The following instructions are used to connect Dynatrace to your Azure environment to enable cloud infrastructure monitoring.
Before you begin
The following are required to connect to your Azure environment:
- Sufficient permissions to register an application with your Azure AD tenant, and assign the application to a role in your Azure Subscription. Make sure you have the right permissions to perform these steps.
- An Azure Service Principal to access Azure APIs.
- Minimum Environment ActiveGate version 1.161 (GA)
- To get the latest enhancements and capabilities, see the Dynatrace release notes. It's recommended that you keep your versions up-to-date.
Create an Azure Service Principal
To create a Service Principal, you must register your application in the Azure Active Directory.
Dynatrace integration for Azure supports Azure Lighthouse, which allows Dynatrace to have multi-tenant access to Azure.
Following instructions explain the more common single-tenant access approach.
Go to the Azure Management Portal and click Azure Active Directory.
Click App registrations in the navigation pane of the selected Active Directory.
Click New application registration at the top of the App registrations blade, then type the name of your application.
Click Register. When the application is created, copy the Application (client) ID and Directory (tenant) ID, and place it where you can easily retrieve it. This ID is required to configure Dynatrace to connect to your Azure account.
Click Certificates & secrets, then click New client secret to create a new security key.
Type a Key description, then select a key duration in the Expires list.
Click Add to save the new key which displays the key value in the Value field. Highlight the value and copy it, and place it where you can easily retrieve it (along with your Client ID).
Important: This is your only chance to copy this value. You can't retrieve the key value after you leave the Key blade.
Create a new service principal using the following command:
az ad sp create-for-rbac --name YourServicePrincipalName
As of Azure CLI 2.0.68, a strong random password is automatically created. The password key is returned in the output. Make sure you copy this value; it can't be retrieved. If you forget the password, you have to reset the service principal credential.
For more details see Microsoft Documentation: Create an Azure service principal with Azure CLI
Alternatively you can also create your Service Principal using Powershell
Grant access permissions for your Service Principal
With the Azure Active Directory RBAC, you have full control on which scope Dynatrace can access your environment.
- Resource Groups
At a minimum, "reader" permissions are required for Dynatrace to monitor your services.
Grant access to an Azure Subscription
As an example, you can see how to grant permission for a single subscription.
Click All services > General > Subscriptions.
In the Subscriptions blade, select the subscription you're using.
Click Access control (IAM) in the subscription navigation pane.
Click Add, then select Reader as the role.
In the Select field, paste the description name or application (client) ID you created in Create an Azure Service Principal.
Select the application and click Save to grant the Service Principal access to your subscription.
Configure Dynatrace to connect to your Azure environment
To connect Dynatrace to your Azure environment, you have to provide an Azure Service Principal, which Dynatrace uses to access Azure APIs to capture telemetry and metadata.
In the desired Dynatrace environment, click Settings > Cloud and virtualization > Azure.
Type a descriptive name for the connection.
Enter the Client ID and Tenant ID you obtained when creating the Create an Azure Service Principal.
Enter the Secret Key, which is the key value obtained when creating the Create an Azure Service Principal.
Optionally define a tag-based filter for the services you want to capture service metrics from the Azure Monitor metrics API. The filter applies to resource- as well as resourcegroup-tags.
Optionally turn off automatic tag import. If turned on, resource tags are imported (resource group tags aren't imported).
Click Connect to add the connection information to the list of Azure connections. You can edit connection information at any time.
My Azure environment is successfully connected, what's next?
Once you have configured Dynatrace to connect to your Azure environment, Dynatrace immediately starts investigating the subscriptions and deployed services accessible for the service principal and starts monitoring them.
Estimate Azure consumption for metric queries from Azure Monitor
The table below shows the number of metrics captured for your Azure Services supported through the integration of Dynatrace with Azure Monitor.
|Azure service||Monitoring entity||Additional dimensions||Number of metrics|
|Load balancer1||Load balancer
Load balanced Virtual Machine
|Application Gateway||Application Gateway
Application Gateway - Backend Pool
Application Gateway - HTTP Status Group
|Cosmos DB||Cosmos DB||Azure region, Database name, Collection name||11|
|Redis Cache||Redis Cache||13|
|Azure SQL||Azure SQL Database
Azure SQL ElasticPool
|Azure Storage account||Azure Storage account
Azure Storage account
|Type (blob, table, etc.), Tier
|Virtual Machine||Virtual Machine||7|
|Virtual Machine Scale Sets||Virtual Machine Scale Sets||7|
|Azure AppServices||Azure AppService||AppService Plan instances||14|
|Azure Functions||Azure Functions||AppService Plan instances1||12|
1Functions based on Consumption Plan measure as 1 instance. 2Only Standard tier exposes Load balancer metrics via Azure Monitor metrics API.
Query interval is 5 minutes with a resolution of 1 minute. Azure Resource Manager may throttle API requests which will increase the interval to 10 or 15 minutes. For more details on request limits see Throttling Resource Manager requests
For more details on how Azure Monitor metric queries are metered and priced see Azure Pricing.
The integration accesses the following Azure API endpoints:
- Azure Monitor integration is only available for the public cloud, not the sovereign clouds (such as Azure Government) or Azure Stack.