Merge pull request #213786 from bwren/prometheus-post-ignite

Prometheus post ignite updates

Author: jborsecnik

articles/azure-monitor/containers/container-insights-prometheus-metrics-addon.md

@@ -12,7 +12,6 @@ This article describes how to configure Container insights to send Prometheus me
 
 ## Prerequisites
 
-- The cluster must be [onboarded to Container insights](container-insights-enable-aks.md).
 - The cluster must use [managed identity authentication](container-insights-enable-aks.md#migrate-to-managed-identity-authentication).
 - The following resource providers must be registered in the subscription of the AKS cluster and the Azure Monitor Workspace.
   - Microsoft.ContainerService
@@ -26,6 +25,10 @@ Use any of the following methods to install the metrics addon on your cluster an
 
 Managed Prometheus can be enabled in the Azure portal through either Container insights or an Azure Monitor workspace.
 
+### Prerequisites
+
+- The cluster must be [onboarded to Container insights](container-insights-enable-aks.md).
+
 #### Enable from Container insights
 
 1. Open the **Kubernetes services** menu in the Azure portal and select your AKS cluster.
@@ -57,7 +60,7 @@ Use the following procedure to install the Azure Monitor agent and the metrics a
 #### Prerequisites
 
 - Register the `AKS-PrometheusAddonPreview` feature flag in the Azure Kubernetes clusters subscription with the following command in Azure CLI: `az feature register --namespace Microsoft.ContainerService --name AKS-PrometheusAddonPreview`.
-- The aks-preview extension needs to be installed using the command `az extension add --name aks-preview`. For more information on how to install a CLI extension, see [Use and manage extensions with the Azure CLI](https://learn.microsoft.com/cli/azure/azure-cli-extensions-overview).
+- The aks-preview extension needs to be installed using the command `az extension add --name aks-preview`. For more information on how to install a CLI extension, see [Use and manage extensions with the Azure CLI](/azure/azure-cli-extensions-overview).
 - Azure CLI version 2.41.0 or higher is required for this feature.
 
 #### Install metrics addon

articles/azure-monitor/essentials/azure-monitor-workspace-overview.md

@@ -4,7 +4,7 @@ description: Overview of Azure Monitor workspace, which is a unique environment
 author: bwren 
 ms.topic: conceptual
 ms.custom: ignite-2022
-ms.date: 05/09/2022
+ms.date: 10/05/2022
 ---
 
 # Azure Monitor workspace (preview)
@@ -21,16 +21,25 @@ The following table lists the contents of Azure Monitor workspaces. This table w
 | Prometheus metrics | Native platform metrics<br>Native custom metrics<br>Prometheus metrics |
 
 
-
 ## Workspace design
 A single Azure Monitor workspace can collect data from multiple sources, but there may be circumstances where you require multiple workspaces to address your particular business requirements. Azure Monitor workspace design is similar to [Log Analytics workspace design](../logs/workspace-design.md). There are several reasons that you may consider creating additional workspaces including the following.
 
-- If you have multiple Azure tenants, you'll usually create a workspace in each because several data sources can only send monitoring data to a workspace in the same Azure tenant.
-- Each workspace resides in a particular Azure region, and you may have regulatory or compliance requirements to store data in particular locations.
-- You may choose to create separate workspaces to define data ownership, for example by subsidiaries or affiliated companies.
+- Azure tenants. If you have multiple Azure tenants, you'll usually create a workspace in each because several data sources can only send monitoring data to a workspace in the same Azure tenant.
+- Azure regions. Each workspace resides in a particular Azure region, and you may have regulatory or compliance requirements to store data in particular locations.
+- Data ownership. You may choose to create separate workspaces to define data ownership, for example by subsidiaries or affiliated companies.
+- Workspace limits. See [Azure Monitor service limits](../service-limits.md#prometheus-metrics) for current capacity limits related to Azure Monitor workspaces.
+- Multiple environments. You may have Azure Monitor workspaces supporting different environments such as test, pre-production, and production.
+
+> [!NOTE]
+> You cannot currently query across multiple Azure Monitor workspaces.
+
+## Workspace limits
+These are currently only related to Prometheus metrics, since this is the only data currently stored in Azure Monitor workspaces. 
 
