AZ-104 Objective 5.1: Monitor Resources in Azure

60 min read | Microsoft Azure Administrator

AZ-104 Exam Focus: This objective covers comprehensive monitoring in Azure using Azure Monitor, including metrics interpretation, log configuration, querying, alerting, and specialized monitoring tools. Understanding monitoring concepts, Azure Monitor Insights, and Network Watcher is crucial for Azure administrators to maintain system health and performance. Master these concepts for both exam success and real-world Azure monitoring and troubleshooting.

Understanding Azure Monitoring

Azure provides comprehensive monitoring capabilities through Azure Monitor, which collects, analyzes, and acts on telemetry data from your Azure and on-premises environments. This includes metrics, logs, traces, and custom data sources. Monitoring is essential for maintaining the health of all your Azure resources, from storage accounts to virtual networks.

Azure Monitor Components

  • Metrics: Numerical values describing system performance
  • Logs: Text-based data for detailed analysis
  • Alerts: Automated responses to monitoring conditions
  • Dashboards: Visual representation of monitoring data
  • Workbooks: Interactive reports and visualizations
  • Insights: Specialized monitoring for specific services

1. Interpret Metrics in Azure Monitor

Metrics are numerical values that describe some aspect of a system at a particular point in time. Azure Monitor collects metrics from various sources and provides tools to analyze and visualize them.

Types of Metrics

Metric Categories:

  • Platform Metrics: Automatically collected from Azure resources
  • Custom Metrics: Application-defined metrics
  • Guest OS Metrics: Metrics from virtual machine operating systems
  • Application Metrics: Metrics from Application Insights

Common Azure Metrics

Resource Type     Key Metrics                                  Description
Virtual Machines  CPU Percentage, Memory, Disk I/O             Performance and resource utilization
Storage Accounts  Transactions, Capacity, Egress               Usage and performance metrics
Load Balancers    Data Path Availability, Health Probe Status  Availability and health monitoring
App Services      Requests, Response Time, Errors              Application performance metrics

Querying Metrics

# Get VM metrics using Azure CLI
az monitor metrics list \
  --resource /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM \
  --metric "Percentage CPU" \
  --aggregation Average \
  --interval PT1M \
  --start-time 2023-01-01T00:00:00Z \
  --end-time 2023-01-01T01:00:00Z

# Get storage account metrics
az monitor metrics list \
  --resource /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount \
  --metric "Transactions" \
  --aggregation Total \
  --interval PT1H

# Get load balancer metrics
az monitor metrics list \
  --resource /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/loadBalancers/myLoadBalancer \
  --metric "DipAvailability" \
  --aggregation Average

2. Configure Log Settings in Azure Monitor

Log settings control which logs are collected from Azure resources and where they are sent. This includes activity logs, resource logs, and guest OS logs.

Types of Logs

Log Categories:

  • Activity Logs: Administrative operations on Azure resources
  • Resource Logs: Operations performed within Azure resources
  • Guest OS Logs: Logs from virtual machine operating systems
  • Application Logs: Logs from applications running in Azure

Configuring Diagnostic Settings

# Create diagnostic setting for VM
az monitor diagnostic-settings create \
  --name myVMDiagnostics \
  --resource /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM \
  --logs '[{"category":"System","enabled":true,"retentionPolicy":{"enabled":true,"days":30}}]' \
  --workspace /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/myWorkspace

# Create diagnostic setting for storage account
az monitor diagnostic-settings create \
  --name myStorageDiagnostics \
  --resource /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount \
  --logs '[{"category":"StorageRead","enabled":true},{"category":"StorageWrite","enabled":true}]' \
  --workspace /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/myWorkspace

# Create diagnostic setting for load balancer
az monitor diagnostic-settings create \
  --name myLoadBalancerDiagnostics \
  --resource /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/loadBalancers/myLoadBalancer \
  --logs '[{"category":"LoadBalancerAlertEvent","enabled":true},{"category":"LoadBalancerProbeHealthStatus","enabled":true}]' \
  --workspace /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/myWorkspace
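
A diagnostic setting only helps with KQL analysis when the category is enabled and the setting routes to a Log Analytics workspace. The following audit is an added example, not part of the original guide. The inventory is constructed, the JSON shape of the `az monitor diagnostic-settings list` output is an assumption, and `REQUIRED`, `workspace_categories` and `audit` are hypothetical names.

```python
# Constructed inventory: resource ID -> parsed JSON output of
# `az monitor diagnostic-settings list --resource <id>`. The output shape
# (a list of settings, or that list under "value") is assumed here.
PREFIX = "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/"
WORKSPACE = PREFIX + "Microsoft.OperationalInsights/workspaces/myWorkspace"
STORAGE = PREFIX + "Microsoft.Storage/storageAccounts/mystorageaccount"
LB = PREFIX + "Microsoft.Network/loadBalancers/myLoadBalancer"
SAMPLE = {
    STORAGE: [{"name": "myStorageDiagnostics", "workspaceId": WORKSPACE, "logs": [
        {"category": "StorageRead", "enabled": True},
        {"category": "StorageWrite", "enabled": False}]}],
    LB: {"value": [{"name": "archiveOnly", "workspaceId": None,
                    "storageAccountId": STORAGE, "logs": [
        {"category": "LoadBalancerAlertEvent", "enabled": True},
        {"category": "LoadBalancerProbeHealthStatus", "enabled": True}]}]},
}

# Categories taken from the commands above; treating them as mandatory is
# this example's policy, keyed by the resource type segment of the ID.
REQUIRED = {
    "storageAccounts": {"StorageRead", "StorageWrite"},
    "loadBalancers": {"LoadBalancerAlertEvent", "LoadBalancerProbeHealthStatus"},
}

def workspace_categories(cli_output):
    """Return the log categories that are enabled AND routed to a workspace."""
    if isinstance(cli_output, dict):
        cli_output = cli_output.get("value", [])
    found = set()
    for setting in cli_output:
        if not setting.get("workspaceId"):
            continue  # storage-only or event-hub-only: not queryable with KQL
        for log in setting.get("logs") or []:
            if log.get("enabled") and log.get("category"):
                found.add(log["category"])
    return found

def audit(inventory):
    """Map resource ID -> sorted missing categories; compliant resources are omitted."""
    gaps = {}
    for resource_id, cli_output in inventory.items():
        resource_type = resource_id.split("/")[-2]
        missing = REQUIRED.get(resource_type, set()) - workspace_categories(cli_output)
        if missing:
            gaps[resource_id] = sorted(missing)
    return gaps

if __name__ == "__main__":
    for resource_id, missing in audit(SAMPLE).items():
        print(resource_id.split("/")[-1], "is missing", ", ".join(missing))
```

The storage account is flagged because StorageWrite is disabled, and the load balancer because its only setting archives to a storage account without a workspace destination.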

Log Analytics Workspace Configuration

# Create Log Analytics workspace
az monitor log-analytics workspace create \
  --resource-group myResourceGroup \
  --workspace-name myWorkspace \
  --location eastus \
  --sku PerGB2018

# Configure data retention
az monitor log-analytics workspace update \
  --resource-group myResourceGroup \
  --workspace-name myWorkspace \
  --retention-time 30

# List workspaces
az monitor log-analytics workspace list \
  --resource-group myResourceGroup

3. Query and Analyze Logs in Azure Monitor

Azure Monitor uses KQL (Kusto Query Language) to query and analyze log data. Understanding KQL is essential for extracting insights from your monitoring data.

Basic KQL Queries

// Basic table query
AzureActivity
| where TimeGenerated > ago(1h)
| project TimeGenerated, OperationName, Status, ResourceGroup

// Filter and summarize
Perf
| where Computer == "myVM" and CounterName == "% Processor Time"
| where TimeGenerated > ago(1h)
| summarize avg(CounterValue) by bin(TimeGenerated, 5m)

// Join tables
AzureActivity
| join (SecurityEvent) on Computer
| where TimeGenerated > ago(1h)
| project TimeGenerated, OperationName, EventID

// Aggregation and grouping
AzureDiagnostics
| where ResourceType == "STORAGEACCOUNTS"
| where TimeGenerated > ago(24h)
| summarize count() by bin(TimeGenerated, 1h), ResourceId

Advanced KQL Queries

// Time series analysis
Perf
| where CounterName == "Available MBytes"
| where TimeGenerated > ago(7d)
| summarize avg(CounterValue) by bin(TimeGenerated, 1h), Computer
| render timechart

// Top N queries
AzureActivity
| where TimeGenerated > ago(24h)
| summarize count() by OperationName
| top 10 by count_ desc

// Conditional logic
AzureDiagnostics
| extend Status = case(
    status_s == "Success", "OK",
    status_s == "Failed", "Error",
    "Unknown"
)
| summarize count() by Status

// String operations
AzureActivity
| where OperationName contains "Create"
| extend ResourceType = extract("providers/([^/]+)", 1, ResourceId)
| summarize count() by ResourceType

Common Log Queries

Use Case           Query Example                                                                         Description
Failed Operations  AzureActivity | where Status == "Failed"                                              Find failed administrative operations
High CPU Usage     Perf | where CounterName == "% Processor Time" and CounterValue > 80                  Identify high CPU usage
Storage Errors     AzureDiagnostics | where ResourceType == "STORAGEACCOUNTS" and status_s != "Success"  Find storage account errors
Network Issues     AzureDiagnostics | where ResourceType == "LOADBALANCERS" and status_s == "Failed"     Identify load balancer issues

4. Set Up Alert Rules, Action Groups, and Alert Processing Rules

Azure Monitor alerts notify you when important conditions are found in your monitoring data. They can trigger automated responses and help you identify and address issues quickly.

Creating Action Groups

# Create action group
az monitor action-group create \
  --name myActionGroup \
  --resource-group myResourceGroup \
  --short-name myAG \
  --email-receivers name=admin email=admin@company.com \
  --sms-receivers name=admin phone-number=+1234567890 \
  --webhook-receivers name=webhook uri=https://hooks.slack.com/services/xxx

# Add more receivers to action group
az monitor action-group update \
  --name myActionGroup \
  --resource-group myResourceGroup \
  --add-action email devops devops@company.com \
  --add-action webhook teams https://outlook.office.com/webhook/xxx

Creating Alert Rules

# Create metric alert rule
az monitor metrics alert create \
  --name "High CPU Alert" \
  --resource-group myResourceGroup \
  --scopes /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM \
  --condition "avg Percentage CPU > 80" \
  --description "Alert when CPU usage exceeds 80%" \
  --evaluation-frequency 1m \
  --window-size 5m \
  --severity 2 \
  --action myActionGroup

# Create log alert rule
az monitor scheduled-query create \
  --name "Failed Operations Alert" \
  --resource-group myResourceGroup \
  --scopes /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/myWorkspace \
  --condition "count 'AzureActivity | where Status == \"Failed\"' > 5" \
  --description "Alert when more than 5 operations fail" \
  --evaluation-frequency 5m \
  --window-size 15m \
  --severity 1 \
  --action myActionGroup

# Create activity log alert
az monitor activity-log alert create \
  --name "Resource Deletion Alert" \
  --resource-group myResourceGroup \
  --condition category=Administrative and operationName=Microsoft.Resources/subscriptions/resourceGroups/delete \
  --action myActionGroup

Alert Processing Rules

# Create alert processing rule
az monitor action-rule create \
  --name "Suppress Alerts During Maintenance" \
  --resource-group myResourceGroup \
  --location eastus \
  --status Enabled \
  --suppression-recurrence-type Weekly \
  --suppression-schedule-start-date "2023-01-01T02:00:00" \
  --suppression-schedule-end-date "2023-01-01T04:00:00" \
  --suppression-schedule-start-time "02:00:00" \
  --suppression-schedule-end-time "04:00:00" \
  --scope-type ResourceGroup \
  --scope /subscriptions/{subscription-id}/resourceGroups/myResourceGroup

5. Configure and Interpret Monitoring of Virtual Machines, Storage Accounts, and Networks

Azure Monitor provides specialized insights for different resource types, offering pre-configured monitoring solutions and dashboards for common scenarios.

Virtual Machine Monitoring

VM Insights Features:

  • Performance Monitoring: CPU, memory, disk, and network metrics
  • Process Monitoring: Running processes and dependencies
  • Map View: Visual representation of VM dependencies
  • Log Analytics: Integrated log collection and analysis

# Enable VM Insights
az monitor log-analytics solution create \
  --resource-group myResourceGroup \
  --location eastus \
  --workspace /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/myWorkspace \
  --solution-name "VMInsights"

# Install VM extension for monitoring
az vm extension set \
  --resource-group myResourceGroup \
  --vm-name myVM \
  --name OmsAgentForLinux \
  --publisher Microsoft.EnterpriseCloud.Monitoring \
  --settings '{"workspaceId":"your-workspace-id"}' \
  --protected-settings '{"workspaceKey":"your-workspace-key"}'

Storage Account Monitoring

Storage Insights Features:

  • Capacity Monitoring: Storage usage and trends
  • Transaction Monitoring: API calls and performance
  • Availability Monitoring: Service availability metrics
  • Error Analysis: Failed requests and error codes

Network Monitoring

Network Insights Features:

  • Traffic Analysis: Network flow monitoring
  • Performance Monitoring: Latency and throughput metrics
  • Security Monitoring: Threat detection and analysis
  • Topology View: Network topology visualization

6. Use Azure Network Watcher and Connection Monitor

Azure Network Watcher provides tools to monitor, diagnose, and gain insights into network performance and connectivity issues in Azure.

Network Watcher Features

Core Capabilities:

  • Connection Monitor: Monitor connectivity between resources
  • Packet Capture: Capture network traffic for analysis
  • IP Flow Verify: Check if traffic is allowed or denied
  • Next Hop: Determine the next hop for traffic
  • VPN Troubleshoot: Diagnose VPN connectivity issues
  • NSG Flow Logs: Log network security group traffic

Configuring Connection Monitor

# Create connection monitor
az network watcher connection-monitor create \
  --name myConnectionMonitor \
  --resource-group myResourceGroup \
  --source-resource myVM \
  --dest-address 8.8.8.8 \
  --dest-port 80 \
  --protocol TCP \
  --location eastus

# Create connection monitor with multiple test configurations
az network watcher connection-monitor create \
  --name myAdvancedConnectionMonitor \
  --resource-group myResourceGroup \
  --source-resource myVM \
  --dest-address 8.8.8.8 \
  --dest-port 80 \
  --protocol TCP \
  --location eastus \
  --test-config-name "HTTP Test" \
  --test-frequency 60 \
  --test-group-name "Internet Connectivity"

# Start connection monitor
az network watcher connection-monitor start \
  --name myConnectionMonitor \
  --resource-group myResourceGroup \
  --location eastus

Network Watcher Diagnostics

# Test IP flow
az network watcher test-ip-flow \
  --resource-group myResourceGroup \
  --vm myVM \
  --direction Outbound \
  --protocol TCP \
  --local 10.0.1.4:80 \
  --remote 8.8.8.8:80

# Check next hop
az network watcher show-next-hop \
  --resource-group myResourceGroup \
  --vm myVM \
  --source-ip 10.0.1.4 \
  --dest-ip 8.8.8.8

# Test connectivity
az network watcher test-connectivity \
  --resource-group myResourceGroup \
  --source-resource myVM \
  --dest-address 8.8.8.8 \
  --dest-port 80

# Capture packets
az network watcher packet-capture create \
  --resource-group myResourceGroup \
  --vm myVM \
  --name myPacketCapture \
  --storage-account mystorageaccount \
  --storage-path captures

NSG Flow Logs

# Enable NSG flow logs
az network watcher flow-log create \
  --resource-group myResourceGroup \
  --nsg myNSG \
  --storage-account mystorageaccount \
  --log-version 2 \
  --retention 30 \
  --traffic-analytics true

# Configure traffic analytics
az network watcher flow-log configure \
  --resource-group myResourceGroup \
  --nsg myNSG \
  --enabled true \
  --workspace /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/myWorkspace
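
With `--log-version 2`, each flow is written to the storage account as a comma-separated tuple inside a JSON record. The following parser is an added example, not part of the original guide. The sample record is constructed, and the field names in `FIELDS` and the function names are this example's own.

```python
import json
from collections import Counter

# Constructed sample in the NSG flow log version 2 layout (not real traffic).
SAMPLE = json.dumps({"records": [{
    "time": "2023-01-01T00:01:00Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{
            "mac": "000D3A000001", "flowTuples": [
                "1672531200,203.0.113.7,10.0.1.4,50100,22,T,I,D,B,,,,",
                "1672531205,203.0.113.7,10.0.1.4,50101,3389,T,I,D,B,,,,",
                "1672531210,198.51.100.9,10.0.1.4,40000,22,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHTTP", "flows": [{
            "mac": "000D3A000001", "flowTuples": [
                "1672531220,198.51.100.20,10.0.1.4,51000,80,T,I,A,B,,,,",
                "1672531230,198.51.100.20,10.0.1.4,51000,80,T,I,A,E,12,1800,10,9000"]}]},
    ]}}]})

# Version 2 tuple fields, in order. The names are this example's own.
FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto",
          "direction", "decision", "state",
          "pkts_src_to_dst", "bytes_src_to_dst", "pkts_dst_to_src", "bytes_dst_to_src")

def parse_flow_log(text):
    """Return one dict per version 2 flow tuple, tagged with the matching rule."""
    flows = []
    for record in json.loads(text).get("records", []):
        for rule in record.get("properties", {}).get("flows", []):
            for group in rule.get("flows", []):
                for raw in group.get("flowTuples", []):
                    parts = raw.split(",")
                    if len(parts) != len(FIELDS):
                        continue  # skip version 1 tuples and damaged lines
                    flow = dict(zip(FIELDS, parts), rule=rule.get("rule", ""))
                    for key in FIELDS[9:]:  # counters are empty on "B" tuples
                        flow[key] = int(flow[key] or 0)
                    flows.append(flow)
    return flows

def denied_inbound_by_source(flows):
    """Count denied (D) inbound (I) flows per source IP."""
    return Counter(f["src_ip"] for f in flows
                   if f["direction"] == "I" and f["decision"] == "D")

def allowed_bytes(flows):
    """Total bytes in both directions across allowed (A) flows."""
    return sum(f["bytes_src_to_dst"] + f["bytes_dst_to_src"]
               for f in flows if f["decision"] == "A")

if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE)
    print(denied_inbound_by_source(flows).most_common())
    print(allowed_bytes(flows))
```

Repeated denials from one source against ports 22 and 3389 are the pattern the Security Monitoring scenario looks for; byte counters appear only on continuing (C) and end (E) tuples.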

Monitoring Best Practices

Implementation Guidelines:

  • Enable monitoring for all critical resources
  • Set up appropriate alert thresholds and action groups
  • Use Log Analytics workspaces for centralized log collection
  • Implement proper log retention policies
  • Create custom dashboards for different audiences
  • Use Azure Monitor Insights for specialized monitoring
  • Regularly review and tune alert rules
  • Implement proper RBAC for monitoring resources

Exam Tips and Key Points

Critical Exam Knowledge:

  • Metrics: Understand platform vs custom metrics and common resource metrics
  • Logs: Know log types, diagnostic settings, and Log Analytics workspace
  • KQL: Understand basic query syntax and common query patterns
  • Alerts: Know alert types, action groups, and processing rules
  • Insights: Understand VM, storage, and network monitoring capabilities
  • Network Watcher: Know connection monitoring and diagnostic tools
  • Best Practices: Understand monitoring strategy and implementation

Common Scenarios and Solutions

Real-World Scenarios:

  1. Performance Issues: Use metrics and logs to identify bottlenecks
  2. Availability Monitoring: Set up alerts for service availability
  3. Security Monitoring: Monitor failed logins and suspicious activities
  4. Capacity Planning: Use trends to predict resource needs
  5. Network Troubleshooting: Use Network Watcher for connectivity issues
  6. Compliance Monitoring: Track administrative operations and changes

Summary

Azure monitoring is essential for maintaining system health, performance, and security. This objective covers the comprehensive monitoring capabilities in Azure:

  • Metrics interpretation and analysis for performance monitoring
  • Log configuration and collection for detailed analysis
  • KQL querying for log analysis and insights
  • Alert rules, action groups, and processing rules for automated responses
  • Specialized monitoring insights for VMs, storage, and networks
  • Network Watcher and Connection Monitor for network diagnostics
  • Best practices for comprehensive monitoring strategy

Understanding these monitoring concepts is essential for Azure administrators to maintain system health, troubleshoot issues, and ensure optimal performance in Azure environments.

Next Steps: Practice setting up monitoring for various Azure resources, creating alert rules, and writing KQL queries in the Azure portal. Experiment with Network Watcher tools and Azure Monitor Insights to understand the complete monitoring ecosystem in Azure.
