In addition to monitoring your Azure workloads using OneAgent, Dynatrace provides integration with Azure Monitor which adds infrastructure monitoring to gain insight even into serverless application scenarios.
The integration uses Azure Monitor metrics for service insights, as well as Azure Resource Manager (ARM) to gather metadata.
- Automatic discovery of subscriptions and resources with full access control through Azure Active Directory from a single resource up to the account level
- Support for Azure Lighthouse, which provides cross-account access using a single service principal
- Insight into additional Azure metadata (for example, API endpoints used for service dependencies or virtual machine resource tags)
- Insight into service metrics using the Azure Monitor metrics API
- Selective monitoring of Azure services using tags
- Automatic handling of API request throttling to support monitoring for large-scale environments
- Azure overview page for easy out-of-the-box insight into a variety of Azure services with no additional effort
- Consumption of Azure Alerts, which are automatically transformed into events that are leveraged by Davis Assistant for precise root-cause analysis
Azure Monitor integration is available for the public cloud, not for sovereign clouds (such as Azure Government) or Azure Stack.
- Sufficient permissions to register an application with your Azure AD tenant, and assign the application to a role in your Azure Subscription.
- An Azure service principal to access Azure APIs.
- ActiveGate version 1.161+ (GA).
- See the Dynatrace release notes for the latest enhancements and capabilities. We recommend that you keep your versions up to date.
Create an Azure service principal
To create a service principal, you must register your application in the Azure Active Directory.
Note: Dynatrace integration for Azure supports Azure Lighthouse, which allows Dynatrace to have multi-tenant access to Azure.
The instructions below refer to a common single-tenant access approach.
- Go to the Azure Management Portal and select Azure Active Directory.
- Select App registrations in the navigation pane of the selected Active Directory.
- Select New application registration at the top of the App registrations blade, and type the name of your application.
- Select Register.
- Copy the Application (client) ID, and save it for future retrieval. This ID is required to configure Dynatrace to connect to your Azure account.
- Select Certificates & secrets > New client secret to create a new security key.
- Type a key description and select a key duration in the Expires list.
- Select Add to save the new key, which displays the key value in the Value field. Copy the value and save it for future retrieval (along with your Client ID).
Important: This is your only chance to copy this value. You can't retrieve the key value after you leave the Key blade.
Example of a command to create a new service principal:
az ad sp create-for-rbac --name YourServicePrincipalName --role reader --scopes /subscriptions/YourSubscriptionID1 /subscriptions/YourSubscriptionID2
Note: To list all subscriptions, run the following command:
az account list -o tsv --query "[].id"
As of Azure CLI 2.0.68, a strong random password is automatically created. The password key is returned in the output. Make sure you save this value. If you forget the password, you have to reset the service principal credentials.
For more details, see Create an Azure service principal with Azure CLI.
For the PowerShell alternative, see Create an Azure service principal with Azure PowerShell.
Grant access permissions for your service principal
You need at least reader permissions for Dynatrace to monitor your services.
Grant access to an Azure subscription
- On Azure Portal, select All services > General > Subscriptions.
- In the Subscriptions blade, enter your subscription.
- Select Access control (IAM) in the subscription navigation pane.
- Select Add and enter the Reader role.
- In the Select field, paste the description name or application (client) ID obtained when creating the Azure service principal.
- Select the application and Save to grant the service principal access to your subscription.
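One way to confirm that the service principal ended up with Reader and nothing more, as an added example that is not part of the Dynatrace documentation: it audits the JSON printed by `az role assignment list --assignee <client-id> --all -o json`. The function name, the sample data and the subscription IDs are constructed for illustration.

```python
import json

# Constructed sample, shaped like the JSON printed by
# `az role assignment list --assignee <client-id> --all -o json`.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalType": "ServicePrincipal", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalType": "ServicePrincipal", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000002"},
    {"principalType": "ServicePrincipal", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-app"},
])


def audit_service_principal(raw_json, expected_subscriptions, allowed_roles=("Reader",)):
    """Report roles beyond Reader and monitored subscriptions that lack Reader.

    Assumption: only assignments made directly at subscription scope count as
    coverage; assignments inherited from a management group are not evaluated.
    """
    excess, covered = [], set()
    for item in json.loads(raw_json):
        role = item.get("roleDefinitionName", "")
        scope = item.get("scope", "")
        parts = scope.strip("/").split("/")
        if role not in allowed_roles:
            # Anything above Reader is more than the integration needs.
            excess.append((role, scope))
        elif len(parts) == 2 and parts[0].lower() == "subscriptions":
            covered.add(parts[1].lower())
    missing = sorted(s.lower() for s in expected_subscriptions
                     if s.lower() not in covered)
    return {"excess": excess, "missing_reader": missing}


if __name__ == "__main__":
    report = audit_service_principal(
        SAMPLE_ASSIGNMENTS,
        ["00000000-0000-0000-0000-000000000001",
         "00000000-0000-0000-0000-000000000003"],
    )
    print(json.dumps(report, indent=2))
```
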
Configure Dynatrace to connect to your Azure environment
To connect Dynatrace to your Azure environment, you have to provide an Azure service principal, which Dynatrace uses to access Azure APIs to capture telemetry and metadata.
In the desired Dynatrace environment, click Settings > Cloud and virtualization > Azure.
Type a descriptive name for the connection.
Tenant ID obtained when creating the Azure service principal.
Secret Key obtained when creating the Azure service principal.
Optional: If there are services for which you want to capture service metrics from the Azure Monitor metrics API, you need to define a tag-based filter for those specific services.
Optional: Turn off automatic tag import. If turned on, resource tags are imported (resource group tags aren't imported).
Select Connect to add the connection information to the list of Azure connections. You can edit connection information at any time.
Note: The integration accesses the following Azure API endpoints, so they need to be available from your environment:
After you have configured Dynatrace to connect to your Azure environment, Dynatrace immediately starts investigating the subscriptions and deployed services accessible for the service principal and starts monitoring them.
Set up monitoring notifications with Azure Alerts
After setting up Azure Monitor integration, you can start setting up monitoring notifications with Azure Alerts.
Azure Alerts is a unified notification hub for all types of important conditions found in Azure monitoring data. The integration of Azure Alerts enables you to consume alerts, which are automatically transformed into events that are leveraged by Davis AI for deeper insights.
To set up monitoring notifications with Azure Alerts
- Generate an API token with access scope Data ingest, e.g.: metrics and events.
To generate an API token
- Go to Settings > Integration > Dynatrace API, and select Generate token.
- Enter a name for your token.
- Enable the Data ingest, e.g.: metrics and events permission.
- Select Generate.
Note: You can assign multiple permissions to a single token, or you can generate several tokens, each with different access levels, and use them accordingly. Check your organization's security policies for best practices.
- Configure one or more designated ActiveGates.
Note: The ActiveGate designated to consume Azure Alerts doesn't have to be the same ActiveGate that runs the Azure Monitor integration.
Configure a valid TLS certificate (no self-signed certificate) for the ActiveGate to communicate via HTTPS. For details, see how to configure custom SSL certificate for an ActiveGate.
Add the following lines to your ActiveGate custom.properties file and restart the ActiveGate after applying the configuration.
[azure_monitoring]
event_servlet = true
- Allow the Azure Alerts source IP addresses to access the ActiveGate.
For more details, see source IP address ranges in Azure documentation.
- Set up Azure Alert Rules.
Azure Alerts are consumed via webhooks that are configured in your Azure Alert Rules. The alerts are mapped to the closest known matching entity. This means that they either map to their related Azure resource entity or, as a fallback, to the Azure subscription of the resource.
To define action rules, use the settings below.
Enable the common alert schema
For more information, see Webhook rules in Azure documentation.
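The entity mapping described above (related resource first, subscription as fallback), sketched as an added example; this is not Dynatrace's implementation. The payload is constructed using field names from the Azure Monitor common alert schema, and `known_resource_ids` is a hypothetical stand-in for the set of resources already being monitored.

```python
import re

SUB_RE = re.compile(r"^/subscriptions/([^/]+)", re.IGNORECASE)
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"

# Constructed payload; field names follow the common alert schema.
SAMPLE_ALERT = {
    "schemaId": "azureMonitorCommonAlertSchema",
    "data": {"essentials": {
        "alertRule": "cpu-high (constructed)",
        "severity": "Sev2",
        "signalType": "Metric",
        "monitorCondition": "Fired",
        "alertTargetIDs": [
            SUB + "/resourcegroups/rg-app/providers/microsoft.compute/virtualmachines/vm-web-1",
            SUB + "/resourcegroups/rg-app/providers/microsoft.cache/redis/cache-1",
        ],
    }},
}


def resolve_alert(payload, known_resource_ids):
    """Map each alert target to a known resource or to its subscription."""
    if payload.get("schemaId") != "azureMonitorCommonAlertSchema":
        # Without the common alert schema the payload layout differs per alert type.
        raise ValueError("common alert schema is not enabled for this webhook")
    essentials = payload["data"]["essentials"]
    known = {r.lower() for r in known_resource_ids}  # ARM IDs are case-insensitive
    entities = []
    for target in essentials.get("alertTargetIDs", []):
        match = SUB_RE.match(target)
        if target.lower() in known:
            entities.append(("resource", target.lower()))
        elif match:
            entities.append(("subscription", "/subscriptions/" + match.group(1).lower()))
        else:
            entities.append(("unmapped", target))
    return {"severity": essentials.get("severity"),
            "condition": essentials.get("monitorCondition"),
            "entities": entities}


if __name__ == "__main__":
    vm = SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web-1"
    print(resolve_alert(SAMPLE_ALERT, [vm]))
```
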
The following alert types are supported.
Metric alerts are complementary to Dynatrace integration of Azure Monitor metrics.
Metric alerts enable you to retrieve metric-based events without the need to push the metrics to Dynatrace. This is helpful in reducing API and network pressure, especially in cases where you might not need the metric (for example, for charting purposes).
The event type is defined based on alert Severity:
- Sev-0 (Critical):
- Sev-1 (Error):
- Sev-2 (Warning):
- Default (Informational):
Dynatrace supports three types of activity notifications.
Activity Log Resource Health
The event type is defined based on severity Level:
See Configure resource health alerts using Azure portal in Azure documentation for more information.
Activity Log Service Health
The event type is defined based on IncidentType:
- Incident or Security + Error:
See Create activity log alerts on service notifications using the Azure portal in Azure documentation for more information.
Activity Log Administrative
- Default: CUSTOM_ANNOTATION
Estimate Azure consumption for metric queries from Azure Monitor
The table below shows the number of metrics captured for your Azure Services supported through the integration of Dynatrace with Azure Monitor.
|Azure service|Monitoring entity|Additional dimensions|Number of metrics|
|---|---|---|---|
|Load balancer²|Load balancer; Load balanced Virtual Machine| | |
|Application Gateway|Application Gateway; Application Gateway - Backend Pool; Application Gateway - HTTP Status Group| | |
|Cosmos DB|Cosmos DB|Azure region, Database name, Collection name|11|
|Redis Cache|Redis Cache| |13|
|Azure SQL|Azure SQL Database; Azure SQL ElasticPool| | |
|Azure Storage account|Azure Storage account; Azure Storage account|Type (blob, table, etc.), Tier| |
|Virtual Machine|Virtual Machine| |7|
|Virtual Machine Scale Sets|Virtual Machine Scale Sets| |7|
|Azure AppServices|Azure AppService|AppService Plan instances|14|
|Azure Functions|Azure Functions|AppService Plan instances¹|12|

¹ Functions based on consumption plan measure as one instance.
² Only standard tier exposes load balancer metrics via Azure Monitor metrics API.
The query interval is 5 minutes with a resolution of 1 minute. Azure Resource Manager might throttle API requests, which will increase the interval to 10 or 15 minutes. For more details on request limits, see Throttling Resource Manager requests.