Merge pull request #201236 from Nawrock/kai-livestream-add-auth-limits

[AppInsights][v-kainawroth] Info about authenticated channel

Author: Court72

articles/azure-monitor/app/live-stream.md

@@ -1,20 +1,20 @@
 ---
-title: Diagnose with Live Metrics Stream - Azure Application Insights
+title: Diagnose with Live Metrics - Application Insights - Azure Monitor
 description: Monitor your web app in real time with custom metrics, and diagnose issues with a live feed of failures, traces, and events.
 ms.topic: conceptual
 ms.date: 05/31/2022
 ms.reviewer: sdash
 ms.devlang: csharp
 ---
 
-# Live Metrics Stream: Monitor & Diagnose with 1-second latency
+# Live Metrics: Monitor & Diagnose with 1-second latency
 
-Monitor your live, in-production web application by using Live Metrics Stream (also known as QuickPulse) from [Application Insights](./app-insights-overview.md). Select and filter metrics and performance counters to watch in real time, without any disturbance to your service. Inspect stack traces from sample failed requests and exceptions. Together with [Profiler](./profiler.md) and [Snapshot debugger](./snapshot-debugger.md), Live Metrics Stream provides a powerful and non-invasive diagnostic tool for your live web site.
+Monitor your live, in-production web application by using Live Metrics (also known as QuickPulse) from [Application Insights](./app-insights-overview.md). Select and filter metrics and performance counters to watch in real time, without any disturbance to your service. Inspect stack traces from sample failed requests and exceptions. Together with [Profiler](./profiler.md) and [Snapshot debugger](./snapshot-debugger.md), Live Metrics provides a powerful and non-invasive diagnostic tool for your live website.
 
 > [!NOTE]
-> Live Metrics only supports TLS 1.2. For more information refer to [Troubleshooting](#troubleshooting). 
+> Live Metrics only supports TLS 1.2. For more information, refer to [Troubleshooting](#troubleshooting). 
 
-With Live Metrics Stream, you can:
+With Live Metrics, you can:
 
 * Validate a fix while it's released, by watching performance and failure counts.
 * Watch the effect of test loads, and diagnose issues live.
@@ -29,31 +29,33 @@ With Live Metrics Stream, you can:
 Live Metrics are currently supported for ASP.NET, ASP.NET Core, Azure Functions, Java, and Node.js apps.
 
 > [!NOTE]
->  The number of monitored server instances displayed by Live Metrics Stream may be lower than the actual number of instances allocated for the application. This is because many modern web servers will unload applications that do not receive requests over a period of time in order to conserve resources. Since Live Metrics Stream only counts servers that are currently running the application, servers that have already unloaded the process will not be included in that total.
+> The number of monitored server instances displayed by Live Metrics may be lower than the actual number of instances allocated for the application. This is because many modern web servers will unload applications that do not receive requests over a period of time in order to conserve resources. Since Live Metrics only counts servers that are currently running the application, servers that have already unloaded the process will not be included in that total.
 
 ## Get started
 
 1. Follow language specific guidelines to enable Live Metrics.
    * [ASP.NET](./asp-net.md) - Live Metrics is enabled by default.
-   * [ASP.NET Core](./asp-net-core.md)- Live Metrics is enabled by default.
-   * [.NET/.NET Core Console/Worker](./worker-service.md)- Live Metrics is enabled by default.
-   * [.NET Applications - Enable using code](#enable-livemetrics-using-code-for-any-net-application).
+   * [ASP.NET Core](./asp-net-core.md) - Live Metrics is enabled by default.
+   * [.NET/.NET Core Console/Worker](./worker-service.md) - Live Metrics is enabled by default.
+   * [.NET Applications - Enable using code](#enable-live-metrics-using-code-for-any-net-application).
     * [Java](./java-in-process-agent.md) - Live Metrics is enabled by default.
    * [Node.js](./nodejs.md#live-metrics)
 
-2. In the [Azure portal](https://portal.azure.com), open the Application Insights resource for your app, and then open Live Stream.
+2. In the [Azure portal](https://portal.azure.com), open the Application Insights resource for your app, then open Live Stream.
 
