

Monitor your Azure Cosmos DB account for key updates and key regeneration

APPLIES TO: NoSQL, MongoDB, Cassandra, Gremlin, Table

Azure Monitor for Azure Cosmos DB provides metrics, alerts, and logs to monitor your account. You can create dashboards and customize them per your requirement. The Azure Cosmos DB metrics are collected by default, so you don't have to enable or configure anything explicitly.

Warning

Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.

For Azure Cosmos DB, Microsoft Entra authentication is the most secure authentication mechanism available. Review the appropriate security guide for your API:

Prerequisites

  • An existing Azure Cosmos DB account

Monitor key updates with metrics

To monitor your account for key updates, use the Account Keys Updated metric. This metric counts the number of times the primary and secondary keys are updated for an account and shows the time when they were changed. You can also set up alerts to get notifications when a key is updated.

  1. Sign in to the Azure portal (https://portal.azure.com).

  2. Select Monitor from the service menu, and then select Metrics.

    Screenshot of the 'Metrics' pane in Azure Monitor.

  3. From the Metrics pane, select the scope of the resource for which you want to view metrics.

    1. First, choose the required subscription. For the Resource type field, select Azure Cosmos DB accounts. A list of resource groups where the Azure Cosmos DB accounts are located is displayed.

    2. Choose a Resource Group and select one of your existing Azure Cosmos DB accounts. Select Apply.

    Screenshot of the option to select the account scope to view metrics.

  4. For the Metric field, choose the Account Keys Updated metric. Leave the Aggregation field at its default value, Count. This chart shows the total number of times the primary and secondary keys are updated for the selected account. You can also select a timeline in the graph and see the date and time when a key was updated.

  5. To see which key was changed, select the Apply splitting option. Select KeyType and set the Limit and Sort properties. The graph now splits the primary and secondary key updates.

    Screenshot of the metric chart when primary and secondary keys are updated.

Configure alerts for a key update

When a key is rotated or updated, you should update the dependent client applications so they can continue working. By configuring alerts, you receive notifications when a key is updated.

  1. Create an alert.

  2. When selecting the alert condition, choose the Account Keys Updated signal.

  3. Select the KeyType dimension and choose the Primary or Secondary key.

  4. Based on the key type you select, an alert is triggered when that key is updated.

    Screenshot of configuring an alert to get an email notification when account keys are updated.
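The following Python sketch is an added example, not part of the original article. It reads an Azure Monitor metrics response for this metric split by KeyType, lists the time buckets in which each key was updated, and evaluates the same Count condition the alert uses. It assumes the REST metric name `UpdateAccountKeys` and the standard metrics response shape; the sample payload and the function names are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample shaped like an Azure Monitor metrics response for the
# Account Keys Updated metric (assumed REST name: UpdateAccountKeys),
# split by the KeyType dimension.
SAMPLE_RESPONSE = json.loads("""
{"value": [{"name": {"value": "UpdateAccountKeys"},
  "timeseries": [
   {"metadatavalues": [{"name": {"value": "keytype"}, "value": "Primary"}],
    "data": [{"timeStamp": "2024-05-01T10:00:00Z"},
             {"timeStamp": "2024-05-01T11:00:00Z", "count": 1.0}]},
   {"metadatavalues": [{"name": {"value": "keytype"}, "value": "Secondary"}],
    "data": [{"timeStamp": "2024-05-01T10:00:00Z", "count": 0.0},
             {"timeStamp": "2024-05-01T11:00:00Z", "count": 0.0}]}]}]}
""")

def key_updates(response, metric="UpdateAccountKeys"):
    """Return {key_type: [(bucket_start, count), ...]} for buckets with updates."""
    updates = {}
    for m in response.get("value", []):
        if m.get("name", {}).get("value") != metric:
            continue
        for series in m.get("timeseries", []):
            # Dimension names can differ in case, so normalize before lookup.
            dims = {d["name"]["value"].lower(): d["value"]
                    for d in series.get("metadatavalues", [])}
            key_type = dims.get("keytype", "unknown")
            for point in series.get("data", []):
                count = int(point.get("count") or 0)  # empty buckets omit "count"
                if count > 0:
                    ts = datetime.fromisoformat(
                        point["timeStamp"].replace("Z", "+00:00"))
                    updates.setdefault(key_type, []).append((ts, count))
    return updates

def alert_fires(response, key_type, threshold=0):
    """Mirror the alert condition: Count of updates for one KeyType > threshold."""
    total = sum(c for _, c in key_updates(response).get(key_type, []))
    return total > threshold

if __name__ == "__main__":
    for kt, events in key_updates(SAMPLE_RESPONSE).items():
        for ts, count in events:
            print(f"{kt} key updated {count}x in bucket starting {ts.isoformat()}")
    print("Primary alert fires:", alert_fires(SAMPLE_RESPONSE, "Primary"))
```
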