Enable Application Insights

Risk Level: Medium (should be achieved)

Rule ID: AppService-016

Ensure that the Application Insights feature is enabled for all your Microsoft Azure App Services applications in order to provide advanced application monitoring. Application Insights is an extensible Application Performance Management (APM) service for developers and DevOps professionals available as monitoring feature within Azure cloud. The feature monitors your live App Services applications to automatically detect performance anomalies. Application Insights includes powerful analytics tools that help you diagnose issues and understand what the end users actually do with your application. Application Insights can be enabled for apps on a wide variety of platforms including .NET, Node.js and Java EE, hosted on-premises, hybrid, or any other public cloud platforms. It seamlessly integrates with your DevOps processes and has connection points to a variety of development tools.

Application Insights can monitor the following:

Request rates, response times and failure rates - find out which web pages are the most popular, at what times of the day, and where your end users are. Also, find out which pages perform best.
Dependency rates, response times and failure rates - find out whether external services are slowing down your web application.
Server and browser exceptions - analyze the aggregated statistics available or pick specific instances and drill into the stack trace and related requests.
Page views and load performance - performance data reported by the end users' browsers.
AJAX calls from web pages - rates, response times and failure rates.
User and session counts.
Performance counters from your Linux or Windows virtual machines, such as CPU, memory and network usage.
Host diagnostics from Docker or Azure cloud.
Diagnostic trace logs from your web application - useful to correlate trace events with requests.
Custom events and metrics that you write yourself to track business events such as items sold and customer retention.

This rule resolution is part of the Conformity solution.

Reliability

Performance
efficiency

Application Insights is designed to help you continuously improve your application performance and usability. The feature provides instant visibility into your application's performance across all components and dependencies. It includes powerful analytics tools to help you diagnose issues and to understand what the end users actually do with your cloud application.

Audit

To determine if your Azure App Services applications are using the Application Insights feature, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Portal.

02 Navigate to App Services blade available at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the App Service application/function app that you want to examine, listed in the Name column.

04 In the resource navigation panel, under Settings, choose Application Insights and check the feature configuration settings available for the selected application. If there are no configuration settings displayed, instead the Turn on Application Insights button is available, the Application Insights monitoring feature is not enabled for the selected Microsoft Azure App Services application.

05 Repeat steps no. 3 and 4 for each Azure App Services application (including function app), available in the selected account Azure subscription.

06 Repeat steps no. 3 – 5 for other subscriptions created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp list command (Windows/macOS/Linux) with custom query filters to list the names of all App Services web applications (and the name of their associated resource groups) deployed in the current Azure subscription:

az webapp list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return a table with requested information:

Name                 ResourceGroup
-------------------  ------------------------------
cc-ecommerce-app     cloud-shell-storage-eastus
cc-node10-web-app    cloud-shell-storage-eastus

03 Run webapp config appsettings list command (Windows/macOS/Linux) using the name of the web application that you want to examine as the identifier parameter to describe the Application Insights configuration information available for the selected application:

az webapp config appsettings list 
  --name cc-ecommerce-app 
  --resource-group cloud-shell-storage-eastus

04 The command output should return the requested configuration information:

[
	{
		"name": "SnapshotDebugger_EXTENSION_VERSION",
		"slotSetting": true,
		"value": "disabled"
	}
]

If the webapp config appsettings list command output returns an empty array (i.e. []), there is no Application Insights configuration information currently available for the application, therefore the monitoring feature is not enabled for the selected Azure App Services web application. If the command output returns an array with one or more application settings, as shown in the example above, check for "APPLICATIONINSIGHTS_CONNECTION_STRING" and "APPINSIGHTS_INSTRUMENTATIONKEY" parameters. If "APPLICATIONINSIGHTS_CONNECTION_STRING" or "APPINSIGHTS_INSTRUMENTATIONKEY" is not returned, Application Insights is disabled for the selected App Services web application.