 Many customers will choose an Azure Monitor workspace design to match their Log Analytics workspace design. Since Azure Monitor workspaces currently only contain Prometheus metrics, and metric data is typically not as sensitive as log data, you may choose to further consolidate your Azure Monitor workspaces for simplicity.
 
+
+
 ## Create an Azure Monitor workspace
 In addition to the methods below, you may be given the option to create a new Azure Monitor workspace in the Azure portal as part of a configuration that requires one. For example, when you configure Azure Monitor managed service for Prometheus, you can select an existing Azure Monitor workspace or create a new one.
 

articles/azure-monitor/essentials/media/prometheus-grafana/grafana-system-identity.png

@@ -0,0 +1,132 @@
+---
+title: Use Azure Monitor managed service for Prometheus (preview) as data source for Grafana
+description: Details on how to configure Azure Monitor managed service for Prometheus (preview) as data source for both Azure Managed Grafana and self-hosted Grafana in an Azure virtual machine.
+author: bwren 
+ms.topic: conceptual
+ms.date: 09/28/2022
+---
+
+# Use Azure Monitor managed service for Prometheus (preview) as data source for Grafana using managed system identity 
+
+[Azure Monitor managed service for Prometheus (preview)](prometheus-metrics-overview.md) allows you to collect and analyze metrics at scale using a [Prometheus](https://aka.ms/azureprometheus-promio)-compatible monitoring solution. The most common way to analyze and present Prometheus data is with a Grafana dashboard. This article explains how to configure Prometheus as a data source for both [Azure Managed Grafana](../../managed-grafana/overview.md) and [self-hosted Grafana](https://grafana.com/) running in an Azure virtual machine using managed system identity authentication.
+
+
+## Azure Managed Grafana 
+The following sections describe how to configure Azure Monitor managed service for Prometheus (preview) as a data source for Azure Managed Grafana.
+
+> [!IMPORTANT]
+> This section describes the manual process for adding an Azure Monitor managed service for Prometheus data source to Azure Managed Grafana. You can achieve the same functionality by linking the Azure Monitor workspace and Grafana workspace as described in [Link a Grafana workspace](azure-monitor-workspace-overview.md#link-a-grafana-workspace).
+
+### Configure system identify
+Your Grafana workspace requires the following:
+
+- System managed identity enabled
+- *Monitoring Data Reader* role for the Azure Monitor workspace
+
+Both of these settings are configured by default when you created your Grafana workspace. Verify these settings on the **Identity** page for your Grafana workspace.
+
+:::image type="content" source="media/prometheus-grafana/grafana-system-identity.png" alt-text="Screenshot of Identity page for Azure Managed Grafana." lightbox="media/prometheus-grafana/grafana-system-identity.png":::
+
+
+**Configure from Grafana workspace**<br>
+Use the following steps to allow access all Azure Monitor workspaces in a resource group or subscription:
+
+1. Open the **Identity** page for your Grafana workspace in the Azure portal.
+2. If **Status** is **No**, change it to **Yes**.
+3. Click **Azure role assignments** to review the existing access in your subscription.
+4. If **Monitoring Data Reader** is not listed for your subscription or resource group:
+   1. Click **+ Add role assignment**. 
+   2. For **Scope**, select either **Subscription** or **Resource group**.
+   3. For **Role**, select **Monitoring Data Reader**.
+   4. Click **Save**.
+
+
+**Configure from Azure Monitor workspace**<br>
+Use the following steps to allow access to only a specific Azure Monitor workspace:
+
+1. Open the **Access Control (IAM)** page for your Azure Monitor workspace in the Azure portal.
+2. Click **Add role assignment**.
+3. Select **Monitoring Data Reader** and click **Next**.
+4. For **Assign access to**, select **Managed identity**.
+5. Click **+ Select members**.
+6. For **Managed identity**, select **Azure Managed Grafana**.
+7. Select your Grafana workspace and then click **Select**.
+8. Click **Review + assign** to save the configuration.
+
+### Create Prometheus data source
+
+Azure Managed Grafana supports Azure authentication by default.
+
