This chapter covers Azure Monitor from the perspective of an Azure developer preparing for the AZ-204 exam. You will learn how to collect, analyze, and act on telemetry from your applications and Azure resources using Azure Monitor's core components: Metrics, Logs, Alerts, and Application Insights. Approximately 10-15% of the AZ-204 exam questions touch on monitoring and diagnostics, making this a critical topic for achieving a passing score. Mastering these concepts ensures you can design resilient, observable cloud solutions that meet operational requirements.
Jump to a section
Imagine a large office building with hundreds of rooms, each with its own temperature sensor, motion detector, and door log. The building's security system (Azure Monitor) collects data from every sensor in real-time. It stores all events in a central database (Log Analytics workspace) and displays key metrics like average temperature and occupancy on a dashboard in the lobby (Metrics Explorer). When a sensor detects smoke (a metric threshold breach), the system triggers an alarm (alert) that pages the fire department (Action Group) via SMS and email. The system also allows the building manager to run ad-hoc queries, like "which rooms had doors opened after 10 PM last night?" using a powerful query language (Kusto Query Language). Just as the security system helps prevent disasters and optimize energy use, Azure Monitor helps developers detect issues, analyze performance, and automate responses in their cloud applications.
What is Azure Monitor and Why Does It Exist?
Azure Monitor is a comprehensive monitoring service for Azure resources and applications. It collects, analyzes, and acts on telemetry from cloud and on-premises environments. Its primary purpose is to maximize the availability and performance of your applications by providing a unified view of metrics, logs, and alerts. For developers, Azure Monitor enables you to understand how your application behaves in production, detect anomalies, and diagnose issues without requiring users to report them.
The Two Core Data Types: Metrics and Logs
Azure Monitor stores data in two fundamental types: - Metrics: Numerical values collected at regular intervals (e.g., CPU percentage, request count). They are lightweight, support near-real-time analysis, and are ideal for alerting on thresholds. Metrics are stored for 93 days (default) and can be visualized in Metrics Explorer. - Logs: Text-based records of events (e.g., application errors, audit logs). They are stored in a Log Analytics workspace and can be queried using Kusto Query Language (KQL). Logs have a default retention of 30 days (can be extended up to 730 days or more with pricing tiers).
Both data types can be correlated; for example, a metric spike in CPU can be correlated with a specific error log entry to pinpoint the cause.
Data Sources: What Can Be Monitored?
Azure Monitor can ingest data from multiple sources: - Azure Infrastructure: Metrics and logs from Azure VMs, App Services, Functions, SQL Database, etc. These are automatically collected at no extra cost for basic metrics. - Application Insights: An extension of Azure Monitor for application performance management (APM). It collects request rates, response times, dependency calls, exceptions, and custom telemetry from your code. It also supports distributed tracing and smart detection. - Custom Data: You can send custom metrics and logs using the Azure Monitor Data Collector API or the Azure Monitor Agent (AMA) for VMs. - Guest OS Monitoring: Collect performance counters and event logs from VMs using the Azure Monitor Agent or legacy Log Analytics agent.
Metrics Explorer: Visualizing Metrics
Metrics Explorer is a tool in the Azure portal that allows you to plot metrics from Azure resources. You can:
Select a resource (e.g., a specific VM or App Service).
Choose a metric namespace (e.g., CPU percentage, HTTP requests).
Apply aggregations (Average, Sum, Count, Min, Max).
Add filters and split by dimensions (e.g., Instance ID).
Set a time range (up to 30 days).
Key metrics for developers: - App Service: HTTP 5xx errors, request count, response time, memory, CPU. - Azure Functions: Function execution count, execution duration, errors. - Azure SQL Database: DTU/CPU usage, deadlocks, sessions count.
Log Analytics Workspace and Kusto Query Language (KQL)
Logs are stored in a Log Analytics workspace. Each workspace has a unique ID and key. You can query logs using KQL, which is similar to SQL but optimized for time-series and unstructured data. Example query for retrieving errors from an App Service:
AppExceptions
| where timestamp > ago(1h)
| summarize Count = count() by typeCommon KQL operators: where, summarize, project, extend, join, union. The exam expects you to know basic KQL syntax and understand what each operator does.
