Enable Application Insights

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: AppService-016

Ensure that Application Insights feature is enabled for all your Microsoft Azure App Services web applications in order to provide advanced application monitoring. Application Insights is an extensible Application Performance Management (APM) service for developers and DevOps professionals available as monitoring feature within Azure cloud. The feature monitors your live App Services applications to automatically detect performance anomalies. Application Insights includes powerful analytics tools that help you diagnose issues and understand what the end users actually do with your application. Application Insights can be enabled for apps on a wide variety of platforms including .NET, Node.js and Java EE, hosted on-premises, hybrid, or any other public cloud platforms. It seamlessly integrates with your DevOps processes and has connection points to a variety of development tools.

Application Insights can monitor the following:

Request rates, response times and failure rates - find out which web pages are the most popular, at what times of the day, and where your end users are. Also, find out which pages perform best.

Dependency rates, response times and failure rates - find out whether external services are slowing down your web application.

Server and browser exceptions - analyze the aggregated statistics available or pick specific instances and drill into the stack trace and related requests.

Page views and load performance - performance data reported by the end users' browsers.

AJAX calls from web pages - rates, response times and failure rates.

User and session counts.

Performance counters from your Linux or Windows virtual machines, such as CPU, memory and network usage.

Host diagnostics from Docker or Azure cloud.

Diagnostic trace logs from your web application - useful to correlate trace events with requests.

Custom events and metrics that you write yourself to track business events such as items sold and customer retention.

This rule resolution is part of the Cloud Conformity solution

Reliability
Performance
efficiency

Application Insights is designed to help you continuously improve your web application performance and usability. The feature provides instant visibility into your application's performance across all components and dependencies. It includes powerful analytics tools to help you diagnose issues and to understand what the end users actually do with your website/web application.

Note: As example, this conformity rule demonstrates how to check and enable the Application Insights monitoring feature for an ASP.NET web application.


Audit

To determine if your Azure App Services applications are using the Application Insights feature, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the App Services application that you want to examine.

04 In the navigation panel, under Settings, select Application Insights and check the feature configuration settings available for the selected application as follows:

  1. If there are no configuration settings displayed, instead the Turn on Application Insights button is available, the Application Insights monitoring feature is not enabled for the selected Microsoft Azure App Services web application.
  2. If there are configuration settings displayed, click on View Application Insights data. If error message shows up, the Application Insights monitoring feature is enabled but not linked to Application Insights resource correctly (wrong setting or resource not found).

05 Repeat step no. 3 and 4 for each Azure App Services application available in the selected account subscription.

06 Repeat steps no. 3 – 5 for other subscriptions created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp list command (Windows/macOS/Linux) using custom query filters to list the names of all App Services applications (and the name of their associated resource groups) deployed in the current Azure subscription:

az webapp list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return a table with requested application information:

Name                 ResourceGroup
-------------------  ------------------------------
cc-project5-web-app  cloud-shell-storage-westeurope
cc-node10-prod-app   cloud-shell-storage-westeurope

03 Run webapp config appsettings list command (Windows/macOS/Linux) using the name of the web app that you want to examine as identifier parameter to describe the Application Insights configuration details available for the selected application:

az webapp config appsettings list
	--name cc-project5-web-app
	--resource-group cloud-shell-storage-westeurope

04 The command output should return the requested configuration information:

[
  {
    "name": "APPINSIGHTS_INSTRUMENTATIONKEY",
    "slotSetting": true,
    "value": "zzzzbbbb-4321-zzbb-4321-zzzzzzbbbbbb"
  },
  {
    "name": "APPINSIGHTS_JAVASCRIPT_ENABLED",
    "slotSetting": false,
    "value": "true"
  },
  {
    "name": "APPINSIGHTS_PROFILERFEATURE_VERSION",
    "slotSetting": true,
    "value": "disabled"
  },
  {
    "name": "APPINSIGHTS_SNAPSHOTFEATURE_VERSION",
    "slotSetting": true,
    "value": "disabled"
  },

  ...

