Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Integration with Application Insights

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the functions managed with Microsoft Azure Function App are configured to use Azure Monitor Application Insights. Application Insights is a robust APM solution designed to cater to the needs of both developers and DevOps experts. By enabling this service, you can effortlessly set up continuous monitoring for your serverless application. Application Insights excels at identifying performance irregularities and offers a suite of potent analytical tools to assist you in troubleshooting problems and gaining deep insights into user interactions with your application.

Security
Reliability
Performance
efficiency
Operational
excellence

By seamlessly incorporating Application Insights into your Microsoft Azure Function App, you can enhance your ability to oversee, fine-tune performance, pinpoint problems, and acquire invaluable insights into your serverless application's behavior. This integration ultimately leads to heightened reliability and performance, efficiency, and user satisfaction.


Audit

To determine if your Azure functions are monitored with Application Insights, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access your Azure cloud resources.

03 Select the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Equals and choose Function App to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the resource navigation panel, under Monitoring, select Application Insights to access the Application Insights integration settings available for the selected Function App.

07 If the Application Insights integration settings are not available, instead a Turn on Application Insights button is displayed, the integration with the Application Insights monitoring service is not enabled, therefore, the functions managed with the selected Microsoft Azure Function App are not monitored with Application Insights.

08 Repeat steps no. 5 – 7 for each Azure Function App deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run functionapp list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Function App available in the selected subscription:

az functionapp list
  --output table
  --query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Function App names:

Name                      ResourceGroup
----------------------    ------------------------------
cc-main-function-app      cloud-shell-storage-westeurope
cc-project5-function-app  cloud-shell-storage-westeurope

06 Run functionapp config appsettings list command (Windows/macOS/Linux) with the name of the Azure Function App that you want to examine and its associated resource group as the identifier parameters to list the application settings configured for the selected Function App:

az functionapp config appsettings list
  --name cc-main-function-app
  --resource-group cloud-shell-storage-westeurope

07 The command output should return the requested configuration information:

[
	{
		"name": "FUNCTIONS_EXTENSION_VERSION",
		"slotSetting": false,
		"value": "~4"
	},
	{
		"name": "FUNCTIONS_WORKER_RUNTIME",
		"slotSetting": false,
		"value": "dotnet-isolated"
	},
	{
		"name": "WEBSITE_USE_PLACEHOLDER_DOTNETISOLATED",
		"slotSetting": false,
		"value": "1"
	},
	{
		"name": "AzureWebJobsStorage",
		"slotSetting": false,
		"value": "..."
	},
	{
		"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
		"slotSetting": false,
		"value": "..."
	},
	{
		"name": "WEBSITE_CONTENTSHARE",
		"slotSetting": false,
		"value": "cc-main-function-appadba"
	}
]

If the functionapp config appsettings list command output does not return the "APPLICATIONINSIGHTS_CONNECTION_STRING" or the "APPINSIGHTS_INSTRUMENTATIONKEY" parameter, the integration with the Application Insights monitoring service is not enabled, therefore, the functions managed with the selected Microsoft Azure Function App are not monitored with Application Insights.

08 Repeat steps no. 6 and 7 for each Azure Function App available within the current Azure subscription.

09 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To enable integration with Application Insights for your Microsoft Azure Function Apps, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access your Azure cloud resources.

03 Select the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Equals and choose Function App to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to configure.

06 In the resource navigation panel, under Monitoring, select Application Insights and choose Turn on Application Insights to initiate the setup process.

07 On the Application Insights setup page, perform the following actions:

  1. In the Link to an Application Insights resource section, choose Change your resource, select Create new resource, and provide a name and a location for the new Application Insights resource. Microsoft Azure displays the monitoring data collected for your application within an Application Insights resource. Creating a new resource is therefore part of setting up Application Insights to monitor an application.
  2. Choose Apply to save the Application Insights monitoring settings. Select Yes for confirmation. Once confirmed, Azure Application Insights will install the required tools to link the new Application Insights resource to your Azure Function App.

08 Repeat steps no. 5 – 7 for each Azure Function App that you want to configure, deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run extension add command (Windows/macOS/Linux) to install the Application Insights extension for Azure CLI (the command request does not produce an output):

az extension add -n application-insights

05 Run monitor app-insights component create command (OSX/Linux/UNIX) with the name of the Azure Function App that you want to configure as the identifier parameter, to create the required Application Insights resource for the selected Function App. Microsoft Azure displays data about your Function App within an Application Insights resource. Creating a new resource is therefore part of setting up Application Insights to monitor your functions:

az monitor app-insights component create
  --app cc-main-function-app
  --resource-group cloud-shell-storage-westeurope
  --location westeurope
  --application-type other

