Azure Kubernetes Service Cluster
Plugin: go.d.plugin Module: azure_monitor
Overview
Monitor AKS cluster health including API server and etcd resource usage, pod scheduling status and readiness, node capacity and conditions, cluster autoscaler behavior, and per-node CPU, memory, disk, and network utilization.
The collector uses Azure SDK clients for:
- Authentication via Entra ID (service principal, managed identity, or default credentials)
- Resource discovery via Azure Resource Graph queries
- Metrics collection via Azure Monitor Metrics batch API, grouped by region and time grain
This collector is supported on all platforms.
This collector supports collecting metrics from multiple instances of this integration, including remote instances.
The monitoring principal needs read access to Azure Resource Graph and Azure Monitor metrics for target resources.
Default Behavior
Auto-Detection
When profiles includes auto (the default), the collector queries Azure Resource Graph
to discover which resource types exist in the subscription and enables matching built-in profiles automatically.
Limits
Azure Monitor metrics granularity is typically 1 minute. The collector enforces a minimum collection interval of 60 seconds.
Performance Impact
The collector uses bounded request concurrency and batches resources and metrics to minimize API calls. Default limits: 4 concurrent queries, 50 resources per batch, 20 metrics per query.
Metrics
Metrics grouped by scope.
The scope defines the instance that the metric belongs to. An instance is uniquely identified by a set of labels.
Per resource
These metrics refer to each monitored Azure resource.
Labels:
| Label | Description |
|---|---|
| resource_name | The Azure resource name. |
| resource_group | The Azure resource group. |
| region | The Azure region where the resource is deployed. |
| resource_type | The Azure resource type identifier. |
| profile | The Azure Monitor profile id. |
| resource_uid | The unique Azure resource identifier. |
Metrics:
| Metric | Dimensions | Unit |
|---|---|---|
| azure_monitor.aks.apiserver_cpu | average, maximum | percentage |
| azure_monitor.aks.apiserver_memory | average, maximum | percentage |
| azure_monitor.aks.apiserver_inflight_requests | average | requests |
| azure_monitor.aks.etcd_cpu | average, maximum | percentage |
| azure_monitor.aks.etcd_memory | average, maximum | percentage |
| azure_monitor.aks.etcd_database | average, maximum | percentage |
| azure_monitor.aks.pod_status_phase | average | pods |
| azure_monitor.aks.pod_status_ready | average | pods |
| azure_monitor.aks.allocatable_cpu | average | cores |
| azure_monitor.aks.allocatable_memory | average | bytes |
| azure_monitor.aks.node_conditions | average | nodes |
| azure_monitor.aks.autoscaler_health | safe_to_autoscale, cooldown | state |
| azure_monitor.aks.autoscaler_unschedulable_pods | average | pods |
| azure_monitor.aks.autoscaler_unneeded_nodes | average | nodes |
| azure_monitor.aks.node_cpu_millicores | average, maximum | millicores |
| azure_monitor.aks.node_cpu_percentage | average, maximum | percentage |
| azure_monitor.aks.node_memory_working_set | average, maximum | bytes |
| azure_monitor.aks.node_memory_working_set_percentage | average, maximum | percentage |
| azure_monitor.aks.node_memory_rss | average, maximum | bytes |
| azure_monitor.aks.node_memory_rss_percentage | average, maximum | percentage |
| azure_monitor.aks.node_disk_usage | average, maximum | bytes |
| azure_monitor.aks.node_disk_percentage | average, maximum | percentage |
| azure_monitor.aks.node_network | in, out | bytes |
Alerts
The following alerts are available:
| Alert name | On metric | Description |
|---|---|---|
| am_aks_apiserver_cpu | azure_monitor.aks.apiserver_cpu | AKS API server CPU on ${label:resource_name} |
| am_aks_apiserver_memory | azure_monitor.aks.apiserver_memory | AKS API server memory on ${label:resource_name} |
| am_aks_apiserver_inflight_requests | azure_monitor.aks.apiserver_inflight_requests | AKS API server inflight requests on ${label:resource_name} |
| am_aks_etcd_cpu | azure_monitor.aks.etcd_cpu | AKS etcd CPU on ${label:resource_name} |
| am_aks_etcd_memory | azure_monitor.aks.etcd_memory | AKS etcd memory on ${label:resource_name} |
| am_aks_etcd_database | azure_monitor.aks.etcd_database | AKS etcd database usage on ${label:resource_name} |
| am_aks_autoscaler_safe_to_autoscale | azure_monitor.aks.autoscaler_health | AKS autoscaler unsafe on ${label:resource_name} |
| am_aks_autoscaler_unschedulable_pods | azure_monitor.aks.autoscaler_unschedulable_pods | AKS unschedulable pods on ${label:resource_name} |
| am_aks_node_cpu | azure_monitor.aks.node_cpu_percentage | AKS node CPU on ${label:resource_name} |
| am_aks_node_memory_working_set | azure_monitor.aks.node_memory_working_set_percentage | AKS node memory working set on ${label:resource_name} |
| am_aks_node_memory_rss | azure_monitor.aks.node_memory_rss_percentage | AKS node memory RSS on ${label:resource_name} |
| am_aks_node_disk | azure_monitor.aks.node_disk_percentage | AKS node disk usage on ${label:resource_name} |
Setup
You can configure the azure_monitor collector in two ways:
| Method | Best for | How to |
|---|---|---|
| UI | Fast setup without editing files | Go to Nodes → Configure this node → Collectors → Jobs, search for azure_monitor, then click + to add a job. |
| File | If you prefer configuring via file, or need to automate deployments (e.g., with Ansible) | Edit go.d/azure_monitor.conf and add a job. |
UI configuration requires paid Netdata Cloud plan.
