Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Integration with Application Insights

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that the functions managed with Microsoft Azure Function App are configured to use Azure Monitor Application Insights. Application Insights is a robust APM solution designed to cater to the needs of both developers and DevOps experts. By enabling this service, you can effortlessly set up continuous monitoring for your serverless application. Application Insights excels at identifying performance irregularities and offers a suite of potent analytical tools to assist you in troubleshooting problems and gaining deep insights into user interactions with your application.

Security
Reliability
Performance
efficiency
Operational
excellence

By seamlessly incorporating Application Insights into your Microsoft Azure Function App, you can enhance your ability to oversee, fine-tune performance, pinpoint problems, and acquire invaluable insights into your serverless application's behavior. This integration ultimately leads to heightened reliability and performance, efficiency, and user satisfaction.

Audit

To determine if your Azure functions are monitored with Application Insights, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select Function App and choose Apply to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the navigation panel, under Settings, select Application Insights to access the Application Insights integration settings available for the selected Function App.

07 If the Application Insights integration settings are not available, instead the Turn on Application Insights button is displayed, the integration with the Application Insights monitoring service is not enabled, therefore the functions managed with the selected Microsoft Azure Function App are not monitored with Application Insights.

08 Repeat steps no. 5 – 7 for each Azure Function App deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run functionapp list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group for each Azure Function App available in the current subscription: 

az functionapp list 
  --output table 
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested Function App names: 

Name                      ResourceGroup
----------------------    ------------------------------
cc-main-function-app      cloud-shell-storage-westeurope
cc-project5-function-app  cloud-shell-storage-westeurope

03 Run functionapp config appsettings list command (Windows/macOS/Linux) using the name of the Azure Function App that you want to examine and its associated resource group as the identifier parameters to list the names of the application settings configured for the selected Function App: 

az functionapp config appsettings list 
  --name cc-main-function-app 
  --resource-group cloud-shell-storage-westeurope 
  --query '[*].name'

04 The command output should return the requested application configuration information: 

[
	"FUNCTIONS_EXTENSION_VERSION",
	"FUNCTIONS_WORKER_RUNTIME",
	"AzureWebJobsStorage",
	"WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
	"WEBSITE_CONTENTSHARE"
]

If the "APPINSIGHTS_INSTRUMENTATIONKEY" setting name is not returned by the functionapp show command output, the integration with the Application Insights monitoring service is not enabled, therefore the functions managed with the selected Microsoft Azure Function App are not monitored with Application Insights.

05 Repeat step no. 3 and 4 for each Azure Function App available within the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable integration with Application Insights for your Microsoft Azure Function Apps, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select Function App and choose Apply to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to configure.

06 In the navigation panel, under Settings, select Application Insights to access the Application Insights integration settings available for the selected Function App.

07 Choose Turn on Application Insights, select Create new resource, ensure that the new resource has the appropriate name and location, and choose Apply to enable Application Insights integration for the selected Azure Function App. Once the integration is enabled, your Function App will be connected to a new, auto-created Application Insights resource. The necessary instrumentation key (i.e. "APPINSIGHTS_INSTRUMENTATIONKEY") will be added automatically to Function App settings.

08 Repeat steps no. 5 – 7 for each Azure Function App that you want to configure, deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run extension add command (Windows/macOS/Linux) to install the Application Insights extension for Azure CLI (the command request does not produce an output): 

az extension add -n application-insights

02 Run monitor app-insights component create command (OSX/Linux/UNIX) using the name of the Azure Function App that you want to configure as the identifier parameter to create the Application Insights resource required for integration with Azure Function App: 

az monitor app-insights component create 
  --app cc-main-function-ai-resource 
  --location westeurope 
  --kind web 
  --resource-group cloud-shell-storage-westeurope 
  --application-type web 
  --retention-time 120

03 The command output should return the configuration information available for the new Application Insights resource: 

{
	"appId": "1234abcd-1234-abcd-1234-abcd1234abcd",
	"applicationId": "cc-main-function-ai-resource",
	"applicationType": "web",
	"connectionString": "InstrumentationKey=1234abcd-1234-abcd-1234-abcd1234abcd",
	"creationDate": "2023-09-07T09:42:04.636913+00:00",
	"disableIpMasking": null,
	"etag": "\"abcdabcd-1234-abcd-1234-abcdabcdabcd\"",
	"flowType": "Bluefield",
	"hockeyAppId": null,
	"hockeyAppToken": null,
	"id": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.insights/components/cc-main-function-ai-resource",
	"immediatePurgeDataOn30Days": null,
	"ingestionMode": "ApplicationInsights",
	"instrumentationKey": "1234abcd-1234-abcd-1234-abcd1234abcd",
	"kind": "web",
	"location": "westeurope",
	"name": "cc-main-function-ai-resource",
	"privateLinkScopedResources": null,
	"provisioningState": "Succeeded",
	"publicNetworkAccessForIngestion": "Enabled",
	"publicNetworkAccessForQuery": "Enabled",
	"requestSource": "rest",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"retentionInDays": 120,
	"samplingPercentage": null,
	"tags": {},
	"tenantId": "1234abcd-1234-abcd-1234-abcd1234abcd",
	"type": "microsoft.insights/components"
}

04 Run monitor app-insights component connect-function command (OSX/Linux/UNIX) using the name of the Azure Function App that you want to configure as the identifier parameter to connect Application Insights to your Azure Function App (i.e. enable Application Insights integration). The required instrumentation key (i.e. "APPINSIGHTS_INSTRUMENTATIONKEY") will be added automatically to your Function App settings: 

az monitor app-insights component connect-function 
  --resource-group cloud-shell-storage-westeurope 
  --app cc-main-function-ai-resource 
  --function cc-main-function-app

05 The command output should return the new application settings configured for the selected Azure Function App: 

[
	{
		"name": "APPINSIGHTS_INSTRUMENTATIONKEY",
		"slotSetting": false,
		"value": "1234abcd-1234-abcd-1234-abcd1234abcd"
	},
	{
		"name": "FUNCTIONS_EXTENSION_VERSION",
		"slotSetting": false,
		"value": "~4"
	},
	{
		"name": "FUNCTIONS_WORKER_RUNTIME",
		"slotSetting": false,
		"value": "python"
	},
	{
		"name": "WEBSITE_CONTENTSHARE",
		"slotSetting": false,
		"value": "cc-main-function-app88fb"
	}
]

06 Repeat steps no. 1 - 5 for each Azure Function App that you want to configure, available within the current subscription.

07 Repeat steps no. 1 – 6 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Oct 23, 2023

Related Functions rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Enable Integration with Application Insights

Risk Level: High