Purchasing Azure Monitor: A Comprehensive Guide

Azure Monitor is a comprehensive monitoring solution for collecting, analysing, and responding to monitoring data from your cloud and on-premises environments. It is a pay-as-you-go service, where you only pay for what you use.

Azure Monitor is enabled the moment you create a new Azure subscription, and activity logs and platform metrics are automatically collected.

To buy Azure Monitor, you can create a pay-as-you-go account or start with a $200 Azure credit.

Understand the different ways Azure Monitor charges for usage

Azure Monitor uses a pay-as-you-go billing model, where you only pay for what you use. Features that are enabled by default, such as collection and alerting on the Activity log and collection and analysis of platform metrics, are free of charge.

However, several other features do not have a direct cost but you will be charged for the ingestion and retention of data that they collect. Log data ingestion is the largest component of Azure Monitor charges for most customers. There is no charge for querying this data except in the case of Basic and Auxiliary logs or data in long-term retention.

Additionally, there is a charge for the retention of data in each Log Analytics workspace. You can set the retention period for the entire workspace or for each table. After this period, the data is either removed or kept in long-term retention, which comes with a reduced retention charge and a charge to retrieve the data.

Alerts are charged based on the type and number of signals used by the alert rule, its frequency, and the type of notification used in response.

There are also data transfer charges for sending data to Azure Monitor, although these are typically very small compared to the costs for data ingestion and retention.

Finally, some functionalities of Azure Monitor such as web tests and data export have additional charges.

Learn how to evaluate charges on your Azure bill

To learn how to evaluate charges on your Azure bill, you can refer to the following steps:

Understand the Azure billing model

Azure Monitor uses a consumption-based pricing (pay-as-you-go) billing model where you only pay for what you use. Features enabled by default, such as collection and alerting on the Activity log and collection and analysis of platform metrics, do not incur any charges.

Identify the different types of usage charged

Several features do not have a direct cost but are charged based on the ingestion, retention, and export of data. This includes Log Analytics workspaces and legacy Application Insights resources. Log data ingestion is typically the largest component of Azure Monitor charges. There are also charges for processing diagnostic and auditing information for certain services when sent to destinations other than a Log Analytics workspace.

Understand the cost of alerts

Alerts are charged based on the type and number of signals used, the frequency of the alert rule, and the type of notification used in response. For log search alerts configured for at-scale monitoring, the cost depends on the number of time series created by the dimensions resulting from your query.

Review your Azure subscription bill

You can review your Azure subscription bill by signing into the Azure portal and downloading your invoice and usage files. The detailed usage CSV file will show your charges by billing period and daily usage. Compare the values in the "Cost" column of the CSV file with the usage charges on your invoice to ensure they match.

Analyze unexpected charges

If you encounter unexpected charges, you can review the invoice, check your invoiced charges in Cost Analysis, find the people responsible for the resource, analyze audit logs, and analyze user permissions to the resource's parent scope.

Optimize your Azure Monitor costs

To optimize your Azure Monitor costs, you can refer to resources such as "Cost optimization and Azure Monitor", which provides strategies to reduce expenses. Additionally, you can set a daily cap on the amount of data that can be ingested into a Log Analytics workspace to control your costs.

Learn how to set up Azure Monitor for on-premises servers

To set up Azure Monitor for on-premises servers, you will need to install the Microsoft Monitoring Agent (MMA) on each server in your cluster. This will allow you to collect telemetry data and push it to the Log Analytics workspace.

Firstly, ensure you have an Azure subscription. Then, follow these steps:

• Log in to the Azure portal.
• Click 'All services' and type 'Log Analytics' in the list of resources.
• Click 'Create' and select your preferences for the following:

• Provide a name for the new Log Analytics Workspace.
• Select a Subscription to link to.
• For the Resource Group, choose an existing group that contains one or more Azure virtual machines.

• After providing the required information, click 'OK'.
• Obtain the workspace ID and key for your Log Analytics workspace.
• Download the appropriate Windows Agent version for each server, depending on the processor architecture of the Windows operating system.
• Run the Setup and install the agent on your computer.
• Follow the installation prompts, accepting the license terms, and choosing your preferred destination folder.
• On the Agent Setup Options page, choose to connect the agent to Azure Log Analytics.
• Paste the Workspace ID and Workspace Key.
• If your computer needs to communicate via a proxy server, click 'Advanced' and provide the necessary details.
• Review your choices and click 'Install'.
• Once complete, click 'Finish'.

