Anyone tried to use "Component Monitor Wizard" to monitor Azure Application Gateway before?

What are you trying to monitor about that gateway?
I'm doing some Azure monitoring currently, everything's doable but i've found azure stuff pretty hard

Hi there - I try to monitor the https status, throughput or total request something like that just below.

But I am really scratching my head where to start on.  I even wonder if we can send over the application gateway logs to solarwinds SAM.

and YES - this is quite hard to configure it as it's lack of documentation ( or I don't know how to search them well in here..)

marcrobinson Here's a generic-ish start, this does some certificate checking, but i've not really settled on the final output yet. The tough bit IMO is getting the scope right, and afterwards being in a scenario where you've got a uncertain amount of stuff to return. I'm leaning toward custom tables for the lot of em, though you could count the issues and summarize that way to fit neatly within a SAM monitor

### Azure thing check

$SubscriptionID = "xxxxxxxxxxxxxxxxxxxxxxxxxx" #Subscriptionname
$tenantID = "xxxxxxxxxxxxxxxxxxxxxxxxxxx" #Aka DirectoryID
$ClientID = "xxxxxxxxxxxxxxxxxxxxxxxxxx"
$secretID = "xxxxxxxxxxxxxxxxxxxxxxx"
$secret = "xxxxxxxxxxxxxxxxxxxxxxx"

$targetAppSericeURL = "https://management.azure.com/subscriptions/$($SubscriptionID)/providers/Microsoft.Web/certificates?api-version=2022-03-01"

$oauth2URL = "https://login.microsoftonline.com/$($tenantID)/oauth2/v2.0/token" ##OAuth 2.0 token endpoint

    $body = @{
    grant_type = "client_credentials"
    ContentType = 'application/json'
    accept = '*/*'
    client_id = $clientID
    client_secret = $secret
    scope = "https://management.azure.com/.default" ### This is the annoying bit
    }

    $accessToken = Invoke-RestMethod -Method Post -Uri $oauth2URL -Body $body



$bearerAuth = "Bearer $($accessToken.access_token)"
$headers = @{
    Authorization = $bearerAuth
}
$certificates = Invoke-RestMethod -Method GET -Uri $targetAppSericeURL -headers $headers

There's some API poller templates pre-configured for azure in the product but they're buried in the "assign api poller" and look fairly nightmareish to configure to start. You can create a new token at the start of an api poller though so it should be an available option

Thanks to Adam's basic script there and a LOT of Stack Overflow reading I got a script running yesterday that will return the backend health of servers in an App Gateway using the async method of POST followed by GET. I'm going to try and crowbar it into a SAM powershell monitor today. 

I'll report on the results later.

Would love to see what you come up with, and also what you've gone with for depositing the data afterwards

Based on what I know about Veeam SAM monitors it should be possible to plug in a server name for individual monitoring, SAM will parse the screen output of a script and that can be used externally. I hope :) 

I'm not 100% sure what you meant, but you can pass servernames in with ${IP} or $arg[0]...[x] etc

I meant pass the Backend server IP as a parameter if you were checking an App Gateway with multiple hosts at the back. My test site just has a single one so it's not important for now. Annoyingly, the script runs fine on my laptop and on the primary poller in PSv7, but I suspect the actual script engine running for the SAM template is stuck on PSv2 as it says on the template page. In which case I'm doomed.

The other thing is you have to run the template against a host, so I'm using my dummy node that I have all the API calls registered against, and I don't know if that is breaking things. Debugging code in the actual template is nigh-on impossible so I need to find out if/where such things are logged so I can see what's failing.

There's a set of logs on the polling engine, I forget the path at the moment, but they're under APM and are then in folders named the ID of each application.

I do find troubleshooting within the component script sections very hard to work with.

If you had like 5 backend server IPs you wanted to pass into the script from SLW you could still use the args, else one API call to GET the ips and a loop to do the other stuff. You might run into the "where do I put dynamic data" problem though.

If your problem is around the -ignorecertificate thing there's a nice block code to dodge that issue.

This particular issue seem to be that the script either isn't running or is running on the wrong version of powershell and the invoke-restmethod calls are failing because the parameters I'm using only came in in PSv6. I'll have a look under APM though, cheers!

