Set up alert rules, action groups, and alert processing rules

Monitor resources in Azure

📘Microsoft Certified: Azure Administrator Associate (AZ-104)

Monitoring is one of the most important tasks for an Azure Administrator. To prevent outages, performance issues, or security risks, Azure provides alerting features that notify you when something important happens in your environment.

This topic includes the following key areas:

  1. Alert Rules
  2. Action Groups
  3. Alert Processing Rules

These work together to detect problems and notify the right people or systems.

1. Azure Alert Rules

An alert rule defines what condition should be monitored and when an alert should be triggered.

Azure provides different types of alert rules:

Types of Alert Rules (Important for AZ-104 Exam)

1. Metric Alerts

  • Triggered when a metric crosses a threshold.
  • Metrics are near real-time (e.g., CPU %, Disk I/O, Memory %, Response time).
  • Very fast – updated every 1 minute.

Example:
Trigger an alert when CPU usage > 80% for 5 minutes on a Virtual Machine.

2. Activity Log Alerts

  • Triggered when a specific event occurs in the Azure Activity Log.
  • Detects administrative actions and resource changes.

Example:
Trigger an alert when someone deletes a network security group or modifies a public IP.

3. Log Alerts (Log Analytics Alerts)

  • Uses Kusto Query Language (KQL).
  • Triggered based on logs collected in Log Analytics workspace.

Example:
Trigger an alert when a VM’s system log shows repeated authentication failures.

4. Prometheus Alerts (Azure Monitor for Containers)

  • Used for Kubernetes AKS.
  • Works with Prometheus metrics.

Alert Rule Structure

Every alert rule includes:

  • Scope → What resource to monitor (VM, Storage Account, NSG, AKS, App Service, etc.)
  • Condition → The logic to evaluate (CPU > 80%, Failed Requests > 10, etc.)
  • Threshold → The value that triggers alert
  • Evaluation Period → E.g., over the last 5 minutes
  • Frequency → How often to check the condition
  • Action Group → Who will be notified
  • Severity Level → 0 to 4
    • 0 = Critical
    • 4 = Informational

2. Action Groups

Action groups define how notifications should be sent and who receives them.

You can reuse action groups across multiple alerts.

Components of an Action Group

Each action group can contain multiple actions:

Notification Actions

  • Email
  • SMS
  • Push notification (via Azure mobile app)
  • Voice call

Automation Actions

  • Azure Function
  • Logic App
  • Webhook
  • Automation Runbook

ITSM Actions

  • Sends alerts to ITSM tools like:
    • ServiceNow
    • BMC Remedy
    • Cherwell
    • Jira Service Management

Why Use Action Groups? (Exam Tip)

Action groups provide:

  • Centralized management
  • Reuse across multiple alerts
  • Consistent notification behavior

📘 3. Alert Processing Rules

Alert Processing Rules (APRs) modify how alerts behave after they are triggered.
They act after an alert is generated, unlike alert rules that define the condition.

These are often used to control alert noise.

Types of Alert Processing Rules

1. Suppress Alerts

Used when you don’t want alerts during:

  • Maintenance windows
  • Scheduled downtime
  • Patch deployment
  • Backup jobs

Example:
Suppress all alerts for a VM every Sunday from 02:00–03:00 during backup.

2. Route Alerts

Forward alerts to a different action group depending on:

  • Severity (e.g., critical alerts only)
  • Resource type
  • Resource group
  • Time of day (day shift vs night shift)

3. Add Actions

Automatically add extra actions after an alert triggers.

Example:
If a critical alert is raised, also notify the on-call engineer by voice call.

How Alert Processing Rules Work

  • They operate after the alert rule triggers.
  • They do not replace the action group in the alert rule — they modify or extend it.
  • They can be scheduled (daily, weekly, custom recurrence).

🧩 How All Three Work Together (Important for AZ-104 Exam)

1. Alert Rule

Detects a condition and triggers an alert.

2. Action Group

Defines who receives the alert and what automation should run.

3. Alert Processing Rule

Fine-tunes or adjusts alert behavior (suppress, route, add actions).

🖥️ Real IT Examples (No real-life analogies)

Example 1 – Monitoring Virtual Machines

  • Alert rule monitors VM CPU usage.
  • Action group sends email + SMS to on-call team.
  • Alert processing rule suppresses alerts during planned patching window.

Example 2 – Monitoring Network Changes

  • Activity log alert triggers when someone changes a Network Security Group rule.
  • Action group sends alert to Security Team and triggers a Logic App to log details in SIEM.

Example 3 – Monitoring AKS cluster

  • Prometheus alert checks pod restart rate > threshold.
  • Action group notifies DevOps team via Microsoft Teams webhook.
  • Alert processing rule forwards high-severity alerts to senior engineers after business hours.

📝 Key Azure Portal Steps (What You Should Know for the Exam)

Create an Alert Rule

  1. Go to Azure Monitor
  2. Select AlertsCreate → Alert Rule
  3. Choose Scope (resource)
  4. Choose Condition
  5. Set Threshold + Evaluation period
  6. Choose or create Action Group
  7. Set Severity
  8. Create the alert rule

Create an Action Group

  1. Azure Monitor → Alerts → Action groups
  2. Create action group
  3. Add:
    • Name
    • Notifications (Email, SMS, Push, Voice)
    • Automation actions (Webhook, Function, Logic App)
  4. Save

Create an Alert Processing Rule

  1. Azure Monitor → Alerts → Alert processing rules
  2. Choose:
    • Suppress
    • Route
    • Add actions
  3. Choose applicable alerts (scope)
  4. Configure schedule (optional)
  5. Create

📚 What You Must Know for the AZ-104 Exam

✔ Difference between metric, activity log, log, and Prometheus alerts
✔ Severity levels (0–4)
✔ Action groups can be reused
✔ Action groups support notifications and automation actions
✔ Alert processing rules modify alerts after triggering
✔ How to suppress alerts during maintenance windows
✔ The difference between:

  • Alert rules = trigger conditions
  • Action groups = notifications/automation
  • Alert processing rules = modify/suppress/reroute alerts

✔ Alerts can integrate with:

  • Functions
  • Logic Apps
  • Webhooks
  • ITSM tools

Conclusion

Setting up alert rules, action groups, and alert processing rules is essential for monitoring Azure environments. This topic appears frequently in the AZ-104 exam, and understanding how these components work together ensures you can design effective monitoring and notification strategies.

Leave a Reply

Your email address will not be published. Required fields are marked *

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by