The Microsoft Monitoring Agent should now appear in your Control Panel. You can review your configuration and verify that the agent is connected to Log Analytics.

To set up alerts, you can use Windows Admin Center to configure default alerts that will apply to all servers in your Log Analytics workspace. Alternatively, you can set up custom alerts using the Log Search portal.

Learn how to use Azure Monitor Log Analytics agent on a Windows machine

The Log Analytics agent is a tool that allows you to collect logs and performance data from Azure virtual machines or hybrid machines hosted outside of Azure. It can also be used to send data to a Log Analytics workspace, enabling you to take advantage of features supported by Azure Monitor Logs, such as log queries.

Installation options

The Log Analytics agent can be installed on different types of virtual machines, including Azure virtual machines, Windows virtual machines on-premises or in another cloud, and Linux virtual machines on-premises or in another cloud.

For Azure virtual machines, you can use VM insights to install the agent for a single machine or multiple machines at scale. This installs the Log Analytics agent and the Dependency agent. You can also install the Log Analytics VM extension for Windows or Linux using the Azure portal, Azure CLI, Azure PowerShell, or an Azure Resource Manager template.

For Windows virtual machines on-premises or in another cloud, you can use Azure Arc-enabled servers to deploy and manage the Log Analytics VM extension. You can also manually install the agent from the command line, automate the installation with Azure Automation DSC, or use a Resource Manager template with Azure Stack.

For Linux virtual machines on-premises or in another cloud, you can also use Azure Arc-enabled servers to deploy and manage the Log Analytics VM extension. Additionally, you can manually install the agent by calling a wrapper script hosted on GitHub or integrate System Center Operations Manager with Azure Monitor to forward collected data from Windows computers reporting to a management group.

Network requirements

The Log Analytics agent for Linux and Windows communicates outbound to the Azure Monitor service over TCP port 443. If the machine connects through a firewall or proxy server to communicate over the internet, you will need to review the proxy and firewall configuration requirements to understand the necessary network configuration.

If your IT security policies do not allow computers on the network to connect to the internet, you can set up a Log Analytics gateway and configure the agent to connect through the gateway to Azure Monitor. This allows the agent to receive configuration information and send collected data.

Configuring the agent to use TLS 1.2

To ensure the security of data in transit to Azure Monitor logs, it is recommended to configure the agent to use at least Transport Layer Security (TLS) 1.2. Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable. While they still work to allow backward compatibility, they are not recommended.

For the Windows agent, you can locate the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols and create a subkey under Protocols for TLS 1.2. You will then need to create a Client subkey under the TLS 1.2 protocol version subkey and create specific DWORD values. Finally, configure .NET Framework 4.6 or later to support secure cryptography.

For the Linux agent, you can specify the proxy server during installation or after installation by modifying the proxy.conf configuration file. The proxy configuration value has the following syntax:

[protocol://][user:password@]proxyhost[:port]

Limitations of the Log Analytics agent

The Log Analytics agent has some limitations, including the inability to send data to Azure Monitor Metrics, Azure Storage, or Azure Event Hubs. It is also difficult to configure unique monitoring definitions for individual agents and manage at scale due to each virtual machine having a unique configuration.

Comparison to other agents

For a comparison between the Log Analytics agent and other agents in Azure Monitor, you can refer to the Overview of Azure Monitor agents.

Learn about the different types of data Azure Monitor collects

Azure Monitor collects data from every layer and component of your system across multiple Azure and non-Azure subscriptions and tenants. It stores this data in a common data platform for consumption by a common set of tools that can correlate, analyse, visualise, and/or respond to the data.

Azure Monitor collects the following types of data:

• App — Application performance, health, and activity data. Workloads — IaaS workloads such as SQL server, Oracle or SAP running on a hosted Virtual Machine.
• Container — Data about containers, such as Azure Kubernetes Service, Prometheus, and the applications running inside containers.
• Operating system — Data about the guest operating system on which your application is running.
• Azure resource — Data about the operation of an Azure resource from inside the resource, including changes.
• Azure subscription — The operation and management of an Azure subscription, and data about the health and operation of Azure itself.
• Azure tenant — Data about the operation of tenant-level Azure services, such as Microsoft Entra ID.

Azure Monitor also collects data from custom sources that use APIs, and can integrate application, infrastructure, and custom data source monitoring data from outside Azure, including from on-premises, and non-Microsoft clouds.

Frequently asked questions