Merge pull request #253726 from bwren/waf-containers

Containers best practices guide

Author: AnnaMHuff

articles/azure-monitor/best-practices-containers.md

@@ -0,0 +1,50 @@
+---
+title: Best practices for monitoring Kubernetes
+description: Provides a template for a Well-Architected Framework (WAF) article specific to monitoring Kubernetes with Azure Monitor.
+ms.topic: conceptual
+author: bwren
+ms.author: bwren
+ms.date: 03/29/2023
+ms.reviewer: bwren
+---
+
+# Best practices for monitoring Kubernetes with Azure Monitor
+This article provides best practices for monitoring the health and performance of your [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md) and [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md) clusters. The guidance is based on the five pillars of architecture excellence described in [Azure Well-Architected Framework](/azure/architecture/framework/).
+
+
+
+## Reliability
+In the cloud, we acknowledge that failures happen. Instead of trying to prevent failures altogether, the goal is to minimize the effects of a single failing component. Use the following information to best leverage Azure Monitor to ensure the reliability of your Kubernetes clusters and monitoring environment.
+
+[!INCLUDE [waf-containers-reliability](includes/waf-containers-reliability.md)]
+
+
+## Security
+Security is one of the most important aspects of any architecture. Azure Monitor provides features to employ both the principle of least privilege and defense-in-depth. Use the following information to monitor your Kubernetes clusters and ensure that only authorized users access collected data.
+
+[!INCLUDE [waf-containers-security](includes/waf-containers-security.md)]
+
+
+## Cost optimization
+Cost optimization refers to ways to reduce unnecessary expenses and improve operational efficiencies. You can significantly reduce your cost for Azure Monitor by understanding your different configuration options and opportunities to reduce the amount of data that it collects. See [Azure Monitor cost and usage](usage-estimated-costs.md) to understand the different ways that Azure Monitor charges and how to view your monthly bill.
+
+> [!NOTE]
+> See [Optimize costs in Azure Monitor](best-practices-cost.md) for cost optimization recommendations across all features of Azure Monitor.
+
+[!INCLUDE [waf-containers-cost](includes/waf-containers-cost.md)]
+
+
+## Operational excellence
+Operational excellence refers to operations processes required keep a service running reliably in production. Use the following information to minimize the operational requirements for monitoring your Kubernetes clusters.
+
+[!INCLUDE [waf-containers-operation](includes/waf-containers-operation.md)]
+
+
+## Performance efficiency
+Performance efficiency is the ability of your workload to scale to meet the demands placed on it by users in an efficient manner. Use the following information to monitor the performance of your Kubernetes clusters and ensure they're configured for maximum performance.
+
+[!INCLUDE [waf-containers-performance](includes/waf-containers-performance.md)]
+
+## Next step
+
+- [Get best practices for a complete deployment of Azure Monitor](best-practices.md).

articles/azure-monitor/best-practices-cost.md

@@ -40,28 +40,19 @@ This article describes [Cost optimization](/azure/architecture/framework/cost/)
 |:---|:---|
 | Collect only critical resource log data from Azure resources. | When you create [diagnostic settings](essentials/diagnostic-settings.md) to send [resource logs](essentials/resource-logs.md) for your Azure resources to a Log Analytics database, only specify those categories that you require. Since diagnostic settings don't allow granular filtering of resource logs, you can use a [workspace transformation](essentials/data-collection-transformations.md?#workspace-transformation-dcr) to further filter unneeded data for those resources that use a [supported table](logs/tables-feature-support.md). See [Diagnostic settings in Azure Monitor](essentials/diagnostic-settings.md#controlling-costs) for details on how to configure diagnostic settings and using transformations to filter their data. |
 
-## Virtual machines
+## Alerts
 
-[!INCLUDE [waf-vm-cost](includes/waf-vm-cost.md)]
+[!INCLUDE [waf-containers-cost](includes/waf-alerts-cost.md)]
 
-## Container insights
 
-### Design checklist
+## Virtual machines
 
-> [!div class="checklist"]
-> - Configure agent collection to remove unneeded data.
-> - Modify settings for collection of metric data.
-> - Limit Prometheus metrics collected.
-> - Configure Basic Logs.
-### Configuration recommendations
+[!INCLUDE [waf-vm-cost](includes/waf-vm-cost.md)]
+
+## Containers
 