]

  1. If the webapp config appsettings list command output returns an empty array, there is no Application Insights configuration currently available for the application; therefore the monitoring feature is not enabled for the selected Microsoft Azure App Services web application.
  2. If the webapp config appsettings list command output returns array as shown in the example above, copy the property values of APPINSIGHTS_INSTRUMENTATIONKEY and query that Application Insight (replace the <instrumentation-key> attribute value placeholder with your own instrumentation key):
    az monitor app-insights component show --query "[?instrumentationKey==<instrumentation-key>]"
    
    If the command output returns an empty array, the Application Insights monitoring feature is enabled but not linked to Application Insights resource correctly (wrong setting or resource not found).

05 Repeat step no. 3 and 4 for each Azure App Services application deployed within the current account subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To enable Application Insights feature for your Microsoft Azure App Services web applications in order to collect application monitoring data, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the application that you want to reconfigure (see Audit section part I to identify the right application).

04 In the navigation panel, under Settings, select Application Insights and click the Turn on Application Insights button to initiate the setup process.

05 On the Application Insights page, select Enable under Collect application monitoring data using Application Insights, and perform the following:

  1. In the Link to an Application Insights resource section, select Create new resource, then provide a name and a location for the new resource. Azure Application Insights displays data about your application within a Microsoft Azure resource. Creating a new resource is therefore part of setting up Application Insights to monitor a web application.
  2. After configuring the resource, you can choose how you want Application Insights to collect data per platform for your application. As example, this conformity rule configures the Application Insights feature for an ASP.NET web application. In the Instrument your application section, select .NET tab, then choose one the following options:
    • Select Basic collection level to provide essential single-instance APM monitoring capabilities.
    • Select Recommended collection level to provide more monitoring capabilities such as add CPU, memory, and I/O usage trends, correlate micro-services across dependency boundaries, collect usage trends and enables correlation from availability results to transactions, collect exceptions that are unhandled by the host processes, improve APM metrics accuracy under load (when sampling is used) and so on.
  3. Click Apply to save the Application Insights monitoring settings. Click Yes to confirm your configuration changes. Once confirmed, Azure Application Insights will install the required tools to link your new Application Insights resource to the selected web app. This action will restart your ASP.NET application.

06 (Optional) To enable client-side monitoring, perform the following:

  1. In the navigation panel, under Settings, choose Configuration and select the Application settings tab.
  2. Click New application setting, then type APPINSIGHTS_JAVASCRIPT_ENABLED in the Name box and true in the Value box available on the Add/Edit application setting panel. Click OK to save the changes.
  3. Click Save to apply the changes and restart the application. Choose Continue to confirm the action.

07 Repeat steps no. 3 – 6 for each Azure App Services web application that you want to reconfigure in order to enable Application Insights, available in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run extension add command (Windows/macOS/Linux) to install the Azure Application Insights extension for Azure CLI (the command request does not produce an output):

az extension add -n application-insights

02 Run monitor app-insights component create command (Windows/macOS/Linux) using the name of the web application that you want to reconfigure (see Audit section part II to identify the right app) to create the required Application Insights resource for the selected Azure App Services application. Azure Application Insights displays data about your application within a Microsoft Azure resource. Creating a new resource is therefore part of setting up Application Insights to monitor your web application:

az monitor app-insights component create
	--app cc-project5-web-app
	--resource-group cloud-shell-storage-westeurope
	--location centralus
	--application-type web

03 The command output should return the metadata for the new Application Insights resource (including the instrumentation key necessary to link the resource to the selected web application, available as value for the instrumentationKey attribute).

{
  "appId": "1234abcd-1234-abcd-1234-abcd1234abcd",
  "applicationId": "cc-project5-web-app",
  "applicationType": "web",
  "creationDate": "2020-04-01T10:00:33.534913+00:00",
  "flowType": "Bluefield",
  "hockeyAppId": null,
  "hockeyAppToken": null,
  "id": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/components/cc-project5-web-app",
  "instrumentationKey": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "kind": "web",
  "location": "centralus",
  "name": "cc-project5-web-app",
  "provisioningState": "Succeeded",
  "requestSource": "rest",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "samplingPercentage": null,
  "tags": {},
  "tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd",
  "type": "microsoft.insights/components"
}