 3. [Secure the control channel](#secure-the-control-channel) if you might use sensitive data such as customer names in your filters.
 
 > [!IMPORTANT]
-> Monitoring ASP.NET Core [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) applications require Application Insights version 2.8.0 or above. To enable Application Insights ensure it is both activated in the Azure Portal and that the Application Insights NuGet package is included. Without the NuGet package some telemetry is sent to Application Insights but that telemetry will not show in the Live Metrics Stream.
+> Monitoring ASP.NET Core [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) applications require Application Insights version 2.8.0 or above. To enable Application Insights ensure it is both activated in the Azure Portal and that the Application Insights NuGet package is included. Without the NuGet package some telemetry is sent to Application Insights but that telemetry will not show in Live Metrics.
 
 [!INCLUDE [azure-monitor-log-analytics-rebrand](../../../includes/azure-monitor-instrumentation-key-deprecation.md)]
 
-### Enable LiveMetrics using code for any .NET application
+### Enable Live Metrics using code for any .NET application
 
-Even though LiveMetrics is enabled by default when onboarding using recommended instructions for .NET Applications, the following shows how to set up Live Metrics
-manually.
+> [!NOTE]
+> Live Metrics is enabled by default when onboarding using the recommended instructions for .NET Applications.
+
+How to manually set up Live Metrics:
 
 1. Install the NuGet package [Microsoft.ApplicationInsights.PerfCounterCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.PerfCounterCollector)
 2. The following sample console app code shows setting up Live Metrics.
@@ -100,7 +102,7 @@ namespace LiveMetricsDemo
             while (true)
             {
                 // Send dependency and request telemetry.
-                // These will be shown in Live Metrics stream.
+                // These will be shown in Live Metrics.
                 // CPU/Memory Performance counter is also shown
                 // automatically without any additional steps.
                 client.TrackDependency("My dependency", "target", "http://sample",
@@ -116,7 +118,7 @@ namespace LiveMetricsDemo
 
 While the above sample is for a console app, the same code can be used in any .NET applications. If any other TelemetryModules are enabled which auto-collects telemetry, it's important to ensure the same configuration used for initializing those modules is used for Live Metrics module as well.
 
-## How does Live Metrics Stream differ from Metrics Explorer and Analytics?
+## How does Live Metrics differ from Metrics Explorer and Analytics?
 
 | |Live Stream | Metrics Explorer and Analytics |
 |---|---|---|
@@ -141,7 +143,7 @@ You can monitor a value different from Count. The options depend on the type of
 
 In addition to Application Insights telemetry, you can also monitor any Windows performance counter by selecting that from the stream options, and providing the name of the performance counter.
 
-Live metrics are aggregated at two points: locally on each server, and then across all servers. You can change the default at either by selecting other options in the respective drop-downs.
+Live Metrics are aggregated at two points: locally on each server, and then across all servers. You can change the default at either by selecting other options in the respective drop-downs.
 
 ## Sample Telemetry: Custom Live Diagnostic Events
 By default, the live feed of events shows samples of failed requests and dependency calls, exceptions, events, and traces. Select the filter icon to see the applied criteria at any point in time.
@@ -161,25 +163,32 @@ See the details of an item in the live feed by clicking it. You can pause the fe
 
 ## Filter by server instance
 
-If you want to monitor a particular server role instance, you can filter by server. To filter select the server name under *Servers*.
+If you want to monitor a particular server role instance, you can filter by server. To filter, select the server name under *Servers*.
 
