A few weeks ago I was configuring Azure Monitor for an environment full of Azure Virtual Desktop machines built from a custom image. To make sure all resources were aware of each other and the required configurations were met, I used Azure Policy. It took me a while to get everything up and running as expected, so I'll show you how to do it!
Things we will be covering in this blogpost:
- Log Analytics Workspace
- Data Collection Rules
- Managed identity
- Azure Policy
- Azure Monitor
Log Analytics Workspace
A Log Analytics Workspace is a dedicated environment within Azure Monitor where log and telemetry data from various sources (Azure resources, on-premises machines, or other cloud environments) is collected, stored, and queried. Therefore, a Log Analytics Workspace is required. All monitoring data (VM Insights and Event Logs) will be stored in this Log Analytics Workspace. It can either be created manually via the Azure Portal or by deploying the following ARM template.
Create the Log Analytics Workspace:
Verify the deployment and creation of your Log Analytics Workspace.
Data Collection Rules
A Data Collection Rule (DCR) in Azure is a configuration that defines how data is collected from Azure resources and sent to a data destination, typically Azure Monitor or Log Analytics. And this is exactly where I lost a lot of time. Combining VM Insights (performance metrics) and Event Logs in a single Data Collection Rule somehow leads to unexpected behavior, so it is important to give each its own Data Collection Rule. The Data Collection Rules can be found as an ARM template here: AzureMonitor/Data Collection Rules at main · j0eyv/AzureMonitor (github.com).
- Go to https://portal.azure.com -> Deploy a custom template
- Click on Build your own template in the editor -> Load file
- Select the template.json file which you have downloaded from my GitHub
- Select a Resource group and region
- Pick a desired name. For example dcr-performance or dcr-eventlogs
- Fill in the Log Analytics Workspace Resource ID. This can be found by opening the LAW -> JSON View -> Resource ID (see picture below)
Repeat this process twice: once for the Event Log DCR and a second time for the Performance DCR (VM Insights).
Note: this Resource ID is not required at this stage, as it will be configured later via Azure Policy.
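To make the split concrete, here is an added ARM template that deploys the two rules side by side: one carrying only the VM Insights performance stream and one carrying only Windows event logs. This is my illustration, not the template from the author's repository (which is deployed once per DCR); the workspace resource ID is a parameter, and the event-log XPath filters and the counter set are assumptions to adjust to your own logging requirements.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceResourceId": { "type": "string" },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/dataCollectionRules",
      "apiVersion": "2022-06-01",
      "name": "dcr-performance",
      "location": "[parameters('location')]",
      "properties": {
        "dataSources": {
          "performanceCounters": [
            {
              "name": "VMInsightsPerfCounters",
              "streams": [ "Microsoft-InsightsMetrics" ],
              "samplingFrequencyInSeconds": 60,
              "counterSpecifiers": [ "\\VmInsights\\DetailedMetrics" ]
            }
          ]
        },
        "destinations": {
          "logAnalytics": [
            { "name": "law", "workspaceResourceId": "[parameters('workspaceResourceId')]" }
          ]
        },
        "dataFlows": [
          { "streams": [ "Microsoft-InsightsMetrics" ], "destinations": [ "law" ] }
        ]
      }
    },
    {
      "type": "Microsoft.Insights/dataCollectionRules",
      "apiVersion": "2022-06-01",
      "name": "dcr-eventlogs",
      "location": "[parameters('location')]",
      "properties": {
        "dataSources": {
          "windowsEventLogs": [
            {
              "name": "WindowsEventLogs",
              "streams": [ "Microsoft-Event" ],
              "xPathQueries": [
                "Application!*[System[(Level=1 or Level=2 or Level=3)]]",
                "System!*[System[(Level=1 or Level=2 or Level=3)]]",
                "Security!*[System[(band(Keywords,4503599627370496))]]"
              ]
            }
          ]
        },
        "destinations": {
          "logAnalytics": [
            { "name": "law", "workspaceResourceId": "[parameters('workspaceResourceId')]" }
          ]
        },
        "dataFlows": [
          { "streams": [ "Microsoft-Event" ], "destinations": [ "law" ] }
        ]
      }
    }
  ]
}
```

Each rule has exactly one data source type and one data flow, which is the arrangement that worked reliably for the author. The Security log filter above keeps only audit-failure events (keyword 4503599627370496); widen it deliberately, because every additional stream raises workspace ingestion cost.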
Managed Identity
A Managed Identity is a feature that allows Azure services to securely authenticate to other Azure resources without the need for managing credentials (like passwords or secrets). Create a user-assigned managed identity by deploying the ARM template available here: AzureMonitor/Managed Identity at main · j0eyv/AzureMonitor (github.com)
- Go to https://portal.azure.com -> Deploy a custom template
- Click on Build your own template in the editor -> Load file
- Select the template.json file which you have downloaded from my GitHub
- Select a Resource group and region
- Pick a desired name. For example id-monitor
Verify the creation of the Managed Identity.
Azure Policy
Now comes the fun part! Azure Policy allows you to enforce governance standards and ensure compliance across your Azure resources by defining and applying rules or conditions.
We now need to create a few custom policies via Azure Policy. Within Azure Policy there are many policies predefined for generic usage. For our use case we have to modify a few of these predefined policies (definitions). We start by making a copy of the built-in policies.
- Go to https://portal.azure.com -> Policy
- Go to Authoring -> Definitions
- Find the required policies -> Right mouse -> Duplicate definition
- Select the Definition location which is your desired subscription
- Give the policy a unique name. I recommend using the default name with a prefix, for example
- Click Save
Complete these steps for the following policies:
- Assign Built-In User-Assigned Managed Identity to Virtual Machines
- Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication
- Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint
Note: The last policy (DCR/DCE) must be duplicated twice because we have 2 separate Data Collection Rules. I recommend adding Eventlogs and Performance to the names.
Once completed it should look like this:
Policy modifications
We can now start modifying the built-in policies so they fit our infrastructure. By default the built-in policies will not work if we're using a custom image. Therefore we need to modify these policies. I'll describe a few methods for you. Once completed we will deploy these policies; in Azure Policy this is called Assignments. Let's do them one by one:
Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint (performance)
There are many ways to include the virtual machines in this policy. The easiest method is to replace everything in the policy definition with my example, which can be found here: AzureMonitor/Azure Policy/azpolicy-dzr-performance.json at main · j0eyv/AzureMonitor (github.com), and simply modify line 8 so that it includes your virtual machines. Replace shavd with your virtual machine name prefix.
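As an added illustration (not the author's azpolicy-dzr-performance.json), this is the shape of the modified if block. The built-in definition selects machines by marketplace image publisher, offer and SKU, which a custom image never satisfies; the rewritten condition instead selects Windows VMs by name prefix, with shavd standing in for your own prefix. The then block is the unchanged deployIfNotExists block from the duplicated built-in definition and is only marked by a placeholder here.

```json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      {
        "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
        "equals": "Windows"
      },
      {
        "field": "name",
        "like": "shavd*"
      }
    ]
  },
  "then": {
    "effect": "[parameters('effect')]",
    "details": "<unchanged deployIfNotExists details from the duplicated built-in definition>"
  }
}
```

Matching on the OS disk type rather than on image metadata keeps the policy Windows-only while staying independent of where the image came from. Be aware that a name-prefix scope silently skips any VM that does not follow the naming convention, so a machine outside the pattern will run without the agent and without showing up as non-compliant; a periodic check of which VMs have no DCR association closes that gap.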
Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint (eventlogs)
Do the same as you did above or simply duplicate this definition. Change the name to “Configure Windows Machines to be associated with a Data Collection Rule (Eventlogs)”.
Although the definition is exactly the same, I’ll have the example here: AzureMonitor/Azure Policy/azpolicy-dzr-eventlogs.json at main · j0eyv/AzureMonitor (github.com)
Assign Built-In User-Assigned Managed Identity to Virtual Machines
This policy does not need any modifications. It works by default and applies to all machines within the assignment scope. The policy is still created and available for reference here: AzureMonitor/Azure Policy/azpolicy-uami-vm.json at main · j0eyv/AzureMonitor (github.com)
Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication
This policy does not need any modifications. It works by default and applies to all machines within the assignment scope. The policy is still created and available for reference here: AzureMonitor/Azure Policy/azpolicy-uami-ama.json at main · j0eyv/AzureMonitor (github.com)
Policy Assignments
Finally we need to deploy the policy. This is called Policy Assignments. Follow the instructions below carefully.
Configure Windows Machines to be associated with a Data Collection Rule (Performance)
Basics: Leave everything default.
Parameters: Fill in the resource ID of the Data Collection Rule. This can be found by opening the Data Collection Rule and clicking on JSON View.
Remediation: Enable “Create a remediation task” and select “User assigned managed identity”. This should be the one created before.
Click Next -> Next -> Create.
Configure Windows Machines to be associated with a Data Collection Rule (Eventlogs)
Basics: Leave everything default.
Parameters: Fill in the resource ID of the Data Collection Rule. This can be found by opening the Data Collection Rule and clicking on JSON View.
Remediation: Enable “Create a remediation task” and select “User assigned managed identity”. This should be the one created before.
Click Next -> Next -> Create.
Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication
Basics: Leave everything default.
Parameters: Deselect the checkbox to see all parameters. Configure them as shown below. The resource ID from the managed identity can also be found by clicking the JSON View button.
Remediation: Enable “Create a remediation task” and select “User assigned managed identity”. This should be the one created before.
Click Next -> Next -> Create.
Assign Built-In User-Assigned Managed Identity to Virtual Machines
Basics: Leave everything default.
Parameters: Deselect the checkbox to see all parameters. Configure them as shown below. The resource ID from the managed identity can also be found by clicking the JSON View button.
Remediation: Enable “Create a remediation task” and select “User assigned managed identity”. This should be the one created before.
Click Next -> Next -> Create.
Monitor policy deployments
As soon as all (4) policies have been deployed by creating the assignments, it's time to wait. The policies will show as non-compliant or not started at the beginning. This can take some time, as Azure Policy does not execute immediately.
We can speed up the process a little by running the Azure CLI command az policy state trigger-scan.
Under Remediation the current policy deployment status can be monitored.
Once all policies have been deployed your Overview would look like this:
Azure Monitor
As soon as everything is deployed and configured we can see that VM Insights is enabled for our Virtual Machines. Verify it yourself via Azure Monitor -> Insights -> Virtual Machines -> Overview. Once enabled we should be able to monitor our Virtual Machines.