ama-metrics agent). When complete, Vantage application metrics appear alongside your infrastructure metrics in the same Azure Managed Grafana, scraped by an in-mesh Prometheus that reaches Vantage’s endpoints over Istio mTLS.
For background on why this pattern exists (including the Istio mTLS constraint that drives it), see Monitoring Overview.
Why this pattern exists
Theama-metrics agent deployed by Azure handles Kubernetes infrastructure metrics (kubelet, cadvisor, kube-state-metrics) automatically. It can also scrape Istio proxy metrics like istio_requests_total via pod annotations, since those are exposed on cleartext ports by the Envoy sidecar.
Vantage application metrics are different: they’re exposed on container port 8080, which is intercepted by the Envoy sidecar and subject to STRICT mTLS enforcement. The ama-metrics agent runs in kube-system without an Istio sidecar and cannot present valid mTLS certificates, so it cannot scrape application metrics endpoints in meshed namespaces. Microsoft documents this as a known limitation: “Currently, there’s no support to collect metrics from Istio setup with mutual TLS authentication.”
To collect Vantage application metrics, you deploy a Prometheus instance inside the Istio mesh. This Prometheus runs with an Istio sidecar, exports the mesh certificates, uses them to scrape application endpoints over mTLS, and remote-writes to the same Azure Monitor Workspace that ama-metrics uses.
How it works
Vantage applications are instrumented with OpenTelemetry SDKs and expose Prometheus-format metrics on/metrics-text at container port 8080. Services that expose metrics carry the label abbyy.platform.metrics.text.endpoint: "1".
The in-mesh Prometheus scrapes those metrics by:
- Running with an Istio sidecar (
sidecar.istio.io/inject: "true"). - Exporting Istio’s mTLS certificates via the
OUTPUT_CERTSproxy config annotation. - Mounting those certificates into the Prometheus container at
/etc/prom-certs/. - Configuring the
ServiceMonitor(created by thevantage-selfhostedchart in Step 6) to scrape overscheme: httpsusing the Istio CA cert, client cert, and key.
Architecture
| Component | Role |
|---|---|
| Azure Monitor Workspace | Prometheus-compatible backend that stores all metrics. |
| Azure Managed Grafana | Visualization layer, pre-wired to the monitor workspace as a data source. |
ama-metrics agent (Azure-managed) | Scrapes default Kubernetes infrastructure metrics. Deployed automatically when Prometheus is enabled on AKS. |
| In-mesh Prometheus (custom) | Istio-injected Prometheus that scrapes Vantage app metrics over mTLS and remote-writes to the Azure Monitor Workspace. |
ServiceMonitor (custom) | Defines the Vantage scrape targets: /metrics-text on services labeled abbyy.platform.metrics.text.endpoint: "1". |
Prerequisites
- AKS cluster with the Istio service mesh add-on enabled (STRICT mTLS).
- Azure Monitor Workspace provisioned and linked to the AKS cluster.
- Azure Managed Grafana provisioned and linked to the Azure Monitor Workspace.
ama-metricsagent running on the cluster (enabled via AKS Monitor Settings).- OIDC issuer enabled on the AKS cluster (required for workload identity).
- Prometheus Operator CRDs installed (these come with
ama-metrics).
Step 1: Provision Azure resources
If you haven’t already created the monitoring resources, do so now in the Azure portal:- Azure Monitor Workspace: Portal → “Azure Monitor workspaces” → Create. Use the same resource group and region as your AKS cluster. Naming convention:
amw-<cluster-name>. - Azure Managed Grafana: Portal → “Azure Managed Grafana” → Create. Same resource group and region. Link to the monitor workspace during creation. Naming convention:
amg-<cluster-name>. - Enable Prometheus on AKS: Portal → AKS cluster → Monitoring → Monitor Settings → enable “Metrics via managed Prometheus” and select the monitor workspace and Grafana instance.
ama-metrics pods are running:
Step 2: Create the observability namespace with Istio injection
Note: Any namespace name can be used, but certain optional Vantage features (like KEDA support) depend on Prometheus services living in theobservabilitynamespace, so usingobservabilityis recommended.
observability namespace:
Step 3: Gather Azure Monitor Workspace ingestion details
Get the data collection rule and endpoint resource IDs:The managed resource group follows the pattern
MA_<monitor-workspace-name>_<region>_managed.Step 4: Create a managed identity for Prometheus
Create a user-assigned managed identity:clientId and principalId from the output.
Assign the Monitoring Metrics Publisher role on the data collection rule:
Step 5: Install the Prometheus Operator
Theama-metrics agent installs the Prometheus CRDs but does not run an operator that reconciles custom Prometheus resources. Install the operator only; disable everything else:
Step 6: Apply the Prometheus manifests
Three manifests are required (service account, RBAC, and the Prometheus instance). Apply them in the order shown. The VantageServiceMonitor is created separately by the vantage-selfhosted chart (see below).
service-account.yaml: Prometheus service account with workload identity annotation:
rbac.yaml: ClusterRole and binding for target discovery:
prometheus.yaml: Prometheus instance with Istio sidecar injection, certificate export, and remote-write to Azure Monitor:
The
azureAd.sdk auth method uses DefaultAzureCredential, which picks up the workload identity token injected by the azure.workload.identity/use: "true" label. Requires Prometheus v3.60+.Configure the Vantage ServiceMonitor
The VantageServiceMonitor is created by the vantage-selfhosted Helm chart rather than applied by hand. Install or upgrade the chart with a values file that configures the ServiceMonitor to scrape Vantage over Istio mTLS using the certificates the in-mesh Prometheus exports:
Step 7: Verify
Check that the Prometheus pod is running with three containers (prometheus, config-reloader, istio-proxy):
http://localhost:9090/targets. Targets should show as UP, scraping over https on /metrics-text:8080.
Check remote-write logs for errors:
up{cluster="<cluster-name>"} in the Explore view using the Managed Prometheus data source to confirm metrics are flowing.
Operational notes
- The
ama-metricsagent continues handling Kubernetes infrastructure metrics (kubelet, cadvisor, kube-state-metrics, node-exporter). Do not disable it. - The in-mesh Prometheus only handles Vantage application metrics. Both write to the same Azure Monitor Workspace.
- The
azureAd.sdkremote-write auth usesDefaultAzureCredential, which picks up the workload identity token projected into the pod by the AKS workload identity webhook. This requires the service account annotationazure.workload.identity/client-idand the pod labelazure.workload.identity/use: "true". - The
azureAd.managedIdentityconfig does not work for this use case: it calls the IMDS endpoint on the node, and the user-assigned identity is not assigned to the VMSS node pool. UNKNOWNtargets in the Prometheus targets view are typically pods that are in a Degraded or CrashLooping state, not a scraping issue.logLevel: debugin the Prometheus CRD can be changed toinfoonce the setup is verified.