 ![Sampled live failures](./media/live-stream/filter-by-server.png)
 
 ## Secure the control channel
 
-> [!NOTE]
-> Currently, you can only set up an authenticated channel using manual instrumentation (SDK) and cannot authenticate servers using Azure service integration (or auto instrumentation).
+Live Metrics custom filters allow you to control which of your application's telemetry is streamed to the Live Metrics view in Azure portal. The filters criteria is sent to the apps that are instrumented with the Application Insights SDK. The filter value could potentially contain sensitive information such as CustomerID. To keep this value secured and prevent potential disclosure to unauthorized applications, you have two options:
 
-The custom filters criteria you specify in Live Metrics portal are sent back to the Live Metrics component in the Application Insights SDK. The filters could potentially contain sensitive information such as customerIDs. You can make the channel secure with a secret API key in addition to the instrumentation key.
+- Recommended: Secure Live Metrics channel using [Azure AD authentication](./azure-ad-authentication.md#configuring-and-enabling-azure-ad-based-authentication)
+- Legacy (no longer recommended): Set up an authenticated channel by configuring a secret API key as explained below
+
+It is possible to try custom filters without having to set up an authenticated channel. Simply click on any of the filter icons and authorize the connected servers. Notice that if you choose this option, you will have to authorize the connected servers once every new session or when a new server comes online.
+
+> [!WARNING]
+> We strongly discourage the use of unsecured channels and will disable this option 6 months after you start using it. The “Authorize connected servers” dialog displays the date (highlighted below) after which this option will be disabled.
 
-### Create an API Key
+:::image type="content" source="media/live-stream/live-stream-auth.png" alt-text="Screenshot displaying the 'authorize connected servers' dialog." lightbox="media/live-stream/live-stream-auth.png":::
+
+### Legacy option: Create API key
 
 ![API key > Create API key](./media/live-stream/api-key.png)
 ![Create API Key tab. Select "authenticate SDK control channel" then "generate key"](./media/live-stream/create-api-key.png)
 
 ### Add API key to Configuration
 
-### ASP.NET
+#### ASP.NET
 
 In the applicationinsights.config file, add the AuthenticationApiKey to the QuickPulseTelemetryModule:
 
