
How to enable Container Insights on Azure Local AKS Arc cluster?

Cloudy 286 Reputation points
2026-04-02T14:59:16.58+00:00

Hi folks! I just deployed AKS on Azure Local for one customer and I'm looking at enabling Container Insights... but it seems not to be working (following the doc https://learn.microsoft.com/en-us/azure/aks/aksarc/aks-monitor-logging). It seems that the AKS cluster must be using a managed ID, but with AKS Arc only workload ID (and in preview) is supported... The azuremonitor-containers extension is deployed as per the snapshot; no table in the LAW.

Azure Local

Answer accepted by question author

  1. Himanshu Shekhar 5,740 Reputation points Microsoft External Staff Moderator
    2026-04-02T18:53:01.0566667+00:00

    Thank you for reaching out and for providing the details on your AKS on Azure Local deployment (AKS enabled by Azure Arc). I understand you're trying to enable Container Insights (container logging and events) following the documentation at the link you shared, but the extension isn't populating data in your Log Analytics workspace (LAW). You're also seeing a potential mismatch with managed identity requirements versus workload identity support on AKS Arc.

    I'm happy to help resolve this. Container Insights is fully supported on AKS on Azure Local / AKS Arc clusters. The documentation you referenced appears to have been updated or moved (the original page now returns a 404). The current, official guidance is in the Azure Monitor documentation for Arc-enabled Kubernetes clusters, which explicitly includes AKS on Azure Local.

    • The core issue: The azuremonitor-containers extension needs to be configured (or re-configured) with the correct Log Analytics workspace and managed identity authentication for the Azure Monitor agent (amalogs.useAADAuth=true).
    • Key clarification on identity: The "managed identity" requirement in the documentation refers to agent authentication (how the Azure Monitor container agent sends data to Azure Monitor/Log Analytics). This is supported and is the default on AKS Arc (including Azure Local). It is not the same as workload identity, which is a separate preview feature used by your application pods to authenticate to Azure resources (e.g., Key Vault, storage). The two are independent.
    • No action needed on workload identity for Container Insights.

    Azure Portal steps:

    The Azure portal provides a simple, guided way to enable or update monitoring and automatically handles the extension configuration.

    1. In the Azure portal, navigate to your AKS Arc cluster (under Arc-enabled Kubernetes or the AKS on Azure Local resource).
    2. In the left menu, select Monitor → Monitor Settings.
    3. Under configuration options:
      • Select Container Logs and events (you can also enable Prometheus metrics at the same time if desired).
      • Choose your existing Log Analytics workspace (or let it create the default one).
      • (Optional) Use Advanced settings to select a logging profile (e.g., Logs and Events (Default) or Cost-optimized), set collection interval, or apply namespace filters.
    4. Click Configure.

    This will deploy/update the azuremonitor-containers extension with the proper workspace and managed identity authentication.

    Alternative: CLI

    If you prefer the command line or need to script this:

    # Replace with your values
    az k8s-extension create \
      --name azuremonitor-containers \
      --cluster-name <your-cluster-name> \
      --resource-group <your-resource-group> \
      --cluster-type connectedClusters \
      --extension-type Microsoft.AzureMonitor.Containers \
      --configuration-settings logAnalyticsWorkspaceResourceID=<full-resource-id-of-your-law> \
      --configuration-settings amalogs.useAADAuth=true
    
    

    To get the full LAW resource ID: az monitor log-analytics workspace show --resource-group <rg> --workspace-name <workspace-name> --query id -o tsv

    • If the extension already exists, you can first check its current settings with az k8s-extension show ... and then use az k8s-extension update (or delete/recreate if needed).

    Verification Steps

    After configuration:

    • Run kubectl get pods -n azuremonitor-containers – you should see the ama-logs (and optionally ama-metrics) pods running.
    • In the Azure portal, go to your cluster → Insights (or Monitor → Logs) and confirm data is flowing (Nodes, Workloads, Containers views).
    • Query your LAW for recent container logs (e.g., ContainerLogV2 table).

    https://learn.microsoft.com/en-us/azure/azure-monitor/containers/kubernetes-monitoring-enable-arc

    This page covers AKS on Azure Local explicitly and includes the latest CLI examples, portal steps, and identity guidance.

    If the extension still doesn't send data after these steps (e.g., due to network/firewall, proxy, or permission issues), please share:

    • Output of az k8s-extension show --name azuremonitor-containers ...
    • Any errors from the agent pods (kubectl logs ... -n azuremonitor-containers)
    • Confirmation that the cluster meets the network requirements for Azure Arc + Azure Monitor.

    We'll get this resolved quickly. Feel free to reply with any additional details or let me know if you'd like me to walk through the portal steps in more detail.

    Thanks,
    Himanshu

    2 people found this answer helpful.
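
Added example (not part of the answer above and not Microsoft tooling): a small Python triage helper that applies the answer's checks to saved JSON output from `az k8s-extension show ... -o json` and `kubectl get pods -n azuremonitor-containers -o json`. The sample documents are constructed, and the field layout (`configurationSettings` as a flat key/value map, `provisioningState`, the pod `status` shape) is an assumption about that output; the workspace check only tests that the value looks like a full ARM resource ID rather than a workspace name.

```python
import json

LAW_MARKER = "/providers/microsoft.operationalinsights/workspaces/"
# Constructed sample: trimmed shape of `az k8s-extension show ... -o json`.
SAMPLE_EXTENSION = json.loads("""{
  "name": "azuremonitor-containers",
  "provisioningState": "Succeeded",
  "configurationSettings": {"logAnalyticsWorkspaceResourceID": "my-law"}
}""")

# Constructed sample: trimmed shape of `kubectl get pods -n azuremonitor-containers -o json`.
SAMPLE_PODS = json.loads("""{"items": [
  {"metadata": {"name": "ama-logs-abcde"}, "status": {"phase": "Running",
    "containerStatuses": [{"ready": true, "state": {"running": {}}}]}},
  {"metadata": {"name": "ama-logs-rs-12345"}, "status": {"phase": "Pending",
    "containerStatuses": [{"ready": false,
      "state": {"waiting": {"reason": "ImagePullBackOff"}}}]}}
]}""")

def check_extension(ext):
    """Findings for the settings the answer says the extension needs."""
    findings = []
    settings = ext.get("configurationSettings") or {}
    if ext.get("provisioningState") != "Succeeded":
        findings.append("extension provisioningState is not Succeeded")
    law = (settings.get("logAnalyticsWorkspaceResourceID") or "").lower()
    if not (law.startswith("/subscriptions/") and LAW_MARKER in law):
        findings.append("logAnalyticsWorkspaceResourceID is not a full workspace resource ID")
    if str(settings.get("amalogs.useAADAuth", "")).lower() != "true":
        findings.append("amalogs.useAADAuth is not set to true")
    return findings

def check_pods(pods):
    """(pod name, reason) for every agent pod that is not running and ready."""
    unhealthy = []
    for pod in pods.get("items", []):
        status = pod.get("status", {})
        reason = None if status.get("phase") == "Running" else status.get("phase", "Unknown")
        for cs in status.get("containerStatuses", []):
            waiting = cs.get("state", {}).get("waiting")
            if waiting:  # e.g. CrashLoopBackOff, ImagePullBackOff
                reason = waiting.get("reason", "Waiting")
            elif not cs.get("ready") and reason is None:
                reason = "NotReady"
        if reason:
            unhealthy.append((pod["metadata"]["name"], reason))
    return unhealthy

if __name__ == "__main__":
    print(check_extension(SAMPLE_EXTENSION), check_pods(SAMPLE_PODS))
```

An empty result from both functions means the extension settings and agent pods match what the answer describes, so a still-empty workspace points toward network, proxy or permission issues instead.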

1 additional answer

  1. Q&A Assist
    2026-04-02T14:59:49.3166667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    For AKS on Azure Local (AKS Arc), Container Insights is supported, but it relies on Azure connectivity and the Azure Monitor agent running in the cluster. If the extension is installed but no tables appear in the Log Analytics workspace, the issue is typically with prerequisites or connectivity rather than with managed identity on the cluster itself.

    Use the following checks and steps:

    1. Verify Azure connectivity mode
      • Container Insights for AKS Arc requires connectivity from the on-premises cluster to Azure.
      • In semi‑connected or disconnected mode, Container Insights and diagnostic settings creation are not available; only on‑premises/3rd‑party monitoring works.
      • Ensure the cluster is in a connected state; otherwise, use an on‑premises monitoring solution instead of Container Insights.
    2. Confirm the monitoring option used
      • For AKS on Azure Local, there are two monitoring approaches:
        • Container Insights (requires Azure Arc connectivity and Azure Monitor/Log Analytics).
        • On‑premises monitoring (no Azure connectivity; OSS or vendor tools).
      • To use Container Insights, the cluster must be connected to Azure via Azure Arc for Kubernetes and the observability/azuremonitor-containers extension must be installed.
    3. Enable Prometheus metrics and container logging correctly
      • In the Azure portal, open the Arc‑enabled Kubernetes/AKS Arc cluster → Monitor → Monitor Settings.
      • Under configuration options, ensure:
        • Prometheus metrics, Grafana and Container Logs and events are selected.
        • A valid Log Analytics workspace is selected.
        • A logging profile (for example, Logs and Events (Default) or Standard) is chosen.
      • If needed, use Advanced settings to:
        • Confirm collection frequency (for example, 1m).
        • Ensure namespace filtering is not excluding the namespaces in use.
        • Ensure Collected data includes at least the Logs and events group so that ContainerLogV2, KubeEvents, and KubePodInventory are collected.
        • Optionally enable ContainerLogV2 so logs land in the ContainerLogV2 table.
    4. Validate that the agent is running in the cluster
      • After enabling monitoring, the Azure Monitor agent is deployed as containers in the azuremonitor-containers namespace.
      • Use kubectl against the AKS Arc cluster to confirm that the pods for the Azure Monitor agent are running and not in CrashLoopBackOff or ImagePullBackOff states.
    5. Check for data in the correct tables
      • Container Insights for AKS/AKS Arc writes to Container Insights tables, not to generic LogManagement tables.
      • In the Log Analytics workspace, look for tables such as:
        • ContainerLogV2 (or ContainerLog if V2 is disabled)
        • KubeEvents
        • KubePodInventory
      • It can take a few minutes after enabling monitoring for these tables to appear and start receiving data.
    6. If the cluster is semi‑connected or disconnected
      • When the AKS on Azure Local cluster is temporarily disconnected (semi‑connected mode), Container Insights and diagnostic settings that depend on Azure are not available.
      • In that case, use an on‑premises monitoring stack as described for “On‑premises monitoring” instead of Container Insights.

    If, after confirming connectivity, extension health, and collection settings, the Container Insights tables still do not populate, collect logs from the Azure Monitor agent pods and the Arc/observability extension and open a support case, as the platform should automatically ingest data once these prerequisites are satisfied.