-| Recommendation | Benefit |
-|:---|:---|
-| Configure agent collection to remove unneeded data. |  Analyze the data collected by Container insights as described in [Controlling ingestion to reduce cost](containers/container-insights-cost.md#control-ingestion-to-reduce-cost) and adjust your configuration to stop collection of data in ContainerLogs you don't need. |
-| Modify settings for collection of metric data. |  You can reduce your costs by modifying the default collection settings Container insights uses for the collection of metric data. See [Enable cost optimization settings](containers/container-insights-cost-config.md) for details on modifying both the frequency that metric data is collected and the namespaces that are collected. |
-| Limit Prometheus metrics collected. | If you configured Prometheus metric scraping, then follow the recommendations at [Controlling ingestion to reduce cost](containers/container-insights-cost.md#prometheus-metrics-scraping) to optimize your data collection for cost. |
-| Configure Basic Logs. | [Convert your schema to ContainerLogV2](containers/container-insights-logging-v2.md) which is compatible with Basic logs and can provide significant cost savings as described in [Controlling ingestion to reduce cost](containers/container-insights-cost.md#configure-basic-logs). |
 
+[!INCLUDE [waf-containers-cost](includes/waf-vm-cost.md)]
 
 
 

articles/azure-monitor/includes/waf-containers-cost.md

@@ -0,0 +1,34 @@
+---
+author: bwren
+ms.author: bwren
+ms.service: azure-monitor
+ms.topic: include
+ms.date: 03/30/2023
+---
+
+### Design checklist
+
+> [!div class="checklist"]
+> - Don't enable Container insights collection of Prometheus metrics.
+> - Configure agent collection to modify data collection in Container insights.
+> - Modify settings for collection of metric data by Container insights.
+> - Disable Container insights collection of metric data if you don't use the Container insights experience in the Azure portal.
+> - If you don't query the container logs table regularly or use it for alerts, configure it as basic logs.
+> - Limit collection of resource logs you don't need.
+> - Use resource-specific logging for AKS resource logs and configure tables as basic logs.
+> - Use OpenCost to collect details about your Kubernetes costs.
+
+### Configuration recommendations
+
+
+| Recommendation | Benefit |
+|:---|:---|
+| Don't enable Container insights collection of Prometheus metrics in Log Analytics workspace if you've enabled scraping of metrics with Prometheus.  | In addition to scraping Prometheus metrics from your cluster using [Azure Monitor managed service for Prometheus](../containers/prometheus-metrics-enable.md), you can configure Container insights to [collect Prometheus metrics in your Log Analytics workspace](../containers/container-insights-prometheus-logs.md). This is redundant with the data in Managed Prometheus and will result in additional cost. |
+| Configure agent to modify data collection in Container insights. |  Analyze the data collected by Container insights as described in [Controlling ingestion to reduce cost](../containers/container-insights-cost.md#control-ingestion-to-reduce-cost) and adjust your configuration to stop collection of data you don't need. |
+| Modify settings for collection of metric data by Container insights. | See [Enable cost optimization settings](../containers/container-insights-cost-config.md) for details on modifying both the frequency that metric data is collected and the namespaces that are collected by  Container insights. |
+| Disable Container insights collection of metric data if you don't use the Container insights experience in the Azure portal. | Container insights collects many of the same metric values as [Managed Prometheus](../containers/prometheus-metrics-enable.md). You can disable collection of these metrics by configuring Container insights to only collect **Logs and events** as described in [Enable cost optimization settings in Container insights](../containers/container-insights-cost-config.md#custom-data-collection). This configuration disables the Container insights experience in the Azure portal, but you can use Grafana to visualize Prometheus metrics and Log Analytics to analyze log data collected by Container insights. |
+| If you don't query the container logs table regularly or use it for alerts, configure it as basic logs. | [Convert your Container insights schema to ContainerLogV2](../containers/container-insights-logging-v2.md) which is compatible with Basic logs and can provide significant cost savings as described in [Controlling ingestion to reduce cost](../containers/container-insights-cost.md#configure-basic-logs). |
+| Limit collection of resource logs you don't need. | Control plane logs for AKS clusters are implemented as resource logs in Azure Monitor. [Create a diagnostic setting](../../aks/monitor-aks.md#resource-logs) to send this data to a Log Analytics workspace. See [Collect control plane logs for AKS clusters](../containers/monitor-kubernetes.md#collect-control-plane-logs-for-aks-clusters) for recommendations on which categories you should collect. | 
+| Use resource-specific logging for AKS resource logs and configure tables as basic logs. | AKS supports either Azure diagnostics mode or resource-specific mode for [resource logs](../../aks/monitor-aks.md#resource-logs). Specify resource logs to enable the option to configure the tables for [basic logs](../logs/basic-logs-configure.md), which provide a reduced ingestion charge for logs that you only occasionally query and don't use for alerting. |
+| Use OpenCost to collect details about your Kubernetes costs. | [OpenCost](https://www.opencost.io/docs/configuration/azure-prices) is an open-source, vendor-neutral CNCF sandbox project for understanding your Kubernetes costs and supporting your ability to for AKS cost visibility. It exports detailed costing data in addition to customer-specific Azure pricing to Azure storage to assist the cluster administrator in analyzing and categorizing costs. |
+

