Anyone tried to use "Component Monitor Wizard" to monitor Azure Application Gateway before?

Hello,

Did anyone ever try to use "Component Monitor Wizard" function to monitor Azure Application Gateway? 

I've been told from support as this is out of boundary support as there's no such template could be used for monitoring Azure Application Gateway, so that's why I tried my luck in there to see if any folks did something similar before. Slight smile

After I click "Next, I see below.  It requires me to input the server IP address in here but Azure application gateway doesn't own it at all.  On this occasion, how can I achieve the goal to monitor it or it's not something we can do in terms of monitoring it from Solarwinds SAM?  Please advise, thank you Slight smile

Parents Reply Children
  • You can use any of the "Script"-type monitors to make an API connection and poll the data, or do the reverse in azure, using a logicapp or simmilar to send API calls or something back to your solarwinds box.

    The API monitor feature may be worth a look

    For a more SLW-Native solution it might be worth thinking abou what your gateway is passing through, so to speak. Like if you've got a website behind it you can monitor the website with knowledge that this gateway's in the way.

    Perhaps you could netpath a IP or port or something as well.

  • Aside from the logs, there is an Azure App gateway API. you will need to configure an MS GRaph application, grant it permissions, then create the api poller. Currently it looks like the API implementation for the azure app gateways want the token renewed hourly, which is something that I have not found the api poller capable of doing or at least I am unaware of how to configure it to renew a token. Scripting the api call seems to be answer elsewhere - and since SAM is fully capable of scripted components - that might be the answer. Here is the api information from Microsoft. If you happen to create a script or get the api poller please post. I would love to see the answer. This is one of those, it really seems like it should be simple to do, what am I missing....

    Application Gateways - Backend Health - REST API (Azure Application Gateway) | Microsoft Learn

  •  Here's a generic-ish start, this does some certificate checking, but i've not really settled on the final output yet. The tough bit IMO is getting the scope right, and afterwards being in a scenario where you've got a uncertain amount of stuff to return. I'm leaning toward custom tables for the lot of em, though you could count the issues and summarize that way to fit neatly within a SAM monitor

    ### Azure thing check
    
    $SubscriptionID = "xxxxxxxxxxxxxxxxxxxxxxxxxx" #Subscriptionname
    $tenantID = "xxxxxxxxxxxxxxxxxxxxxxxxxxx" #Aka DirectoryID
    $ClientID = "xxxxxxxxxxxxxxxxxxxxxxxxxx"
    $secretID = "xxxxxxxxxxxxxxxxxxxxxxx"
    $secret = "xxxxxxxxxxxxxxxxxxxxxxx"
    
    $targetAppSericeURL = "https://management.azure.com/subscriptions/$($SubscriptionID)/providers/Microsoft.Web/certificates?api-version=2022-03-01"
    
    $oauth2URL = "https://login.microsoftonline.com/$($tenantID)/oauth2/v2.0/token" ##OAuth 2.0 token endpoint
    
        $body = @{
        grant_type = "client_credentials"
        ContentType = 'application/json'
        accept = '*/*'
        client_id = $clientID
        client_secret = $secret
        scope = "https://management.azure.com/.default" ### This is the annoying bit
        }
    
        $accessToken = Invoke-RestMethod -Method Post -Uri $oauth2URL -Body $body
    
    
    
    $bearerAuth = "Bearer $($accessToken.access_token)"
    $headers = @{
        Authorization = $bearerAuth
    }
    $certificates = Invoke-RestMethod -Method GET -Uri $targetAppSericeURL -headers $headers
    

    There's some API poller templates pre-configured for azure in the product but they're buried in the "assign api poller" and look fairly nightmareish to configure to start. You can create a new token at the start of an api poller though so it should be an available option

  • Thanks to Adam's basic script there and a LOT of Stack Overflow reading I got a script running yesterday that will return the backend health of servers in an App Gateway using the async method of POST followed by GET. I'm going to try and crowbar it into a SAM powershell monitor today. 

    I'll report on the results later.

  • Would love to see what you come up with, and also what you've gone with for depositing the data afterwards

  • Based on what I know about Veeam SAM monitors it should be possible to plug in a server name for individual monitoring, SAM will parse the screen output of a script and that can be used externally. I hope :) 

  • I'm not 100% sure what you meant, but you can pass servernames in with ${IP} or $arg[0]...[x] etc

  • I meant pass the Backend server IP as a parameter if you were checking an App Gateway with multiple hosts at the back. My test site just has a single one so it's not important for now. Annoyingly, the script runs fine on my laptop and on the primary poller in PSv7, but I suspect the actual script engine running for the SAM template is stuck on PSv2 as it says on the template page. In which case I'm doomed.

    The other thing is you have to run the template against a host, so I'm using my dummy node that I have all the API calls registered against, and I don't know if that is breaking things. Debugging code in the actual template is nigh-on impossible so I need to find out if/where such things are logged so I can see what's failing.

  • There's a set of logs on the polling engine, I forget the path at the moment, but they're under APM and are then in folders named the ID of each application.

    I do find troubleshooting within the component script sections very hard to work with.

    If you had like 5 backend server IPs you wanted to pass into the script from SLW you could still use the args, else one API call to GET the ips and a loop to do the other stuff. You might run into the "where do I put dynamic data" problem though.

    If your problem is around the -ignorecertificate thing there's a nice block code to dodge that issue.

  • This particular issue seem to be that the script either isn't running or is running on the wrong version of powershell and the invoke-restmethod calls are failing because the parameters I'm using only came in in PSv6. I'll have a look under APM though, cheers!

    I do have the -ignorecertificate thing too, my Veeam monitoring is broken because SW is ignoring its own global settings to ignore certificate errors. SW support haven't been able to fix that one for me