AZ-104 Learning Portal
Objective 5.1 · 40 min · High priority
Tags: azure-monitor, metrics, logs, diagnostic-settings, log-analytics, kql, alerts, action-groups, alert-processing-rules, vm-insights, network-watcher

5.1 — Monitor Resources in Azure

Use Azure Monitor to interpret metrics, configure diagnostic settings, query logs with KQL, set up alert rules and action groups, and monitor VMs and networks using Insights and Network Watcher.

Prerequisites: 4.1
Concept — What & Why

Azure Monitor: The Unified Monitoring Platform

Azure Monitor is the central monitoring service in Azure that collects, analyzes, and acts on telemetry from cloud and on-premises environments. It gathers two fundamental data types: metrics and logs.

Platform metrics are numerical values automatically collected from Azure resources at regular intervals — no configuration is required. Stored in a time-series database and available for 93 days by default.

Logs (resource logs or diagnostic logs) contain structured or semi-structured records about operations. Unlike metrics, logs are not collected automatically — you must create a diagnostic setting to route them to a destination.

Feature                  | Metrics                               | Logs
-------------------------|---------------------------------------|------------------------------------------
Collected automatically? | Yes (platform metrics)                | No — requires a diagnostic setting
Storage                  | Azure Monitor metrics store (93 days) | Log Analytics workspace
Query language           | Metrics Explorer (visual)             | KQL
Use case                 | Real-time dashboards, alerts          | Deep analysis, auditing, troubleshooting
Retention                | 93 days default                       | Configurable (30–730 days, default 30)

Diagnostic Settings

A diagnostic setting is a configuration that routes a resource's logs and metrics to one or more destinations: a Log Analytics workspace, an Event Hub (for streaming), or a Storage Account (for archiving). A resource can have up to five diagnostic settings.

You must create a separate diagnostic setting for each resource you want to log — there is no global "turn on all logs" switch. The Activity Log also requires a diagnostic setting to be sent to Log Analytics.

Log Analytics and KQL Basics

KQL (Kusto Query Language) is the query language used to analyze data in a Log Analytics workspace. Key operators: where (filter rows), project (select columns), summarize (aggregate), ago() (relative time), and search (cross-table keyword search).

Example — find errors in the last hour:

Event
| where TimeGenerated > ago(1h)
| where EventLevelName == "Error"
| project TimeGenerated, Computer, EventLog, EventID, RenderedDescription
| summarize count() by Computer
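The page's query above counts errors per computer once; the version below is an added example (not from the original page) that buckets the same Event errors into 15-minute bins and ranks the noisiest VMs, which is the shape you would pin to a workbook or use as a log-alert signal. It assumes the Event table is populated by the Azure Monitor Agent's Windows event collection.

```kql
// Added example, not code from the original page.
// Windows Event errors over the last 24 hours, bucketed into 15-minute bins per computer.
// Assumes the Event table is fed by the Azure Monitor Agent (AMA) data collection rule.
Event
| where TimeGenerated > ago(24h)            // relative time window, same operator as the page's query
| where EventLevelName == "Error"           // filter rows before aggregating: cheaper and clearer
| summarize ErrorCount = count(),           // how many errors in this bin
            DistinctEventIds = dcount(EventID),
            SampleMessage = take_any(RenderedDescription)
    by Computer, bin(TimeGenerated, 15m)    // bin() turns raw timestamps into a time series
| order by ErrorCount desc                  // noisiest computer/bin first
| take 20                                   // keep the result set small enough to eyeball
```

Remove the `take 20` and render the result as a time chart to see whether a burst of errors is confined to one VM or is fleet-wide.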

Alert Rules, Action Groups, and Alert Processing Rules

An alert rule has three components:

  1. Signal — what is being monitored (metric value, log query result, or activity log event)
  2. Condition — the threshold or criteria that triggers the alert
  3. Action group — what happens when the alert fires

An action group defines the notifications and automated actions taken when an alert fires. It contains Notifications (Email, SMS, push, Voice) and Actions (Runbook, Function, Logic App, Webhook, Event Hub, ITSM).

An alert processing rule applies logic to already-fired alerts — for example, suppressing notifications during a maintenance window or adding an extra action group. It does NOT generate new alerts.
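To make the three alert components concrete, here is an added example (not from the original page) of the Signal for a log search alert rule: the query finds VMs that were sending Heartbeat records but have gone silent, which is how you catch a stopped VM or a stopped/tampered monitoring agent. The Condition would be "number of results greater than 0" evaluated every 5 minutes, and the Action group would notify the on-call address; the 10-minute silence threshold and 24-hour lookback are assumptions you tune to your fleet.

```kql
// Added example, not code from the original page.
// Log search alert signal: VMs whose last Heartbeat is older than 10 minutes.
// Assumptions: VMs run the Azure Monitor Agent, so they emit a Heartbeat row roughly every minute;
// 24h lookback bounds the scan, 10m is the silence threshold chosen for this example.
Heartbeat
| where TimeGenerated > ago(24h)
| summarize LastHeartbeat = max(TimeGenerated) by Computer, _ResourceId   // one row per VM
| where LastHeartbeat < ago(10m)                                          // silent for > 10 minutes
| extend MinutesSilent = datetime_diff('minute', now(), LastHeartbeat)    // easy to read in the email
| project Computer, _ResourceId, LastHeartbeat, MinutesSilent
| order by MinutesSilent desc
```

If you patch these VMs on a schedule, attach an alert processing rule scoped to the resource group that suppresses notifications for the maintenance window rather than disabling the alert rule itself.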

Azure Monitor Insights

Insight          | What it monitors            | Key views
-----------------|-----------------------------|-----------------------------------------------------------------------------------
VM Insights      | Azure VMs and VM scale sets | Performance tab (CPU, memory, disk, network), Map tab (requires Dependency Agent)
Storage Insights | Azure Storage accounts      | Availability, performance, capacity, failures
Network Insights | All Azure network resources | Topology view, health/metrics, connectivity

VM Insights requires the Azure Monitor Agent (AMA) and, for the Map feature, the Dependency Agent extension.

Azure Network Watcher

Tool               | Purpose
-------------------|-------------------------------------------------------------------------------
IP Flow Verify     | Tests if traffic is allowed/denied at a VM; identifies which NSG rule matched
Next Hop           | Shows the routing path for traffic from a VM
Connection Monitor | Ongoing connectivity and latency test between endpoints
Packet Capture     | Captures network packets from a VM (requires Network Watcher Agent extension)
NSG Diagnostics    | Tests NSG rules at VM, VMSS, or Application Gateway level
VPN Troubleshoot   | Diagnoses VPN Gateway and connection issues

Deep Dive — How It Works

Metrics vs. Logs — The Most Tested Distinction

Must Memorize

Platform metrics are collected automatically for all Azure resources at no cost. Only resource logs require a diagnostic setting. The default retention is 93 days for metrics and 30 days for Log Analytics workspace logs.

Diagnostic Setting Delay

Exam Trap

"You can view resource logs immediately in Log Analytics after enabling a diagnostic setting." → There is a delay of up to 15 minutes before logs appear in Log Analytics after a diagnostic setting is created.

Alert Processing Rules vs. Alert Rules

Must Memorize

  • Alert rule: Defines the condition and generates alerts
  • Action group: Defines what happens when an alert fires (notifications + actions)
  • Alert processing rule: Acts on alerts that have already fired — suppresses or adds actions. Does NOT generate new alerts.

IP Flow Verify vs. Next Hop

Exam Trap

"IP Flow Verify tests routing issues." → IP Flow Verify tests NSG filtering (allowed/denied). For routing issues (wrong next hop, black holes), use Next Hop instead. These are different tools for different problems.

VM Insights Agent Requirements

Exam Trap

"VM Insights works out of the box with no agent required." → VM Insights requires the Azure Monitor Agent (AMA) for performance data and the Dependency Agent for the Map (dependency) view. Neither is installed by default on a VM.

Log Analytics Retention

Exam Trap

"Log Analytics retains data for 93 days by default." → The default retention for a Log Analytics workspace is 30 days (7 days on the free tier). 93 days is the retention period for metrics in the Azure Monitor metrics store — not for logs.

Hands-On Lab

Configure a Diagnostic Setting

  1. In the Azure portal, navigate to the resource you want to monitor (e.g., a Virtual Machine).
  2. In the left menu under Monitoring, select Diagnostic settings.
  3. Select Add diagnostic setting.
  4. Enter a Diagnostic setting name.
  5. Under Logs, check the log categories you want to collect (or use the allLogs category group).
  6. Under Destination details, check Send to Log Analytics workspace, then select your workspace.
  7. Select Save.

Create an Alert Rule with an Action Group

  1. In the Azure portal, search for and open Azure Monitor.
  2. Under Alerts, select + Create > Alert rule.
  3. On the Scope tab, click + Select scope and pick your resource.
  4. On the Condition tab, select a signal (e.g., Percentage CPU), set the threshold and evaluation frequency.
  5. On the Actions tab, select + Create action group.
  6. On the action group blade, fill in the Basics (name, resource group).
  7. On the Notifications tab, add an email address (Type: Email/SMS/Push/Voice).
  8. On the Actions tab, optionally add a runbook or Logic App.
  9. Select Review + create for the action group, then complete the alert rule on the Details tab.

Run a KQL Query in Log Analytics

  1. In the Azure portal, navigate to your Log Analytics workspace.
  2. In the left menu, select Logs (under General).
  3. Close the Queries hub if it appears.
  4. In the query editor, type your KQL query (e.g., Heartbeat | summarize count() by Computer).
  5. Set the time range at the top (e.g., Last 24 hours).
  6. Select Run.

Use Network Watcher IP Flow Verify

  1. In the Azure portal, search for Network Watcher and open it.
  2. Under Network diagnostic tools, select IP flow verify.
  3. Select your Subscription, Resource group, Virtual machine, and Network interface.
  4. Enter the Protocol (TCP/UDP), Direction (Inbound/Outbound), Local port, Remote IP address, and Remote port.
  5. Select Check to see whether the traffic is Allowed or Denied and which NSG rule is responsible.

Exam Angle — What AZ-104 Tests

AZ-104 Exam Focus

Exam Trap

"Platform metrics are collected but you need to configure them first." → Platform metrics are collected automatically for all Azure resources. Only resource logs require a diagnostic setting.

Exam Trap

"You can view resource logs immediately in Log Analytics after enabling a diagnostic setting." → There is a delay of up to 15 minutes before logs appear after a diagnostic setting is created.

Exam Trap

"An action group sends the alert notification and generates the alert." → An action group defines what happens when an alert fires. The alert rule defines the condition. An alert processing rule modifies already-fired alerts — it does not generate new alerts.

Exam Trap

"IP Flow Verify tests routing issues." → IP Flow Verify tests NSG filtering (allowed/denied). For routing issues, use Next Hop.

Exam Trap

"VM Insights works out of the box with no agent required." → VM Insights requires the Azure Monitor Agent (AMA) for performance data and the Dependency Agent for the Map view.

Exam Trap

"Log Analytics retains data for 93 days by default." → Log Analytics default retention is 30 days. 93 days is the retention for Azure Monitor metrics, not logs.

Review Questions

  1. Do Azure platform metrics need a diagnostic setting to be collected?
  2. What is the default retention period for a Log Analytics workspace?
  3. What is the difference between an alert rule and an alert processing rule?
  4. Which Network Watcher tool should you use to diagnose a routing problem (wrong next hop)?
  5. What agents are required for VM Insights?
  6. What KQL operator filters rows to show only the last 30 minutes of data?