Alerts: Proactive Notification
Azure Monitor Alerts proactively notify you when conditions are met. An alert consists of: - Alert Rule: Defines the condition (e.g., CPU > 90% for 5 minutes). - Action Group: Specifies who gets notified and how (e.g., email, SMS, webhook, Azure Function, ITSM connector). - Alert Processing Rules: Allow you to suppress alerts during maintenance windows.
Alert types: - Metric Alerts: Evaluate metric values at regular intervals (frequency 1 min to 24 hrs). They are stateful: when the condition is met, the alert fires; when resolved, it sends a resolved notification. - Log Alerts: Run a log query at a specified frequency (e.g., every 5 minutes) and fire if the result count or metric measurement exceeds a threshold. They are stateless by default but can be configured as stateful. - Activity Log Alerts: Trigger when specific events occur in the Azure Activity Log (e.g., resource creation, security events). - Smart Detection Alerts: Available via Application Insights, they automatically detect anomalies in failure rates, response times, and dependency durations using machine learning.
Application Insights: Deep Application Monitoring
Application Insights is a feature of Azure Monitor that provides application performance management (APM). It is instrumented by adding a NuGet package (for .NET) or SDK (for Node.js, Python, Java) to your application. Key capabilities: - Request Tracking: Automatically logs every HTTP request with duration, response code, and success/failure. - Dependency Tracking: Logs calls to external services (SQL, HTTP, Azure services) with duration and status. - Exceptions: Captures unhandled and custom exceptions with stack traces. - Distributed Tracing: Correlates requests across multiple services using a unique operation ID (traceparent header). - Live Metrics: Real-time monitoring of request rate, CPU, and memory without sampling. - Smart Detection: Proactively detects anomalies in failure rates, response times, and dependency durations. - Availability Tests: Ping tests or multi-step web tests from multiple locations to monitor uptime and responsiveness.
Log Analytics and Workbooks
Log Analytics is the main interface for querying log data. You can create: - Workbooks: Interactive reports that combine metrics, logs, and visualizations. They are useful for creating custom dashboards for operations teams. - Views: Custom visualizations using View Designer (legacy) or Workbook templates.
Autoscale Integration
Azure Monitor can trigger autoscale actions based on metrics. For example, you can create an autoscale rule for a Virtual Machine Scale Set that adds instances when CPU > 75% and removes instances when CPU < 25%. The rule must have a cool-down period (default 5 minutes) to avoid flapping.
Retention and Pricing
Metrics: 93 days free, then archived to storage (additional cost).
Logs: Default 31 days for pay-as-you-go workspaces; 30 days for free tier (limited data). Extended retention up to 730 days or more with commitment tiers.
Application Insights: Data retention is 90 days by default; can be extended to 730 days.
Alerts: Pay per alert rule per month (first 5 free).
Key SDKs and APIs
Application Insights SDK: For .NET, Java, Node.js, Python, etc. Provides telemetry initializers, telemetry processors, and sampling.
Azure Monitor Data Collector API: Allows sending custom logs and metrics to a Log Analytics workspace via HTTP POST.
Azure Monitor REST API: Query metrics and logs programmatically.
Azure CLI and PowerShell: Commands like az monitor metrics list and Get-AzMetric.
Step-by-Step: Enabling Application Insights for an ASP.NET Core App
Add the Microsoft.ApplicationInsights.AspNetCore NuGet package.
In appsettings.json, set the instrumentation key (or connection string).
In Startup.cs, call services.AddApplicationInsightsTelemetry();.
Deploy the app; telemetry automatically flows to the Azure portal.
Optionally, add custom events using TelemetryClient.TrackEvent("MyEvent").
Monitoring Azure Functions
For Azure Functions, you can enable Application Insights integration during creation or later. The host automatically logs function executions, duration, and errors. You can also add custom telemetry using the ILogger interface or TelemetryClient.
Common Pitfalls
Sampling: By default, Application Insights uses adaptive sampling for high-volume apps, which can cause missing data. You can configure sampling rate or disable it.
Instrumentation Key vs. Connection String: The connection string includes the instrumentation key and additional properties. It is the recommended approach for newer SDKs.
Log Analytics Workspace Region: Data is stored in the region where the workspace is created; consider compliance and latency.
Alert Evaluation Frequency: For metric alerts, the evaluation frequency can be as low as 1 minute, but log alerts have a minimum of 5 minutes.
Integration with Other Azure Services
Azure Dashboards: Pin metrics and logs from Azure Monitor to shared dashboards.
Azure Logic Apps: Trigger workflows based on alerts.
