Provide SSL certificates for monitoring

Beginning with the December, 2021 release, Azure Arc-enabled data services allows you to provide SSL/TLS certificates for the monitoring dashboards. You can use these certificates for logs (Kibana) and metrics (Grafana) dashboards.

You can specify the certificate when you create a data controller with:

  • Azure az CLI arcdata extension
  • Kubernetes native deployment

Microsoft provides sample files to create the certificates in the /microsoft/azure_arc/ GitHub repository.

You can clone the file locally to access the sample files.

git clone

The files that are referenced in this article are in the repository under /arc_data_services/deploy/scripts/monitoring.

Create or acquire appropriate certificates

You need appropriate certificates for each UI. One for logs, and one for metrics. The following table describes the requirements.

The following table describes the requirements for each certificate and key.

Requirement Logs certificate Metrics certificate
CN logsui-svc metricsui-svc
SANs None required metricsui-svc.${NAMESPACE}.${K8S_DNS_DOMAIN_NAME}
keyUsage digitalsignature


extendedKeyUsage serverAuth serverAuth


Default K8S_DNS_DOMAIN_NAME is svc.cluster.local, though it may differ depending on environment and configuration.

The GitHub repository directory includes example template files that identify the certificate specifications.

The Azure Arc samples GitHub repository provides an example you can use to generate a compliant certificate and private key for an endpoint.

See the code from /arc_data_services/deploy/scripts/

To use the example to create certificates, update the following command with your namespace and the directory for the certificates (output_directory). Then run the command.

./ <namespace> <output_directory>

This creates compliant certificates in the directory.

Deploy with CLI

After you have the certificate/private key for each endpoint, create the data controller with az dc create... command.

To apply your own certificate/private key use the following arguments.

  • --logs-ui-public-key-file <path\file to logs public key file>
  • --logs-ui-private-key-file <path\file to logs private key file>
  • --metrics-ui-public-key-file <path\file to metrics public key file>
  • --metrics-ui-private-key-file <path\file to metrics private key file>

For example, the following example creates a data controller with designated certificates for the logs and metrics UI dashboards:

az arcdata dc create --profile-name azure-arc-aks-default-storage --k8s-namespace <namespace> --use-k8s --name arc --subscription <subscription id> --resource-group <resource group name> --location <location> --connectivity-mode indirect --logs-ui-public-key-file <path\file to logs public key file> --logs-ui-private-key-file <path\file to logs private key file> --metrics-ui-public-key-file <path\file to metrics public key file> --metrics-ui-private-key-file <path\file to metrics private key file>

#az arcdata dc create --profile-name azure-arc-aks-default-storage  --k8s-namespace arc --use-k8s --name arc --subscription xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --resource-group my-resource-group --location eastus --connectivity-mode indirect --logs-ui-public-key-file /path/to/logsuipublickeyfile.pem --logs-ui-private-key-file /path/to/logsuiprivatekey.pem --metrics-ui-public-key-file /path/to/metricsuipublickeyfile.pem --metrics-ui-private-key-file /path/to/metricsuiprivatekey.pem

You can only specify certificates when you include --use-k8s in the az arcdata dc create ... statement.

Deploy with Kubernetes native tools

If you are using Kubernetes native tools to deploy, create kubernetes secrets that hold the certificates and private keys. Create the following secrets:

  • logsui-certificiate-secret
  • metricsui-certificate-secret.

Make sure the services are listed as subject alternative names (SANs) and the certificate usage parameters are correct.

  1. Verify each secret has the following fields:
    • certificate.pem containing the base64 encoded certificate
    • privatekey.pem containing the private key

Next steps