Merge pull request #261427 from sunasing/sunasing-br-1215

Update Remote write documentation with AzureGovernment configuration

Author: v-ccolin

articles/azure-monitor/containers/media/prometheus-remote-write-managed-identity/dce-ingestion-url.png

@@ -30,15 +30,13 @@ The node resource group of the AKS cluster contains resources that you will requ
 ## Get the client ID of the user assigned identity
 You will require the client ID of the identity that you're going to use. Note this value for use in later steps in this process.
 
-Get the **Client ID** from the **Overview** page of your [managed identity](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md).
-
-:::image type="content" source="media/prometheus-remote-write-managed-identity/client-id.png" alt-text="Screenshot showing client ID on overview page of managed identity." lightbox="media/prometheus-remote-write-managed-identity/client-id.png":::
-
-Instead of creating your own ID, you can use one of the identities created by AKS, which are listed in [Use a managed identity in Azure Kubernetes Service](../../aks/use-managed-identity.md). This article uses the `Kubelet` identity. The name of this identity is `<AKS-CLUSTER-NAME>-agentpool` and located in the node resource group of the AKS cluster.
+Instead of creating your own ID, you can use one of the identities created by AKS, which are listed in [Use a managed identity in Azure Kubernetes Service](../../aks/use-managed-identity.md). This article uses the `Kubelet` identity. The name of this identity is `<AKS-CLUSTER-NAME>-agentpool` and is located in the node resource group of the AKS cluster.
 
 :::image type="content" source="media/prometheus-remote-write-managed-identity/resource-group-details.png" alt-text="Screenshot showing list of resources in the node resource group." lightbox="media/prometheus-remote-write-managed-identity/resource-group-details.png":::
 
+Click on the `<AKS-CLUSTER-NAME>-agentpool` managed identity and copy the **Client ID** from the **Overview** page. To learn more about managed identity, visit [Managed Identity](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md).
 
+:::image type="content" source="media/prometheus-remote-write-managed-identity/client-id.png" alt-text="Screenshot showing client ID on overview page of managed identity." lightbox="media/prometheus-remote-write-managed-identity/client-id.png":::
 
 ## Assign Monitoring Metrics Publisher role on the data collection rule to the managed identity
 The managed identity requires the *Monitoring Metrics Publisher* role on the data collection rule associated with your Azure Monitor workspace.
@@ -84,7 +82,7 @@ This step isn't required if you're using an AKS identity since it will already h
 
 ## Deploy Side car and configure remote write on the Prometheus server
 
-1. Copy the YAML below and save to a file. This YAML assumes you're using 8081 as your listening port. Modify that value if you use a different port.
+1. Copy the YAML below and save to a file. This YAML uses 8081 as the listening port but you can modify that value if you wish to use a different port.
 
     [!INCLUDE[managed-identity-yaml](../includes/prometheus-sidecar-remote-write-managed-identity-yaml.md)]
 
@@ -98,8 +96,11 @@ This step isn't required if you're using an AKS identity since it will already h
     | `<MANAGED-IDENTITY-CLIENT-ID>` | **Client ID** from the **Overview** page for the managed identity |
     | `<CLUSTER-NAME>` | Name of the cluster Prometheus is running on |
 
+> [!IMPORTANT]
+> For Azure Government cloud, use *"https://monitor.azure.us//.default"* as the value for *INGESTION_AAD_AUDIENCE* in the yaml.
+
 3. Open Azure Cloud Shell and upload the YAML file.
-4. Use helm to apply the YAML file to update your Prometheus configuration with the following CLI commands. 
+4. Use helm to apply the YAML file to update your Prometheus configuration with the following CLI commands.
 
