---
title: "discovery.azure | Grafana Alloy documentation"
description: "Learn about discovery.azure"
---

# `discovery.azure`

`discovery.azure` discovers [Azure](https://azure.microsoft.com/en-us) Virtual Machines and exposes them as targets.

## Usage

```alloy
discovery.azure "<LABEL>" {
}
```

## Arguments

You can use the following arguments with `discovery.azure`:

| Name                     | Type                | Description                                                                                      | Default              | Required |
|--------------------------|---------------------|--------------------------------------------------------------------------------------------------|----------------------|----------|
| `enable_http2`           | `bool`              | Whether HTTP2 is supported for requests.                                                         | `true`               | no       |
| `environment`            | `string`            | Azure environment.                                                                               | `"AzurePublicCloud"` | no       |
| `follow_redirects`       | `bool`              | Whether redirects returned by the server should be followed.                                     | `true`               | no       |
| `http_headers`           | `map(list(secret))` | Custom HTTP headers to be sent along with each request. The map key is the header name.          |                      | no       |
| `no_proxy`               | `string`            | Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying. |                      | no       |
| `port`                   | `number`            | The port appended to the `__address__` label for each target.                                    | `80`                 | no       |
| `proxy_connect_header`   | `map(list(secret))` | Specifies headers to send to proxies during CONNECT requests.                                    |                      | no       |
| `proxy_from_environment` | `bool`              | Use the proxy URL indicated by environment variables.                                            | `false`              | no       |
| `proxy_url`              | `string`            | HTTP proxy to send requests through.                                                             |                      | no       |
| `refresh_interval`       | `duration`          | Interval at which to refresh the list of targets.                                                | `"5m"`               | no       |
| `subscription_id`        | `string`            | Azure subscription ID.                                                                           |                      | no       |

`no_proxy` can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. `proxy_url` must be configured if `no_proxy` is configured.

`proxy_from_environment` uses the environment variables `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` (or the lowercase versions thereof). Requests use the proxy from the environment variable matching their scheme, unless excluded by `NO_PROXY`. `proxy_url` and `no_proxy` must not be configured if `proxy_from_environment` is configured.

`proxy_connect_header` should only be configured if `proxy_url` or `proxy_from_environment` is configured.

## Blocks

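You can use the following blocks with `discovery.azure`:

| Block              | Description                                                |
|--------------------|------------------------------------------------------------|
| `managed_identity` | Configures Managed Identity authentication for the Azure API. |
| `oauth`            | Configures OAuth 2.0 authentication for the Azure API.     |
| `tls_config`       | Configures TLS settings for requests to the Azure API.     |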

You must specify exactly one of the `oauth` or `managed_identity` blocks.

### `managed_identity`

The `managed_identity` block configures Managed Identity authentication for the Azure API.

| Name        | Type     | Description                 | Default | Required |
|-------------|----------|-----------------------------|---------|----------|
| `client_id` | `string` | Managed Identity client ID. |         | yes      |

### `oauth`

The `oauth` block configures OAuth 2.0 authentication for the Azure API.

| Name            | Type     | Description              | Default | Required |
|-----------------|----------|--------------------------|---------|----------|
| `client_id`     | `string` | OAuth 2.0 client ID.     |         | yes      |
| `client_secret` | `string` | OAuth 2.0 client secret. |         | yes      |
| `tenant_id`     | `string` | OAuth 2.0 tenant ID.     |         | yes      |

### `tls_config`

The `tls_config` block configures TLS settings for requests to the Azure API.

| Name                   | Type     | Description                                              | Default | Required |
|------------------------|----------|----------------------------------------------------------|---------|----------|
| `ca_pem`               | `string` | CA PEM-encoded text to validate the server with.         |         | no       |
| `ca_file`              | `string` | CA certificate to validate the server with.              |         | no       |
| `cert_pem`             | `string` | Certificate PEM-encoded text for client authentication.  |         | no       |
| `cert_file`            | `string` | Certificate file for client authentication.              |         | no       |
| `insecure_skip_verify` | `bool`   | Disables validation of the server certificate.           |         | no       |
| `key_file`             | `string` | Key file for client authentication.                      |         | no       |
| `key_pem`              | `secret` | Key PEM-encoded text for client authentication.          |         | no       |
| `min_version`          | `string` | Minimum acceptable TLS version.                          |         | no       |
| `server_name`          | `string` | ServerName extension to indicate the name of the server. |         | no       |

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

- `ca_pem` and `ca_file`
- `cert_pem` and `cert_file`
- `key_pem` and `key_file`

When configuring client authentication, both the client certificate (using `cert_pem` or `cert_file`) and the client key (using `key_pem` or `key_file`) must be provided.

When `min_version` isn’t provided, the minimum acceptable TLS version is inherited from Go’s default minimum version, TLS 1.2. If `min_version` is provided, it must be set to one of the following strings:

- `"TLS10"` (TLS 1.0)
- `"TLS11"` (TLS 1.1)
- `"TLS12"` (TLS 1.2)
- `"TLS13"` (TLS 1.3)

## Exported fields

The following fields are exported and can be referenced by other components:

| Name      | Type                | Description                                       |
|-----------|---------------------|---------------------------------------------------|
| `targets` | `list(map(string))` | The set of targets discovered from the Azure API. |

Each target includes the following labels:

- `__meta_azure_machine_computer_name`: The host OS name of the VM.
- `__meta_azure_machine_id`: The UUID of the Azure VM.
- `__meta_azure_machine_location`: The region the VM is in.
- `__meta_azure_machine_name`: The name of the VM.
- `__meta_azure_machine_os_type`: The OS the VM is running, either `Linux` or `Windows`.
- `__meta_azure_machine_private_ip`: The private IP address of the VM.
- `__meta_azure_machine_public_ip`: The public IP address of the VM.
- `__meta_azure_machine_resource_group`: The name of the resource group the VM is in.
- `__meta_azure_machine_scale_set`: The name of the scale set the VM is in.
- `__meta_azure_machine_size`: The size of the VM.
- `__meta_azure_machine_tag_*`: A tag on the VM. There is one label per tag.
- `__meta_azure_subscription_id`: The Azure subscription ID.
- `__meta_azure_tenant_id`: The Azure tenant ID.

Each discovered VM maps to a single target. The `__address__` label is set to the `private_ip:port` of the VM if the private IP is an IPv4 address, or `[private_ip]:port` if the private IP of the VM is an IPv6 address.

## Component health

`discovery.azure` is only reported as unhealthy when given an invalid configuration. In those cases, exported fields retain their last healthy values.

## Debug information

`discovery.azure` doesn’t expose any component-specific debug information.

## Debug metrics

`discovery.azure` doesn’t expose any component-specific debug metrics.

## Example

```alloy
discovery.azure "example" {
  port = 80
  subscription_id = "<AZURE_SUBSCRIPTION_ID>"
  oauth {
      client_id = "<AZURE_CLIENT_ID>"
      client_secret = "<AZURE_CLIENT_SECRET>"
      tenant_id = "<AZURE_TENANT_ID>"
  }
}

prometheus.scrape "demo" {
  targets    = discovery.azure.example.targets
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"

    basic_auth {
      username = "<USERNAME>"
      password = "<PASSWORD>"
    }
  }
}
```

Replace the following:

- *`<AZURE_SUBSCRIPTION_ID>`* : Your Azure subscription ID.
- *`<AZURE_CLIENT_ID>`* : Your Azure client ID.
- *`<AZURE_CLIENT_SECRET>`* : Your Azure client secret.
- *`<AZURE_TENANT_ID>`* : Your Azure tenant ID.
- *`<PROMETHEUS_REMOTE_WRITE_URL>`* : The URL of the Prometheus `remote_write`-compatible server to send metrics to.
- *`<USERNAME>`* : The username to use for authentication to the `remote_write` API.
- *`<PASSWORD>`* : The password to use for authentication to the `remote_write` API.
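
The following variant is an added example, not part of the original documentation. It authenticates with the `managed_identity` block instead of `oauth`, sets `min_version` explicitly, and uses `discovery.relabel` to restrict scraping to tagged VMs and to copy `__meta_azure_*` labels into ordinary labels. The component labels, port `9100`, the `monitoring` tag, and the `<MANAGED_IDENTITY_CLIENT_ID>` placeholder are assumptions.

```alloy
// Added example; placeholders and the "monitoring" tag are assumptions.
discovery.azure "vms" {
  subscription_id = "<AZURE_SUBSCRIPTION_ID>"
  port            = 9100 // assumed exporter port

  // Managed Identity needs only a client ID, so no client secret sits in this file.
  managed_identity {
    client_id = "<MANAGED_IDENTITY_CLIENT_ID>"
  }

  // State the TLS floor explicitly; "TLS10" or "TLS11" would lower it.
  tls_config {
    min_version = "TLS12"
  }
}

discovery.relabel "vms" {
  targets = discovery.azure.vms.targets

  // Opt-in scraping: keep only VMs carrying the (assumed) tag monitoring=true.
  rule {
    source_labels = ["__meta_azure_machine_tag_monitoring"]
    regex         = "true"
    action        = "keep"
  }

  // Copy metadata worth keeping into ordinary labels.
  rule {
    source_labels = ["__meta_azure_machine_resource_group"]
    target_label  = "resource_group"
  }

  rule {
    source_labels = ["__meta_azure_machine_os_type"]
    target_label  = "os_type"
  }
}

prometheus.scrape "vms" {
  targets    = discovery.relabel.vms.output
  forward_to = [prometheus.remote_write.demo.receiver]
}

prometheus.remote_write "demo" {
  endpoint {
    url = "<PROMETHEUS_REMOTE_WRITE_URL>"
  }
}
```

Labels that begin with `__` are not kept on scraped series, so any Azure metadata you want on the stored metrics has to be copied to a regular label as shown.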

## Compatible components

`discovery.azure` has exports that can be consumed by the following components:

- Components that consume [Targets](../../../compatibility/#targets-consumers)

> Note
> 
> Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.
