Configure BYOS for Application Insights Profiler and Snapshot Debugger
When you use Application Insights Profiler or Snapshot Debugger, artifacts generated by your application are uploaded by default into Azure Storage accounts over the public internet. For these artifacts and storage accounts, Microsoft controls and covers the cost for:
- Processing and analysis.
- Encryption-at-rest and lifetime management policies.
Meanwhile, when you "bring your own storage" (BYOS), artifacts are uploaded into a storage account that only you control and cover the cost for:
- The encryption-at-rest policy and the lifetime management policy.
- Network access.
Note
BYOS is required if you're enabling Azure Private Link or customer-managed keys.
In this guide, you learn how to:
- Grant Diagnostic Services access to your storage account.
- Link your storage account with your Application Insights resource.
- Understand how your storage account is accessed.
Prerequisites
- Verify you created your storage account in the same location as your Application Insights resource.
- If you enabled Private Link, allow connection to our Trusted Microsoft Service from your virtual network.
Grant Diagnostic Services access to your storage account
A BYOS storage account is linked to an Application Insights resource. Start by granting the Storage Blob Data Contributor role to the Microsoft Entra application named Diagnostic Services Trusted Storage Access via the Access Control (IAM) page in your storage account.
Select Access control (IAM).
Select Add > Add role assignment to open the Add role assignment page.
Assign the following role.
Setting: Value
- Role: Storage Blob Data Contributor
- Assign access to: User, group, or service principal
- Members: Diagnostic Services Trusted Storage Access
Once assigned, you can see the role under the Role assignments section.
Note
If you're also using Private Link, one more configuration is required to allow connection to our Trusted Microsoft Service from your virtual network. For more information, see Storage network security documentation.
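The same grant can be scripted and checked together with the prerequisites before you link the account. The following is an added example, not part of the original guide or Microsoft's own script; the placeholder names follow the page's pattern style, `ConvertTo-LocationKey` is a hypothetical helper, and the firewall check assumes the Private Link note refers to the storage firewall's trusted Azure services bypass.

```powershell
# Added example (not from the original guide). Placeholders follow the page's pattern style.
$rg      = "{resource_group_name}"
$aiName  = "{application_insights_name}"
$stName  = "{storage_account_name}"
$role    = "Storage Blob Data Contributor"
$appName = "Diagnostic Services Trusted Storage Access"

$ai      = Get-AzApplicationInsights -ResourceGroupName $rg -Name $aiName -ErrorAction Stop
$storage = Get-AzStorageAccount -ResourceGroupName $rg -Name $stName -ErrorAction Stop

# Hypothetical helper: compare locations regardless of "westus2" vs "West US 2" spelling.
function ConvertTo-LocationKey([string]$Location) {
    ($Location -replace '\s', '').ToLowerInvariant()
}

# 1. Prerequisite: both resources must be in the same location.
if ((ConvertTo-LocationKey $ai.Location) -ne (ConvertTo-LocationKey $storage.Location)) {
    throw "Location mismatch: Application Insights '$($ai.Location)', storage '$($storage.Location)'."
}

# 2. Resolve the Microsoft Entra application; refuse to guess if the name is ambiguous.
$sp = @(Get-AzADServicePrincipal -DisplayName $appName)
if ($sp.Count -ne 1) {
    throw "Expected one service principal named '$appName', found $($sp.Count)."
}

# 3. Grant the role at the storage account scope only, and only if it is missing.
$assigned = @(Get-AzRoleAssignment -ObjectId $sp[0].Id -Scope $storage.Id -RoleDefinitionName $role)
if ($assigned.Count -eq 0) {
    New-AzRoleAssignment -ObjectId $sp[0].Id -Scope $storage.Id -RoleDefinitionName $role | Out-Null
}
# An assignment inherited from a resource group or subscription covers more accounts than BYOS needs.
$assigned | Where-Object { $_.Scope -ne $storage.Id } | ForEach-Object {
    Write-Warning "Role is inherited from a broader scope: $($_.Scope)"
}

# 4. Assumption: the Private Link note maps to the storage firewall's AzureServices bypass.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $stName
if ("$($rules.DefaultAction)" -eq 'Deny' -and "$($rules.Bypass)" -notmatch 'AzureServices') {
    Write-Warning "Firewall default action is Deny and trusted Azure services are not bypassed."
}
```

Run it after Connect-AzAccount; it needs the Az.Resources and Az.Storage modules in addition to Az.ApplicationInsights.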
Link your storage account with your Application Insights resource
You have three options for configuring BYOS for code-level diagnostics like Profiler and Snapshot Debugger:
- Azure PowerShell cmdlets
- The Azure CLI
- Azure Resource Manager templates
Before you begin, install Azure PowerShell 4.2.0 or greater.
Install the Application Insights PowerShell extension.
Install-Module -Name Az.ApplicationInsights -Force
Sign in with your Azure account subscription.
Connect-AzAccount -Subscription "{subscription_id}"
For more information on how to sign in, see the Connect-AzAccount documentation.
Remove any previous storage account linked to your Application Insights resource.
Pattern:
Get-AzApplicationInsights -ResourceGroupName "{resource_group_name}" -Name "{application_insights_name}" | Remove-AzApplicationInsightsLinkedStorageAccount
Example:
Get-AzApplicationInsights -ResourceGroupName "byos-test" -Name "byos-test-westus2-ai" | Remove-AzApplicationInsightsLinkedStorageAccount
Connect your storage account with your Application Insights resource.
Pattern:
$storageAccount = Get-AzStorageAccount -ResourceGroupName "{resource_group_name}" -Name "{storage_account_name}"
Get-AzApplicationInsights -ResourceGroupName "{resource_group_name}" -Name "{application_insights_name}" | New-AzApplicationInsightsLinkedStorageAccount -LinkedStorageAccountResourceId $storageAccount.Id
Example:
$storageAccount = Get-AzStorageAccount -ResourceGroupName "byos-test" -Name "byosteststoragewestus2"
Get-AzApplicationInsights -ResourceGroupName "byos-test" -Name "byos-test-westus2-ai" | New-AzApplicationInsightsLinkedStorageAccount -LinkedStorageAccountResourceId $storageAccount.Id
Troubleshooting
Troubleshoot common issues in configuring BYOS.
- For general Profiler troubleshooting, see the Profiler troubleshooting documentation.
- For general Snapshot Debugger troubleshooting, see the Snapshot Debugger troubleshooting documentation.
Scenario: Template schema '{schema_uri}' isn't supported
You received an error similar to the following example:
New-AzResourceGroupDeployment : 11:53:49 AM - Error: Code=InvalidTemplate; Message=Deployment template validation failed: 'Template schema
'https://schema.management.azure.com/schemas/2020-01-01/deploymentTemplate.json#' is not supported. Supported versions are
'2014-04-01-preview,2015-01-01,2018-05-01,2019-04-01,2019-08-01'. Please see https://aka.ms/arm-template for usage details.'.
Solutions
- Make sure that the $schema property of the template is valid. It must follow this pattern: https://schema.management.azure.com/schemas/{schema_version}/deploymentTemplate.json#
- Make sure that the schema_version of the template is within valid values: 2014-04-01-preview, 2015-01-01, 2018-05-01, 2019-04-01, 2019-08-01.
Scenario: No registered resource provider found for location '{location}'
You received an error similar to the following example:
New-AzResourceGroupDeployment : 6:18:03 PM - Resource microsoft.insights/components 'byos-test-westus2-ai' failed with message '{
"error": {
"code": "NoRegisteredProviderFound",
"message": "No registered resource provider found for location 'westus2' and API version '2020-03-01-preview' for type 'components'. The supported api-versions are '2014-04-01,
2014-08-01, 2014-12-01-preview, 2015-05-01, 2018-05-01-preview'. The supported locations are ', eastus, southcentralus, northeurope, westeurope, southeastasia, westus2, uksouth,
canadacentral, centralindia, japaneast, australiaeast, koreacentral, francecentral, centralus, eastus2, eastasia, westus, southafricanorth, northcentralus, brazilsouth, switzerlandnorth,
australiasoutheast'."
}
}'
Solutions
- Make sure that the apiVersion of the resource microsoft.insights/components is 2015-05-01.
- Make sure that the apiVersion of the resource linkedStorageAccount is 2020-03-01-preview.
Scenario: Storage account location should match Application Insights component location
You received an error similar to the following example:
New-AzResourceGroupDeployment : 1:01:12 PM - Resource microsoft.insights/components/linkedStorageAccounts 'byos-test-centralus-ai/serviceprofiler' failed with message '{
"error": {
"code": "BadRequest",
"message": "Storage account location should match AI component location",
"innererror": {
"trace": [
"System.ArgumentException"
]
}
}
}'
Solution
Make sure that the location of the Application Insights resource is the same as the storage account.
Frequently asked questions
This section provides answers to common questions about configuring BYOS for Profiler and Snapshot Debugger.
If I enabled Profiler/Snapshot Debugger and BYOS, is my data migrated into my storage account?
No, it won't.
Does BYOS work with encryption-at-rest and customer-managed keys?
Yes. To be precise, BYOS is a requirement to have Profiler/Snapshot Debugger enabled with customer-managed keys.
Does BYOS work in an environment isolated from the internet?
Yes. BYOS is a requirement for isolated network scenarios.
Does BYOS work with both customer-managed keys and Private Link enabled?
Yes, it's possible.
If I enabled BYOS, can I go back to using Diagnostic Services storage accounts to store my collected data?
Yes, you can, but we don't currently support data migration from your BYOS.
After I enable BYOS, do I take over all the related costs of storage and networking?
Yes.
How is my storage account accessed?
Agents running in your virtual machines or Azure App Service upload artifacts (profiles, snapshots, and symbols) to blob containers in your account.
This process involves contacting Profiler or Snapshot Debugger to obtain a shared access signature token to a new blob in your storage account.
Profiler or Snapshot Debugger:
- Analyzes the incoming blob.
- Writes back the analysis results and log files into blob storage.
Depending on available compute capacity, this process might occur anytime after upload.
When you view Profiler traces or Snapshot Debugger analysis, the service fetches the analysis results from blob storage.