05 Run functionapp list command (Windows/macOS/Linux) with custom query filters to list the names of all App Services function apps (and the name of their associated resource groups) available within your Azure subscription:

az functionapp list 
  --output table 
  --query '[*].{name:name, resourceGroup:resourceGroup}'

06 The command output should return a table with requested information:

Name                      ResourceGroup
------------------------  ------------------------------
cc-project5-function-app  cloud-shell-storage-eastus
cc-customer-function-app  cloud-shell-storage-eastus

07 Run functionapp config appsettings list command (Windows/macOS/Linux) using the name of the function app that you want to examine as the identifier parameter to describe the Application Insights configuration information available for the selected function app:

az functionapp config appsettings list 
  --name cc-project5-function-app 
  --resource-group cloud-shell-storage-eastus

08 The command output should return the requested configuration information:

[
	{
		"name": "FUNCTIONS_EXTENSION_VERSION",
		"slotSetting": false,
		"value": "~4"
	},
	{
		"name": "FUNCTIONS_WORKER_RUNTIME",
		"slotSetting": false,
		"value": "dotnet-isolated"
	},
	{
		"name": "WEBSITE_USE_PLACEHOLDER_DOTNETISOLATED",
		"slotSetting": false,
		"value": "1"
	},
	{
		"name": "AzureWebJobsStorage",
		"slotSetting": false,
		"value": "DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net"
	},
	{
		"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
		"slotSetting": false,
		"value": "DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net"
	},
	{
		"name": "WEBSITE_CONTENTSHARE",
		"slotSetting": false,
		"value": "cc-project5-function-abcd1234"
	}
]

If the functionapp config appsettings list command output does not return the "APPLICATIONINSIGHTS_CONNECTION_STRING" or the "APPINSIGHTS_INSTRUMENTATIONKEY" parameter, there is no Application Insights configuration information available for the function app, therefore the monitoring feature is not enabled for the selected Azure App Services function app.

09 Repeat steps no. 1 - 8 for each Azure App Services application (including function app), deployed within the current Azure subscription.

10 Repeat steps no. 1 – 9 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To enable the Application Insights feature for your Microsoft Azure App Services applications in order to collect application monitoring data, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Portal.

02 Navigate to App Services blade available at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the App Service application/function app that you want to configure, listed in the Name column.

04 In the resource navigation panel, under Settings, select Application Insights and choose Turn on Application Insights to initiate the setup process.

05 On the Application Insights setup page, ensure that the Enable button is active, and perform the following operations:

In the Link to an Application Insights resource section, choose Change your resource, select Create new resource, and provide a name and a location for the new Application Insights resource. Microsoft Azure displays the monitoring data collected for your application within an Application Insights resource. Creating a new resource is therefore part of setting up Application Insights to monitor an application.
(Optional) After configuring the necessary resource, you can choose how you want Application Insights to collect data per platform for your application. In the Instrument your application section, select the programming language you chose during application creation to access the instrumentation details and additional configuration settings if available.
Choose Apply to save the Application Insights monitoring settings. Select Yes for confirmation. Once confirmed, Azure Application Insights will install the required tools to link the new Application Insights resource to your App Services application/function app.

06 (Optional) To enable client-side monitoring, perform the following actions:

In the resource navigation panel, under Settings, choose Configuration and select the Application settings tab.
Choose New application setting, type APPINSIGHTS_JAVASCRIPT_ENABLED in the Name box and true in the Value box, and choose Ok to save the changes.
Choose Save to apply the changes and restart the application. Choose Continue for confirmation.

