Enable Integration with Application Insights

Risk Level: Medium (should be achieved)
Rule ID: APIManagement-003

Ensure that your Azure API Management APIs are configured to use Application Insights. Application Insights is a robust APM solution designed to cater to the needs of both developers and DevOps professionals. Enabling this service facilitates effortless implementation of continuous monitoring for your APIs, allowing Application Insights to effectively identify performance anomalies and provide a comprehensive suite of analytical tools to assist in troubleshooting issues and gaining deep understanding of API interactions.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security, Operational excellence, Performance efficiency, Reliability

Seamless integration of Application Insights with your Azure API Management APIs significantly enhances your ability to oversee, fine-tune performance, pinpoint issues, and gain valuable insights into API behavior. This integration ultimately contributes to improved reliability, performance, efficiency, and user satisfaction.


Audit

To determine if your Azure API Management APIs are monitored with Application Insights, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to examine.

06 In the main navigation panel, under APIs, select APIs to access the list of APIs managed by the selected service.

07 Select the API that you want to examine, listed under All APIs.

08 Choose the Settings tab and select the Application Insights tab from the Diagnostics Logs section.

09 Check the Enable configuration checkbox to determine if Application Insights is enabled for the selected API. If the Enable checkbox is not selected, your Azure API Management API is not monitored with Application Insights.

10 Repeat steps no. 7 – 9 for each API managed by the selected Azure API Management service.

11 Repeat steps no. 5 – 10 for each Azure API Management service available in the selected Azure subscription.

12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure PowerShell

01 Run the Get-AzApiManagement PowerShell command (cmdlet) using custom query filters to list the name of each Azure API Management service instance available in the current subscription:

Get-AzApiManagement -ResourceGroupName "cloud-shell-storage-westeurope" | Select-Object Name

02 The command output should return the requested Azure API Management service names:

Name
----
cc-main-api-service-instance
cc-project5-service-instance

03 Run Get-AzApiManagementApi PowerShell command (cmdlet) using the name of the Azure API Management service instance that you want to examine and its associated resource group as the identifier parameters to describe the name of each API managed by the selected service:

$apimContext = New-AzApiManagementContext -ResourceGroupName "cloud-shell-storage-westeurope" -ServiceName "cc-main-api-service-instance"

Get-AzApiManagementApi -Context $apimContext | Select-Object ApiId

04 The command output should return the requested API names:

ApiId
-----
cc-worker-api
cc-filter-api

05 Run Get-AzApiManagementDiagnostic PowerShell command (cmdlet) using the name of the Azure API Management API that you want to examine as the identifier parameter to describe the diagnostics logs identifier configured at the API level:

$apimContext = New-AzApiManagementContext -ResourceGroupName "cloud-shell-storage-westeurope" -ServiceName "cc-main-api-service-instance"

Get-AzApiManagementDiagnostic -Context $apimContext -ApiId "echo-api" | Select-Object DiagnosticId

06 The command output should return the requested configuration information:

DiagnosticId
------------
local

If the Get-AzApiManagementDiagnostic command does not produce an output, there are no diagnostics logs configured for your API. If the Get-AzApiManagementDiagnostic command returns an output different than applicationinsights, as shown in the output example above, the selected Azure API Management API is not monitored with Application Insights.

07 Repeat steps no. 5 and 6 for each API managed by the selected Azure API Management service.

08 Repeat steps no. 3 – 7 for each Azure API Management service available in the selected Azure subscription.

09 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.
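
The audit steps above can be run as a single pass over every subscription, service and API. The script below is an added example, not code from Conformity or Microsoft; the function name Get-ApimApiWithoutAppInsights and the output column names are hypothetical, and it assumes an authenticated Az PowerShell session (Connect-AzAccount) with read access to the API Management services.

```powershell
# Added example: lists every API that has no API-level "applicationinsights"
# diagnostic. Uses only the cmdlets shown in the audit steps, plus
# Get-AzSubscription / Set-AzContext to iterate subscriptions.
function Get-ApimApiWithoutAppInsights {
    [CmdletBinding()]
    param()

    foreach ($sub in Get-AzSubscription) {
        Set-AzContext -Subscription $sub.Id | Out-Null

        foreach ($service in Get-AzApiManagement) {
            $ctx = New-AzApiManagementContext -ResourceGroupName $service.ResourceGroupName -ServiceName $service.Name

            foreach ($api in Get-AzApiManagementApi -Context $ctx) {
                try {
                    # An empty result means no diagnostics logs exist at the API level.
                    $ids = @(Get-AzApiManagementDiagnostic -Context $ctx -ApiId $api.ApiId -ErrorAction Stop |
                        ForEach-Object { $_.DiagnosticId })
                    $status = if ($ids -contains 'applicationinsights') { 'Monitored' } else { 'NotMonitored' }
                }
                catch {
                    # Keep read failures separate so they are not reported as findings.
                    $ids = @()
                    $status = 'ReadError'
                }

                if ($status -ne 'Monitored') {
                    [pscustomobject]@{
                        SubscriptionId = $sub.Id
                        ResourceGroup  = $service.ResourceGroupName
                        ServiceName    = $service.Name
                        ApiId          = $api.ApiId
                        DiagnosticIds  = $ids -join ','
                        Status         = $status
                    }
                }
            }
        }
    }
}

Get-ApimApiWithoutAppInsights | Format-Table -AutoSize
```

Rows with Status NotMonitored match the non-compliant condition described in step 06; rows with ReadError indicate the diagnostics could not be read (for example, insufficient permissions) and need a manual check.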

Remediation / Resolution

To enable integration with Application Insights for your Azure API Management APIs, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box and choose Apply.

04 From the Type filter box, select API Management service and choose Apply to list only the Microsoft Azure API Management services available in the selected subscription.

05 Click on the name (link) of the Azure API Management service that you want to access.

06 In the main navigation panel, under APIs, select APIs to access the list of APIs managed by the selected service.

07 Select the API that you want to configure, listed under All APIs.

08 Choose the Settings tab and select the Application Insights tab from the Diagnostics Logs section.

09 Select the Enable checkbox and perform the following actions:

  1. For Destination, choose the Application Insights logger to send the telemetry to.
  2. For Sampling (%), you can reduce the volume of telemetry by setting a sampling percentage.
  3. For Always log errors, choose whether to send telemetry if there is an erroneous condition, regardless of the sampling setting configured.
  4. For Log client IP address, choose whether or not to log client IP.
  5. (Optional) Select Support custom metrics if you want to enable support for custom metrics.
  6. For Verbosity, choose the log verbosity level.
  7. For Correlation protocol, select the protocol to use in order to correlate telemetry sent by multiple components.
  8. (Optional) Use Additional settings to add content to log in addition to the basic telemetry.
  9. Choose Save to apply the configuration changes.

10 Repeat steps no. 7 – 9 for each API managed by the selected Azure API Management service.

11 Repeat steps no. 5 – 10 for each Azure API Management service available in the selected Azure subscription.

12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure PowerShell

01 Run New-AzApiManagementDiagnostic PowerShell command (cmdlet) using the name of the Azure API Management API that you want to configure as the identifier parameter to enable Application Insights for the selected API by configuring the appropriate diagnostics logs:

$apimContext = New-AzApiManagementContext -ResourceGroupName "cloud-shell-storage-westeurope" -ServiceName "cc-main-api-service-instance"

$logger = Get-AzApiManagementLogger -Context $apimContext -LoggerId "cc-api-app-insights"

$samplingSetting = New-AzApiManagementSamplingSetting -SamplingType fixed -SamplingPercentage 100

New-AzApiManagementDiagnostic -Context $apimContext -ApiId "echo-api" -LoggerId $logger.LoggerId -DiagnosticId "applicationinsights" -SamplingSetting $samplingSetting -AlwaysLog allErrors

02 The command output should return the new diagnostics logs configuration:

DiagnosticId                : applicationinsights
ApiId                       : echo-api
AlwaysLog                   : allErrors
LoggerId                    : cc-api-app-insights
EnableHttpCorrelationHeader :
SamplingSetting             : Microsoft.Azure.Commands.ApiManagement.ServiceManagement.Models.PsApiManagementSamplingSetting
FrontendSetting             : Microsoft.Azure.Commands.ApiManagement.ServiceManagement.Models.PsApiManagementPipelineDiagnosticSetting
BackendSetting              : Microsoft.Azure.Commands.ApiManagement.ServiceManagement.Models.PsApiManagementPipelineDiagnosticSetting
Id                          : /subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ApiManagement/service/cc-main-api-service-instance/apis/echo-api/diagnostics/applicationinsights
ResourceGroupName           : cloud-shell-storage-westeurope
ServiceName                 : cc-main-api-service-instance

03 Repeat steps no. 1 and 2 for each API managed by the selected Azure API Management service.

04 Repeat steps no. 1 – 3 for each Azure API Management service available in the selected Azure subscription.

05 Repeat steps no. 1 – 4 for each subscription created in your Microsoft Azure cloud account.

Publication date Dec 26, 2023