particular type or only resources that match certain properties. The effect might be to simply flag the resource for compliance or to deploy a related resource. Policy definitions are written in JSON, as described in Azure Policy definition structure. Effects are described in Understand Azure Policy effects.
  • Policy initiative: A group of policy definitions that should be applied together is called an initiative. For example, you might have one policy definition to send resource logs to a Log Analytics workspace and another to send resource logs to an event hub. Create an initiative that includes both policy definitions, and apply the initiative to resources instead of the individual policy definitions. Initiatives are written in JSON, as described in Azure Policy initiative structure.
  • Assignment: A policy definition or initiative doesn't take effect until it's assigned to a scope. For example, assign a policy to a resource group to apply it to all resources created in that resource group, or assign it to a subscription to apply it to all resources in that subscription. For more information, see Azure Policy assignment structure.

Built-in policy definitions for Azure Monitor

Azure Policy includes several prebuilt definitions related to Azure Monitor. You can assign these policy definitions to your existing subscription or use them as a basis to create your own custom definitions. For a complete list of the built-in policies in the Monitoring category, see Azure Policy built-in definitions for Azure Monitor.

To view the built-in policy definitions related to monitoring:

  1. Go to Azure Policy in the Azure portal.
  2. Select Definitions.
  3. For Type, select Built-in. For Category, select Monitoring.

[Screenshot: the Azure Policy Definitions page in the Azure portal, showing the list of policy definitions for the Monitoring category and Built-in type.]

Azure Monitor agent

The Azure Monitor agent collects monitoring data from the guest operating system of Azure virtual machines and delivers it to Azure Monitor. The Azure Monitor agent uses data collection rules to define the data to collect from each agent. Data collection rules enable manageability of collection settings at scale while still enabling unique, scoped configurations for subsets of machines.

Use the following policies and policy initiatives to automatically install the agent and associate it with a data collection rule, every time you create a virtual machine.

Built-in policy initiatives

View prerequisites for agent installation.

Policy initiatives for Windows and Linux virtual machines consist of individual policies that:

  • Install the Azure Monitor agent extension on the virtual machine.
  • Create and deploy the association to link the virtual machine to a data collection rule.

[Screenshot: part of the Azure Policy Definitions page showing the two built-in policy initiatives for configuring the Azure Monitor agent.]

Built-in policies

You can choose to use the individual policies from their respective policy initiatives, based on your needs. For example, if you only want to automatically install the agent, use the first policy from the initiative as shown in the following example.

[Screenshot: part of the Azure Policy Definitions page showing the policies contained in the initiative for configuring the Azure Monitor agent.]

Remediation

The initiatives or policies will apply to each virtual machine as it's created. A remediation task deploys the policy definitions in the initiative to existing resources, so you can configure the Azure Monitor agent for any resources that were already created.

When you create the assignment by using the Azure portal, you have the option of creating a remediation task at the same time. See Remediate non-compliant resources with Azure Policy for details on the remediation.

[Screenshot: initiative remediation for the Azure Monitor agent.]

Diagnostic settings

Diagnostic settings collect resource logs and metrics from Azure resources and route them to multiple locations. A typical location is a Log Analytics workspace, which allows you to analyze the data with log queries and log alerts. Use Azure Policy to automatically create a diagnostic setting each time you create a resource.

Each Azure resource type has a unique set of categories that need to be listed in the diagnostic setting. Because of this, each resource type requires a separate policy definition. Some resource types have built-in policy definitions that you can assign without modification. For other resource types, you need to create a custom definition.

Built-in policy definitions for Azure Monitor

There are two built-in policy definitions for each resource type: one to send to a Log Analytics workspace and another to send to an event hub. If you need only one location, assign that policy for the resource type. If you need both, assign both policy definitions for the resource.

For example, the following image shows the built-in diagnostic setting policy definitions for Azure Data Lake Analytics.

[Screenshot: part of the Azure Policy Definitions page showing the two built-in diagnostic setting policy definitions for Data Lake Analytics.]

Custom policy definitions

For resource types that don't have a built-in policy, you need to create a custom policy definition. You could do this manually in the Azure portal by copying an existing built-in policy and then modifying it for your resource type. It's more efficient, though, to create the policy programmatically by using a script in the PowerShell Gallery.

The script Create-AzDiagPolicy creates policy files for a particular resource type that you can install by using PowerShell or the Azure CLI. Use the following procedure to create a custom policy definition for diagnostic settings:

  1. Ensure that you have Azure PowerShell installed.

  2. Install the script by using the following command:

    Install-Script -Name Create-AzDiagPolicy
    
  3. Run the script by using the parameters to specify where to send the logs. You'll be prompted to specify a subscription and resource type.

    For example, to create a policy definition that sends logs to a Log Analytics workspace and an event hub, use the following command:

    Create-AzDiagPolicy.ps1 -ExportLA -ExportEH -ExportDir ".\PolicyFiles"

    Alternatively, you can specify a subscription and resource type in the command. For example, to create a policy definition that sends logs to a Log Analytics workspace and an event hub for SQL Server databases, use the following command:

    Create-AzDiagPolicy.ps1 -SubscriptionID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -ResourceType Microsoft.Sql/servers/databases -ExportLA -ExportEH -ExportDir ".\PolicyFiles"

  4. The script creates separate folders for each policy definition. Each folder contains three files named azurepolicy.json, azurepolicy.rules.json, and azurepolicy.parameters.json. If you want to create the policy manually in the Azure portal, you can copy and paste the contents of azurepolicy.json because it includes the entire policy definition. Use the other two files with PowerShell or the Azure CLI to create the policy definition from a command line.

    The following examples show how to install the policy definition from both PowerShell and the Azure CLI. Each example includes metadata to specify a category of Monitoring to group the new policy definition with the built-in policy definitions.

    New-AzPolicyDefinition -name "Deploy Diagnostic Settings for SQL Server database to Log Analytics workspace" -policy .\Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.rules.json -parameter .\Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.parameters.json -mode All -Metadata '{"category":"Monitoring"}'

    az policy definition create --name 'deploy-diag-setting-sql-database--workspace' --display-name 'Deploy Diagnostic Settings for SQL Server database to Log Analytics workspace' --rules 'Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.rules.json' --params 'Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.parameters.json' --subscription 'AzureMonitor_Docs' --mode All

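The procedure above never shows what the generated rules and parameters files contain. As an added example (not part of the article and not output of the Create-AzDiagPolicy script), here is a hand-written custom definition of the same shape for Azure Key Vault: a deployIfNotExists policy whose existence condition checks for a diagnostic setting that already sends logs to the chosen workspace, and whose deployment creates one that forwards the AuditEvent log and all metrics. The definition name, display name and profile name are assumptions; the two role definition IDs are the built-in Monitoring Contributor and Log Analytics Contributor roles, which the assignment's managed identity needs before it can deploy anything.

```powershell
# Added example, not from the article or the Create-AzDiagPolicy script.
# Assumes the Az.Resources module is installed and Connect-AzAccount has been run
# against the subscription that should hold the definition.

# Policy rule: "if" selects every Key Vault; "then" looks for an existing diagnostic
# setting pointed at the workspace and deploys one when none is found.
$rules = @'
{
  "if": { "field": "type", "equals": "Microsoft.KeyVault/vaults" },
  "then": {
    "effect": "[parameters('effect')]",
    "details": {
      "type": "Microsoft.Insights/diagnosticSettings",
      "existenceCondition": {
        "allOf": [
          { "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", "equals": "true" },
          { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", "equals": "[parameters('logAnalytics')]" }
        ]
      },
      "roleDefinitionIds": [
        "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
        "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
      ],
      "deployment": {
        "properties": {
          "mode": "incremental",
          "template": {
            "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "parameters": {
              "resourceName": { "type": "string" },
              "logAnalytics": { "type": "string" },
              "profileName":  { "type": "string" }
            },
            "resources": [
              {
                "type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings",
                "apiVersion": "2017-05-01-preview",
                "name": "[concat(parameters('resourceName'), '/Microsoft.Insights/', parameters('profileName'))]",
                "properties": {
                  "workspaceId": "[parameters('logAnalytics')]",
                  "logs":    [ { "category": "AuditEvent", "enabled": true } ],
                  "metrics": [ { "category": "AllMetrics", "enabled": true } ]
                }
              }
            ]
          },
          "parameters": {
            "resourceName": { "value": "[field('name')]" },
            "logAnalytics": { "value": "[parameters('logAnalytics')]" },
            "profileName":  { "value": "[parameters('profileName')]" }
          }
        }
      }
    }
  }
}
'@

# Policy parameters: the workspace is supplied at assignment time (or through an initiative
# parameter); "effect" lets an assignment switch the policy off without removing it.
$parameters = @'
{
  "effect": {
    "type": "String",
    "defaultValue": "DeployIfNotExists",
    "allowedValues": [ "DeployIfNotExists", "Disabled" ]
  },
  "logAnalytics": {
    "type": "String",
    "metadata": { "displayName": "Log Analytics workspace", "strongType": "omsWorkspace" }
  },
  "profileName": {
    "type": "String",
    "defaultValue": "setByPolicy"
  }
}
'@

# Create the definition in the current subscription, in the Monitoring category so that it is
# listed next to the built-in definitions. Name and display name are assumptions.
New-AzPolicyDefinition -Name 'deploy-diag-keyvault-workspace' `
  -DisplayName 'Deploy Diagnostic Settings for Key Vault to Log Analytics workspace' `
  -Policy $rules -Parameter $parameters -Mode All -Metadata '{"category":"Monitoring"}'
```

The existence condition is what keeps the effect idempotent: a vault that already has a setting routed to the same workspace is reported compliant and left alone, while a vault with a setting to some other destination is still treated as missing one and gets a second setting rather than having the existing one overwritten. For a different resource type, change the `type` in the `if` block, the nested resource type in the template, and the `logs` categories; the category list is what the Create-AzDiagPolicy script enumerates for you.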
Initiative

Rather than create an assignment for each policy definition, a common strategy is to create an initiative that includes the policy definitions to create diagnostic settings for each Azure service. Create an assignment between the initiative and a management group, subscription, or resource group, depending on how you manage your environment. This strategy offers the following benefits:

  • Create a single assignment for the initiative instead of multiple assignments for each resource type. Use the same initiative for multiple management groups, subscriptions, or resource groups.
  • Modify the initiative when you need to add a new resource type or destination. For example, your initial requirements might be to send data only to a Log Analytics workspace, but later you want to add an event hub. Modify the initiative instead of creating new assignments.

For details on creating an initiative, see Create and assign an initiative definition. Consider the following recommendations:

  • Set Category to Monitoring to group it with related built-in and custom policy definitions.
  • Instead of specifying the details for the Log Analytics workspace and the event hub for policy definitions included in the initiative, use a common initiative parameter. This parameter allows you to easily specify a common value for all policy definitions and change that value if necessary.
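The two recommendations above, carried out from PowerShell as an added example (not code from the article): an initiative in the Monitoring category with a single logAnalytics parameter that each member definition reads, so the workspace is specified once at assignment time. It assumes two custom definitions already exist in the current subscription and each expose a logAnalytics parameter: deploy-diag-setting-sql-database--workspace (the name used in step 4 above) and deploy-diag-keyvault-workspace (a hypothetical Key Vault definition). The initiative name, display name and reference IDs are assumptions.

```powershell
# Added example, not from the article. Assumes Az.Resources, an active Connect-AzAccount
# session, and two custom definitions already created in this subscription:
#   deploy-diag-setting-sql-database--workspace  (name used in step 4 above)
#   deploy-diag-keyvault-workspace               (hypothetical Key Vault definition)
# Both are assumed to expose a "logAnalytics" parameter.

$subscriptionId   = (Get-AzContext).Subscription.Id
$definitionPrefix = "/subscriptions/$subscriptionId/providers/Microsoft.Authorization/policyDefinitions"

# One initiative-level parameter that every member definition reads.
$initiativeParameters = @'
{
  "logAnalytics": {
    "type": "String",
    "metadata": {
      "displayName": "Log Analytics workspace",
      "description": "Resource ID of the workspace that receives all resource logs",
      "strongType": "omsWorkspace"
    }
  }
}
'@

# Member definitions. Each policyDefinitionReferenceId is a stable handle used later when a
# single member of the initiative is remediated or reported on.
$members = @(
  @{
    policyDefinitionId          = "$definitionPrefix/deploy-diag-setting-sql-database--workspace"
    policyDefinitionReferenceId = 'sql-database-to-workspace'
    parameters                  = @{ logAnalytics = @{ value = "[parameters('logAnalytics')]" } }
  },
  @{
    policyDefinitionId          = "$definitionPrefix/deploy-diag-keyvault-workspace"
    policyDefinitionReferenceId = 'keyvault-to-workspace'
    parameters                  = @{ logAnalytics = @{ value = "[parameters('logAnalytics')]" } }
  }
)

# Create the initiative. -PolicyDefinition and -Parameter accept JSON strings as well as
# file paths, so the hashtables are serialized inline.
New-AzPolicySetDefinition -Name 'deploy-diag-settings-workspace' `
  -DisplayName 'Diagnostic settings to Log Analytics workspace' `
  -PolicyDefinition (ConvertTo-Json -InputObject $members -Depth 10) `
  -Parameter $initiativeParameters `
  -Metadata '{"category":"Monitoring"}'
```

When a new resource type or destination is needed later, append a member to `$members` and update the initiative with Set-AzPolicySetDefinition; existing assignments of the initiative pick up the new member without being recreated, which is the benefit the article describes.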

[Screenshot: settings for the initiative definition.]

Assignment

Assign the initiative to an Azure management group, subscription, or resource group, depending on the scope of your resources to monitor. A management group is useful for scoping policy, especially if your organization has multiple subscriptions.

[Screenshot: the Basics tab of the Assign initiative page for Diagnostic settings to Log Analytics workspace in the Azure portal.]

By using initiative parameters, you can specify the workspace or any other details once for all of the policy definitions in the initiative.

[Screenshot: initiative parameters on the Parameters tab.]

Remediation

The initiative will apply to each resource as it's created. A remediation task deploys the policy definitions in the initiative to existing resources, so you can create diagnostic settings for any resources that were already created.

When you create the assignment by using the Azure portal, you have the option of creating a remediation task at the same time. See Remediate non-compliant resources with Azure Policy for details on the remediation.
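The assignment and remediation steps described here, and the identical ones in the Azure Monitor agent section above, done from PowerShell rather than the portal, as an added example that is not code from the article. It assumes an initiative named deploy-diag-settings-workspace exists in the current subscription with member reference IDs sql-database-to-workspace and keyvault-to-workspace; the workspace resource ID, location and assignment name are placeholders. The point it adds beyond the portal flow is the role assignment: the portal grants the managed identity the roles listed in roleDefinitionIds automatically, PowerShell does not, and without them remediation tasks fail.

```powershell
# Added example, not from the article. Assumes Az.Resources and Az.PolicyInsights, an active
# Connect-AzAccount session, and an initiative named deploy-diag-settings-workspace in the
# current subscription. Workspace ID and location are placeholders.

$subscriptionId = (Get-AzContext).Subscription.Id
$scope          = "/subscriptions/$subscriptionId"
$workspaceId    = '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>'

# 1. Assign the initiative to the subscription. DeployIfNotExists needs an identity that can
#    perform the deployments, so a system-assigned managed identity is created with it.
$initiative = Get-AzPolicySetDefinition -Name 'deploy-diag-settings-workspace'
$assignment = New-AzPolicyAssignment -Name 'diag-settings-to-workspace' `
  -DisplayName 'Diagnostic settings to Log Analytics workspace' `
  -Scope $scope -PolicySetDefinition $initiative `
  -PolicyParameterObject @{ logAnalytics = $workspaceId } `
  -IdentityType SystemAssigned -Location 'eastus'

# 2. Grant that identity the roles the definitions list under roleDefinitionIds.
#    Older Az.Resources exposes the principal as Identity.PrincipalId, newer versions as
#    IdentityPrincipalId; read whichever property is present.
$principalId = if ($assignment.PSObject.Properties['IdentityPrincipalId']) {
  $assignment.IdentityPrincipalId
} else {
  $assignment.Identity.PrincipalId
}
$roleIds = @(
  '749f88d5-cbae-40b8-bcfc-e573ddc772fa',  # Monitoring Contributor
  '92aaf0da-9dab-42b6-94a3-d43ce8d16293'   # Log Analytics Contributor
)
Start-Sleep -Seconds 30   # let the new identity replicate before roles are assigned to it
foreach ($roleId in $roleIds) {
  New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionId $roleId -Scope $scope
}

# 3. New resources are handled at creation time; resources that already exist need a
#    remediation task, which for an initiative assignment is created per member definition.
$assignmentId = "$scope/providers/Microsoft.Authorization/policyAssignments/diag-settings-to-workspace"
foreach ($referenceId in @('sql-database-to-workspace', 'keyvault-to-workspace')) {
  Start-AzPolicyRemediation -Name "remediate-$referenceId" `
    -PolicyAssignmentId $assignmentId `
    -PolicyDefinitionReferenceId $referenceId
}

# 4. Verification: list what the assignment still reports as noncompliant after the next
#    evaluation cycle. An empty result means every in-scope resource has its setting.
Get-AzPolicyState -PolicyAssignmentName 'diag-settings-to-workspace' `
  -Filter "ComplianceState eq 'NonCompliant'" |
  Select-Object ResourceId, PolicyDefinitionReferenceId, ComplianceState
```

A remediation task acts on the compliance results of the last evaluation, so resources created between that evaluation and the task can be missed; passing `-ResourceDiscoveryMode ReEvaluateCompliance` to Start-AzPolicyRemediation forces a fresh evaluation first. The identity is scoped to the assignment, so deleting the assignment also removes the permission to write diagnostic settings.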

[Screenshot: initiative remediation for a Log Analytics workspace.]

VM insights

VM insights is the primary tool in Azure Monitor for monitoring virtual machines. Enabling VM insights installs both the Log Analytics agent and the Dependency agent. Rather than perform these tasks manually, use Azure Policy to have each virtual machine configured as you create it.

Note

VM insights includes a feature called VM insights Policy Coverage that helps you discover and remediate noncompliant VMs in your environment. You can use this feature instead of working directly with Azure Policy for Azure VMs and for hybrid virtual machines connected with Azure Arc. For Azure virtual machine scale sets, you must create the assignment by using Azure Policy.

VM insights includes the following built-in initiatives that install both agents to enable full monitoring.

  • Enable VM insights: Installs the Log Analytics agent and Dependency agent on Azure VMs and hybrid VMs connected with Azure Arc.
  • Enable Azure Monitor for virtual machine scale sets: Installs the Log Analytics agent and Dependency agent on Azure virtual machine scale sets.

Virtual machines

Instead of creating assignments for these initiatives by using the Azure Policy interface, VM insights includes a feature that allows you to inspect the number of virtual machines in each scope to determine whether the initiative has been applied. You can then configure the workspace and create any required assignments by using that interface.

For details of this process, see Enable VM insights by using Azure Policy.

[Screenshot: a VM insights policy.]

Virtual machine scale sets

To use Azure Policy to enable monitoring for virtual machine scale sets, assign the Enable Azure Monitor for Virtual Machine Scale Sets initiative to an Azure management group, subscription, or resource group, depending on the scope of your resources to monitor. A management group is useful for scoping policy, especially if your organization has multiple subscriptions.

[Screenshot: the Assign initiative page in the Azure portal, with the initiative definition set to Enable Azure Monitor for Virtual Machine Scale Sets.]

Select the workspace that the data will be sent to. This workspace must have the VMInsights solution installed, as described in Configure Log Analytics workspace for VM insights.

[Screenshot: selecting a workspace.]

Create a remediation task if you have existing virtual machine scale sets that need to be assigned this policy.

[Screenshot: creating a remediation task.]

Log Analytics agent

You might have scenarios where you want to install the Log Analytics agent but not the Dependency agent. There is no built-in initiative for just the agent, but you can create your own based on the built-in policy definitions provided by VM insights. The following table lists the policies.

Note

There would be no reason to deploy the Dependency agent on its own, because it requires the Log Analytics agent to deliver its data to Azure Monitor.

  • Audit Log Analytics agent deployment – VM image (OS) unlisted: Report VMs as noncompliant if the VM image (OS) isn't defined in the list and the agent isn't installed.
  • Deploy Log Analytics agent for Linux VMs: Deploy Log Analytics agent for Linux VMs if the VM image (OS) is defined in the list and the agent isn't installed.
  • Deploy Log Analytics agent for Windows VMs: Deploy Log Analytics agent for Windows VMs if the VM image (OS) is defined in the list and the agent isn't installed.
  • [Preview]: Log Analytics agent should be installed on your Linux Azure Arc machines: Report hybrid Azure Arc machines as noncompliant for Linux VMs if the VM image (OS) is defined in the list and the agent isn't installed.
  • [Preview]: Log Analytics agent should be installed on your Windows Azure Arc machines: Report hybrid Azure Arc machines as noncompliant for Windows VMs if the VM image (OS) is defined in the list and the agent isn't installed.
  • [Preview]: Deploy Log Analytics agent to Linux Azure Arc machines: Deploy Log Analytics agent for Linux hybrid Azure Arc machines if the VM image (OS) is defined in the list and the agent isn't installed.
  • [Preview]: Deploy Log Analytics agent to Windows Azure Arc machines: Deploy Log Analytics agent for Windows hybrid Azure Arc machines if the VM image (OS) is defined in the list and the agent isn't installed.
  • Audit Dependency agent deployment in virtual machine scale sets – VM image (OS) unlisted: Report virtual machine scale set as noncompliant if the VM image (OS) isn't defined in the list and the agent isn't installed.
  • Audit Log Analytics agent deployment in virtual machine scale sets – VM image (OS) unlisted: Report virtual machine scale set as noncompliant if the VM image (OS) isn't defined in the list and the agent isn't installed.
  • Deploy Log Analytics agent for Linux virtual machine scale sets: Deploy Log Analytics agent for Linux virtual machine scale sets if the VM image (OS) is defined in the list and the agent isn't installed.
  • Deploy Log Analytics agent for Windows virtual machine scale sets: Deploy Log Analytics agent for Windows virtual machine scale sets if the VM image (OS) is defined in the list and the agent isn't installed.

Next steps