+1. Open the **Overview** page for your Azure Monitor workspace in the Azure portal.
+2. Copy the **Query endpoint**, which you'll need in a step below.
+3. Open your Azure Managed Grafana workspace in the Azure portal.
+4. Click on the **Endpoint** to view the Grafana workspace.
+5. Select **Configuration** and then **Data source**.
+6. Click **Add data source** and then **Prometheus**.
+7. For **URL**,  paste in the query endpoint for your Azure Monitor workspace.
+8. Select **Azure Authentication** to turn it on.
+9. For **Authentication** under **Azure Authentication**, select **Managed Identity**.
+10. Scroll to the bottom of the page and click **Save & test**.
+
+:::image type="content" source="media/prometheus-grafana/prometheus-data-source.png" alt-text="Screenshot of configuration for Prometheus data source." lightbox="media/prometheus-grafana/prometheus-data-source.png":::
+
+
+## Self-managed Grafana
+The following sections describe how to configure Azure Monitor managed service for Prometheus (preview) as a data source for self-managed Grafana on an Azure virtual machine.
+### Configure system identify
+Azure virtual machines support both system assigned and user assigned identity. The following steps configure system assigned identity.
+
+**Configure from Azure virtual machine**<br>
+Use the following steps to allow access all Azure Monitor workspaces in a resource group or subscription:
+
+1. Open the **Identity** page for your virtual machine in the Azure portal.
+2. If **Status** is **No**, change it to **Yes**.
+3. Click **Azure role assignments** to review the existing access in your subscription.
+4. If **Monitoring Data Reader** is not listed for your subscription or resource group:
+   1. Click **+ Add role assignment**. 
+   2. For **Scope**, select either **Subscription** or **Resource group**.
+   3. For **Role**, select **Monitoring Data Reader**.
+   4. Click **Save**.
+
+**Configure from Azure Monitor workspace**<br>
+Use the following steps to allow access to only a specific Azure Monitor workspace:
+
+1. Open the **Access Control (IAM)** page for your Azure Monitor workspace in the Azure portal.
+2. Click **Add role assignment**.
+3. Select **Monitoring Data Reader** and click **Next**.
+4. For **Assign access to**, select **Managed identity**.
+5. Click **+ Select members**.
+6. For **Managed identity**, select **Virtual machine**.
+7. Select your Grafana workspace and then click **Select**.
+8. Click **Review + assign** to save the configuration.
+
+
+
+
+### Create Prometheus data source
+
+Versions 9.x and greater of Grafana support Azure Authentication, but it's not enabled by default. To enable this feature, you need to update your Grafana configuration. To determine where your Grafana.ini file is and how to edit your Grafana config, please review this document from Grafana Labs. Once you know where your configuration file lives on your VM, make the following update:
+
+
+1. Locate and open the *Grafana.ini* file on your virtual machine.
+2. Under the `[auth]` section of the configuration file, change the `azure_auth_enabled` setting to `true`.
+3. Open the **Overview** page for your Azure Monitor workspace in the Azure portal.
+4. Copy the **Query endpoint**, which you'll need in a step below.
+5. Open your Azure Managed Grafana workspace in the Azure portal.
+6. Click on the **Endpoint** to view the Grafana workspace.
+7. Select **Configuration** and then **Data source**.
+8. Click **Add data source** and then **Prometheus**.
+9. For **URL**,  paste in the query endpoint for your Azure Monitor workspace.
+10. Select **Azure Authentication** to turn it on.
+11. For **Authentication** under **Azure Authentication**, select **Managed Identity**.
+12. Scroll to the bottom of the page and click **Save & test**.
+
+:::image type="content" source="media/prometheus-grafana/prometheus-data-source.png" alt-text="Screenshot of configuration for Prometheus data source." lightbox="media/prometheus-grafana/prometheus-data-source.png":::
+
+
+
+## Next steps
+
+- [Collect Prometheus metrics for your AKS cluster](../containers/container-insights-prometheus-metrics-addon.md).
+- [Configure Prometheus alerting and recording rules groups](prometheus-rule-groups.md).
+- [Customize scraping of Prometheus metrics](prometheus-metrics-scrape-configuration.md).

