Navigating the Essentials of Azure Monitor Baseline Alerts: A Starting Guide

Image borrowed from the AMBA project

Introduction

The Azure Monitor Baseline Alerts (AMBA) project is a very interesting one in the current technology landscape, particularly for organizations leveraging Azure services for their cloud infrastructure. Here are some reasons why you would care as a Cloud Engineer / Customer leveraging the Microsoft cloud:

  1. Baseline capabilities: AMBA provides an extensive set of baseline alerts for Azure resources and services. This is critical for organizations that may not know out of the box what they should monitor across so many new types of services and resources, whether they are starting with a greenfield deployment or taking over an existing environment (also known as brownfield).
  2. Proactive Problem Identification: By setting up baseline alerts, organizations can proactively identify potential issues before they escalate into major problems. This early detection can be vital for avoiding downtime.
  3. Customization and Flexibility: AMBA offers a lot of flexibility. It allows organizations to customize alert rules and thresholds according to their specific needs. You can also decide not to implement certain sets of monitor baseline policies if you do not wish to use them.
  4. Scalability and Adaptability: As organizations grow, their infrastructure grows. Since AMBA is based on Azure Policies you can scale the deployment alongside your environment.

What is AMBA actually?

AMBA is essentially a project that lets you deploy a set of Policy Definitions, choose which ones to assign, and set parameters such as the email address that should receive the alerts.

It is written in Azure Bicep, which is a domain-specific Infrastructure-as-Code language that Azure uses. The repository is on GitHub (see References).

This is exciting because you can deploy a monitoring infrastructure while also drawing on the benefits of Infrastructure-as-Code (IaC), such as version history and automatic documentation.

Development and evolution of AMBA over time

The development and evolution of AMBA, or ALZ-Monitor as the repository was once called, reflects Microsoft Azure's commitment to enhancing cloud service monitoring and management. This includes:

  • The Need for Baseline Alerts: As more and more companies started migrating to the cloud, it became apparent that different users and organizations had different monitoring needs. However, there was also a common set of metrics that were universally important for the health and performance of Azure services, hence the need for a baseline.
  • Integration with Azure Policy: Integration with Azure Policy allows for greater control and the possibility to follow up on compliance and ensure all the components we need are actually in place.
  • Community Feedback and Adaptation: The project is open for feedback and you can submit issues, requests and open pull-requests to directly contribute to the project yourself, leveraging the power of open-source.

Deploy AMBA

In this guide I will show you a high-level overview of how I implemented AMBA in my tenant. I was only interested in setting up service health alerts as a first step, but with certain tweaks of your own you can configure much more.

  • Create a fork of the official repo (Azure/azure-monitor-baseline-alerts, listed under References) to your own account/org
  • Clone your fork to your local machine
git clone git@github.com:*your_username*/azure-monitor-baseline-alerts.git
cd azure-monitor-baseline-alerts
  • Open the folder in your IDE of choice and navigate to patterns/alz/alzArm.param.json
  • This is your parameter file, where you make adjustments based on what you wish to deploy. Enter the management group IDs of your different groups; I am deploying the one aligned to ALZ, so I am supplying the following:
"enterpriseScaleCompanyPrefix": {
  "value": "lt"
},
"platformManagementGroup": {
  "value": "lt-platform"
},
"IdentityManagementGroup": {
  "value": "lt-identity"
},
"managementManagementGroup": {
  "value": "lt-management"
},
"connectivityManagementGroup": {
  "value": "lt-connectivity"
},
"LandingZoneManagementGroup": {
  "value": "lt-landing-zones"
},
  • "lt" in this case is the prefix for my environment, LindbergTech
  • Then I have chosen to only deploy Service health alerts so everything else is disabled with the "No" keyword
"enableAMBAConnectivity": {
  "value": "No"
},
"enableAMBAIdentity": {
  "value": "No"
},
"enableAMBALandingZone": {
  "value": "No"
},
"enableAMBAManagement": {
  "value": "No"
},
"enableAMBAServiceHealth": {
  "value": "Yes"
},
  • Configured alerts to get sent to my business email as well as setting RG name & tag
"policyAssignmentParametersCommon": {
  "value": {
    "ALZMonitorResourceGroupName": {
      "value": "rg-prod-sc-amba"
    },
    "ALZMonitorResourceGroupTags": {
      "value": {
        "Project": "amba-monitoring"
      }
    },
    "ALZMonitorResourceGroupLocation": {
      "value": "swedencentral"
    }
  }
},
"policyAssignmentParametersServiceHealth": {
  "value": {
    "ALZMonitorActionGroupEmail": {
      "value": "carl.lindberg@lindbergtech.com"
    }
  }
},
  • You can configure many more things, such as alert thresholds, severity and state, depending on your business needs; this is where the customization comes into play. Since I only require service health alerts in this deployment, I can leave it with these changes.
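
A pre-deployment review of the parameter file edited in the steps above, as an added example that is not part of the AMBA project or the original post: it lists which `enableAMBA*` toggles are on and flags management group IDs outside the company prefix, toggle values other than "Yes"/"No", and alert recipients outside an allow-list. The `review_parameters` helper, the allow-list, the `<prefix>-` naming check and the sample values are assumptions; the sample is constructed and assumes the excerpts sit under the top-level `parameters` object of a standard ARM parameter file.

```python
import json

# Constructed sample: excerpts shaped like the ones in this guide, placed under
# the top-level "parameters" object of an ARM parameter file (placeholder values).
SAMPLE = json.loads("""
{"parameters": {
  "enterpriseScaleCompanyPrefix": {"value": "lt"},
  "platformManagementGroup": {"value": "lt-platform"},
  "connectivityManagementGroup": {"value": "contoso-connectivity"},
  "enableAMBAConnectivity": {"value": "No"},
  "enableAMBAIdentity": {"value": "True"},
  "enableAMBAServiceHealth": {"value": "Yes"},
  "policyAssignmentParametersServiceHealth": {"value": {
    "ALZMonitorActionGroupEmail": {"value": "ops@example.com"}}}
}}
""")


def review_parameters(doc, allowed_domains):
    """Return (enabled_toggles, findings) for an AMBA ALZ parameter document."""
    params = doc["parameters"]
    enabled, findings = [], []
    prefix = params["enterpriseScaleCompanyPrefix"]["value"]
    for name, entry in sorted(params.items()):
        value = entry.get("value")
        if name.startswith("enableAMBA"):
            if value == "Yes":
                enabled.append(name)
            elif value != "No":  # the guide only uses the "Yes"/"No" keywords
                findings.append(f"{name}: expected 'Yes' or 'No', got {value!r}")
        elif name.endswith("ManagementGroup"):
            # Assumed convention, taken from the guide's values: <prefix>-<name>.
            if not str(value).startswith(prefix + "-"):
                findings.append(f"{name}: {value!r} is outside prefix {prefix!r}")

    health = params.get("policyAssignmentParametersServiceHealth", {}).get("value", {})
    raw = health.get("ALZMonitorActionGroupEmail", {}).get("value", "")
    emails = [e.strip() for e in ([raw] if isinstance(raw, str) else raw) if e.strip()]
    if "enableAMBAServiceHealth" in enabled and not emails:
        findings.append("ALZMonitorActionGroupEmail: no recipient set")
    for email in emails:
        if email.rpartition("@")[2].lower() not in allowed_domains:
            findings.append(f"ALZMonitorActionGroupEmail: {email!r} not in an allowed domain")
    return enabled, findings


if __name__ == "__main__":
    print(review_parameters(SAMPLE, {"example.com"}))
```

To check a real file, load it with `json.load(open("patterns/alz/alzArm.param.json"))` and pass your own set of mail domains.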

I will run my deployment by signing into Azure and executing the following commands

## Login to Azure
az login 

## Make sure I am authenticated to the correct account/subscription
az account show

## Run a what-if to preview the changes
az deployment mg what-if --template-uri https://raw.githubusercontent.com/*your_username*/azure-monitor-baseline-alerts/main/patterns/alz/alzArm.json -l swedencentral --management-group-id lt --parameters patterns/alz/alzArm.param.json

## Actually deploy if I am content with the what-if
az deployment mg create --template-uri https://raw.githubusercontent.com/*your_username*/azure-monitor-baseline-alerts/main/patterns/alz/alzArm.json -l swedencentral --management-group-id lt --parameters patterns/alz/alzArm.param.json

The output shows me which definitions it will deploy (There are many). In my case only one policy assignment gets created as well as one role-assignment which is a service principal (SP) that lets me run remediation tasks to deploy Service health alerts where they are missing.

Conclusion

If you're managing Azure resources and looking for an efficient way to monitor their performance and health, AMBA is a tool you should definitely consider and try. It could be a game-changer in the future as it is constantly being worked on and improved.

I have only scratched the surface in this article and will possibly write more guides showcasing other features you can deploy in the future.

References

  • GitHub - Azure/azure-monitor-baseline-alerts: Azure Monitor Baseline Alerts
  • Azure Monitor Baseline Alerts (AMBA) site: best practice guidance around key alert metrics and their thresholds, with a Services section covering individual Azure services and a Patterns / Scenarios section covering common patterns (like Azure Landing Zones) and the policy definitions and initiatives for deploying the alerts
