Governance Policies Azure Monitoring App Insights - Azure/az-prototype GitHub Wiki
Governance policies for App Insights
Domain: azure-monitoring
| Name | Description |
|---|---|
| Application Insights linked to Log Analytics | Workspace-based Application Insights with connection string output for app configuration |

| Description | Instead |
|---|---|
| Do not create classic Application Insights without WorkspaceResourceId | Always set WorkspaceResourceId to link to Log Analytics Workspace |
| Do not use API version 2024-03-01 for Microsoft.Insights/components | Use API version 2020-02-02 which is the current stable version |
| Do not include publicNetworkAccess properties on Application Insights 2020-02-02 | Control network access via the linked Log Analytics Workspace and Azure Monitor Private Link Scope |
| Do not use InstrumentationKey for new integrations | Use ConnectionString which includes the ingestion endpoint and is forward-compatible |

| Check | Severity | Description |
|---|---|---|
| AZ-AI-001 | Required | Create Application Insights linked to Log Analytics Workspace with workspace-based mode |
| AZ-AI-002 | Required | Link Application Insights to Log Analytics Workspace via WorkspaceResourceId |
| AZ-AI-003 | Recommended | Set SamplingPercentage to 100 for POC, reduce for high-traffic production |
| AZ-AI-004 | Recommended | Output ConnectionString for downstream app configuration |

Create Application Insights linked to Log Analytics Workspace with workspace-based mode
Severity: Required
Rationale: Workspace-based Application Insights is the current model; classic mode is deprecated. WorkspaceResourceId links telemetry to Log Analytics for unified querying.
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.Insights/components
Link Application Insights to Log Analytics Workspace via WorkspaceResourceId
Severity: Required
Rationale: Without WorkspaceResourceId, Application Insights is created in classic mode, which is deprecated and lacks unified query support.
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Insights/components
Set SamplingPercentage to 100 for POC, reduce for high-traffic production
Severity: Recommended
Rationale: Full sampling captures all telemetry for debugging; reduce to 10-50% for high-volume production to control costs
Agents: cloud-architect, monitoring-agent, cost-analyst
- Microsoft.Insights/components
Output ConnectionString for downstream app configuration
Severity: Recommended
Rationale: Compute resources need the connection string to send telemetry; prefer ConnectionString over InstrumentationKey
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Insights/components
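
The checks and anti-patterns above can be enforced mechanically before deployment. The following linter is an added example, not code from the az-prototype project: it assumes an ARM template already loaded as a dict with `resources` as a list, the `ANTI-*` rule labels are invented here because the page gives the anti-patterns no IDs, and AZ-AI-003 is interpreted as "SamplingPercentage must be set explicitly".

```python
import json

REQUIRED_API = "2020-02-02"  # API version this page tells agents to use
TARGET = "microsoft.insights/components"

def check_template(template):
    """Return (rule, message) findings for an ARM template given as a dict."""
    findings = []
    components = [r for r in template.get("resources", [])
                  if r.get("type", "").lower() == TARGET]
    for res in components:
        name = res.get("name", "<unnamed>")
        # Property names are compared case-insensitively.
        props = {k.lower(): v for k, v in res.get("properties", {}).items()}
        if not props.get("workspaceresourceid"):
            findings.append(("AZ-AI-002", f"{name}: WorkspaceResourceId missing (classic mode)"))
        if res.get("apiVersion") != REQUIRED_API:
            findings.append(("ANTI-API", f"{name}: apiVersion {res.get('apiVersion')}, expected {REQUIRED_API}"))
        for key in props:
            if key.startswith("publicnetworkaccess"):
                findings.append(("ANTI-PNA", f"{name}: remove {key}; control access via workspace and Private Link Scope"))
        if "samplingpercentage" not in props:
            findings.append(("AZ-AI-003", f"{name}: SamplingPercentage not set explicitly"))
    # Outputs are searched as text because their values are ARM expressions.
    outputs = json.dumps(template.get("outputs", {})).lower()
    if "instrumentationkey" in outputs:
        findings.append(("ANTI-IKEY", "outputs expose InstrumentationKey; output ConnectionString instead"))
    if components and "connectionstring" not in outputs:
        findings.append(("AZ-AI-004", "no ConnectionString output for app configuration"))
    return findings

# Constructed sample templates (not taken from the az-prototype repository).
BAD = {
    "resources": [{"type": "Microsoft.Insights/components", "apiVersion": "2024-03-01",
                   "name": "appi-demo",
                   "properties": {"Application_Type": "web",
                                  "publicNetworkAccessForIngestion": "Enabled"}}],
    "outputs": {"key": {"type": "string",
                        "value": "[reference('appi-demo').InstrumentationKey]"}},
}
GOOD = {
    "resources": [{"type": "Microsoft.Insights/components", "apiVersion": "2020-02-02",
                   "name": "appi-demo",
                   "properties": {"Application_Type": "web", "SamplingPercentage": 100,
                                  "WorkspaceResourceId": "[parameters('workspaceId')]"}}],
    "outputs": {"appInsightsConnectionString": {
        "type": "string", "value": "[reference('appi-demo').ConnectionString]"}},
}

if __name__ == "__main__":
    for label, tpl in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, check_template(tpl))
```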