Enable Container insights
This article provides an overview of the requirements and options that are available for configuring Container insights to monitor the performance of workloads that are deployed to Kubernetes environments. You can enable Container insights for a new deployment or for one or more existing deployments of Kubernetes by using several supported methods.
Supported configurations
Container insights supports the following environments:
- Azure Kubernetes Service (AKS)
- Azure Arc-enabled Kubernetes cluster
- Azure Stack or on-premises
- AKS engine
- Red Hat OpenShift version 4.x
The versions of Kubernetes and support policy are the same as those versions supported in AKS.
Differences between Windows and Linux clusters
The main differences in monitoring a Windows Server cluster compared to a Linux cluster include:
- Windows doesn't have a Memory RSS metric. As a result, it isn't available for Windows nodes and containers. The Working Set metric is available.
- Disk storage capacity information isn't available for Windows nodes.
- Only pod environments are monitored, not Docker environments.
- With the preview release, a maximum of 30 Windows Server containers are supported. This limitation doesn't apply to Linux containers.
Note
Container insights support for the Windows Server 2022 operating system is in preview.
Installation options
Prerequisites
Before you start, make sure that you've met the following requirements:
Log Analytics workspace
Container insights stores its data in a Log Analytics workspace. It supports workspaces in the regions that are listed in Products available by region. For a list of the supported mapping pairs to use for the default workspace, see Region mappings supported by Container insights.
You can let the onboarding experience create a Log Analytics workspace in the default resource group of the AKS cluster subscription. If you already have a workspace, you'll probably want to use that one. For more information, see Designing your Azure Monitor Logs deployment.
You can attach an AKS cluster to a Log Analytics workspace in a different Azure subscription in the same Azure Active Directory tenant. Currently, you can't do it with the Azure portal, but you can use the Azure CLI or an Azure Resource Manager template.
Azure Monitor workspace (preview)
If you're going to configure the cluster to collect Prometheus metrics with Azure Monitor managed service for Prometheus, you must have an Azure Monitor workspace where Prometheus metrics are stored. You can let the onboarding experience create an Azure Monitor workspace in the default resource group of the AKS cluster subscription or use an existing Azure Monitor workspace.
Permissions
To enable container monitoring, you require the following permissions:
- You must be a member of the Log Analytics contributor role.
- You must be a member of the Owner group on any AKS cluster resources.
To view data after container monitoring is enabled, you require the following permissions:
- You must be a member of the Log Analytics reader role if you aren't already a member of the Log Analytics contributor role.
Kubelet secure port
The containerized Linux agent (replicaset pod) makes API calls to all the Windows nodes on Kubelet secure port (10250) within the cluster to collect node and container performance-related metrics. Kubelet secure port (:10250) should be opened in the cluster's virtual network for both inbound and outbound for Windows node and container performance-related metrics collection to work.
If you have a Kubernetes cluster with Windows nodes, review and configure the network security group and network policies to make sure the Kubelet secure port (:10250) is opened for both inbound and outbound in the cluster's virtual network.
Authentication
Container insights now supports authentication by using managed identity (in preview). This secure and simplified authentication model has a monitoring agent that uses the cluster's managed identity to send data to Azure Monitor. It replaces the existing legacy certificate-based local authentication and removes the requirement of adding a Monitoring Metrics Publisher role to the cluster.
Note
Container insights preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available." They're excluded from the service-level agreements and limited warranty. Container insights previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use. For more information, see Frequently asked questions about Azure Kubernetes Service.
Agent
This section reviews the agents used by Container insights.
Azure Monitor agent
When Container insights uses managed identity authentication (in preview), it relies on a containerized Azure Monitor agent for Linux. This specialized agent collects performance and event data from all nodes in the cluster. The agent is automatically deployed and registered with the specified Log Analytics workspace during deployment.
Log Analytics agent
When Container insights doesn't use managed identity authentication, it relies on a containerized Log Analytics agent for Linux. This specialized agent collects performance and event data from all nodes in the cluster. The agent is automatically deployed and registered with the specified Log Analytics workspace during deployment.
The agent version is microsoft/oms:ciprod04202018 or later. It's represented by a date in the following format: mmddyyyy. When a new version of the agent is released, it's automatically upgraded on your managed Kubernetes clusters that are hosted on AKS. To track which versions are released, see Agent release announcements.
With the general availability of Windows Server support for AKS, an AKS cluster with Windows Server nodes has a preview agent installed as a daemonset pod on each individual Windows Server node to collect logs and forward them to Log Analytics. For performance metrics, a Linux node that's automatically deployed in the cluster as part of the standard deployment collects and forwards the data to Azure Monitor for all Windows nodes in the cluster.
Note
If you've already deployed an AKS cluster and enabled monitoring by using either the Azure CLI or a Resource Manager template, you can't use kubectl to upgrade, delete, redeploy, or deploy the agent. The template needs to be deployed in the same resource group as the cluster.
Network firewall requirements
The following table lists the proxy and firewall configuration information required for the containerized agent to communicate with Container insights. All network traffic from the agent is outbound to Azure Monitor.
Azure public cloud
| Agent resource | Port |
|---|---|
*.ods.opinsights.azure.com |
443 |
*.oms.opinsights.azure.com |
443 |
dc.services.visualstudio.com |
443 |
*.monitoring.azure.com |
443 |
login.microsoftonline.com |
443 |
The following table lists the extra firewall configuration required for managed identity authentication.
| Agent resource | Purpose | Port |
|---|---|---|
global.handler.control.monitor.azure.com |
Access control service | 443 |
<cluster-region-name>.ingest.monitor.azure.com |
Azure monitor managed service for Prometheus - metrics ingestion endpoint (DCE) | 443 |
<cluster-region-name>.handler.control.monitor.azure.com |
Fetch data collection rules for specific AKS cluster | 443 |
Azure China 21Vianet cloud
The following table lists the proxy and firewall configuration information for Azure China 21Vianet.
| Agent resource | Purpose | Port |
|---|---|---|
*.ods.opinsights.azure.cn |
Data ingestion | 443 |
*.oms.opinsights.azure.cn |
OMS onboarding | 443 |
dc.services.visualstudio.com |
For agent telemetry that uses Azure Public Cloud Application Insights | 443 |
The following table lists the extra firewall configuration required for managed identity authentication.
| Agent resource | Purpose | Port |
|---|---|---|
global.handler.control.monitor.azure.cn |
Access control service | 443 |
<cluster-region-name>.handler.control.monitor.azure.cn |
Fetch data collection rules for specific AKS cluster | 443 |
Azure Government cloud
The following table lists the proxy and firewall configuration information for Azure US Government.
| Agent resource | Purpose | Port |
|---|---|---|
*.ods.opinsights.azure.us |
Data ingestion | 443 |
*.oms.opinsights.azure.us |
OMS onboarding | 443 |
dc.services.visualstudio.com |
For agent telemetry that uses Azure Public Cloud Application Insights | 443 |
The following table lists the extra firewall configuration required for managed identity authentication.
| Agent resource | Purpose | Port |
|---|---|---|
global.handler.control.monitor.azure.us |
Access control service | 443 |
<cluster-region-name>.handler.control.monitor.azure.us |
Fetch data collection rules for specific AKS cluster | 443 |
Next steps
After you've enabled monitoring, you can begin analyzing the performance of your Kubernetes clusters that are hosted on AKS, Azure Stack, or another environment.
To learn how to use Container insights, see View Kubernetes cluster performance.
Feedback
Submit and view feedback for