@@ -189,7 +198,7 @@ In the applicationinsights.config file, add the AuthenticationApiKey to the Quic
 </Add>
 ```
 
-### ASP.NET Core
+#### ASP.NET Core
 
 For [ASP.NET Core](./asp-net-core.md) applications, follow the instructions below.
 
@@ -213,7 +222,7 @@ public void ConfigureServices(IServiceCollection services)
 
 More information on configuring ASP.NET Core applications can be found in our guidance on [configuring telemetry modules in ASP.NET Core](./asp-net-core.md#configuring-or-removing-default-telemetrymodules).
 
-### WorkerService
+#### WorkerService
 
 For [WorkerService](./worker-service.md) applications, follow the instructions below.
 
@@ -231,20 +240,12 @@ Next, add the following line before the call `services.AddApplicationInsightsTel
 
 More information on configuring WorkerService applications can be found in our guidance on [configuring telemetry modules in WorkerServices](./worker-service.md#configuring-or-removing-default-telemetrymodules).
 
-### Azure Function Apps
+#### Azure Function Apps
 
 For Azure Function Apps (v2), securing the channel with an API key can be accomplished with an environment variable.
 
 Create an API key from within your Application Insights resource and go to **Settings > Configuration** for your Function App. Select **New application setting** and enter a name of `APPINSIGHTS_QUICKPULSEAUTHAPIKEY` and a value that corresponds to your API key.
 
-Securing the control channel is not necessary if you recognize and trust all the connected servers. This option is made available so that you can try custom filters without having to set up an authenticated channel. If you choose this option you will have to authorize the connected servers once every new session or when a new server comes online. We strongly discourage the use of unsecured channels and will disable this option 6 months after you start using it. To use custom filters without a secure channel simply click on any of the filter icons and authorize the connected servers. The “Authorize connected servers” dialog displays the date (highlighted below) after which this option will be disabled.
-
-:::image type="content" source="media/live-stream/live-stream-auth.png" alt-text="Screenshot displaying the authorize connected servers dialog." lightbox="media/live-stream/live-stream-auth.png":::
-
-> [!NOTE]
-> We strongly recommend that you set up the authenticated channel before entering potentially sensitive information like CustomerID in the filter criteria.
->
-
 ## Supported features table
 
 | Language                         | Basic Metrics       | Performance metrics | Custom filtering    | Sample telemetry    | CPU split by process |
@@ -261,14 +262,14 @@ Basic metrics include request, dependency, and exception rate. Performance metri
  \* PerfCounters support varies slightly across versions of .NET Core that do not target the .NET Framework:
 
 - PerfCounters metrics are supported when running in Azure App Service for Windows. (AspNetCore SDK Version 2.4.1 or higher)
-- PerfCounters are supported when app is running in ANY Windows machines (VM or Cloud Service or On-prem etc.) (AspNetCore SDK Version 2.7.1 or higher), but for apps targeting .NET Core [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) or higher.
+- PerfCounters are supported when app is running in ANY Windows machines (VM or Cloud Service or on-premises etc.) (AspNetCore SDK Version 2.7.1 or higher), but for apps targeting .NET Core [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) or higher.
 - PerfCounters are supported when app is running ANYWHERE (Linux, Windows, app service for Linux, containers, etc.) in the latest versions, but only for apps targeting .NET Core [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) or higher.
 
 ## Troubleshooting
 
-Live Metrics Stream uses different IP addresses than other Application Insights telemetry. Make sure [those IP addresses](./ip-addresses.md) are open in your firewall. Also check the [outgoing ports for Live Metrics Stream](./ip-addresses.md#outgoing-ports) are open in the firewall of your servers.
+Live Metrics uses different IP addresses than other Application Insights telemetry. Make sure [those IP addresses](./ip-addresses.md) are open in your firewall. Also check the [outgoing ports for Live Metrics](./ip-addresses.md#outgoing-ports) are open in the firewall of your servers.
 
-As described in the [Azure TLS 1.2 migration announcement](https://azure.microsoft.com/updates/azuretls12/), Live Metrics now only supports TLS 1.2. If you are using an older version of TLS , Live Metrics will not display any data. For applications based on .NET Framework 4.5.1 refer to [How to enable Transport Layer Security (TLS) 1.2 on clients - Configuration Manager](/mem/configmgr/core/plan-design/security/enable-tls-1-2-client#bkmk_net) to support newer TLS version.
+As described in the [Azure TLS 1.2 migration announcement](https://azure.microsoft.com/updates/azuretls12/), Live Metrics now only supports TLS 1.2. If you are using an older version of TLS, Live Metrics will not display any data. For applications based on .NET Framework 4.5.1, refer to [How to enable Transport Layer Security (TLS) 1.2 on clients - Configuration Manager](/mem/configmgr/core/plan-design/security/enable-tls-1-2-client#bkmk_net) to support newer TLS version.
 
 > [!WARNING]
 > Currently, authenticated channel only supports manual SDK instrumentation. The authenticated channel cannot be configured with auto-instrumentation (used to be known as "codeless attach").
@@ -278,8 +279,8 @@ As described in the [Azure TLS 1.2 migration announcement](https://azure.microso
 1. Verify you are using the latest version of the NuGet package [Microsoft.ApplicationInsights.PerfCounterCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.PerfCounterCollector)
 2. Edit the `ApplicationInsights.config` file
     * Verify that the connection string points to the Application Insights resource you are using
-    * Locate the `QuickPulseTelemetryModule` configuration option; if it is not there add it
-    * Locate the `QuickPulseTelemetryProcessor` configuration option; if it is not there add it
+    * Locate the `QuickPulseTelemetryModule` configuration option; if it is not there, add it
+    * Locate the `QuickPulseTelemetryProcessor` configuration option; if it is not there, add it
 
  ```xml
 <TelemetryModules>