Merge pull request #205577 from bwren/ci-ama

AMA on Container insights

Author: Maggiemouse1

articles/azure-monitor/containers/container-insights-enable-arc-enabled-clusters.md

@@ -32,6 +32,8 @@ ms.reviewer: aul
 - To view the monitoring data, you need to have [Log Analytics Reader](../logs/manage-access.md#azure-rbac) role assignment on the Log Analytics workspace.
 - The following endpoints need to be enabled for outbound access in addition to the ones mentioned under [connecting a Kubernetes cluster to Azure Arc](../../azure-arc/kubernetes/quickstart-connect-cluster.md#meet-network-requirements).
 
+    **Azure public cloud**
+
     | Endpoint | Port |
     |----------|------|
     | `*.ods.opinsights.azure.com` | 443 |
@@ -40,14 +42,30 @@ ms.reviewer: aul
     | `*.monitoring.azure.com` | 443 |
     | `login.microsoftonline.com` | 443 |
 
+    The following table lists the additional firewall configuration required for managed identity authentication.
+
+    |Agent resource| Purpose | Port |
+    |--------------|------|---|
+    | `global.handler.control.monitor.azure.com` | Access control service | 443 |
+    | `<cluster-region-name>.handler.control.monitor.azure.com` | Fetch data collection rules for specific AKS cluster | 443 |
+
+    **Azure Government cloud**
+
     If your Azure Arc-enabled Kubernetes resource is in Azure US Government environment, following endpoints need to be enabled for outbound access:
 
     | Endpoint | Port |
     |----------|------|
     | `*.ods.opinsights.azure.us` | 443 |
     | `*.oms.opinsights.azure.us` | 443 |
     | `dc.services.visualstudio.com` | 443 |
-    
+
+    The following table lists the additional firewall configuration required for managed identity authentication.
+
+    |Agent resource| Purpose | Port |
+    |--------------|------|---|
+    | `global.handler.control.monitor.azure.cn` | Access control service | 443 |
+    | `<cluster-region-name>.handler.control.monitor.azure.cn` | Fetch data collection rules for specific AKS cluster | 443 |
+
 
 - If you are using an Arc enabled cluster on AKS, and previously installed [monitoring for AKS](./container-insights-enable-existing-clusters.md), please ensure that you have [disabled monitoring](./container-insights-optout.md) before proceeding to avoid issues during the extension install
 
@@ -81,7 +99,9 @@ Run the following commands to locate the full Azure Resource Manager identifier
     >[!TIP]
     > This `id` can also be found in the *Overview* blade of the Log Analytics workspace through the Azure portal.
 
-## Create extension instance using Azure CLI
+## Create extension instance 
+
+## [CLI](#tab/create-cli)
 
 ### Option 1 - With default values
 
@@ -94,6 +114,13 @@ This option uses the following defaults:
 az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers
 ```
 
+To use [managed identity authentication (preview)](container-insights-onboard.md#authentication), add the `configuration-settings` parameter as in the following:
+
+```azurecli
+az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings omsagent.useAADAuth=true
+```
+
+
 ### Option 2 - With existing Azure Log Analytics workspace
 
 You can use an existing Azure Log Analytics workspace in any subscription on which you have *Contributor* or a more permissive role assignment.
@@ -120,10 +147,11 @@ If the Azure Arc-enabled Kubernetes cluster is on Azure Stack Edge, then a custo
 az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings omsagent.logsettings.custommountpath=/home/data/docker
 ```
 
+
 >[!NOTE]
 > If you are explicitly specifying the version of the extension to be installed in the create command, then ensure that the version specified is >= 2.8.2.
 
-## Create extension instance using Azure portal
+## [Azure portal](#tab/create-portal)
 
 >[!IMPORTANT]
 >  If you are deploying Azure Monitor on a Kubernetes cluster running on top of Azure Stack Edge, then the Azure CLI option needs to be followed instead of the Azure portal option as a custom mount path needs to be set for these clusters.    
@@ -138,7 +166,9 @@ az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-n
 
 4. You can now choose the [Log Analytics workspace](../logs/quick-create-workspace.md) to send your metrics and logs data to.
 
-5. Select the 'Configure' button to deploy the Azure Monitor Container Insights cluster extension.
+5. To use managed identity authentication, select the *Use managed identity (preview)* checkbox.
+
+6. Select the 'Configure' button to deploy the Azure Monitor Container Insights cluster extension.
 