articles/azure-monitor/includes/waf-containers-operation.md

@@ -0,0 +1,27 @@
+---
+author: bwren
+ms.author: bwren
+ms.service: azure-monitor
+ms.topic: include
+ms.date: 03/30/2023
+---
+
+### Design checklist
+
+> [!div class="checklist"]
+> - Review guidance for monitoring all layers of your Kubernetes environment.
+> - Use Azure Arc-enabled Kubernetes to monitor your clusters outside of Azure. 
+> - Use Azure managed services for cloud native tools.
+> - Integrate AKS clusters into your existing monitoring tools.
+> - Use Azure policy to enable data collection from your Kubernetes cluster.
+
+
+### Configuration recommendations
+
+| Recommendation | Benefit |
+|:---|:---|
+| Review guidance for monitoring all layers of your Kubernetes environment. | [Monitor your Kubernetes cluster performance with Container insights](../containers/container-insights-analyze.md) includes guidance and best practices for monitoring your entire Kubernetes environment from the network, cluster, and application layers. |
+| Use Azure Arc-enabled Kubernetes to monitor your clusters outside of Azure.  | [Azure Arc-enabled Kubernetes](../containers/container-insights-enable-arc-enabled-clusters.md) allows your Kubernetes clusters running in other clouds to be monitored using the same tools as your AKS clusters, including Container insights and Azure Monitor managed service for Prometheus. |
+| Use Azure managed services for cloud native tools. | [Azure Monitor managed service for Prometheus](../essentials/prometheus-metrics-overview.md) and [Azure managed Grafana](../../managed-grafana/overview.md) support all the features of the cloud native tools Prometheus and Grafana without having to operate their underlying infrastructure. You can quickly provision these tools and onboard your Kubernetes clusters with minimal overhead. These services allow you to access an extensive library of community rules and dashboards to monitor your Kubernetes environment. |
+| Integrate AKS clusters into your existing monitoring tools. | If you have an existing investment in Prometheus and Grafana, integrate your AKS clusters and Azure managed services into your existing environment using the guidance in [Monitor Kubernetes clusters using Azure services and cloud native tools](../containers/monitor-kubernetes.md). |
+| Use Azure policy to enable data collection from your Kubernetes cluster. | Use [Azure Policy](../../governance/policy/overview.md) to enable data collection for enabling [Prometheus metrics](../essentials/prometheus-metrics-enable.md?tabs=azurepolicy), [Container insights](../containers/container-insights-enable-aks-policy.md), and [diagnostic settings](../essentials/diagnostic-settings-policy.md). This ensures that any new clusters are automatically monitored and enforces their monitoring configuration. |