I do have the -ignorecertificate thing too, my Veeam monitoring is broken because SW is ignoring its own global settings to ignore certificate errors. SW support haven't been able to fix that one for me

Put this in at the top

if (-not ([System.Management.Automation.PSTypeName]’ServerCertificateValidationCallback’).Type)
{
$certCallback = @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public class ServerCertificateValidationCallback
{
public static void Ignore()
{
if(ServicePointManager.ServerCertificateValidationCallback ==null)
{
ServicePointManager.ServerCertificateValidationCallback +=
delegate
(
Object obj,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors errors
)
{
return true;
};
}
}
}
"@
Add-Type $certCallback
}
[ServerCertificateValidationCallback]::Ignore()

Morning Adam,

Thanks for that, but the issue I'm having is that SW can't execute a remote PS script because of the certificate error. It's given me an idea though, the outcome of which will be dictated by how well I understand the way SW handles PS scripts - does it just run them using the default PS engine on the poller or does it have its own more obscure, twisted method...

Morning Adam,

Thanks for that, but the issue I'm having is that SW can't execute a remote PS script because of the certificate error. It's given me an idea though, the outcome of which will be dictated by how well I understand the way SW handles PS scripts - does it just run them using the default PS engine on the poller or does it have its own more obscure, twisted method...

Hi Fop, yeah that block dodges the certificate error

It uses PSv2 and you can select 32 or 64 bit mode per script

Needs to be updated to PSv5/v7 soon imo

Hmm, this might explain somethings.. Good call. 

On a whim I created a SAM powershell template assigned to a dummy node that just does this:

[int]$foo=$PSVersionTable.PSVersion.major
Write-Host "Message.Health: Health: Version";
Write-Host "Statistic.Health: $foo";

On my poller it returns V5 so that's what it's using to execute scripts. I've got PS7 installed but haven't enabled it as default. That will fix this issue I think.

Interesting! I must've been going off way outdated knowledge there

...and the bad news is I've just had official clarification from Solarwinds that SAM uses 5.1 only and changing to v7 isn't even on their roadmap for future development so I've requested it as a feature.

This doesn't help me right now of course. The invoke-restmethod parameters my script needs only came in in v6 so I need to see if it's possible to get the response headers out of the 5.1 version of that cmdlet. Trouble is, MS's own docs vary from awful to terrible on this sort of subject.

A

fop Please add the link to this feature request, so we can all bump it up. Calling the bumpsquad! As to your pain with Microsoft and Azure - umm you are not alone. I get very similar reactions when I talk to the Azure Architects. This is often mentioned with a comment to wait two weeks, Microsoft will update Azure to invalidate what you just did . Creating and provisioning an MS Graph application solves many, many api issues by design. The App Gateway Team didn't get that memo from what I can tell. They wanted their own twist in authentication. This thread seems to validate the pain from my thread on this topic too. 

Microsoft Azure Application Gateway API - Forum - The Orion Platform - THWACK (solarwinds.com)

You're trying to use the -ignorecertificateaction thing right?

Hahaha, it's so good to see I'm not alone 

My Solarwinds tech said 'I will open a feature request for you and send it to the Development team, as the requested functionality is currently not part of our product line. ' but he also linked to the Feature Request here so I'll do that too.

As it happens, I was THIS CLOSE to sorting it on v5 last week and hadn't realised, so a couple of command changes later and the script runs on v5 and returns the correct results.

In Orion of course, it fails with this spectacular error - "The response content cannot be parsed because the Internet Explorer engine is not available". I just needed to add -UseBasicParsing to get around that one.

(+) Orion SAM to be upgraded to use Powershell V7 - Community Feature Requests - THWACK Command Center - THWACK (solarwinds.com)

Never saw this reply at the time, but FYI stuff like the -usebasicparsing thing is like profile-based issues, there's a bunch of those, and there's a class of fix which is basically

1) Confirm the account you'll be using for the script, dont change it without redoing later steps
2) On the account you're using above, do the things to prepare the profile (Open IE, install a module, etc)
3) if need be, add them as the result of a CATCH block