Prerequisites
Create an Azure monitoring principal
Create a service principal or use a managed identity with the following permissions:
- Monitoring Reader role on the target subscription or resource groups (for Azure Monitor metrics access)
- Reader role for Azure Resource Graph queries (for resource discovery)
For service principal authentication:
# Create the service principal
az ad sp create-for-rbac --name "netdata-monitor" --role "Monitoring Reader" \
--scopes /subscriptions/<subscription-id>
# Note the appId (client_id), password (client_secret), and tenant
For managed identity (on Azure VMs, VMSS, or AKS):
# Assign Monitoring Reader role to the VM's managed identity
az role assignment create --assignee <managed-identity-principal-id> \
--role "Monitoring Reader" --scope /subscriptions/<subscription-id>
Configuration
Options
The following options can be defined globally: update_every, autodetection_retry.
Profile files are loaded from:
- Stock:
/usr/lib/netdata/conf.d/go.d/azure_monitor.profiles/default/ - User:
/etc/netdata/go.d/azure_monitor.profiles/
User profile files with the same filename override stock profiles.
Config options
| Group | Option | Description | Default | Required |
|---|---|---|---|---|
| Collection | update_every | Data collection interval (seconds). Must be at least 60. | 60 | no |
| autodetection_retry | Autodetection retry interval (seconds). Set 0 to disable. | 0 | no | |
| Target | subscription_id | Azure subscription ID. | yes | |
| cloud | Azure cloud environment: public, government, or china. | public | no | |
| Collection | discovery_every | Resource discovery interval in seconds. | 300 | no |
| query_offset | Offset in seconds for metric query windows. Increase if metrics appear incomplete. | 180 | no | |
| timeout | Timeout for Azure Resource Graph and Azure Monitor API requests, in seconds. | 30 | no | |
| Limits | max_concurrency | Maximum concurrent batch queries to Azure Monitor. | 4 | no |
| max_batch_resources | Maximum resources per Azure Monitor batch request. | 50 | no | |
| max_metrics_per_query | Maximum metrics per Azure Monitor batch request. | 20 | no | |
| Profiles | profiles | Profile ids to enable. Use auto to discover resource types via Azure Resource Graph and enable matching profiles. Combine with explicit ids: [auto, custom_profile]. | [auto] | no |
| Filters | resource_groups | Optional list of resource group names to restrict monitoring scope. | [] | no |
| Authentication | auth.mode | Authentication mode: service_principal, managed_identity, or default. | yes | |
| auth.mode_service_principal.tenant_id | Entra ID tenant ID (required for service_principal mode). | no | ||
| auth.mode_service_principal.client_id | Entra ID application (client) ID (required for service_principal mode). | no | ||
| auth.mode_service_principal.client_secret | Entra ID client secret (required for service_principal mode). | no | ||
| auth.mode_managed_identity.client_id | Client ID for user-assigned managed identity. Leave empty for system-assigned. | no | ||
| Virtual Node | vnode | Associates this data collection job with a Virtual Node. | no |
via UI
Configure the azure_monitor collector from the Netdata web interface:
- Go to Nodes.
- Select the node where you want the azure_monitor data-collection job to run and click the ⚙ (Configure this node). That node will run the data collection.
- The Collectors → Jobs view opens by default.
- In the Search box, type azure_monitor (or scroll the list) to locate the azure_monitor collector.
- Click the + next to the azure_monitor collector to add a new job.
- Fill in the job fields, then click Test to verify the configuration and Submit to save.
- Test runs the job with the provided settings and shows whether data can be collected.
- If it fails, an error message appears with details (for example, connection refused, timeout, or command execution errors), so you can adjust and retest.
via File
The configuration file name for this integration is go.d/azure_monitor.conf.