07 Repeat steps no. 3 – 6 for each Azure App Services application (including function app) that you want to configure, available in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run extension add command (Windows/macOS/Linux) to install the Azure Application Insights extension for Azure CLI (the command request does not produce an output):

az extension add -n application-insights

02 Run monitor app-insights component create command (Windows/macOS/Linux) using the name of the web application that you want to configure as the identifier parameter, to create the required Application Insights resource for the selected application. Microsoft Azure displays data about your application within an Application Insights resource. Creating a new resource is therefore part of setting up Application Insights to monitor your web application:

az monitor app-insights component create 
  --app cc-ecommerce-app 
  --resource-group cloud-shell-storage-eastus 
  --location eastus 
  --application-type web

03 The command output should return the information available for the new Application Insights resource. This information includes the connection string (i.e. "connectionString" attribute value) necessary to link the new Application Insights resource to the selected web application. The requested information also includes the instrumentation key (i.e. "instrumentationKey" value). The instrumentation key provides backward compatibility and can be used to enable Application Insights for legacy applications:

{
	"appId": "1234abcd-1234-abcd-1234-abcd1234abcd",
	"applicationId": "cc-ecommerce-app",
	"applicationType": "web",
	"connectionString": "InstrumentationKey=abcdabcd-1234-abcd-1234-abcdabcdabcd;IngestionEndpoint=https://eastus-6.in.applicationinsights.azure.com/;LiveEndpoint=https://eastus.livediagnostics.monitor.azure.com/",
	"creationDate": "2024-02-16T09:48:47.114650+00:00",
	"disableIpMasking": null,
	"flowType": "Bluefield",
	"hockeyAppId": null,
	"hockeyAppToken": null,
	"id": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-eastus/providers/microsoft.insights/components/cc-ecommerce-app",
	"immediatePurgeDataOn30Days": null,
	"ingestionMode": "ApplicationInsights",
	"kind": "web",
	"location": "eastus",
	"name": "cc-ecommerce-app",
	"privateLinkScopedResources": null,
	"provisioningState": "Succeeded",
	"publicNetworkAccessForIngestion": "Enabled",
	"publicNetworkAccessForQuery": "Enabled",
	"requestSource": "rest",
	"resourceGroup": "cloud-shell-storage-eastus",
	"instrumentationKey": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"retentionInDays": 90,
	"samplingPercentage": null,
	"tags": {},
	"type": "microsoft.insights/components"
}

04 Define the Application Insights configuration settings that should be applied to your web application and save the settings to a JSON file named application-insights-config.json. Replace the "APPLICATIONINSIGHTS_CONNECTION_STRING" parameter value with your own connection string, returned at the previous step. This should link the new Application Insights resource with your web application. If your application requires additional parameters, add the necessary parameters to the configuration file:

[
	{
		"name": "APPLICATIONINSIGHTS_CONNECTION_STRING",
		"slotSetting": false,
		"value": "[your-connection-string]"
	},
	{
		"name": "APPINSIGHTS_JAVASCRIPT_ENABLED",
		"slotSetting": false,
		"value": "true"
	},
	{
		"name": "APPINSIGHTS_PROFILERFEATURE_VERSION",
		"slotSetting": true,
		"value": "disabled"
	},
	{
		"name": "APPINSIGHTS_SNAPSHOTFEATURE_VERSION",
		"slotSetting": true,
		"value": "disabled"
	},
	{
		"name": "ApplicationInsightsAgent_EXTENSION_VERSION",
		"slotSetting": true,
		"value": "~2"
	},
	{
		"name": "DiagnosticServices_EXTENSION_VERSION",
		"slotSetting": true,
		"value": "disabled"
	},
	{
		"name": "InstrumentationEngine_EXTENSION_VERSION",
		"slotSetting": true,
		"value": "disabled"
	},
	{
		"name": "SnapshotDebugger_EXTENSION_VERSION",
		"slotSetting": true,
		"value": "disabled"
	},
	{
		"name": "XDT_MicrosoftApplicationInsights_BaseExtensions",
		"slotSetting": true,
		"value": "disabled"
	},
	{
		"name": "XDT_MicrosoftApplicationInsights_Mode",
		"slotSetting": true,
		"value": "recommended"
	}
]

