Configure Managed HSM alerts
After you start to use Azure Managed HSM to store your production keys, it's important to monitor the health of your HSM to make sure that your service operates as intended.
As you start to scale your service, the number of requests sent to your HSM rises. This rise can increase the latency of your requests. In extreme cases, it can cause your requests to be throttled and affect the performance of your service. You also need to know if your HSM is returning an unusual number of error codes, so you can quickly handle any problems with an access policy or firewall configuration.
This article shows you how to configure alerts at specified thresholds so you can alert your team to take action immediately if your HSM is in an unhealthy state. You can configure alerts that send an email (preferably to a team distribution list), fire an Azure Event Grid notification, or call or text a phone number.
Alert Types
You can choose between these alert types:
- Static alert based on a fixed value
- Dynamic alert that notifies you if a monitored metric exceeds the average limit of your HSM a certain number of times within a defined time range
Important
It can take up to 10 minutes for newly configured alerts to start sending notifications.
This article focuses on alerts for managed HSM.
Configure an Action Group
An action group is a configurable list of notifications and properties. The first step in configuring alerts is to create an action group and choose an alert type:
1. Select your HSM resource in the Azure portal, and then select Alerts under Monitoring.
2. Select Create.
3. Select Action group.
4. Enter Project and Instance details, and then select Next.
5. Choose the Notification Type for your action group. In this example, we create an email and SMS alert. Select Email/SMS message/Push/Voice.
6. In the dialog, enter the email and SMS details, and then select OK.
7. Enter a name for the notification type and select Next.
8. Select an Action type for your action group. In this example, we create an Event Hubs action. Select Event Hub.
9. Enter the Event Hub namespace and name, and then select OK.
10. Enter a Name for the action.
11. Select Review + create, and then select Create.
Configure Alert Thresholds
Next, create a rule and configure the thresholds that trigger an alert:
1. Select your HSM resource in the Azure portal, and then select Alerts under Monitoring.
2. Select Alert rule under Create.
3. Select the scope of your alert rule. You can select a single HSM or multiple HSMs.

   Important
   When you're selecting multiple HSMs for the scope of your alerts, all selected HSMs must be in the same region. You have to configure separate alert rules for HSMs in different regions.

4. Select the thresholds that define the logic for your alerts. You can view all available signals by selecting See all signals. The Managed HSM team recommends configuring the following thresholds for most applications, but you can adjust them based on your application needs:
   - Key Vault availability drops below 100 percent (static threshold)
   - Key Vault latency is greater than 1000 ms (static threshold)

     Note
     The intention of the 1000 ms threshold is to notify you that the Key Vault service in this region has a workload higher than average. Our SLA for Key Vault operations is several times higher. See the Service Level Agreement for Online Services for the current SLA. To alert when Key Vault operations are out of SLA, use the thresholds from the SLA documents.

   - Total error codes are higher than average (dynamic threshold)
5. Select an action to apply to the alert rule. In this example, we add an existing action group. Select the action group, and then select Select.
6. Enter Project and Alert rule details, and then select Next.
7. Select Create.
Example: Configure a static alert threshold for latency
1. Select Overall Service Api Latency as the signal name and select Apply.
2. Use the following configuration parameters:
   - Set Threshold to Static.
   - Set Aggregation type to Average.
   - Set Operator to Greater than.
   - Set Threshold value to 1000.
   - Set Check every to 1 minute.
   - Set Lookback period to 5 Minutes.
3. Select Done.
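The same email/SMS action group and the static latency rule above, expressed as a Bicep template so the thresholds live in source control instead of portal clicks. This is an added example, not code from the article or the Managed HSM team; the resource names, the email and phone parameters, and the country code are placeholders, and it assumes that `ServiceApiLatency` in the `Microsoft.KeyVault/managedHSMs` namespace is the metric behind the portal's Overall Service Api Latency signal.

```bicep
param hsmName string
param alertEmail string
param alertPhone string = '5550100'  // placeholder number, without country code

// The HSM that the alert rule is scoped to (must already exist).
resource hsm 'Microsoft.KeyVault/managedHSMs@2023-07-01' existing = {
  name: hsmName
}

// Action group with an email and an SMS receiver (the portal's Email/SMS message/Push/Voice type).
resource hsmAlertsAg 'Microsoft.Insights/actionGroups@2023-01-01' = {
  name: 'hsm-alerts-ag'
  location: 'global'
  properties: {
    groupShortName: 'hsmalerts'
    enabled: true
    emailReceivers: [ { name: 'HsmTeamEmail', emailAddress: alertEmail, useCommonAlertSchema: true } ]
    smsReceivers: [ { name: 'HsmOnCallSms', countryCode: '1', phoneNumber: alertPhone } ]  // country code assumed
  }
}

// Static threshold: average Overall Service Api Latency > 1000 ms, checked every minute over a 5-minute window.
resource latencyAlert 'Microsoft.Insights/metricAlerts@2018-03-01' = {
  name: 'hsm-latency-over-1000ms'
  location: 'global'
  properties: {
    description: 'Average Overall Service Api Latency exceeded 1000 ms over the last 5 minutes'
    severity: 2
    enabled: true
    scopes: [ hsm.id ]
    evaluationFrequency: 'PT1M' // Check every: 1 minute
    windowSize: 'PT5M'          // Lookback period: 5 minutes
    criteria: {
      'odata.type': 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria'
      allOf: [
        {
          criterionType: 'StaticThresholdCriterion'
          name: 'LatencyOver1000ms'
          metricNamespace: 'Microsoft.KeyVault/managedHSMs'
          metricName: 'ServiceApiLatency' // assumed id of the portal signal "Overall Service Api Latency"
          timeAggregation: 'Average'
          operator: 'GreaterThan'
          threshold: 1000
        }
      ]
    }
    actions: [ { actionGroupId: hsmAlertsAg.id } ]
  }
}
```

Deploy it into the HSM's resource group with `az deployment group create`; the availability rule (below 100 percent) is a second `metricAlerts` resource with `metricName: 'Availability'`, `operator: 'LessThan'` and `threshold: 100`.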
Example: Configure an Azure Advisor alert
To get alerted if a backup has not been taken in the last 30 days, the alert must be set up in Advisor.
1. Search for "Advisor" in the Azure portal and select the "Advisor" service.
2. Select Alerts under Monitoring.
3. Select New Advisor Alert.
4. Select the scope of your alert rule.
5. Select Recommendation Type as the configuration condition.
6. Search for "Create a backup of HSM" as the recommendation type and select it.
7. Select an Action Group. In this example, we select an existing action group. You can attach up to 5 action groups to an alert rule. Choose Select existing, and a side panel opens. Select the existing action group.
8. Give the alert rule a name and select the resource group it applies to. Then, select Create Alert.
Next Steps
Use the tools that you set up in this article to actively monitor the health of your key vault: