| 1 | +--- |
| 2 | +title: Remote-write in Azure Monitor Managed Service for Prometheus (preview) |
| 3 | +description: Describes how to configure remote-write to send data from self-managed Prometheus running in your AKS cluster or Azure Arc-enabled Kubernetes cluster using managed identity authentication. |
| 4 | +author: bwren |
| 5 | +ms.topic: conceptual |
| 6 | +ms.date: 10/20/2022 |
| 7 | +--- |
| 8 | + |
| 9 | +# Azure Monitor managed service for Prometheus remote write - managed identity (preview) |
| 10 | +Azure Monitor managed service for Prometheus is intended to be a replacement for self managed Prometheus so you don't need to manage a Prometheus server in your Kubernetes clusters. You may also choose to use the managed service to centralize data from self-managed Prometheus clusters for long term data retention and to create a centralized view across your clusters. In this case, you can use [remote_write](https://prometheus.io/docs/operating/integrations/#remote-endpoints-and-storage) to send data from your self-managed Prometheus into our managed service. |
| 11 | + |
| 12 | +This article describes how to configure remote-write to send data from self-managed Prometheus running in your AKS cluster or Azure Arc-enabled Kubernetes cluster using managed identity authentication. You either use an existing identity created by AKS or [create one of your own](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md). Both options are described here. |
| 13 | + |
| 14 | +## Architecture |
| 15 | +Azure Monitor provides a reverse proxy container (Azure Monitor side car container) that provides an abstraction for ingesting Prometheus remote write metrics and helps in authenticating packets. The Azure Monitor side car container currently supports User Assigned Identity and Azure Active Directory (Azure AD) based authentication to ingest Prometheus remote write metrics to Azure Monitor workspace. |
| 16 | + |
| 17 | + |
| 18 | +## Cluster configurations |
| 19 | +This article applies to the following cluster configurations: |
| 20 | + |
| 21 | +- Azure Kubernetes service (AKS) |
| 22 | +- Azure Arc-enabled Kubernetes cluster |
| 23 | + |
| 24 | +## Prerequisites |
| 25 | + |
| 26 | +- You must have self-managed Prometheus running on your AKS cluster. For example, see [Using Azure Kubernetes Service with Grafana and Prometheus](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/using-azure-kubernetes-service-with-grafana-and-prometheus/ba-p/3020459). |
| 27 | +- You used [Kube-Prometheus Stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) when you set up Prometheus on your AKS cluster. |
| 28 | + |
| 29 | + |
| 30 | +## Create Azure Monitor workspace |
| 31 | +Data for Azure Monitor managed service for Prometheus is stored in an [Azure Monitor workspace](../essentials/azure-monitor-workspace-overview.md). You must [create a new workspace](../essentials/azure-monitor-workspace-overview.md#create-an-azure-monitor-workspace) if you don't already have one. |
| 32 | + |
| 33 | + |
| 34 | +## Locate AKS node resource group |
| 35 | +The node resource group of the AKS cluster contains resources that you will require for other steps in this process. This resource group has the name `MC_<AKS-RESOURCE-GROUP>_<AKS-CLUSTER-NAME>_<REGION>`. You can locate it from the **Resource groups** menu in the Azure portal. Start by making sure that you can locate this resource group since other steps below will refer to it. |
| 36 | + |
| 37 | +:::image type="content" source="media/prometheus-remote-write-managed-identity/resource-groups.png" alt-text="Screenshot showing list of resource groups." lightbox="media/prometheus-remote-write-managed-identity/resource-groups.png"::: |
| 38 | + |
| 39 | +## Get the client ID of the user assigned identity |
| 40 | +You will require the client ID of the identity that you're going to use. Note this value for use in later steps in this process. |
| 41 | + |
| 42 | +Get the **Client ID** from the **Overview** page of your [managed identity](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md). |
| 43 | + |
| 44 | +:::image type="content" source="media/prometheus-remote-write-managed-identity/client-id.png" alt-text="Screenshot showing client ID on overview page of managed identity." lightbox="media/prometheus-remote-write-managed-identity/client-id.png"::: |
| 45 | + |
| 46 | +Instead of creating your own ID, you can use one of the identities created by AKS, which are listed in [Use a managed identity in Azure Kubernetes Service](../../aks/use-managed-identity.md). This article uses the `Kubelet` identity. The name of this identity will be `<AKS-CLUSTER-NAME>-agentpool` and located in the node resource group of the AKS cluster. |
| 47 | + |
| 48 | +:::image type="content" source="media/prometheus-remote-write-managed-identity/resource-group-details.png" alt-text="Screenshot showing list of resources in the node resource group." lightbox="media/prometheus-remote-write-managed-identity/resource-group-details.png"::: |
| 49 | + |
| 50 | + |
| 51 | + |
| 52 | +## Assign managed identity the Monitoring Metrics Publisher role on the data collection rule |
| 53 | +The managed identity requires the *Monitoring Metrics Publisher* role on the data collection rule associated with your Azure Monitor workspace. |
| 54 | + |
| 55 | +1. From the menu of your Azure Monitor Workspace account, click the **Data collection rule** to open the **Overview** page for the data collection rule. |
| 56 | + |
| 57 | + :::image type="content" source="media/prometheus-remote-write-managed-identity/azure-monitor-account-data-collection-rule.png" alt-text="Screenshot showing data collection rule used by Azure Monitor workspace." lightbox="media/prometheus-remote-write-managed-identity/azure-monitor-account-data-collection-rule.png"::: |
| 58 | + |
| 59 | +2. Click on **Access control (IAM)** in the **Overview** page for the data collection rule. |
| 60 | + |
| 61 | + :::image type="content" source="media/prometheus-remote-write-managed-identity/azure-monitor-account-access-control.png" alt-text="Screenshot showing Access control (IAM) menu item on the data collection rule Overview page." lightbox="media/prometheus-remote-write-managed-identity/azure-monitor-account-access-control.png"::: |
| 62 | + |
| 63 | +3. Click **Add** and then **Add role assignment**. |
| 64 | + |
| 65 | + :::image type="content" source="media/prometheus-remote-write-managed-identity/data-collection-rule-add-role-assignment.png" alt-text="Screenshot showing adding a role assignment on Access control pages." lightbox="media/prometheus-remote-write-managed-identity/data-collection-rule-add-role-assignment.png"::: |
| 66 | + |
| 67 | +4. Select **Monitoring Metrics Publisher** role and click **Next**. |
| 68 | + |
| 69 | + :::image type="content" source="media/prometheus-remote-write-managed-identity/add-role-assignment.png" alt-text="Screenshot showing list of role assignments." lightbox="media/prometheus-remote-write-managed-identity/add-role-assignment.png"::: |
| 70 | + |
| 71 | +5. Select **Managed Identity** and then click **Select members**. Choose the subscription the user assigned identity is located in and then select **User-assigned managed identity**. Select the User Assigned Identity that you're going to use and click **Select**. |
| 72 | + |
| 73 | + :::image type="content" source="media/prometheus-remote-write-managed-identity/select-managed-identity.png" alt-text="Screenshot showing selection of managed identity." lightbox="media/prometheus-remote-write-managed-identity/select-managed-identity.png"::: |
| 74 | + |
| 75 | +6. Click **Review + assign** to complete the role assignment. |
| 76 | + |
| 77 | + |
| 78 | +## Grant AKS cluster access to the identity |
| 79 | +This step isn't required if you're using an AKS identity since it will already have access to the cluster. |
| 80 | + |
| 81 | +> [!IMPORTANT] |
| 82 | +> You must have owner/user access administrator access on the cluster. |
| 83 | +
|
| 84 | +1. Identify the virtual machine scale sets in the [node resource group](#locate-aks-node-resource-group) for your AKS cluster. |
| 85 | + |
| 86 | + :::image type="content" source="media/prometheus-remote-write-managed-identity/resource-group-details-virtual-machine-scale-sets.png" alt-text="Screenshot showing virtual machine scale sets in the node resource group." lightbox="media/prometheus-remote-write-managed-identity/resource-group-details-virtual-machine-scale-sets.png"::: |
| 87 | + |
| 88 | +2. Run the following command in Azure CLI for each virtual machine scale set. |
| 89 | + |
| 90 | + ```azurecli |
| 91 | + az vmss identity assign -g <AKS-NODE-RESOURCE-GROUP> -n <AKS-VMSS-NAME> --identities <USER-ASSIGNED-IDENTITY-RESOURCE-ID> |
| 92 | + ``` |
| 93 | +
|
| 94 | +
|
| 95 | +## Deploy Side car and configure remote write on the Prometheus server |
| 96 | +
|
| 97 | +1. Copy the YAML below and save to a file. This YAML assumes you're using 8081 as your listening port. Modify that value if you use a different port. |
| 98 | +
|
| 99 | + ```yml |
| 100 | + prometheus: |
| 101 | + prometheusSpec: |
| 102 | + externalLabels: |
| 103 | + cluster: <AKS-CLUSTER-NAME> |
| 104 | +
|
| 105 | + ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write |
| 106 | + ## |
| 107 | + remoteWrite: |
| 108 | + - url: "http://localhost:8081/api/v1/write" |
| 109 | +
|
| 110 | + containers: |
| 111 | + - name: prom-remotewrite |
| 112 | + image: <CONTAINER-IMAGE-VERSION> |
| 113 | + imagePullPolicy: Always |
| 114 | + ports: |
| 115 | + - name: rw-port |
| 116 | + containerPort: 8081 |
| 117 | + livenessProbe: |
| 118 | + httpGet: |
| 119 | + path: /health |
| 120 | + port: rw-port |
| 121 | + readinessProbe: |
| 122 | + httpGet: |
| 123 | + path: /ready |
| 124 | + port: rw-port |
| 125 | + env: |
| 126 | + - name: INGESTION_URL |
| 127 | + value: "<INGESTION_URL>" |
| 128 | + - name: LISTENING_PORT |
| 129 | + value: "8081" |
| 130 | + - name: IDENTITY_TYPE |
| 131 | + value: "userAssigned" |
| 132 | + - name: AZURE_CLIENT_ID |
| 133 | + value: "<MANAGED-IDENTITY-CLIENT-ID>" |
| 134 | + # Optional parameters |
| 135 | + - name: CLUSTER |
| 136 | + value: "<CLUSTER-NAME>" |
| 137 | + ``` |
| 138 | +
|
| 139 | +
|
| 140 | +2. Replace the following values in the YAML. |
| 141 | +
|
| 142 | + | Value | Description | |
| 143 | + |:---|:---| |
| 144 | + | `<AKS-CLUSTER-NAME>` | Name of your AKS cluster | |
| 145 | + | `<CONTAINER-IMAGE-VERSION>` | `mcr.microsoft.com/azuremonitor/prometheus/promdev/prom-remotewrite:prom-remotewrite-20221012.2`<br>This is the remote write container image version. | |
| 146 | + | `<INGESTION-URL>` | **Metrics ingestion endpoint** from the **Overview** page for the Azure Monitor workspace | |
| 147 | + | `<MANAGED-IDENTITY-CLIENT-ID>` | **Client ID** from the **Overview** page for the managed identity | |
| 148 | + | `<CLUSTER-NAME>` | Name of the cluster Prometheus is running on | |
| 149 | +
|
| 150 | + |
| 151 | +
|
| 152 | +
|
| 153 | +
|
| 154 | +3. Open Azure Cloud Shell and upload the YAML file. |
| 155 | +4. Use helm to apply the YAML file to update your Prometheus configuration with the following CLI commands. |
| 156 | +
|
| 157 | + ```azurecli |
| 158 | + # set context to your cluster |
| 159 | + az aks get-credentials -g <aks-rg-name> -n <aks-cluster-name> |
| 160 | + |
| 161 | + # use helm to update your remote write config |
| 162 | + helm upgrade -f <YAML-FILENAME>.yml prometheus prometheus-community/kube-prometheus-stack -namespace <namespace where Prometheus pod resides> |
| 163 | + ``` |
| 164 | +
|
| 165 | +
|
| 166 | +
|
| 167 | +## Next steps |
| 168 | +
|
| 169 | +- [Learn more about Azure Monitor managed service for Prometheus](prometheus-metrics-overview.md). |
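Review bot: the placeholder names in the sidecar YAML and the replacement table do not match: the `env` block uses `value: "<INGESTION_URL>"` while the table row that tells the reader what to substitute is `<INGESTION-URL>`, so a reader searching the YAML for the documented token will not find it; pick one spelling (the hyphenated form matches `<MANAGED-IDENTITY-CLIENT-ID>` and `<CLUSTER-NAME>`) and use it in both places. In the helm command, `-namespace <namespace ...>` is a single-dash flag, which helm's flag parser reads as `-n amespace` rather than `--namespace`; change it to `--namespace` (or `-n`) so the upgrade targets the namespace the Prometheus pod actually runs in. The IMPORTANT callout under "Grant AKS cluster access to the identity" says owner/user access administrator is needed "on the cluster", but the command that follows is `az vmss identity assign` against the scale sets in the node resource group, so the permission that matters is write access on those VMSS resources in `MC_<AKS-RESOURCE-GROUP>_<AKS-CLUSTER-NAME>_<REGION>`; state that scope explicitly. Finally, the "Get the client ID" section recommends reusing the `<AKS-CLUSTER-NAME>-agentpool` (Kubelet) identity for convenience; since any identity attached to the VMSS is reachable by every pod on the node via IMDS, granting it Monitoring Metrics Publisher on the data collection rule lets any workload on the cluster publish metrics to the workspace, so a sentence steering readers toward a dedicated user-assigned identity with only that role (the option the article already describes) would make the least-privilege trade-off clear.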