05 Run webapp config appsettings set command (Windows/macOS/Linux) using the name of the web application that you want to configure as the identifier parameter to apply the Application Insights configuration settings defined at the previous step (i.e. application-insights-config.json file):

az webapp config appsettings set
  --name cc-ecommerce-app
  --resource-group cloud-shell-storage-eastus
  --settings @application-insights-config.json

06 The command output should return the applied Application Insights settings:

[
	{
		"name": "APPLICATIONINSIGHTS_CONNECTION_STRING",
		"slotSetting": false,
		"value": "InstrumentationKey=abcdabcd-1234-abcd-1234-abcdabcdabcd;IngestionEndpoint=https://eastus-6.in.applicationinsights.azure.com/;LiveEndpoint=https://eastus.livediagnostics.monitor.azure.com/"
	},
	{
		"name": "APPINSIGHTS_JAVASCRIPT_ENABLED",
		"slotSetting": false,
		"value": "true"
	},
	{
		"name": "APPINSIGHTS_PROFILERFEATURE_VERSION",
		"slotSetting": true,
		"value": "disabled"
	},
	{
		"name": "APPINSIGHTS_SNAPSHOTFEATURE_VERSION",
		"slotSetting": true,
		"value": "disabled"
	},
	{
		"name": "ApplicationInsightsAgent_EXTENSION_VERSION",
		"slotSetting": true,
		"value": "~2"
	},
	{
		"name": "DiagnosticServices_EXTENSION_VERSION",
		"slotSetting": true,
		"value": "disabled"
	},
	{
		"name": "InstrumentationEngine_EXTENSION_VERSION",
		"slotSetting": true,
		"value": "disabled"
	},
	{
		"name": "SnapshotDebugger_EXTENSION_VERSION",
		"slotSetting": true,
		"value": "disabled"
	},
	{
		"name": "XDT_MicrosoftApplicationInsights_BaseExtensions",
		"slotSetting": true,
		"value": "disabled"
	},
	{
		"name": "XDT_MicrosoftApplicationInsights_Mode",
		"slotSetting": true,
		"value": "recommended"
	}
]

07 Run monitor app-insights component create command (Windows/macOS/Linux) using the name of the function app that you want to configure as the identifier parameter, to create the required Application Insights resource for the selected function app:

az monitor app-insights component create 
  --app cc-project5-function-app 
  --resource-group cloud-shell-storage-eastus 
  --location eastus 
  --application-type other

08 The command output should return the information available for the new Application Insights resource. This information includes the connection string (i.e. "connectionString" attribute value) necessary to link the new Application Insights resource to the selected function app. The requested information also includes the instrumentation key (i.e. "instrumentationKey" value). The instrumentation key provides backward compatibility and can be used to enable Application Insights for legacy applications:

{
	"appId": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"applicationId": "cc-project5-function-app",
	"applicationType": "other",
	"connectionString": "InstrumentationKey=abcd1234-abcd-1234-abcd-1234abcd1234;IngestionEndpoint=https://eastus-6.in.applicationinsights.azure.com/;LiveEndpoint=https://eastus.livediagnostics.monitor.azure.com/",
	"creationDate": "2024-02-16T10:27:00.208449+00:00",
	"disableIpMasking": null,
	"flowType": "Bluefield",
	"hockeyAppId": null,
	"hockeyAppToken": null,
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-east-us/providers/microsoft.insights/components/cc-project5-functions-app",
	"immediatePurgeDataOn30Days": null,
	"ingestionMode": "ApplicationInsights",
	"kind": "web",
	"location": "eastus",
	"name": "cc-project5-functions-app",
	"privateLinkScopedResources": null,
	"provisioningState": "Succeeded",
	"publicNetworkAccessForIngestion": "Enabled",
	"publicNetworkAccessForQuery": "Enabled",
	"requestSource": "rest",
	"resourceGroup": "cloud-shell-east-us",
	"instrumentationKey": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"retentionInDays": 90,
	"samplingPercentage": null,
	"tags": {},
	"type": "microsoft.insights/components"
}