04 Define the Application Insights configuration settings that should be applied to your web application and save them to a JSON document named application-insights-config.json. Replace the <instrumentation-key> attribute value placeholder with your own instrumentation key returned at the previous step:

[
  {
    "name": "APPINSIGHTS_INSTRUMENTATIONKEY",
    "slotSetting": true,
    "value": "<instrumentation-key>"
  },
  {
    "name": "APPINSIGHTS_JAVASCRIPT_ENABLED",
    "slotSetting": false,
    "value": "true"
  },
  {
    "name": "APPINSIGHTS_PROFILERFEATURE_VERSION",
    "slotSetting": true,
    "value": "disabled"
  },
  {
    "name": "APPINSIGHTS_SNAPSHOTFEATURE_VERSION",
    "slotSetting": true,
    "value": "disabled"
  },
  {
    "name": "APPLICATIONINSIGHTS_CONNECTION_STRING",
    "slotSetting": false,
    "value": "InstrumentationKey=<instrumentation-key>"
  },
  {
    "name": "ApplicationInsightsAgent_EXTENSION_VERSION",
    "slotSetting": true,
    "value": "~2"
  },
  {
    "name": "DiagnosticServices_EXTENSION_VERSION",
    "slotSetting": true,
    "value": "disabled"
  },
  {
    "name": "InstrumentationEngine_EXTENSION_VERSION",
    "slotSetting": true,
    "value": "disabled"
  },
  {
    "name": "SnapshotDebugger_EXTENSION_VERSION",
    "slotSetting": true,
    "value": "disabled"
  },
  {
    "name": "XDT_MicrosoftApplicationInsights_BaseExtensions",
    "slotSetting": true,
    "value": "disabled"
  },
  {
    "name": "XDT_MicrosoftApplicationInsights_Mode",
    "slotSetting": true,
    "value": "recommended"
  }
]

05 Run webapp config appsettings set command (Windows/macOS/Linux) using the name of the web application that you want to reconfigure as identifier parameter to apply the Application Insights configuration settings defined at the previous step (i.e. application-insights-config.json file):

az webapp config appsettings set
	--name cc-project5-web-app
	--resource-group cloud-shell-storage-westeurope
	--settings @application-insights-config.json

06 The command output should return the applied Application Insights settings:

[
  {
    "name": "APPINSIGHTS_JAVASCRIPT_ENABLED",
    "slotSetting": false,
    "value": "true"
  },
  {
    "name": "APPLICATIONINSIGHTS_CONNECTION_STRING",
    "slotSetting": false,
    "value": "InstrumentationKey=abcdabcd-1234-abcd-1234-abcdabcdabcd"
  },
  {
    "name": "APPINSIGHTS_INSTRUMENTATIONKEY",
    "slotSetting": true,
    "value": "abcdabcd-1234-abcd-1234-abcdabcdabcd"
  },
  {
    "name": "APPINSIGHTS_PROFILERFEATURE_VERSION",
    "slotSetting": true,
    "value": "disabled"
  },
  {
    "name": "APPINSIGHTS_SNAPSHOTFEATURE_VERSION",
    "slotSetting": true,
    "value": "disabled"
  },
  {
    "name": "ApplicationInsightsAgent_EXTENSION_VERSION",
    "slotSetting": true,
    "value": "~2"
  },
  {
    "name": "DiagnosticServices_EXTENSION_VERSION",
    "slotSetting": true,
    "value": "disabled"
  },
  {
    "name": "InstrumentationEngine_EXTENSION_VERSION",
    "slotSetting": true,
    "value": "disabled"
  },
  {
    "name": "SnapshotDebugger_EXTENSION_VERSION",
    "slotSetting": true,
    "value": "disabled"
  },
  {
    "name": "XDT_MicrosoftApplicationInsights_BaseExtensions",
    "slotSetting": true,
    "value": "disabled"
  },
  {
    "name": "XDT_MicrosoftApplicationInsights_Mode",
    "slotSetting": true,
    "value": "recommended"
  }
]

07 Repeat steps no. 2 – 6 for each Azure App Services web application that you want to reconfigure in order to enable Application Insights, available within the current subscription.

08 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Apr 6, 2020

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Enable Application Insights

Risk level: Medium