Azure Automation: Runbooks can be triggered by alerts to perform remediation.
Event Hubs: Stream metrics and logs to third-party SIEM systems (e.g., Splunk) via diagnostic settings.
Summary of Key Values and Defaults
Metric retention: 93 days.
Log retention: 31 days (pay-as-you-go).
Alert evaluation frequency: 1 min for metric alerts, 5 min for log alerts.
Autoscale cool-down: 5 minutes.
Application Insights default sampling: Adaptive sampling at 5 events per second.
Diagnostic settings: Export to Storage, Event Hubs, or Log Analytics.
This deep understanding of Azure Monitor's mechanisms will help you answer scenario-based exam questions and design robust monitoring solutions.
Enable Diagnostic Settings on Resources
First, navigate to the resource (e.g., an App Service) in the Azure portal. Under 'Monitoring', select 'Diagnostic settings'. Click 'Add diagnostic setting' and choose the logs and metrics to collect. You can stream to a Log Analytics workspace, archive to a storage account, or stream to an Event Hub. For the exam, remember that diagnostic settings are the primary way to collect platform logs (e.g., App Service HTTP logs, Azure Function execution logs) and send them to Log Analytics. Without this, those logs are not available for querying.
Configure Log Analytics Workspace
Create a Log Analytics workspace in the same region as your resources to minimize latency and egress costs. The workspace has a unique ID and primary/secondary keys. When you enable diagnostic settings, you select this workspace as the destination. The workspace also stores custom logs sent via the Data Collector API. For security, manage access using Azure RBAC; you can grant Log Analytics Reader or Contributor roles. Retention can be set from 30 to 730 days (or more with commitment tiers).
Set Up Application Insights Instrumentation
To monitor a live application, instrument it with the Application Insights SDK. For a .NET Core app, add the NuGet package and configure the connection string in appsettings.json. The SDK automatically collects request telemetry, dependency telemetry, exceptions, and performance counters. You can add custom telemetry using TelemetryClient. For serverless apps like Azure Functions, enable Application Insights from the function app's 'Application Insights' blade. The instrumentation key (or connection string) links the app to an Application Insights resource, which is backed by a Log Analytics workspace.
Create Metric Alerts for Key Thresholds
In the Azure Monitor blade, go to 'Alerts' and click 'Create' > 'Alert rule'. Select the target resource (e.g., an App Service). Under 'Condition', choose a signal like 'HTTP 5xx Errors' and set a threshold (e.g., greater than 10 for the last 5 minutes). Configure an action group that sends an email to the operations team. Metric alerts are stateful: they fire when the condition is met and resolve when it returns to normal. You can also set up 'Dynamic thresholds' that use machine learning to detect anomalies.
Query Logs with Kusto Query Language
Use Log Analytics to query logs collected in the workspace. For example, to find all failed requests in the last hour, use: `AppRequests | where success == false and timestamp > ago(1h)`. You can also join tables, summarize counts, and create time charts. The exam expects you to understand basic KQL syntax, especially `where`, `summarize`, `project`, and `extend`. Practice writing queries that correlate data from different sources, e.g., join `AppExceptions` with `AppRequests` to find exceptions that occurred during a specific request.
Enterprise Scenario 1: E-Commerce Platform Monitoring
A large e-commerce company runs its website on Azure App Services with a SQL Database backend. They use Azure Monitor to track key metrics like page load time, checkout success rate, and database DTU consumption. They have set up metric alerts to notify the on-call engineer if the 95th percentile response time exceeds 3 seconds for 5 minutes. They also use Application Insights distributed tracing to diagnose slow transactions that span multiple microservices. When a promotional event causes a traffic spike, they rely on autoscale rules that add instances when CPU exceeds 80%. The operations team uses a workbook that combines live metrics, recent errors, and a map of dependencies to quickly identify bottlenecks. Common issues include misconfigured diagnostic settings that miss SQL Server audit logs, leading to compliance gaps.
Enterprise Scenario 2: Financial Services Regulatory Compliance
A bank uses Azure Monitor to meet strict audit requirements. They enable diagnostic settings for all Azure resources and stream logs to a Log Analytics workspace with 365-day retention. They use Azure Policy to enforce that all new resources have diagnostic settings enabled. The security team runs KQL queries daily to detect unauthorized access attempts. They have configured activity log alerts for any changes to network security groups. Application Insights tracks user transactions and exceptions, with smart detection alerting on unusual failure rates. A common mistake is forgetting to enable diagnostic settings for the Azure SQL Database, which means no audit logs are collected. The bank also uses Azure Monitor Workbooks to create compliance dashboards for regulators.