The file format is YAML. Generally, the structure is:
update_every: 1
autodetection_retry: 0
jobs:
- name: some_name1
- name: some_name2
You can edit the configuration file using the edit-config script from the
Netdata config directory.
cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
sudo ./edit-config go.d/azure_monitor.conf
Examples
Service principal (auto-discover all resources)
Authenticate with a service principal and auto-discover all supported Azure resource types in the subscription.
jobs:
- name: prod
subscription_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
auth:
mode: service_principal
mode_service_principal:
tenant_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
client_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
client_secret: "your-client-secret"
Managed identity (Azure VM/VMSS/AKS)
Use the managed identity of the Azure VM, VMSS, or AKS node where Netdata is running.
Config
jobs:
- name: prod
subscription_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
auth:
mode: managed_identity
Specific profiles only
Monitor only specific Azure services instead of auto-discovering all resource types.
Config
jobs:
- name: databases
subscription_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
profiles:
- sql_database
- postgres_flexible
- redis_cache
auth:
mode: service_principal
mode_service_principal:
tenant_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
client_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
client_secret: "your-client-secret"
Filter by resource group
Only monitor resources in specific resource groups.
Config
jobs:
- name: prod-rg
subscription_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
resource_groups:
- production-rg
- staging-rg
auth:
mode: default
Azure Government cloud
Connect to Azure Government cloud environment.
Config
jobs:
- name: gov
subscription_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
cloud: government
auth:
mode: service_principal
mode_service_principal:
tenant_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
client_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
client_secret: "your-client-secret"
Troubleshooting
Debug Mode
Important: Debug mode is not supported for data collection jobs created via the UI using the Dyncfg feature.
To troubleshoot issues with the azure_monitor collector, run the go.d.plugin with the debug option enabled. The output
should give you clues as to why the collector isn't working.
-
Navigate to the
plugins.ddirectory, usually at/usr/libexec/netdata/plugins.d/. If that's not the case on your system, opennetdata.confand look for thepluginssetting under[directories].cd /usr/libexec/netdata/plugins.d/ -
Switch to the
netdatauser.sudo -u netdata -s -
Run the
go.d.pluginto debug the collector:./go.d.plugin -d -m azure_monitorTo debug a specific job:
./go.d.plugin -d -m azure_monitor -j jobName
Getting Logs
If you're encountering problems with the azure_monitor collector, follow these steps to retrieve logs and identify potential issues:
- Run the command specific to your system (systemd, non-systemd, or Docker container).
- Examine the output for any warnings or error messages that might indicate issues. These messages should provide clues about the root cause of the problem.
System with systemd
Use the following command to view logs generated since the last Netdata service restart:
journalctl _SYSTEMD_INVOCATION_ID="$(systemctl show --value --property=InvocationID netdata)" --namespace=netdata --grep azure_monitor
System without systemd
Locate the collector log file, typically at /var/log/netdata/collector.log, and use grep to filter for collector's name:
grep azure_monitor /var/log/netdata/collector.log
Note: This method shows logs from all restarts. Focus on the latest entries for troubleshooting current issues.
Docker Container
If your Netdata runs in a Docker container named "netdata" (replace if different), use this command:
docker logs netdata 2>&1 | grep azure_monitor
No metrics are collected
Verify the following:
- The service principal or managed identity has Monitoring Reader role on the subscription or resource group.
- The
subscription_idin the configuration matches the subscription containing the target resources. - Target resources are running and producing metrics (check Azure Portal > Metrics for the resource).
- Check the Netdata error log for authentication or API errors:
grep azure_monitor /var/log/netdata/error.log.
Missing metrics for some resource types
Azure Monitor profiles are matched by resource type. If a resource type exists but no metrics appear:
- Ensure
profiles: [auto](default) is set, or the specific profile id is listed. - Verify the resource type matches a built-in profile. Run
ls /usr/lib/netdata/conf.d/go.d/azure_monitor.profiles/default/to see available profiles. - Some metrics require the resource to be actively processing data (e.g., IoT Hub telemetry metrics only appear when devices send messages).
Metrics appear delayed
Azure Monitor metrics have a built-in reporting delay of 1-3 minutes. The collector uses a query_offset (default: 180 seconds) to account for this.
If metrics are missing or incomplete, try increasing query_offset to 240 or 300 seconds.
Some metrics with longer time grains (e.g., PT5M) may take up to 5 minutes to appear.
Authentication errors in sovereign clouds
For Azure Government or Azure China clouds, set the cloud parameter:
- Azure Government:
cloud: government - Azure China (21Vianet):
cloud: china
Ensure the service principal is registered in the correct cloud tenant.
Do you have any feedback for this page? If so, you can open a new issue on our netdata/learn repository.