articles/azure-monitor/essentials/media/prometheus-grafana/prometheus-data-source.png

@@ -23,7 +23,7 @@ Azure Monitor managed service for Prometheus can currently collect data from any
 
 
 ## Grafana integration
-The primary method for visualizing Prometheus metrics is [Azure Managed Grafana](../../managed-grafana/overview.md). Connect your Azure Monitor workspace to a Grafana workspace so that it can be used as a data source in a Grafana dashboard. You then have access to multiple prebuilt dashboards that use Prometheus metrics and the ability to create any number of custom dashboards.
+The primary method for visualizing Prometheus metrics is [Azure Managed Grafana](../../managed-grafana/overview.md). [Connect your Azure Monitor workspace to a Grafana workspace](azure-monitor-workspace-overview.md#link-a-grafana-workspace) so that it can be used as a data source in a Grafana dashboard. You then have access to multiple prebuilt dashboards that use Prometheus metrics and the ability to create any number of custom dashboards.
 
 ## Alerts
 Azure Monitor managed service for Prometheus adds a new Prometheus alert type for creating alerts using PromQL queries. You can view fired and resolved Prometheus alerts in the Azure portal along with other alert types. Prometheus alerts are configured with the same [alert rules](https://aka.ms/azureprometheus-promio-alertrules) used by Prometheus. For your AKS cluster, you can use a [set of predefined Prometheus alert rules]

articles/azure-monitor/essentials/prometheus-grafana.md

@@ -223,24 +223,36 @@ items:
     - name: Prometheus metrics
       items: 
       - name: Overview
+        displayName: Prometheus
         href: essentials/prometheus-metrics-overview.md
       - name: Rule groups
+        displayName: Prometheus
         href: essentials/prometheus-rule-groups.md
+      - name: Configure Grafana
+        displayName: Prometheus
+        href: essentials/prometheus-grafana.md
       - name: Troubleshoot collection
+        displayName: Prometheus
         href: essentials/prometheus-metrics-troubleshoot.md
       - name: Customize collection
         items:
         - name: Default configuration
+          displayName: Prometheus
           href: essentials/prometheus-metrics-scrape-default.md
         - name: High scale
+          displayName: Prometheus
           href: essentials/prometheus-metrics-scrape-scale.md
         - name: Custom configuration
+          displayName: Prometheus
           href: essentials/prometheus-metrics-scrape-configuration.md
         - name: Create and validate custom scrape config
+          displayName: Prometheus
           href: essentials/prometheus-metrics-scrape-validate.md
         - name: Minimal ingestion profile
+          displayName: Prometheus
           href: essentials/prometheus-metrics-scrape-configuration-minimal.md
         - name: Send to multiple metric workspaces
+          displayName: Prometheus
           href: essentials/prometheus-metrics-multiple-workspaces.md
     - name: Metrics explorer
       items:

articles/azure-monitor/essentials/prometheus-metrics-overview.md

@@ -43,23 +43,21 @@ Prometheus queries are created using PromQL and can be authored in either Azure
 
 
 **Query pre-parsing limits**<br>
-Based on query time range and request type over a 30-second window.<br>
-Each value is per user (Azure AD or System Identity).
+Based on query time range and request type over a 30-second window.
 
 | Limit | Value |
 |:---|:---|
-| Query hours per Azure Managed Grafana Workspace | 30,000 |
+| Query hours per user (Azure AD, managed identity, Azure Managed Grafana Workspace) | 30,000 |
 | Query hours per Azure Monitor workspace | 60,000 |
 | Query hours per Azure tenant | 600,000 |
 
 
 **Query post-parsing limits**<br>
-Based on query time range and range vectors in query over a 30-second window.<br>
-Each value is per user (Azure AD or System Identity).
+Based on query time range and range vectors in query over a 30-second window.
 
 | Limit | Value |
 |:---|:---|
-| Query hours per Azure Managed Grafana Workspace | 2,000,000 |
+| Query hours per user (Azure AD, managed identity, Azure Managed Grafana Workspace) | 2,000,000 |
 | Query hours per Azure Monitor workspace | 2,000,000 |
 | Query hours per Azure tenant | 20,000,000 |