09 Define the Application Insights configuration settings that should be applied to your function app and save the settings to a JSON file named application-insights-config.json. Replace the "APPLICATIONINSIGHTS_CONNECTION_STRING" parameter value with your own connection string, returned at the previous step. This should link the new Application Insights resource with your function app. If your application requires additional parameters, add the necessary parameters to the configuration file:

[
	{
		"name": "APPLICATIONINSIGHTS_CONNECTION_STRING",
		"slotSetting": false,
		"value": "[your-connection-string]"
	},
	{
		"name": "FUNCTIONS_EXTENSION_VERSION",
		"slotSetting": false,
		"value": "~4"
	},
	{
		"name": "FUNCTIONS_WORKER_RUNTIME",
		"slotSetting": false,
		"value": "dotnet-isolated"
	},
	{
		"name": "WEBSITE_USE_PLACEHOLDER_DOTNETISOLATED",
		"slotSetting": false,
		"value": "1"
	},
	{
		"name": "AzureWebJobsStorage",
		"slotSetting": false,
		"value": "DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net"
	},
	{
		"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
		"slotSetting": false,
		"value": "DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net"
	},
	{
		"name": "WEBSITE_CONTENTSHARE",
		"slotSetting": false,
		"value": "cc-project5-functions-appabcd"
	}
]

10 Run functionapp config appsettings set command (Windows/macOS/Linux) using the name of the function app that you want to configure as the identifier parameter to apply the Application Insights configuration settings defined at the previous step (i.e. application-insights-config.json file):

az functionapp config appsettings set 
  --name cc-project5-function-app 
  --resource-group cloud-shell-storage-eastus 
  --settings @application-insights-config.json

11 The command output should return the applied Application Insights settings:

[
	{
		"name": "APPLICATIONINSIGHTS_CONNECTION_STRING",
		"slotSetting": false,
		"value": "InstrumentationKey=abcd1234-abcd-1234-abcd-1234abcd1234;IngestionEndpoint=https://eastus-6.in.applicationinsights.azure.com/;LiveEndpoint=https://eastus.livediagnostics.monitor.azure.com/"
	},
	{
		"name": "FUNCTIONS_EXTENSION_VERSION",
		"slotSetting": false,
		"value": "~4"
	},
	{
		"name": "FUNCTIONS_WORKER_RUNTIME",
		"slotSetting": false,
		"value": "dotnet-isolated"
	},
	{
		"name": "WEBSITE_USE_PLACEHOLDER_DOTNETISOLATED",
		"slotSetting": false,
		"value": "1"
	},
	{
		"name": "AzureWebJobsStorage",
		"slotSetting": false,
		"value": "DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net"
	},
	{
		"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
		"slotSetting": false,
		"value": "DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net"
	},
	{
		"name": "WEBSITE_CONTENTSHARE",
		"slotSetting": false,
		"value": "cc-project5-functions-appabcd"
	}
]

12 Repeat steps no. 2 – 11 for each Azure App Services application (including function app) that you want to configure, available in the selected subscription.

13 Repeat steps no. 2 – 12 for each subscription created in your Microsoft Azure cloud account.

References

Azure Official Documentation
App Service
Azure Monitor Frequently Asked Questions
What is Application Insights?
Monitor Azure App Service performance
Create an Application Insights resource

Azure PowerShell Documentation
az webapp list
az webapp config appsettings list
az monitor app-insights component create
az webapp config appsettings set
az functionapp config appsettings list
az functionapp config appsettings set

Publication date Apr 6, 2020

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Enable Application Insights

Risk Level: Medium

Audit

Using Azure Portal

Using Azure CLI

Remediation / Resolution

Using Azure Portal

Using Azure CLI

References

Related AppService rules