Enterprise Scenario 3: IoT Solution at Scale
A manufacturing company collects telemetry from thousands of IoT devices using Azure IoT Hub. They use Azure Monitor to monitor IoT Hub operations (e.g., device-to-cloud messages, throttle events). They stream IoT Hub diagnostics to Log Analytics for long-term analysis. They also use custom metrics to track device health. Alerts are configured for high message latency. Application Insights is used to monitor the backend processing logic in Azure Functions. At scale, they need to manage data volume carefully to avoid high costs; they use sampling in Application Insights and set retention limits. Misconfigurations often involve setting too low a retention period for compliance or failing to set up alerts for critical thresholds like IoT Hub throttling.
AZ-204 Objective: Monitor and Optimize Azure Solutions (15-20%)
The AZ-204 exam tests your ability to configure monitoring for Azure applications. Specifically, objective 4.1 covers 'Monitor and analyze application performance using Application Insights and Azure Monitor'. You must know:
How to instrument applications with Application Insights SDK.
How to configure and query metrics and logs.
How to set up alerts and action groups.
How to use diagnostic settings to collect resource logs.
Common Wrong Answers and Why Candidates Choose Them
Confusing Metric Alerts with Log Alerts: Candidates often think metric alerts can query logs. Metric alerts only evaluate numerical metrics, not log queries. Log alerts evaluate KQL queries. Wrong answer: 'Create a metric alert to fire when the error count exceeds 10 in the last hour.' Correct: Use a log alert for that.
Selecting Storage Account for Diagnostic Settings Instead of Log Analytics: Diagnostic settings can send logs to a storage account, Event Hubs, or Log Analytics. Candidates choose storage because it's familiar. But for querying logs with KQL, you need Log Analytics. Storage is for archival only.
Misunderstanding Sampling: Candidates think sampling is always on and cannot be disabled. Actually, you can configure sampling (e.g., fixed rate or adaptive) in Application Insights. Adaptive sampling is default for ASP.NET Core apps. Wrong answer: 'All telemetry is always collected.' Correct: Sampling may drop some data.
Forgetting to Enable Diagnostic Settings: Many candidates assume platform logs are automatically collected. They are not; you must explicitly enable diagnostic settings for each resource.
Specific Numbers and Terms That Appear on the Exam
Metric retention: 93 days.
Log retention default: 31 days.
Alert evaluation frequency: 1 min for metric alerts, 5 min for log alerts.
Autoscale cool-down period: 5 minutes (default).
Application Insights connection string: Required for newer SDKs.
KQL operators: where, summarize, project, extend.
Action Group types: Email, SMS, Webhook, Azure Function, ITSM.
Edge Cases and Exceptions
Application Insights for Azure Functions: You must enable Application Insights integration from the function app's 'Application Insights' blade; it's not automatic.
Custom metrics via Application Insights: You can send custom metrics using TrackMetric(), but they are stored as log data, not as Azure Monitor metrics. To get them as native metrics, use the Azure Monitor Data Collector API.
Cross-region queries: Log Analytics workspaces can be queried across regions, but there may be data residency restrictions.
Alert statefulness: Metric alerts are stateful; log alerts are stateless by default. You can enable statefulness for log alerts by setting 'Number of violations to trigger' > 1.
How to Eliminate Wrong Answers
If the question involves querying logs, eliminate options that mention Metrics Explorer or metric alerts.
If the question involves real-time monitoring, prefer Metrics Explorer or Live Metrics over Log Analytics (which has latency).
If the question involves setting up monitoring for a new app, look for options that include instrumentation with Application Insights SDK.
If the question mentions cost or retention, recall the default values: 93 days for metrics, 31 days for logs.
Azure Monitor has two core data types: Metrics (numerical, 93-day retention) and Logs (text, 31-day default retention).
Application Insights is part of Azure Monitor; it provides application performance monitoring with distributed tracing and smart detection.
Diagnostic settings must be enabled per resource to collect platform logs to Log Analytics, Storage, or Event Hubs.
Metric alerts evaluate numeric thresholds every 1 minute; log alerts evaluate KQL queries every 5 minutes.