     ```azurecli
     # set context to your cluster 

articles/azure-monitor/containers/prometheus-remote-write-managed-identity.md

@@ -34,11 +34,11 @@ Use the following methods to verify that Prometheus data is being sent into your
 
 ### kubectl commands
 
-Use the following command to view your container log. Remote write data is flowing if the output has non-zero value for `avgBytesPerRequest` and `avgRequestDuration`.
+Use the following command to view logs from the side car container. Remote write data is flowing if the output has non-zero value for `avgBytesPerRequest` and `avgRequestDuration`.
 
 ```azurecli
-kubectl logs <Prometheus-Pod-Name> <Azure-Monitor-Side-Car-Container-Name>
-# example: kubectl logs prometheus-prometheus-kube-prometheus-prometheus-0 prom-remotewrite --namespace <namespace>
+kubectl logs <Prometheus-Pod-Name> <Azure-Monitor-Side-Car-Container-Name> --namespace <namespace-where-Prometheus-is-running>
+# example: kubectl logs prometheus-prometheus-kube-prometheus-prometheus-0 prom-remotewrite --namespace monitoring
 ```
 
 The output from this command should look similar to the following:
@@ -75,19 +75,21 @@ The output from this command should look similar to the following:
 ```
 
 ### Hitting your ingestion quota limit
-With remote write you will typically get started using the remote write endpoint shown on the Azure Monitor workspace overview page. Behind the scenes, this uses a system Data Collection Rule (DCR) and system Data Collection Endpoint (DCE). These resources have an ingestion limit covered in the [Azure Monitor service limits](../service-limits.md#prometheus-metrics) document. You may hit these limits if you setup remote write for several clusters all sending data into the same endpoint in the same Azure Monitor workspace. If this is the case you can [create additional DCRs and DCEs](https://aka.ms/prometheus/remotewrite/dcrartifacts) and use them to spread out the ingestion loads across a few ingestion endpoints.
+With remote write you will typically get started using the remote write endpoint shown on the Azure Monitor workspace overview page. Behind the scenes, this uses a system Data Collection Rule (DCR) and system Data Collection Endpoint (DCE). These resources have an ingestion limit covered in the [Azure Monitor service limits](../service-limits.md#prometheus-metrics) document. You may hit these limits if you set up remote write for several clusters all sending data into the same endpoint in the same Azure Monitor workspace. If this is the case you can [create additional DCRs and DCEs](https://aka.ms/prometheus/remotewrite/dcrartifacts) and use them to spread out the ingestion loads across a few ingestion endpoints.
 
 The INGESTION-URL uses the following format: 
-https\://\<Metrics-Ingestion-URL>/dataCollectionRules/\<DCR-Immutable-ID>/streams/Microsoft-PrometheusMetrics/api/v1/write?api-version=2021-11-01-preview 
+https\://\<**Metrics-Ingestion-URL**>/dataCollectionRules/\<**DCR-Immutable-ID**>/streams/Microsoft-PrometheusMetrics/api/v1/write?api-version=2021-11-01-preview 
 
-Metrics-Ingestion-URL: can be obtained by viewing DCE JSON body with API version 2021-09-01-preview or newer. 
+**Metrics-Ingestion-URL**: can be obtained by viewing DCE JSON body with API version 2021-09-01-preview or newer. See screenshot below for reference.
 
-DCR-Immutable-ID: can be obtained by viewing DCR JSON body or running the following command in the Azure CLI: 
+:::image type="content" source="media/prometheus-remote-write-managed-identity/dce-ingestion-url.png" alt-text="Screenshot showing how to get the metrics ingestion URL." lightbox="media/prometheus-remote-write-managed-identity/dce-ingestion-url.png":::
+
+**DCR-Immutable-ID**: can be obtained by viewing DCR JSON body or running the following command in the Azure CLI: 
 
 ```azureccli
 az monitor data-collection rule show --name "myCollectionRule" --resource-group "myResourceGroup" 
 ```
-  
+
 ## Next steps
 
 - [Learn more about Azure Monitor managed service for Prometheus](../essentials/prometheus-metrics-overview.md).

articles/azure-monitor/containers/prometheus-remote-write.md

@@ -59,6 +59,8 @@ prometheus:
         value: userAssigned
       - name: AZURE_CLIENT_ID
         value: <MANAGED-IDENTITY-CLIENT-ID>
+      - name: INGESTION_AAD_AUDIENCE
+        value: https://monitor.azure.us//.default
       # Optional parameter
       - name: CLUSTER
         value: <CLUSTER-NAME>