articles/azure-monitor/includes/waf-containers-performance.md

@@ -0,0 +1,22 @@
+---
+author: bwren
+ms.author: bwren
+ms.service: azure-monitor
+ms.topic: include
+ms.date: 03/30/2023
+---
+
+### Design checklist
+
+> [!div class="checklist"]
+> - Enable collection of Prometheus metrics for your cluster.
+> - Enable Container insights to track performance of your cluster.
+> - Enable recommended Prometheus alerts.
+
+### Configuration recommendations
+
+| Recommendation | Benefit |
+|:---|:---|
+| Enable collection of Prometheus metrics for your cluster. | [Prometheus](https://prometheus.io) is a cloud-native metrics solution from the Cloud Native Compute Foundation and the most common tool used for collecting and analyzing metric data from Kubernetes clusters. [Enable Prometheus](../containers/prometheus-metrics-enable.md) on your cluster with [Azure Monitor managed service for Prometheus](../essentials/prometheus-metrics-overview.md) if you don't already have a Prometheus environment. Use [Azure Managed Grafana](../../managed-grafana/overview.md) to analyze the Prometheus data collected.<br><br>See [Customize scraping of Prometheus metrics in Azure Monitor managed service for Prometheus](../containers/prometheus-metrics-scrape-configuration.md) to collect additional metrics beyond the [default configuration](../containers/prometheus-metrics-scrape-default.md). |
+| Enable Container insights to track performance of your cluster. | When you [enable Container insights](../containers/prometheus-metrics-enable.md) for your Kubernetes cluster, you can use [views](../containers/container-insights-analyze.md) and [workbooks](../containers/container-insights-reports.md) to track the performance of the components of your cluster. This data may overlap with data collected by Prometheus. See [Cost optimization](../best-practices-containers.md#cost-optimization) for recommendations regarding cost. |
+| Enable recommended Prometheus alerts. | [Alerts](../alerts/alerts-overview.md) in Azure Monitor proactively notify you when issues are detected.  Start with a set of [recommended Prometheus alert rules](../containers/container-insights-metric-alerts.md#enable-prometheus-alert-rules) that detect the most common availability and performance issues with your cluster. Potentially add [log query alerts](../containers/container-insights-log-alerts.md) using data collected by Container insights. |

articles/azure-monitor/includes/waf-containers-reliability.md

@@ -0,0 +1,28 @@
+---
+author: bwren
+ms.author: bwren
+ms.service: azure-monitor
+ms.topic: include
+ms.date: 03/30/2023
+---
+
+
+### Design checklist
+
+> [!div class="checklist"]
+> - Enable scraping of Prometheus metrics for your cluster. 
+> - Enable Container insights for collection of logs and performance data from your cluster.
+> - Create diagnostic settings to collect control plane logs for AKS clusters.
+> - Enable recommended Prometheus alerts.
+> - Ensure the availability of the Log Analytics workspace supporting Container insights.
+
+
+### Configuration recommendations
+
+| Recommendation | Benefit |
+|:---|:---|
+| Enable scraping of Prometheus metrics for your cluster. | [Enable Prometheus](../containers/prometheus-metrics-enable.md) on your cluster with [Azure Monitor managed service for Prometheus](../essentials/prometheus-metrics-overview.md) if you don't already have a Prometheus environment. Use [Azure Managed Grafana](../../managed-grafana/overview.md) to analyze the Prometheus data collected. See [Customize scraping of Prometheus metrics in Azure Monitor managed service for Prometheus](../containers/prometheus-metrics-scrape-configuration.md) to collect additional metrics beyond the [default configuration](../containers/prometheus-metrics-scrape-default.md). |
+| Enable Container insights for collection of logs and performance data from your cluster. | [Container insights](../containers/container-insights-overview.md) collects stdout/stderr logs, performance metrics, and Kubernetes events from each node in your cluster. It provides dashboards and reports for analyzing this data, including the availability of your nodes and other components. Use [Log Analytics](../logs/log-analytics-overview.md) to identify any availability errors in your collected logs.  |
+| Create diagnostic settings to collect control plane logs for AKS clusters. | AKS implements control planes logs as [resource logs](../essentials/resource-logs.md) in Azure Monitor. [Create a diagnostic setting](../essentials/diagnostic-settings.md) to send these logs to your Log Analytics workspace so you can use [log queries](../logs/log-query-overview.md) to identify errors and issues affecting availability. |
+| Enable recommended Prometheus alerts. | [Alerts](../alerts/alerts-overview.md) in Azure Monitor proactively notify you when issues are detected.  Start with a set of [recommended Prometheus alert rules](../containers/container-insights-metric-alerts.md#enable-prometheus-alert-rules) that detect the most common availability and performance issues with your cluster. Potentially add [log query alerts](../containers/container-insights-log-alerts.md) using data collected by Container insights. |
+| Ensure the availability of the Log Analytics workspace supporting Container insights. | Container insights relies on a Log Analytics workspace. See [Best practices for Azure Monitor Logs](../best-practices-logs.md#reliability) for recommendations to ensure the reliability of the workspace. |