Control Plane Operations
The control plane in Azure Cosmos DB is a RESTful service that lets you perform a variety of operations on your Azure Cosmos DB account. It exposes a public resource model (for example, a database or an account) and a set of operations on that model. Control plane operations are changes made to an Azure Cosmos DB account or container: creating an account, adding a region, updating throughput, performing a region failover, adding a VNet, and so on. This article describes how to audit control plane operations in Azure Cosmos DB. Control plane operations on accounts can be performed with Azure CLI, PowerShell, or the Azure portal; container-level control plane operations require Azure CLI or PowerShell.
Auditing control plane operations can be useful in the following scenarios:
- You want to be notified when the firewall rules of your Azure Cosmos DB account change. Such an alert detects unauthorized changes to the rules that govern the network security of your account so that you can act promptly.
- You want an alert when a region is added to or removed from your Azure Cosmos DB account. Adding or removing regions affects billing and data sovereignty requirements, so this alert tells you if a region was accidentally added or removed.
- You want to find out exactly what changed by reviewing the diagnostic logs, for example which VNet was modified.
Enable diagnostic logs for control plane operations
You can enable diagnostic logs for control plane operations through the Azure portal. Once enabled, each operation appears in the logs as a pair of start and completion events carrying the relevant details; for example, a region failover is recorded as a RegionFailoverStart event followed by a RegionFailoverComplete event.
Follow the procedures below to enable logging on control plane operations:
- Go to Azure Portal, and navigate to your Azure Cosmos DB account.
- Open the Diagnostic settings pane, provide a Name for the logs to create.
- Select ControlPlaneRequests as the log type and select the Send to Log Analytics option.
- Optionally, also archive the logs to an Azure Storage account, stream them to Azure Event Hubs, or forward them to a third-party solution.
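The audit scenarios above (firewall rule changes, regions added or removed, VNet changes) and the Start/Complete event pairing are easiest to understand with the detection logic written out. The following is an added example, not code from the article or from Microsoft: it parses a constructed JSON Lines export of ControlPlaneRequests records, joins each Start event with its Complete event on an activity ID, and returns the operations an auditor should be alerted about. The record field names (`time`, `operationName`, `activityId`, `httpStatusCode`, `caller`) are an assumption made for illustration; map them to the columns of your real export (Log Analytics table, storage blob, or event hub payload) before use. Only RegionFailoverStart and RegionFailoverComplete are operation names taken from the article; the other operation names in the sample are placeholders, which is why the matcher works on name fragments rather than exact names.

```python
"""Audit Azure Cosmos DB control plane diagnostic records for security-relevant changes.

Added example, not part of the original article. Field names and the sample
records below are assumptions/constructed data, not a documented schema.
"""
import json
from datetime import datetime

# Name fragments covering the article's alert scenarios: firewall rules,
# region add/remove/failover, and VNet changes. Matching is case-insensitive.
WATCHED = ("firewall", "region", "virtualnetwork", "vnet")

# Constructed sample export (JSON Lines). RegionFailoverStart/Complete is the
# pair named in the article; the remaining operation names are placeholders.
SAMPLE_LOG = """\
{"time":"2024-03-01T10:00:00Z","operationName":"RegionFailoverStart","activityId":"a1","httpStatusCode":202,"caller":"ops@contoso.example"}
{"time":"2024-03-01T10:04:30Z","operationName":"RegionFailoverComplete","activityId":"a1","httpStatusCode":200,"caller":"ops@contoso.example"}
{"time":"2024-03-01T11:00:00Z","operationName":"FirewallRulesUpdateStart","activityId":"b2","httpStatusCode":202,"caller":"unknown@external.example"}
{"time":"2024-03-01T11:00:05Z","operationName":"FirewallRulesUpdateComplete","activityId":"b2","httpStatusCode":200,"caller":"unknown@external.example"}
{"time":"2024-03-01T12:00:00Z","operationName":"ThroughputUpdateStart","activityId":"c3","httpStatusCode":202,"caller":"ops@contoso.example"}
{"time":"2024-03-01T12:00:02Z","operationName":"ThroughputUpdateComplete","activityId":"c3","httpStatusCode":200,"caller":"ops@contoso.example"}
{"time":"2024-03-01T13:00:00Z","operationName":"RegionAddStart","activityId":"d4","httpStatusCode":202,"caller":"ops@contoso.example"}
"""


def parse_records(text):
    """Parse JSON Lines into dicts, converting the timestamp to a datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # fromisoformat() on Python < 3.11 rejects a trailing 'Z', so normalise it.
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def split_phase(operation_name):
    """'RegionFailoverStart' -> ('RegionFailover', 'Start'); unknown suffix -> phase None."""
    for phase in ("Start", "Complete"):
        if operation_name.endswith(phase):
            return operation_name[: -len(phase)], phase
    return operation_name, None


def pair_operations(records):
    """Join each Start event with its Complete event on activityId.

    A Start without a matching Complete is kept with completed=None: the
    operation is either still running or failed part way, and either way
    an auditor should look at it rather than silently drop it.
    """
    ops = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        name, phase = split_phase(rec["operationName"])
        op = ops.setdefault(rec["activityId"], {
            "name": name,
            "activity_id": rec["activityId"],
            "caller": rec.get("caller"),
            "started": None,
            "completed": None,
            "status": None,
        })
        if phase == "Start":
            op["started"] = rec["time"]
        elif phase == "Complete":
            op["completed"] = rec["time"]
            op["status"] = rec.get("httpStatusCode")
    return list(ops.values())


def duration_seconds(op):
    """Wall-clock time between Start and Complete, or None if not yet complete."""
    if op["started"] is None or op["completed"] is None:
        return None
    return (op["completed"] - op["started"]).total_seconds()


def find_alerts(operations, watched=WATCHED):
    """Return, in time order, the operations whose name matches a watched fragment."""
    return [op for op in operations
            if any(w in op["name"].lower() for w in watched)]


if __name__ == "__main__":
    for op in find_alerts(pair_operations(parse_records(SAMPLE_LOG))):
        state = "INCOMPLETE" if op["completed"] is None else f"status={op['status']}"
        print(f"{op['started']:%Y-%m-%d %H:%M:%S} {op['name']:<24} by {op['caller']} {state} "
              f"duration={duration_seconds(op)}")
```

Routine throughput changes are deliberately not in `WATCHED`, so the throughput update in the sample is paired but not alerted on, while the firewall change from an unfamiliar caller and the region add that never completed both surface. In production, run the same logic as a scheduled Log Analytics query feeding an Azure Monitor alert rule rather than over a file export.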
Ref: audit Azure Cosmos DB control plane operations
Azure Cosmos DB Insights
Insights: This pane provides a customized monitoring experience for Azure Cosmos DB. Insights uses the same metrics and logs that Azure Monitor collects and shows an aggregated view for your account.
- Go to the Azure portal, navigate to your Azure Cosmos DB account, and select Insights under the Monitoring section.
The following metrics are available from the Insights pane:
- Throughput. This tab shows the total number of request units consumed, and the number of requests that failed with a 429 (rate limited) response because the container exceeded its provisioned throughput or storage capacity.
- Requests. This tab shows the total number of requests by status code and operation type, including failed requests (429 response code). Requests are throttled with a 429 when consumption exceeds the throughput or storage capacity provisioned for the container.
- Storage. This tab shows the size of data and index usage over the selected time period.
- Availability. This tab shows the percentage of successful requests out of total requests per hour, where a successful request is defined by the Azure Cosmos DB SLAs.
- Latency. This tab shows the read and write latency that Azure Cosmos DB measures in the region where your account is active. For a geo-replicated account, you can see latency across regions. You can also view server-side latency for different operations. This is a server-side measurement and does not reflect the end-to-end request latency seen by the client.
- System. This tab shows how many metadata requests are served by the primary partition. It also helps identify throttled requests.
- Management Operations. This tab shows the metrics for account management activities such as account creation, deletion, key updates, network and replication settings.