06 The command output should return the information available for the new Application Insights resource. This information includes the connection string (i.e. "connectionString" attribute value) necessary to link the new Application Insights resource to the selected Function App. The requested information also includes the instrumentation key (i.e. "instrumentationKey" value). The instrumentation key provides backward compatibility and can be used to enable Application Insights for legacy applications:

{
	"appId": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"applicationId": "cc-main-function-app",
	"applicationType": "other",
	"connectionString": "InstrumentationKey=abcd1234-abcd-1234-abcd-1234abcd1234;IngestionEndpoint=https://eastus-6.in.applicationinsights.azure.com/;LiveEndpoint=https://eastus.livediagnostics.monitor.azure.com/",
	"creationDate": "2024-09-16T10:27:00.208449+00:00",
	"disableIpMasking": null,
	"flowType": "Bluefield",
	"hockeyAppId": null,
	"hockeyAppToken": null,
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-east-us/providers/microsoft.insights/components/cc-main-function-app",
	"immediatePurgeDataOn30Days": null,
	"ingestionMode": "ApplicationInsights",
	"kind": "web",
	"location": "eastus",
	"name": "cc-main-function-app",
	"privateLinkScopedResources": null,
	"provisioningState": "Succeeded",
	"publicNetworkAccessForIngestion": "Enabled",
	"publicNetworkAccessForQuery": "Enabled",
	"requestSource": "rest",
	"resourceGroup": "cloud-shell-east-us",
	"instrumentationKey": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"retentionInDays": 90,
	"samplingPercentage": null,
	"tags": {},
	"type": "microsoft.insights/components"
}

07 Define the Application Insights configuration settings that should be applied to your Function App and save the settings to a JSON file named application-insights-config.json. Replace the "APPLICATIONINSIGHTS_CONNECTION_STRING" parameter value (i.e. \<your-connection-string\>) with your own connection string, returned at the previous step. This should link the new Application Insights resource with your function app. If your application requires additional parameters, add the necessary parameters to the configuration file:

[
	{
		"name": "APPLICATIONINSIGHTS_CONNECTION_STRING",
		"slotSetting": false,
		"value": "<your-connection-string>"
	},
	{
		"name": "FUNCTIONS_EXTENSION_VERSION",
		"slotSetting": false,
		"value": "~4"
	},
	{
		"name": "FUNCTIONS_WORKER_RUNTIME",
		"slotSetting": false,
		"value": "dotnet-isolated"
	},
	{
		"name": "WEBSITE_USE_PLACEHOLDER_DOTNETISOLATED",
		"slotSetting": false,
		"value": "1"
	},
	{
		"name": "AzureWebJobsStorage",
		"slotSetting": false,
		"value": "<your-endpoint-configuration>"
	},
	{
		"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
		"slotSetting": false,
		"value": "<your-endpoint-configuration>"
	},
	{
		"name": "WEBSITE_CONTENTSHARE",
		"slotSetting": false,
		"value": "cc-main-function-appabcd"
	}
]

08 Run functionapp config appsettings set command (Windows/macOS/Linux) with the name of the Function App that you want to configure as the identifier parameter to apply the Application Insights configuration settings defined at the previous step (i.e. application-insights-config.json file):

az functionapp config appsettings set
  --name cc-main-function-app
  --resource-group cloud-shell-storage-westeurope
  --settings @application-insights-config.json

09 The command output should return the applied Application Insights settings:

[
	{
		"name": "APPLICATIONINSIGHTS_CONNECTION_STRING",
		"slotSetting": false,
		"value": "InstrumentationKey=abcd1234-abcd-1234-abcd-1234abcd1234;IngestionEndpoint=https://westeurope-5.in.applicationinsights.azure.com/;LiveEndpoint=https://westeurope.livediagnostics.monitor.azure.com/;ApplicationId=1234abcd-1234-abcd-1234-1234abcd1234"
	},
	{
		"name": "FUNCTIONS_EXTENSION_VERSION",
		"slotSetting": false,
		"value": "~4"
	},
	{
		"name": "FUNCTIONS_WORKER_RUNTIME",
		"slotSetting": false,
		"value": "dotnet-isolated"
	},
	{
		"name": "WEBSITE_USE_PLACEHOLDER_DOTNETISOLATED",
		"slotSetting": false,
		"value": "1"
	},
	{
		"name": "AzureWebJobsStorage",
		"slotSetting": false,
		"value": "DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net"
	},
	{
		"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
		"slotSetting": false,
		"value": "DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net"
	},
	{
		"name": "WEBSITE_CONTENTSHARE",
		"slotSetting": false,
		"value": "cc-main-function-appabcd"
	}
]

10 Repeat steps no. 5 - 9 for each Azure Function App that you want to configure, available within the current subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Oct 23, 2023