Action groups define notification methods: email, SMS, webhook, Azure Function, ITSM, etc.
Autoscale rules have a default cool-down period of 5 minutes to prevent flapping.
Kusto Query Language (KQL) is used to query log data; common operators: where, summarize, project, extend.
Application Insights uses adaptive sampling by default (5 events/sec); can be configured or disabled.
Instrumentation key is being replaced by connection string in newer SDKs.
Log Analytics workspace region determines data residency; choose region carefully for compliance.
These come up on the exam all the time. Here's how to tell them apart.
Metrics
Numerical values collected at regular intervals (e.g., CPU %, request count).
Lightweight and near-real-time (latency ~1-2 minutes).
Stored for 93 days by default.
Ideal for threshold-based alerting and dashboards.
Cannot be queried with KQL; use Metrics Explorer.
Logs
Text-based records of events (e.g., errors, traces).
Heavier and may have higher latency (up to 5 minutes for ingestion).
Default retention 31 days (configurable up to 730 days).
Ideal for detailed analysis and correlation using KQL.
Can be queried with KQL in Log Analytics.
Mistake
Azure Monitor automatically collects all logs from all resources.
Correct
You must enable diagnostic settings for each resource to collect platform logs and metrics. Only basic metrics are collected automatically.
Mistake
Application Insights and Azure Monitor are separate services.
Correct
Application Insights is a feature of Azure Monitor. It is integrated and uses the same underlying Log Analytics workspace.
Mistake
Log Analytics and Application Insights have separate retention settings.
Correct
Application Insights data is stored in a Log Analytics workspace, so retention is controlled by the workspace's retention policy (default 31 days) unless you use the classic Application Insights resource (which has 90-day default).
Mistake
Metric alerts can evaluate log queries.
Correct
Metric alerts only evaluate numeric metrics. To evaluate log queries, you must use log alerts.
Mistake
You cannot disable sampling in Application Insights.
Correct
You can configure sampling type (adaptive, fixed rate) or disable it entirely in the Application Insights configuration.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
In the Azure portal, go to your App Service, then under 'Settings' select 'Application Insights'. Click 'Turn on Application Insights' and either create a new resource or link to an existing one. The app will be instrumented with the Application Insights site extension, which collects telemetry without code changes. For more control, you can add the SDK to your code and configure the connection string.
A metric alert evaluates a numerical metric (e.g., CPU > 90%) at a regular frequency (minimum 1 minute). It is stateful: it fires when the condition is met and resolves when it returns to normal. A log alert runs a KQL query at a specified frequency (minimum 5 minutes) and fires based on the number of results or a metric measurement. Log alerts are stateless by default (can be configured as stateful). Use metric alerts for real-time threshold monitoring and log alerts for complex logic or log-based conditions.
Metrics are retained for 93 days by default. Logs in a Log Analytics workspace have a default retention of 31 days (pay-as-you-go) or 30 days (free tier). You can extend log retention up to 730 days (or more with commitment tiers). Application Insights data (classic) retains 90 days by default. For longer retention, you can export logs to Azure Storage.
Yes, Application Insights data is stored in a Log Analytics workspace, so you can query it using KQL in the Log Analytics interface. The tables have names like 'requests', 'exceptions', 'traces', etc. You can also query across multiple workspaces using the 'union' operator.
Adaptive sampling is a feature that automatically reduces the volume of telemetry collected from high-traffic applications to manage cost and performance. It aims to keep the telemetry rate at a target (default 5 events per second) by sampling a representative subset of requests. It is enabled by default for ASP.NET Core apps. You can disable it or switch to fixed-rate sampling in the configuration.
You can send custom metrics using the Application Insights SDK's TrackMetric() method, but these are stored as log data, not as Azure Monitor metrics. To send native custom metrics, use the Azure Monitor Data Collector API (for logs) or the custom metrics API (preview) which requires registering your application as a custom metric namespace.
A Log Analytics workspace is a container for log data from various Azure resources. An Application Insights resource is a specialized instance for application monitoring, but since 2019, new Application Insights resources are backed by a Log Analytics workspace. The workspace stores all telemetry, and you can query it with KQL. The Application Insights resource provides additional features like smart detection, availability tests, and usage analytics.
You've just covered Azure Monitor for Application Developers — now see how well it sticks with free AZ-204 practice questions. Full explanations included, no account needed.
Done with this chapter?