AZ-305 - Design a Solution for Logging and Monitoring
1. Azure Monitor Overview
Azure Monitor is the central platform for collecting, analyzing, and acting on telemetry data from Azure and on-premises environments. It provides a comprehensive solution for monitoring the availability, performance, and health of your applications and infrastructure.
Core Components of Azure Monitor
Azure Monitor Data Sources
Azure Monitor collects data from multiple tiers including application, operating system, Azure resources, Azure subscriptions, Azure tenants, and custom sources. All data is stored in one of two fundamental data stores: Metrics (time-series numerical data) and Logs (structured and semi-structured records stored in Log Analytics workspaces).
Metrics vs Logs
Metrics are lightweight numerical values collected at regular intervals. They are ideal for real-time alerting and fast detection of issues. Metrics are stored for 93 days by default.
Logs contain detailed records with different data types and complex structures. They are queried using Kusto Query Language (KQL). Logs support deep analysis and correlation across multiple data sources.
Azure Monitor Architecture
Azure Monitor follows a pipeline architecture: data sources emit telemetry, which flows through collection pipelines into data stores (Metrics database and Log Analytics workspace). From there, you can visualize data in dashboards and workbooks, analyze with KQL, respond with alerts and autoscale, and integrate with external systems via Event Hubs or partner solutions.
| Data Store | Data Type | Retention | Query Language |
|---|---|---|---|
| Metrics Database | Time-series numerical | 93 days (default) | Metrics Explorer |
| Log Analytics Workspace | Structured/semi-structured | 30 days to 2 years (configurable) | KQL (Kusto Query Language) |
2. Log Analytics Workspace
A Log Analytics workspace is the primary data store for Azure Monitor Logs. It provides a unique environment for log data collection, aggregation, and analysis. Every workspace has its own data repository, configuration, data sources, and connected solutions.
Workspace Design Considerations
Single vs Multiple Workspaces
Start with a single workspace to reduce management complexity. Use multiple workspaces when you need data isolation for compliance, geographic regions for data sovereignty, or when different teams need distinct access controls. A single workspace provides the best cross-resource query experience.
Access Control for Log Analytics
Log Analytics supports two access control modes:
- Workspace-context: Users can view all logs in the workspace they have permission to access. Queries are scoped to all data in all tables the user can access.
- Resource-context: Users access logs for specific resources they have permission to view, regardless of the table or workspace. Queries are scoped to data associated with that resource only.
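The two access modes are easiest to reason about with a small model. The following Python is an added example written for this guide, not Azure code: it takes constructed log rows stamped with placeholder `_ResourceId` values and shows what a workspace reader and a resource reader can each see under the two modes (`Principal`, `visible_rows` and the `in_scope` helper are this example's own names).

```python
"""Model of the two Log Analytics access-control modes (added example, not Azure
code). Workspace-context: a reader on the workspace sees every row in the tables
they can read, whatever resource produced it. Resource-context: a reader on a
resource sees only rows stamped with that resource's _ResourceId, in any table.
Resource IDs below are constructed placeholders."""
from dataclasses import dataclass, field

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription
RG_APP = SUB + "/resourceGroups/rg-app"
RG_DB = SUB + "/resourceGroups/rg-db"

# Constructed log rows; _ResourceId is the column Azure Monitor adds to resource logs.
ROWS = [
    {"table": "AppServiceHTTPLogs", "_ResourceId": RG_APP + "/providers/Microsoft.Web/sites/web1",
     "msg": "GET /checkout 500"},
    {"table": "AzureDiagnostics", "_ResourceId": RG_DB + "/providers/Microsoft.Sql/servers/sql1",
     "msg": "login failed for sa"},
    {"table": "Perf", "_ResourceId": RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm1",
     "msg": "% Processor Time 95"},
    {"table": "SecurityEvent", "_ResourceId": RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm1",
     "msg": "EventID 4625"},
]


@dataclass
class Principal:
    name: str
    workspace_reader: bool = False                      # e.g. Log Analytics Reader on the workspace
    readable_tables: set = field(default_factory=set)   # table-level RBAC; empty means all tables
    resource_scopes: set = field(default_factory=set)   # resources (or parent scopes) with Reader


def in_scope(resource_id: str, scope: str) -> bool:
    """True if resource_id is the scope itself or a child of it (ARM scope inheritance)."""
    return resource_id == scope or resource_id.startswith(scope.rstrip("/") + "/")


def visible_rows(principal: Principal, rows: list, mode: str) -> list:
    """Rows the principal can read under the given access-control mode."""
    if mode == "workspace-context":
        if not principal.workspace_reader:
            return []
        return [r for r in rows
                if not principal.readable_tables or r["table"] in principal.readable_tables]
    if mode == "resource-context":
        return [r for r in rows
                if any(in_scope(r["_ResourceId"], s) for s in principal.resource_scopes)]
    raise ValueError(f"unknown access mode: {mode}")


# App team: Reader on rg-app only, no permission on the workspace at all.
APP_TEAM = Principal("app-team", resource_scopes={RG_APP})
# SOC: Log Analytics Reader on the workspace, limited by table-level RBAC to SecurityEvent.
SOC = Principal("soc", workspace_reader=True, readable_tables={"SecurityEvent"})

if __name__ == "__main__":
    for p in (APP_TEAM, SOC):
        for mode in ("workspace-context", "resource-context"):
            print(p.name, mode, [r["msg"] for r in visible_rows(p, ROWS, mode)])
```

The point to take from the run: in resource-context mode the app team sees its own VM's `SecurityEvent` rows without any workspace role, which is what makes a single shared workspace workable for several teams, while the SOC's workspace role is still narrowed by table-level RBAC.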
Data Retention and Archiving
The default retention period for Log Analytics data is 30 days, but it can be extended up to 730 days (2 years). For longer retention, you can configure data export to Azure Storage or use the archive feature, which provides low-cost long-term retention with on-demand access via search jobs and restore operations.
Diagnostic Settings
Diagnostic settings determine where resource logs and metrics are sent. You can route data to a Log Analytics workspace, Azure Storage account, Event Hubs, or partner solutions. Each resource can have multiple diagnostic settings configured to send different categories of data to different destinations.
3. Application Insights
Application Insights is a feature of Azure Monitor that provides Application Performance Management (APM) for live web applications. It supports a wide range of platforms including .NET, Java, Node.js, and Python.
Key Features of Application Insights
Auto-Instrumentation vs SDK-Based
Auto-instrumentation (codeless attach) enables Application Insights without code changes. It is available for Azure App Service, Azure VMs, Azure Functions, and Kubernetes. SDK-based instrumentation requires adding the Application Insights SDK to your code but provides more customization options including custom events and telemetry.
Application Map
Application Map provides a visual layout of your distributed application topology. It shows the components (services), their dependencies, and health indicators such as average response time and failure rate. This helps you spot performance bottlenecks and failure hotspots across all components.
Smart Detection and Alerts
Application Insights includes smart detection that automatically warns you of potential performance problems and failure anomalies. It uses machine learning to analyze telemetry patterns and detect unusual behavior without requiring manual threshold configuration.
Monitoring VMs with Azure Monitor
VM insights is a feature of Azure Monitor that monitors the performance and health of virtual machines, including their running processes and dependencies. It supports Azure VMs, Azure VM scale sets, and on-premises machines.
Azure Monitor Agent (AMA)
The Azure Monitor Agent replaces the legacy Log Analytics agent (MMA/OMS) and Azure Diagnostics extension. AMA uses Data Collection Rules (DCRs) to define which data to collect and where to send it. A single VM can be associated with multiple DCRs, enabling flexible and granular data collection. AMA supports both Windows and Linux.
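To see how several DCRs on one VM combine, here is an added Python example (not Azure code) that models the DCR document shape AMA consumes, with `dataSources`, `destinations` and `dataFlows`, and resolves which workspace each stream is delivered to. The stream names (`Microsoft-Perf`, `Microsoft-Event`) and counter paths are the built-in ones; the workspace resource IDs and the DCR names are placeholders, and `resolve_routes` and `unrouted_streams` are this example's own helpers.

```python
"""Resolving where each Azure Monitor Agent stream goes when a VM has several Data
Collection Rules. Added example modelling the DCR document shape (dataSources,
destinations, dataFlows); it is not Azure code. Workspace resource IDs are
placeholders; stream names and counter paths are the built-in ones."""

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
LAW = SUB + "/resourceGroups/rg-mon/providers/Microsoft.OperationalInsights/workspaces/"

# DCR 1: performance counters to the operations workspace.
DCR_PERF = {
    "name": "dcr-perf-ops",
    "properties": {
        "dataSources": {
            "performanceCounters": [{
                "name": "cpuMem",
                "streams": ["Microsoft-Perf"],
                "samplingFrequencyInSeconds": 60,
                "counterSpecifiers": [r"\Processor(_Total)\% Processor Time",
                                      r"\Memory\Available MBytes"],
            }],
        },
        "destinations": {
            "logAnalytics": [{"name": "opsDest", "workspaceResourceId": LAW + "law-ops"}],
        },
        "dataFlows": [{"streams": ["Microsoft-Perf"], "destinations": ["opsDest"]}],
    },
}

# DCR 2: Windows Security log sign-in events to the security workspace.
DCR_SEC = {
    "name": "dcr-security-events",
    "properties": {
        "dataSources": {
            "windowsEventLogs": [{
                "name": "logons",
                "streams": ["Microsoft-Event"],
                "xPathQueries": ["Security!*[System[(EventID=4624 or EventID=4625)]]"],
            }],
        },
        "destinations": {
            "logAnalytics": [{"name": "secDest", "workspaceResourceId": LAW + "law-sec"}],
        },
        "dataFlows": [{"streams": ["Microsoft-Event"], "destinations": ["secDest"]}],
    },
}


def declared_streams(dcr: dict) -> set:
    """Every stream the DCR's data sources produce, across all data-source kinds."""
    streams = set()
    for sources in dcr["properties"].get("dataSources", {}).values():
        for src in sources:
            streams.update(src.get("streams", []))
    return streams


def unrouted_streams(dcr: dict) -> set:
    """Streams the agent collects but no dataFlow routes anywhere. Such data is
    gathered and then dropped, a common cause of 'the agent runs but the table
    stays empty'."""
    routed = {s for flow in dcr["properties"].get("dataFlows", []) for s in flow["streams"]}
    return declared_streams(dcr) - routed


def resolve_routes(dcrs: list) -> dict:
    """Map each stream to the set of workspace resource IDs it is delivered to,
    combining every DCR associated with the VM."""
    routes = {}
    for dcr in dcrs:
        props = dcr["properties"]
        dest_ids = {d["name"]: d["workspaceResourceId"]
                    for d in props.get("destinations", {}).get("logAnalytics", [])}
        for flow in props.get("dataFlows", []):
            for dest_name in flow["destinations"]:
                if dest_name not in dest_ids:
                    raise ValueError(f"{dcr['name']}: dataFlow references unknown destination {dest_name!r}")
                for stream in flow["streams"]:
                    routes.setdefault(stream, set()).add(dest_ids[dest_name])
    return routes


if __name__ == "__main__":
    for stream, dests in resolve_routes([DCR_PERF, DCR_SEC]).items():
        print(stream, "->", sorted(dests))
```

The `unrouted_streams` check is worth keeping in mind during design reviews: a data source that is declared but not wired into a `dataFlows` entry costs agent CPU and produces nothing in the workspace.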
Monitoring Storage Accounts
Azure Monitor provides built-in monitoring for Azure Storage with metrics such as availability, latency, and transaction counts. You can enable Storage Analytics logging to capture detailed per-request logs for blobs, queues, and tables. Diagnostic settings allow you to route these logs to Log Analytics for advanced analysis.
4. Azure Monitor Alerts and Metrics
Azure Monitor alerts proactively notify you when conditions are found in your monitoring data. They allow you to identify and address issues before the users of your system notice them.
Alert Types
| Alert Type | Based On | Use Case |
|---|---|---|
| Metric alerts | Metric values crossing a threshold | CPU usage exceeds 90% for 5 minutes |
| Log search alerts | Log Analytics query results | Error count exceeds 100 in 15 minutes |
| Activity log alerts | Azure activity log events | VM is deallocated or a resource is deleted |
| Smart detection alerts | Application Insights anomaly detection | Unusual rise in failed request rate |
Action Groups
Action groups define a collection of notification preferences and actions to take when an alert fires. Actions can include email, SMS, voice call, push notification, Azure Function, Logic App, webhook, ITSM connector, and Automation Runbook. A single action group can be reused across multiple alert rules.
Alert Processing Rules
Alert processing rules allow you to apply processing on fired alerts. You can use them to suppress notifications during planned maintenance windows, add action groups to alerts at scale, or apply filtering logic. They are applied after the alert is fired but before any action group is triggered.
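The alert types in the table above, the action groups and the processing rules fit together as one pipeline: a rule evaluates a window of data, the fired alert carries its action groups, and processing rules adjust those action groups before anything runs. The Python below is an added example for this guide, not Azure Monitor's implementation: it models a metric alert (time aggregation over a lookback window against a threshold), a log search alert (row count over a window) and the two processing-rule types (suppress all action groups, add action groups), over constructed samples. The action-group and resource-group names (`ag-ops`, `ag-oncall`, `rg-app`) and the helper names are this example's own.

```python
"""Simplified model of metric alert evaluation, log search alert evaluation and
alert processing rules. Added example; not Azure Monitor's implementation. All
names, samples and timestamps are constructed."""
from datetime import datetime, timedelta, timezone

BASE = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock


def t(minutes: int) -> datetime:
    return BASE + timedelta(minutes=minutes)


# Constructed 1-minute CPU samples for one VM (percent).
CPU_SAMPLES = [(t(m), v) for m, v in enumerate([40, 55, 92, 95, 97, 99, 94, 91, 60, 30])]


def metric_alert_fires(samples, now, threshold=90.0, window_minutes=5) -> bool:
    """Metric alert: average the samples in (now - window, now] and compare with the
    threshold ("CPU > 90% averaged over 5 minutes"). No samples means nothing to
    evaluate, so the rule does not fire (Azure reports that separately as 'no data')."""
    window = timedelta(minutes=window_minutes)
    in_window = [v for ts, v in samples if now - window < ts <= now]
    if not in_window:
        return False
    return sum(in_window) / len(in_window) > threshold


# Constructed application log rows: (TimeGenerated, SeverityLevel).
APP_LOGS = [
    (t(0), "Error"), (t(3), "Information"), (t(5), "Error"), (t(9), "Error"),
    (t(12), "Warning"), (t(14), "Error"), (t(40), "Error"),
]


def log_alert_fires(rows, now, threshold=3, window_minutes=15) -> bool:
    """Log search alert, the equivalent of
    AppTraces | where TimeGenerated > ago(15m) | where SeverityLevel == "Error" | count
    fired when the count exceeds the threshold."""
    window = timedelta(minutes=window_minutes)
    errors = sum(1 for ts, level in rows if now - window < ts <= now and level == "Error")
    return errors > threshold


# Constructed processing rules modelled on the two rule types Azure offers:
# remove all action groups (e.g. a maintenance window) or add action groups at scale.
PROCESSING_RULES = [
    {"name": "weekend-maintenance", "scope": "rg-app", "type": "RemoveAllActionGroups",
     "window": (t(100), t(160))},
    {"name": "page-oncall-for-sev0", "scope": "rg-app", "type": "AddActionGroups",
     "severity": 0, "add": {"ag-oncall"}, "window": None},   # no schedule: always active
]


def actions_to_run(alert: dict, rules, now) -> set:
    """Apply processing rules after the alert fires and before any action group runs.
    A matching suppression rule wins over every add rule, whatever the list order."""
    actions = set(alert["actionGroups"])
    for rule in rules:
        if rule["scope"] != alert["resourceGroup"]:
            continue
        if rule["window"] is not None and not (rule["window"][0] <= now < rule["window"][1]):
            continue
        if "severity" in rule and rule["severity"] != alert["severity"]:
            continue
        if rule["type"] == "RemoveAllActionGroups":
            return set()
        if rule["type"] == "AddActionGroups":
            actions |= rule["add"]
    return actions


CRITICAL_ALERT = {"name": "cpu-high", "resourceGroup": "rg-app", "severity": 0,
                  "actionGroups": {"ag-ops"}}

if __name__ == "__main__":
    print("metric at 12:07:", metric_alert_fires(CPU_SAMPLES, t(7)))
    print("metric at 12:08:", metric_alert_fires(CPU_SAMPLES, t(8)))
    print("log at 12:14:", log_alert_fires(APP_LOGS, t(14)))
    print("actions during maintenance:", actions_to_run(CRITICAL_ALERT, PROCESSING_RULES, t(120)))
    print("actions outside maintenance:", actions_to_run(CRITICAL_ALERT, PROCESSING_RULES, t(10)))
```

Two details the model makes visible: the same CPU series fires at 12:07 and not at 12:08 because the aggregated value, not the latest sample, is compared with the threshold; and a suppression rule empties the action set even when an add rule also matches, so maintenance windows silence everything in scope, including the on-call escalation.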
5. Kusto Query Language (KQL)
KQL is the query language used to analyze log data in Azure Monitor Log Analytics, Azure Data Explorer, Microsoft Sentinel, and other Azure services. Understanding KQL is essential for effective monitoring and troubleshooting.
Essential KQL Operators
```kusto
AppRequests
| where TimeGenerated > ago(24h)
| where Success == false
| summarize ErrorCount = count() by OperationName
| order by ErrorCount desc
| take 10
```
Common KQL Operators
- where - Filters rows based on a condition.
- summarize - Aggregates groups of rows.
- join - Merges rows from two tables.
- project - Selects specific columns.
- extend - Creates calculated columns.
- render - Renders results as a chart.
- ago() - Returns the point in time that is the given timespan before now.
Cross-Resource Queries
KQL supports querying across multiple Log Analytics workspaces using the workspace() function and across Application Insights resources using the app() function. This enables centralized analysis even when data is distributed across multiple workspaces or resources.
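To make the operators concrete, the following Python is an added example for this guide (not how Log Analytics executes KQL): it runs the `AppRequests` query from the section above over constructed rows, first for one workspace and then over a union of two, the way `union workspace("law-eu").AppRequests, workspace("law-us").AppRequests` would combine them, and adds an `extend`/`project` step. The workspace names, rows and helper names are constructed.

```python
"""The section's AppRequests query modelled in Python over constructed rows, on one
workspace and then across a union of two. Added example for teaching the operators
(where, summarize, order, take, extend, project, union); not Log Analytics code."""
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed now()


def ago(delta: timedelta) -> datetime:
    """KQL ago(x) is now() - x."""
    return NOW - delta


def req(hours_ago, success, op, ms):
    return {"TimeGenerated": ago(timedelta(hours=hours_ago)), "Success": success,
            "OperationName": op, "DurationMs": ms}


# Constructed AppRequests rows in two workspaces.
LAW_EU = [
    req(1, False, "GET /checkout", 1200),
    req(2, False, "GET /checkout", 800),
    req(3, False, "POST /login", 300),
    req(4, True, "GET /checkout", 90),
    req(30, False, "GET /search", 400),   # older than 24h: removed by the first where
]
LAW_US = [
    req(5, False, "GET /checkout", 1500),
    req(6, False, "GET /search", 700),
    req(7, True, "POST /login", 120),
]


def failed_requests_by_operation(rows, lookback=timedelta(hours=24), top=10):
    """AppRequests
       | where TimeGenerated > ago(24h)
       | where Success == false
       | summarize ErrorCount = count() by OperationName
       | order by ErrorCount desc
       | take 10"""
    recent = [r for r in rows if r["TimeGenerated"] > ago(lookback)]   # where
    failed = [r for r in recent if r["Success"] is False]              # where
    counts = Counter(r["OperationName"] for r in failed)               # summarize count() by
    # order by ErrorCount desc; KQL leaves tie order unspecified, here ties sort by name
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ordered[:top]                                               # take


def union_workspaces(**workspaces):
    """union workspace("a").AppRequests, workspace("b").AppRequests, with each row
    tagged by its source so results can still be broken down per workspace."""
    return [dict(r, _Workspace=name) for name, rows in workspaces.items() for r in rows]


def slow_failures(rows, threshold_ms=1000):
    """| where Success == false
       | extend Slow = DurationMs > 1000
       | where Slow
       | project OperationName, DurationMs, _Workspace"""
    failed = [r for r in rows if r["Success"] is False]
    extended = [dict(r, Slow=r["DurationMs"] > threshold_ms) for r in failed]   # extend
    return [{k: r.get(k) for k in ("OperationName", "DurationMs", "_Workspace")}  # project
            for r in extended if r["Slow"]]


if __name__ == "__main__":
    both = union_workspaces(law_eu=LAW_EU, law_us=LAW_US)
    print(failed_requests_by_operation(LAW_EU))
    print(failed_requests_by_operation(both))
    print(slow_failures(both))
```

The `_Workspace` tag mirrors a habit worth keeping in real cross-resource queries: carry the source through `summarize ... by` so a centralized view can still say which region or workspace a spike came from.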
6. Microsoft Sentinel for Security Monitoring
Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution built on top of Azure Monitor and Log Analytics.
Sentinel Key Capabilities
Data Connectors
Sentinel provides built-in connectors to ingest data from Microsoft solutions (Azure AD, Microsoft 365, Defender), third-party security products, and custom sources via Syslog, CEF, or REST API. Data connectors funnel security data into the Sentinel workspace for analysis.
Analytics Rules and Incidents
Sentinel uses analytics rules to correlate alerts into incidents. Built-in rule templates leverage Microsoft security research. Custom rules use KQL to detect specific threat patterns. When a rule triggers, it creates an incident that security analysts can investigate, assign, and track through resolution.
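Correlating alerts into incidents is the part of this that candidates most often have to reason about, so here is an added Python example (not Sentinel code) that models the grouping behaviour described above: alerts that share an entity, such as an account or host, within a lookback window are folded into one incident, and the incident takes the highest alert severity. Alert names, accounts, hosts and timestamps are constructed, and `Alert`, `Incident` and `correlate` are this example's own names.

```python
"""Simplified model of grouping alerts into incidents by shared entity within a
lookback window. Added example, not Sentinel code; all alerts are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

BASE = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)  # constructed clock


def t(minutes: int) -> datetime:
    return BASE + timedelta(minutes=minutes)


SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass
class Alert:
    name: str
    time: datetime
    severity: str
    entities: dict      # entity type -> value, e.g. {"Account": "alice", "Host": "vm1"}


@dataclass
class Incident:
    id: int
    alerts: list = field(default_factory=list)
    entities: dict = field(default_factory=dict)   # entity type -> set of values
    last_time: Optional[datetime] = None

    @property
    def severity(self) -> str:
        """Incident severity is the highest severity among its alerts."""
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.get)

    def add(self, alert: Alert) -> None:
        self.alerts.append(alert)
        if self.last_time is None or alert.time > self.last_time:
            self.last_time = alert.time
        for kind, value in alert.entities.items():
            self.entities.setdefault(kind, set()).add(value)


def shares_entity(alert: Alert, incident: Incident, group_by) -> bool:
    """True if the alert carries a grouped entity value the incident already has."""
    return any(alert.entities.get(k) is not None
               and alert.entities[k] in incident.entities.get(k, set())
               for k in group_by)


def correlate(alerts, group_by=("Account", "Host"), lookback_minutes=60):
    """Process alerts in time order; attach each to the first open incident that shares
    a grouped entity and whose latest alert is within the lookback, else open a new one."""
    lookback = timedelta(minutes=lookback_minutes)
    incidents = []
    for alert in sorted(alerts, key=lambda a: a.time):
        target = next((inc for inc in incidents
                       if alert.time - inc.last_time <= lookback
                       and shares_entity(alert, inc, group_by)), None)
        if target is None:
            target = Incident(id=len(incidents) + 1)
            incidents.append(target)
        target.add(alert)
    return incidents


# Constructed alerts from several analytics rules.
ALERTS = [
    Alert("Brute-force sign-in", t(0), "Medium", {"Account": "alice", "Host": "vm1"}),
    Alert("New admin role assigned", t(20), "High", {"Account": "alice"}),
    Alert("Malware detected", t(30), "High", {"Host": "vm9", "Account": "bob"}),
    Alert("Impossible travel", t(200), "Low", {"Account": "alice"}),   # > 1h after alice's last alert
]

if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(inc.id, inc.severity, [a.name for a in inc.alerts], inc.entities)
```

With the default one-hour lookback the first two alerts become one High incident for `alice`, the malware alert stands alone, and the late sign-in opens a third incident; widening the lookback to four hours pulls that late alert into the first incident instead, which is the trade-off an analyst tunes when a rule produces too many or too few incidents.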
Automation with Playbooks
Sentinel playbooks are built on Azure Logic Apps and enable automated response to security incidents. They can run automatically when an alert or incident is created, or be triggered manually by analysts. Playbooks can perform actions such as blocking IP addresses, disabling user accounts, isolating VMs, or creating tickets in external ITSM systems.
Workbooks and Hunting
Sentinel workbooks provide interactive dashboards for security monitoring and investigation. Threat hunting uses KQL queries to proactively search for security threats before alerts are triggered. Bookmarks allow analysts to save interesting query results for later investigation or to create incidents from hunting findings.
Key Terms
| Term | Definition |
|---|---|
| Azure Monitor | Central platform for collecting, analyzing, and acting on telemetry data from Azure and on-premises environments. |
| Log Analytics Workspace | The unique environment in Azure Monitor for storing and querying log data using KQL. |
| Application Insights | APM feature of Azure Monitor for monitoring live web application performance and usage. |
| KQL (Kusto Query Language) | The query language used to analyze log data in Azure Monitor, Sentinel, and Azure Data Explorer. |
| Data Collection Rule (DCR) | Defines what data to collect from Azure Monitor Agent and where to send it. |
| Action Group | A collection of notification preferences and actions executed when an alert fires. |
| Microsoft Sentinel | Cloud-native SIEM/SOAR solution built on Azure Monitor for security monitoring and automated response. |
| Smart Detection | Machine learning feature in Application Insights that automatically detects performance anomalies. |
Exam Tips
- Know the difference between Metrics and Logs: Metrics are lightweight numerical time-series data ideal for real-time alerting. Logs are rich structured records queried with KQL for deep analysis.
- Understand workspace design: Start with a single Log Analytics workspace unless regulatory, geographic, or access-control requirements demand separation.
- Azure Monitor Agent (AMA) is the future: AMA with Data Collection Rules replaces the legacy Log Analytics agent (MMA). Expect questions about DCR-based data collection.
- Application Insights supports codeless and SDK-based instrumentation: Know when each approach is appropriate. Codeless is simpler but SDK provides more customization.
- Understand alert types: Metric alerts for threshold-based monitoring, log search alerts for KQL-based conditions, activity log alerts for control-plane events.
- Sentinel builds on Log Analytics: It uses the same workspace and KQL queries but adds SIEM/SOAR capabilities including analytics rules, incidents, playbooks, and threat hunting.
Practice Questions
Question 1
Your organization needs to monitor the performance of a .NET web application running on Azure App Service. You need real-time performance monitoring with minimal code changes. What should you use?
A. Azure Monitor Metrics only
B. Application Insights with auto-instrumentation
C. Log Analytics workspace with custom KQL queries
D. Microsoft Sentinel analytics rules
Answer: B
Application Insights auto-instrumentation (codeless attach) provides comprehensive APM for Azure App Service with minimal configuration and no code changes. It captures request rates, response times, dependency calls, exceptions, and page views automatically.
Question 2
You have resources deployed across multiple Azure regions with different compliance requirements. Some regions require data to remain within geographic boundaries. How should you design your Log Analytics workspace architecture?
A. Use a single workspace in one region and enable geo-replication
B. Create separate workspaces per region to meet data sovereignty requirements
C. Use Azure Storage accounts in each region instead of Log Analytics
D. Deploy Microsoft Sentinel in each region without Log Analytics
Answer: B
When data sovereignty or compliance requirements mandate that log data stays within a specific geographic region, you should create separate Log Analytics workspaces in each region. Cross-workspace queries can still be used for centralized analysis when needed.
Question 3
You need to send an automated response when a critical alert fires, including sending an email to the operations team, creating a ticket in ServiceNow, and running an Azure Automation runbook. What should you configure?
A. A single alert processing rule
B. An action group with multiple actions attached to the alert rule
C. A Microsoft Sentinel playbook
D. An Azure Logic App triggered by a webhook
Answer: B
Action groups define a collection of notification preferences and actions. A single action group can include email notifications, ITSM connectors (ServiceNow), and Automation Runbooks. The action group is then associated with the alert rule to trigger all actions when the alert fires.
Question 4
You need to collect performance counters and Windows event logs from a fleet of Azure VMs and send different data types to different Log Analytics workspaces. What should you use?
A. Legacy Log Analytics agent with multiple workspace connections
B. Azure Monitor Agent with multiple Data Collection Rules
C. Azure Diagnostics extension with multiple storage accounts
D. Application Insights SDK installed on each VM
Answer: B
The Azure Monitor Agent (AMA) uses Data Collection Rules (DCRs) to define what data to collect and where to send it. A single VM can have multiple DCRs, each routing different data types to different destinations, providing the flexibility needed for this scenario.
Question 5
Your security team needs to detect and respond to threats across your Azure environment automatically. They need to correlate security alerts from multiple sources, investigate incidents, and trigger automated responses. What solution should you recommend?
A. Azure Monitor with metric alerts and action groups
B. Application Insights with smart detection
C. Microsoft Sentinel with analytics rules and playbooks
D. Log Analytics workspace with scheduled KQL queries
Answer: C
Microsoft Sentinel is the cloud-native SIEM/SOAR solution designed for security monitoring. It correlates alerts into incidents using analytics rules, supports investigation with hunting queries and workbooks, and automates response with playbooks built on Azure Logic Apps.