 ### Onboarding from Azure Monitor blade
 
@@ -148,9 +178,13 @@ az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-n
 
 3. Click on the 'Enable' link next to the cluster that you want to enable monitoring for.
 
-4. Choose the Log Analytics workspace and select the 'Configure' button to continue.
+4. Choose the Log Analytics workspace. 
 
-## Create extension instance using Azure Resource Manager
+5. To use managed identity authentication, select the *Use managed identity (preview)* checkbox.
+
+6. Select the 'Configure' button to continue.
+
+## [Resource Manager](#tab/create-arm)
 
 1. Download Azure Resource Manager template and parameter:
 
@@ -169,19 +203,61 @@ az k8s-extension create --name azuremonitor-containers --cluster-name <cluster-n
     az deployment group create --resource-group <resource-group> --template-file ./arc-k8s-azmon-extension-arm-template.json --parameters @./arc-k8s-azmon-extension-arm-template-params.json
     ```
 
+---
+
 ## Verify extension installation status
 Once you have successfully created the Azure Monitor extension for your Azure Arc-enabled Kubernetes cluster, you can additionally check the status of installation using the Azure portal or CLI. Successful installations should show the status as 'Installed'. If your status is showing 'Failed' or remains in the 'Pending' state for long periods of time, proceed to the Troubleshooting section below.
 
-### Azure portal
+### [Azure portal](#tab/verify-portal)
 1. In the Azure portal, select the Azure Arc-enabled Kubernetes cluster with the extension installing
 2. Select the 'Extensions' item under the 'Settings' section of the resource blade
 3. You should see an extension with the name 'azuremonitor-containers' listed, with the listed status in the 'Install status' column
-### Azure CLI
+### [CLI](#tab/verify-cli)
 Run the following command to show the latest status of the `Microsoft.AzureMonitor.Containers` extension
 ```azurecli
 az k8s-extension show --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters -n azuremonitor-containers
 ```
 
+---
+
+## Migrate to managed identity authentication (preview)
+Use the flowing guidance to migrate an existing extension instance to managed identity authentication (preview).
+
+## [CLI](#tab/migrate-cli)
+First retrieve the Log Analytics workspace configured for Container insights extension.
+
+```cli
+az k8s-extension show --name azuremonitor-containers --cluster-name \<cluster-name\> --resource-group \<resource-group\> --cluster-type connectedClusters -n azuremonitor-containers 
+```
+
+Enable Container insights extension with managed identity authentication option using the workspace returned in the first step. 
+
+```cli
+az k8s-extension create --name azuremonitor-containers --cluster-name \<cluster-name\> --resource-group \<resource-group\> --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings omsagent.useAADAuth=true logAnalyticsWorkspaceResourceID=\<workspace-resource-id\> 
+```
+
+## [Resource Manager](#tab/migrate-arm)
+
+
+1. Download the template at [https://aka.ms/arc-k8s-azmon-extension-msi-arm-template](https://aka.ms/arc-k8s-azmon-extension-msi-arm-template) and save it as **arc-k8s-azmon-extension-msi-arm-template.json**.
+
+2. Download the parameter file at [https://aka.ms/arc-k8s-azmon-extension-msi-arm-template-params](https://aka.ms/arc-k8s-azmon-extension-msi-arm-template) and save it as **arc-k8s-azmon-extension-msi-arm-template-params.json**.
+ 
+3. Edit the values in the parameter file.
+
+  - For **workspaceDomain**, use *opinsights.azure.com* for Azure public cloud and *opinsights.azure.us* for Azure Government cloud.
+  - Specify the tags in the **resourceTagValues** parameter if you want to use any Azure tags on the Azure resources that will be created as part of the Container insights extension.
+
+4. Deploy the template to create Container Insights extension. 
+
+```cli
+az login 
+az account set --subscription "Subscription Name" 
+az deployment group create --resource-group <resource-group> --template-file ./arc-k8s-azmon-extension-msi-arm-template.json --parameters @./arc-k8s-azmon-extension-msi-arm-template-params.json 
+```
+
+---
+
 ## Delete extension instance
 
 The following command only deletes the extension instance, but doesn't delete the Log Analytics workspace. The data within the Log Analytics resource is left intact.