Azure Managed Prometheus¶

Configure Robusta to use Azure Monitor's managed Prometheus service.

Prerequisites¶

An Azure Monitor workspace with Prometheus enabled
Either an Azure AD Service Principal or Managed Identity configured

Quick Start¶

Get your workspace query endpoint:
- Go to Azure Monitor workspaces
- Select your workspace
- Copy the Query endpoint from the Overview page
Choose your authentication method and configure Robusta:

Service Principal

Create a Service Principal (app registration)
Add to generated_values.yaml:

globalConfig:
    prometheus_url: "https://your-workspace.region.prometheus.monitor.azure.com:443"
    check_prometheus_flags: false  # Required for Azure

runner:
    additional_env_vars:
    - name: PROMETHEUS_SSL_ENABLED
      value: "true"
    - name: AZURE_CLIENT_ID
      value: "your-app-client-id"
    - name: AZURE_TENANT_ID
      value: "your-tenant-id"
    - name: AZURE_CLIENT_SECRET
      value: "your-client-secret"

Grant your app access to the workspace (Monitoring Data Reader role)
Update Robusta

Managed Identity

Get your AKS kubelet's Managed Identity:

az aks show -g <resource-group> -n <cluster-name> \
    --query identityProfile.kubeletidentity.clientId -o tsv

Add to generated_values.yaml:

globalConfig:
    prometheus_url: "https://your-workspace.region.prometheus.monitor.azure.com:443"
    check_prometheus_flags: false  # Required for Azure

runner:
    additional_env_vars:
    - name: PROMETHEUS_SSL_ENABLED
      value: "true"
    - name: AZURE_USE_MANAGED_ID
      value: "true"
    - name: AZURE_CLIENT_ID
      value: "your-kubelet-client-id"
    - name: AZURE_TENANT_ID
      value: "your-tenant-id"

Grant the Managed Identity access to your workspace:
- Open your Azure Monitor workspace
- Go to Access Control (IAM)
- Add role assignment → Monitoring Data Reader
- Select the Managed Identity from step 1
Update Robusta

Note

Azure Managed Prometheus does not support the Prometheus flags API. Always set check_prometheus_flags: false.

The prometheus URL must include port :443
SSL is required and automatically enabled
AlertManager URL is not needed (Azure handles alerting separately)

Next Steps¶

Configure alert routing
Set up Azure alerts integration
Learn about common configuration options