Monitoring Azure Resources with SCOM

Have any of you been tasked with monitoring "Azure" but are unfamiliar with it? As the SCOM guru, [I hope!] you are familiar with SCOM but may have had little exposure to Azure (and it's hard to monitor something you've never seen or used!). This is a primer for those trying to monitor what they've never seen...

First off, you don't monitor Azure -- it's an abstract entity.

You do monitor infrastructure, applications, etc. Azure is a collection of servers, services, networking equipment, and storage that can be virtually configured to meet your needs. Need a beefy SQL box? Need thin, load-balanced web servers? Need a huge data drive? All are possible in the Azure cloud...

Azure is managed from a console; below is a screenshot from the classic Azure Console.

A few key things:

  • Subscriptions - An administrative and billing "bucket". Everything you create is associated with a subscription, but as subscriptions have size limits, many organizations will have multiple subscriptions active at a time.
  • Virtual Machine Tab - These are the servers you are responsible for the OS on (IaaS)
  • You can't see these details from the client side; details are exposed via the Azure console or Azure PowerShell

So how do I monitor all this stuff?

IaaS

To monitor servers you maintain in Azure (IaaS or Infrastructure as a Service), treat them like any DMZ (if in a different domain) or offsite server -- put an agent on the server.

PaaS

If you want to monitor PaaS (Platform as a Service) and lower-level Azure components hosted there, you need to use Azure MPs such as the following:

Because this is PaaS, you don't get to see everything but can tell if the Azure backend supporting your PaaS apps is healthy.

To do this, you need to set up a connection for each subscription you have servers associated with (see my example below). You’ll need a certificate to be uploaded to each subscription (each subscription can have multiple certs uploaded) – this won’t create any issues for the subscription or impact how it currently works.

Tips:

  1. Create a certificate using makecert -sky exchange -r -n "CN=<CertificateName>" -pe -a sha1 -len 2048 -ss My "<CertificateName>.cer" -- this will end up in your computer's certificate store.
  2. Export it as a .cer (for upload to your Azure subscriptions) and again as a .pfx with a password (for use in the SCOM wizard)
  3. Upload the .cer to the subscription(s) you want to monitor
  4. Copy the .pfx to the computer you'll be running the SCOM wizard from (won't work with network drives in my experience)
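Steps 1 and 2 can also be done with the built-in PowerShell PKI cmdlets, which is useful where makecert is not installed. This is an added example, not the post's own script: it uses SHA-256 in place of the sha1 shown above, and it checks that the .cer you upload carries no private key and matches the .pfx you hand to the SCOM wizard. The certificate name and output folder are hypothetical placeholders.

```powershell
# Added example: $certName and $outDir are placeholders, not values from the post.
$certName = 'SCOM-Azure-Monitoring'
$outDir   = 'C:\Temp\scom-azure'   # keep this on a local disk (see step 4)

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Step 1: self-signed, exportable, 2048-bit key-exchange certificate in the
# current user's Personal store (the same store makecert -ss My writes to).
$cert = New-SelfSignedCertificate -Subject "CN=$certName" `
    -KeySpec KeyExchange -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(1)

# Step 2a: public half only, for upload to the Azure subscription(s).
$cerPath = Join-Path $outDir "$certName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Step 2b: certificate plus private key, for the SCOM wizard.
# The password is prompted for so it never lands in the script or history.
$pfxPassword = Read-Host -Prompt 'Password for the .pfx' -AsSecureString
$pfxPath = Join-Path $outDir "$certName.pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Sanity checks before anything leaves this machine.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword)

if ($cer.HasPrivateKey)       { throw 'The .cer contains a private key; do not upload it.' }
if (-not $pfx.HasPrivateKey)  { throw 'The .pfx has no private key; SCOM cannot authenticate with it.' }
if ($cer.Thumbprint -ne $pfx.Thumbprint) { throw 'The .cer and .pfx are different certificates.' }

# Record these: the thumbprint identifies the cert in the subscription,
# and the expiry date is when monitoring will stop authenticating.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    CerPath    = $cerPath
    PfxPath    = $pfxPath
}
```

Once the wizard has imported the .pfx, delete the exported copy; anyone holding that file and its password can authenticate to the subscription as this certificate.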

SaaS

To monitor SaaS (Software as a Service), look for MPs. With SaaS, Microsoft supports the infrastructure and application. There is really very little left for you to monitor...

Keep in mind, Azure Log Analytics (formerly OMS) has access to the Azure fabric and will often be superior for Azure (not OS/application) monitoring. It's still a case of SCOM + Log Analytics being "better together."