This chapter covers Azure Monitor, the primary service for collecting, analyzing, and acting on telemetry from your Azure and on-premises environments. For the AZ-900 exam, understanding Azure Monitor is critical because it appears in the 'Monitoring and Reporting' section of the 'Azure Management Governance' domain, which accounts for roughly 10-15% of the exam. You will learn what Azure Monitor does, its core components, how it compares to other monitoring tools, and exactly what you need to know to pass the exam.
Imagine you manage a large office building with hundreds of rooms, each with its own temperature, lighting, and security sensors. You need to know if a room is too hot, if a door is left open, or if the power usage spikes. Without a central dashboard, you'd have to walk around and check each room manually—impossible at scale. Azure Monitor is like installing a smart building management system that collects data from every sensor, displays real-time dashboards, and sends alerts when something goes wrong. It doesn't just show raw numbers; it aggregates, correlates, and analyzes the data to help you understand trends, like which floor uses the most energy or whether a cooling system is failing. When a sensor detects an anomaly—say a temperature spike in the server room—the system triggers an alert that can automatically turn on backup cooling or notify the facilities team via email or SMS. The key mechanism is that the system continuously ingests metrics and logs from all sensors, stores them in a centralized time-series database (like Azure Monitor Metrics and Log Analytics), and applies rules to detect issues. You can query this data to troubleshoot past incidents or set up automated responses. Without this, you'd be blind to problems until they escalate. Azure Monitor provides that unified observability for your cloud and on-premises resources.
What is Azure Monitor and What Business Problem Does It Solve?
Azure Monitor is a comprehensive monitoring service that collects, analyzes, and responds to telemetry data from your Azure resources, on-premises infrastructure, and other cloud environments. The primary business problem it solves is the lack of visibility into the health, performance, and availability of your applications and infrastructure. Without a centralized monitoring solution, IT teams would need to manually check logs, performance counters, and alerts from each resource individually—an impossible task at scale. Azure Monitor provides a single pane of glass to view all telemetry, set up alerts, and automate responses, enabling proactive issue resolution, capacity planning, and compliance auditing.
How Does Azure Monitor Work? Step-by-Step Mechanism
Azure Monitor operates in a pipeline: Collect → Store → Analyze → Act.
1. Collect: Telemetry data is collected from multiple sources:
- Azure resources: Built-in metrics and logs from services like VMs, App Services, and databases.
- Operating systems: Guest OS metrics and logs via the Azure Monitor Agent (AMA) or legacy Log Analytics agent.
- Applications: Application performance data via Application Insights (part of Azure Monitor).
- Custom sources: Data from on-premises servers, other clouds, or custom applications using the Azure Monitor HTTP Data Collector API.
2. Store: Data is stored in two types of data stores:
- Metrics: Numeric time-series data (e.g., CPU percentage, disk I/O) stored in a time-series database optimized for fast queries and near real-time alerting. Metrics are kept for 93 days by default.
- Logs: Text-based data (e.g., event logs, error messages, custom logs) stored in Log Analytics workspaces. Logs are retained for 30 days by default (configurable up to 730 days or longer with data archiving to Azure Storage).
3. Analyze: You can analyze data using:
- Metrics Explorer: Interactive charting and pinning to dashboards.
- Log Analytics: A powerful query language (Kusto Query Language, KQL) to search, filter, and aggregate log data.
- Workbooks: Custom visualizations and reports combining metrics and logs.
- Insights: Specialized monitoring experiences for specific services (e.g., VM Insights, Container Insights).
4. Act: You can set up alerts to notify you or trigger automated actions:
- Metric alerts: Trigger when a metric crosses a threshold (e.g., CPU > 90%).
- Log alerts: Trigger based on log search results (e.g., number of error events > 10 in 5 minutes).
- Activity log alerts: Trigger when a specific Azure resource operation occurs (e.g., VM creation).
Alerts can fire actions like sending email/SMS, calling a webhook, or triggering an Azure Automation runbook or Logic App.
Key Components of Azure Monitor
Azure Monitor Metrics: A time-series database for numeric data. Metrics are lightweight, high-frequency (up to 1-minute granularity for most resources), and ideal for near real-time monitoring and alerting.
Azure Monitor Logs: Log Analytics workspaces store log data. Logs are verbose, can contain any text, and support complex queries. They are best for troubleshooting, auditing, and trend analysis.
Application Insights: An extension of Azure Monitor for application performance management (APM). It monitors web applications, detects anomalies, and provides distributed tracing.
Azure Monitor Agent (AMA): The new unified agent for collecting data from VMs and on-premises servers. It replaces the older Log Analytics agent and Diagnostics extension.
Data Collection Rules (DCRs): Define what data to collect from agents and where to send it.
Workbooks: Interactive documents that combine data from multiple sources into a single view.
Alerts: Rule-based notifications and automated actions.
Action Groups: Define the actions to take when an alert fires (e.g., email, SMS, webhook, ITSM integration).
Pricing Tiers
Azure Monitor uses a pay-as-you-go model with no upfront costs. Key pricing elements:
- Metrics: Ingestion of platform metrics (from Azure resources) is free. Custom metrics cost $0.30 per million data points.
- Logs: Data ingestion into Log Analytics costs $2.76 per GB for the first 5 GB/day (free tier: 5 GB/month). Data retention beyond 31 days costs $0.12 per GB/month.
- Alerts: Metric alerts are free; log alerts cost based on log queries.
- Application Insights: Pay-per-GB ingested, with a free tier of 1 GB/month.
Comparison to On-Premises Monitoring
In an on-premises environment, you might use tools like Microsoft System Center Operations Manager (SCOM) or Nagios. These require dedicated servers, manual configuration, and limited scalability. Azure Monitor is fully managed, scales automatically, and integrates with other Azure services. It also supports hybrid scenarios by collecting data from on-premises servers via the Azure Monitor Agent.
Azure Portal and CLI Touchpoints
- Azure Portal: Navigate to "Monitor" in the left-hand menu. Here you can view dashboards, metrics, logs, alerts, and workbooks.
- Azure CLI: Use commands like:
az monitor metrics list --resource <resource-id> --metric "Percentage CPU"
az monitor log-analytics query --workspace <workspace-id> --analytics-query "Perf | where CounterName == '% Processor Time'"
az monitor metrics alert create --name "HighCPU" --resource-group <rg> --scopes <resource-id> --condition "avg Percentage CPU > 90"
- Azure PowerShell: Similar cmdlets under the Az.Monitor module.
Concrete Business Scenarios
E-commerce Website: An online retailer uses Application Insights to monitor page load times, server requests, and failed logins. They set a metric alert on server response time > 2 seconds to trigger an auto-scaling action.
Financial Services: A bank uses Log Analytics to collect audit logs from all VMs. They run a nightly KQL query to detect unauthorized access attempts and generate compliance reports.
Manufacturing IoT: A factory uses Azure Monitor to collect telemetry from sensors on production lines. They use Metrics Explorer to track temperature and vibration, and set log alerts when error events exceed a threshold.
Enable Monitoring for Resources
When you create an Azure resource (e.g., a VM), Azure Monitor automatically collects platform-level metrics (like CPU and network) and activity logs. To collect guest OS metrics and logs, you must install the Azure Monitor Agent (AMA) on the VM. In the portal, you can enable monitoring by going to the VM's 'Monitoring' blade and selecting 'Enable guest-level monitoring'. Behind the scenes, Azure creates a Data Collection Rule (DCR) that defines what data to collect and where to send it (e.g., a Log Analytics workspace). By default, no guest-level monitoring is enabled to avoid unnecessary costs. You must explicitly choose to install the agent and configure a DCR. This step is critical because without it, you won't see in-guest metrics like memory usage or disk space.
Create a Log Analytics Workspace
A Log Analytics workspace is a container for log data. You can create one via the portal, CLI, or ARM template. The workspace is regional and must be in the same region as the resources you want to monitor for optimal performance. When you create a workspace, you specify a pricing tier (Pay-as-you-go or a reserved capacity tier). The workspace has a unique ID and keys that agents use to authenticate. You can have multiple workspaces for different environments (e.g., dev, test, prod) or consolidate all logs into one. Azure Monitor logs are stored in tables within the workspace. Common tables include 'Perf' (performance data), 'Event' (Windows event logs), and 'Heartbeat' (agent health). The workspace retention period defaults to 31 days but can be extended up to 730 days at additional cost.
Collect Data with Azure Monitor Agent
The Azure Monitor Agent (AMA) is installed on VMs (Windows or Linux) to collect telemetry. You can install it via the portal, Azure Policy, or manually. After installation, the agent connects to the Log Analytics workspace specified in the DCR. The DCR tells the agent which performance counters and events to collect. For example, you can configure it to collect CPU, memory, disk, and network counters every 60 seconds, and Windows Application event logs. The agent sends data to the workspace using HTTPS. AMA is the recommended agent because it supports both Windows and Linux, is more secure, and allows centralized configuration via DCRs. It replaces the older Log Analytics agent (OMS agent) and Diagnostics extension. For on-premises servers, you can install AMA and connect it to Azure via Azure Arc.
Create Alerts and Action Groups
Alerts proactively notify you when conditions are met. First, create an Action Group that defines what happens when an alert fires (e.g., send an email to 'ops@contoso.com', call a webhook, or trigger an Azure Function). Then, create an alert rule. For example, a metric alert on a VM's CPU percentage: condition is 'greater than 90' for 5 minutes, severity 'Sev 2', action group 'OpsTeam'. Azure Monitor evaluates the metric every 1 minute (for metric alerts). If the condition persists for the duration (5 minutes), the alert fires and the action group is triggered. Log alerts are evaluated at a specified frequency (e.g., every 5 minutes) based on a KQL query. Activity log alerts trigger on specific Azure operations, like 'Delete VM'. Alerts can also be suppressed during maintenance windows.
Analyze Data with Log Analytics
Log Analytics is the query tool for analyzing log data. Write Kusto Query Language (KQL) queries to filter, aggregate, and visualize data. For example, to find top CPU-consuming VMs: `Perf | where CounterName == '% Processor Time' | where CounterValue > 90 | summarize avgCPU = avg(CounterValue) by Computer | top 10 by avgCPU desc`. You can save queries, create dashboards, and export results. Log Analytics also supports cross-resource queries (query multiple workspaces or Application Insights resources). You can access Log Analytics from the Azure Monitor menu or directly from the Log Analytics workspace. The query results can be pinned to Azure dashboards for real-time visibility. For exam purposes, know that Log Analytics uses KQL, not SQL, and that it is a key component of Azure Monitor.
Scenario 1: Retail Website Performance Monitoring
A large e-commerce company runs its website on Azure App Services and Azure SQL Database. They need to ensure the site is responsive during Black Friday traffic. The team uses Application Insights (part of Azure Monitor) to monitor page load times, server responses, and dependency calls (e.g., database queries). They configure a metric alert on 'Server Response Time' exceeding 2 seconds for 5 minutes, which triggers an action group that sends an email to the DevOps team and auto-scales the App Service plan. They also set up a log alert on failed requests to detect errors. During a flash sale, a sudden spike in traffic causes response times to increase. The alert fires, and the auto-scaling action adds more instances, preventing downtime. Cost: Application Insights ingestion costs ~$0.276 per GB, and with moderate traffic, the monthly bill is about $100. If they hadn't set up monitoring, they might have missed the issue and lost revenue.
Scenario 2: Compliance Auditing in Healthcare
A hospital network must comply with HIPAA, requiring audit logs of all access to patient data. They collect Windows security event logs from all VMs using the Azure Monitor Agent and store them in a Log Analytics workspace. They use KQL queries to detect failed logon attempts and unauthorized access to sensitive folders. They set up a log alert that triggers when more than 10 failed logons occur in 5 minutes from a single IP, sending a text to the security team. They also create a workbook that displays a compliance dashboard showing recent access patterns. The workspace retains logs for 365 days to meet regulatory requirements, costing about $0.12 per GB/month for retention. Without Azure Monitor, they would have to manually parse logs from each server, which is error-prone and time-consuming.
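The failed-logon rule in this scenario, simulated as an added example (not part of the original chapter and not Azure Monitor's own implementation): it compares evaluating the "more than 10 failures from one IP in 5 minutes" threshold over fixed 5-minute windows with a sliding 5-minute window. The log line format, IP addresses, timestamps and function names are all constructed for illustration.

```python
"""Simulate the Scenario 2 rule: more than 10 failed logons per IP in 5 minutes.
All records, IPs and the 'timestamp result ip' line format are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                       # alert when the count is strictly greater than 10
WINDOW = timedelta(minutes=5)
T0 = datetime(2024, 1, 15, 9, 0, 0)  # constructed start of the first evaluation window


def make(ip, start, count, step_s, result="FAIL"):
    """Build constructed log lines: one event every step_s seconds."""
    return [f"{(start + timedelta(seconds=i * step_s)).isoformat()} {result} {ip}"
            for i in range(count)]


# Constructed sample input (documentation-range IP addresses).
SAMPLE = (
    make("203.0.113.10", T0 + timedelta(seconds=10), 12, 10)       # 12 failures in one window
    + make("198.51.100.7", T0 + timedelta(minutes=4), 12, 10)      # 12 failures, split 6/6 at 09:05
    + make("192.0.2.44", T0 + timedelta(seconds=30), 10, 20)       # exactly 10: not "more than 10"
    + make("203.0.113.10", T0 + timedelta(minutes=3), 1, 1, "OK")  # successful logons are ignored
)


def parse(line):
    """Split one constructed record into (timestamp, result, ip)."""
    ts, result, ip = line.split()
    return datetime.fromisoformat(ts), result, ip


def tumbling_alerts(lines, start):
    """Count failures per (fixed 5-minute window, IP), as a rule that runs
    every 5 minutes over the preceding 5 minutes would see them."""
    counts = defaultdict(int)
    for line in lines:
        ts, result, ip = parse(line)
        if result == "FAIL":
            counts[((ts - start) // WINDOW, ip)] += 1
    return sorted({ip for (_, ip), n in counts.items() if n > THRESHOLD})


def sliding_alerts(lines):
    """Flag an IP as soon as any 5-minute span contains more than 10 failures."""
    recent = defaultdict(deque)
    flagged = set()
    for line in sorted(lines):       # ISO timestamps sort chronologically as strings
        ts, result, ip = parse(line)
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) > THRESHOLD:
            flagged.add(ip)
    return sorted(flagged)


if __name__ == "__main__":
    print("fixed windows  :", tumbling_alerts(SAMPLE, T0))
    print("sliding window :", sliding_alerts(SAMPLE))
```

Choosing a lookback period longer than the evaluation frequency makes consecutive windows overlap, so a burst that straddles a window boundary is still counted whole in one of them.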
Scenario 3: Hybrid Infrastructure Monitoring
A manufacturing company has on-premises servers and Azure VMs. They use Azure Arc to manage on-premises machines and install the Azure Monitor Agent on all servers. They create a single Log Analytics workspace to collect performance data from both environments. They set up metric alerts for disk space below 20% on critical servers. When a server runs low on disk, the alert triggers an Automation runbook that runs a cleanup script. They also use VM Insights to visualize the health and performance of all VMs in a single map. This hybrid setup allows them to monitor everything from one place. Common mistake: forgetting to install the agent on all servers, leading to blind spots. Cost: Data ingestion from 50 servers at ~1 GB/day costs about $84/month.
What AZ-900 Tests on Azure Monitor (Objective 3.3)
The objective 'Describe monitoring and reporting options in Azure' includes Azure Monitor, Azure Service Health, and Azure Advisor. For Azure Monitor specifically, the exam expects you to know:
The purpose of Azure Monitor: collect, analyze, and act on telemetry from cloud and on-premises environments.
The core components: Metrics, Logs, Alerts, Action Groups, Application Insights, and Log Analytics.
The difference between Azure Monitor and Azure Service Health: Azure Monitor is for your resources' performance and availability; Azure Service Health is for Azure service outages and planned maintenance.
The difference between Azure Monitor and Azure Advisor: Azure Monitor monitors current state; Azure Advisor gives proactive recommendations.
How to enable monitoring: via the portal, CLI, or automatically for some resources.
Common Wrong Answers and Why Candidates Choose Them
'Azure Monitor only monitors Azure resources.' Wrong. It can also monitor on-premises and other clouds via agents and the Data Collection API. Candidates assume it's Azure-only because of the name.
'Azure Monitor and Azure Service Health are the same.' Wrong. Service Health monitors Azure services themselves; Monitor monitors your own resources. Candidates confuse the two because 'health' comes up in the context of both.
'Log Analytics is a separate service from Azure Monitor.' Wrong. Log Analytics is a feature of Azure Monitor. Candidates think it's independent because it has its own portal blade.
'You must use the Log Analytics agent to collect data.' Wrong. The Azure Monitor Agent (AMA) is the recommended agent now. The older agent is still supported but not the primary focus.
Specific Terms and Values That Appear on the Exam
Metrics: Numerical time-series data, retained 93 days.
Logs: Text data in Log Analytics workspaces, retained 30 days by default.
Action Group: Defines the notification actions (email, SMS, webhook, ITSM).
Application Insights: APM tool for web applications.
Log Analytics Workspace: Container for log data.
Kusto Query Language (KQL): Query language for logs.
Azure Monitor Agent (AMA): Current agent for collecting data.
Edge Cases and Tricky Distinctions
Activity Log vs. Metrics vs. Logs: Activity log records control-plane events (who created a VM). Metrics are performance counters. Logs are any text data. The exam may ask where to find a specific type of data.
Alerts: Know that metric alerts are near real-time (evaluation every 1 min), log alerts are evaluated every 5 minutes or more.
Free tier: Log Analytics offers 5 GB of free data ingestion per month. Metrics are free for platform metrics.
Memory Trick
'M.A.L.A.' = Metrics, Alerts, Logs, Application Insights. These are the four key features of Azure Monitor you need to remember. For the exam, if a question asks about monitoring performance, think Metrics. If it asks about troubleshooting, think Logs. If it asks about proactive notification, think Alerts. If it asks about web app performance, think Application Insights.
Azure Monitor is the central monitoring service for collecting, analyzing, and acting on telemetry from Azure and on-premises resources.
It consists of Metrics (numeric time-series data, retained 93 days) and Logs (text data in Log Analytics workspaces, retained 30 days by default).
Application Insights is part of Azure Monitor and is used for application performance monitoring (APM).
Alerts can be metric-based (near real-time) or log-based (evaluated every 5 minutes) and can trigger multiple actions via Action Groups.
The Azure Monitor Agent (AMA) is the recommended agent for collecting guest OS data from VMs and on-premises servers.
Log Analytics uses Kusto Query Language (KQL) to query log data.
Azure Monitor is different from Azure Service Health (which monitors Azure services) and Azure Advisor (which gives proactive recommendations).
Platform metrics are free; log ingestion costs $2.76/GB with a free tier of 5 GB/month.
You can monitor hybrid environments using Azure Arc and the Azure Monitor Agent.
For the exam, remember 'M.A.L.A.' (Metrics, Alerts, Logs, Application Insights) as the key features.
These come up on the exam all the time. Here's how to tell them apart.
Azure Monitor
Monitors the performance and availability of your own Azure and on-premises resources.
Collects metrics, logs, and activity data.
Provides alerts on resource conditions (e.g., CPU > 90%).
Used for day-to-day operational monitoring.
Data comes from your resources.
Azure Service Health
Monitors the health of Azure services themselves (e.g., Azure SQL, Azure Storage).
Provides information about service outages, planned maintenance, and health advisories.
Alerts you when Azure services are degraded or unavailable.
Used to understand Azure platform issues affecting you.
Data comes from Azure infrastructure.
Azure Monitor
Reactive: shows current state and alerts on issues.
Focuses on performance, availability, and diagnostics.
Data is real-time or near real-time.
Used for troubleshooting and monitoring.
Provides dashboards and log queries.
Azure Advisor
Proactive: gives recommendations to improve reliability, security, cost, and performance.
Focuses on best practices and optimization.
Recommendations are based on historical analysis.
Used for cost saving and security improvements.
Provides a list of actionable recommendations.
Mistake
Azure Monitor can only monitor Azure VMs.
Correct
Azure Monitor can monitor any Azure resource, on-premises servers (via Azure Monitor Agent and Azure Arc), other clouds, and custom applications using the Data Collector API.
Mistake
Azure Monitor and Azure Service Health are the same service.
Correct
Azure Monitor monitors your own resources' performance and availability. Azure Service Health monitors the health of Azure services themselves and provides information about outages and planned maintenance.
Mistake
Log Analytics is a separate product independent of Azure Monitor.
Correct
Log Analytics is a core feature of Azure Monitor. It is the tool used to query and analyze log data stored in Log Analytics workspaces.
Mistake
You must manually enable monitoring for every Azure resource.
Correct
Platform-level metrics and activity logs are automatically collected for most Azure resources. Guest-level monitoring (OS metrics) requires installing the Azure Monitor Agent.
Mistake
Azure Monitor alerts can only send email notifications.
Correct
Alerts can trigger multiple actions via Action Groups, including email, SMS, webhooks, Azure Functions, Logic Apps, Automation runbooks, and ITSM tickets.
Azure Monitor monitors the performance and availability of your own resources (VMs, apps, databases). Azure Service Health monitors the health of Azure services themselves and notifies you about outages, planned maintenance, and advisories. For example, if your VM is slow, use Azure Monitor. If Azure SQL is down in your region, use Azure Service Health. On the exam, they often ask which service to use for a given scenario.
Metrics are retained for 93 days by default. Logs in a Log Analytics workspace are retained for 31 days by default (configurable up to 730 days). You can also archive log data to Azure Storage for longer retention (e.g., for compliance). On the exam, know these default values.
Metric alerts are based on numeric time-series data (e.g., CPU > 90%) and can evaluate as frequently as every 1 minute. They are near real-time. Log alerts are based on log search queries (e.g., count of errors > 10 in 5 minutes) and are evaluated at a slower frequency (every 5 minutes or more). Metric alerts are simpler and faster; log alerts are more flexible. The exam may ask which alert type is appropriate for a given scenario.
Platform-level metrics (CPU, network, disk I/O) and activity logs are automatically collected without an agent. To collect guest OS metrics (like memory usage, disk space, or event logs), you must install the Azure Monitor Agent (AMA) on the VM. The exam may test this distinction.
A Log Analytics workspace is a container for log data in Azure Monitor. It has a unique ID and keys, and it is regional. All log data from agents and other sources is sent to a workspace. You can have multiple workspaces for different environments. The workspace defines data retention and pricing. On the exam, know that logs are stored in workspaces and queried using KQL.
Yes. You can install the Azure Monitor Agent on on-premises servers and connect them to Azure via Azure Arc. The agent sends data to a Log Analytics workspace just like Azure VMs. This enables hybrid monitoring. The exam may include scenarios where you need to monitor both cloud and on-premises.
Azure Monitor is reactive: it shows you the current state of your resources and alerts you when something is wrong. Azure Advisor is proactive: it analyzes your resource configurations and gives recommendations to improve reliability, security, cost, and performance. For example, Azure Monitor can alert you that a VM is running at 100% CPU; Azure Advisor might recommend resizing the VM to a larger size.