CAMPUX Cloud Bootcamp Phase Four · Class Thirty
Phase Four — Operate, Secure & AI
Reading 40 min · Drills 6 · 2 Labs
Build IV foundations
Class Thirty

App Insights & alerting

The workspace can answer any question you ask — this class builds the machinery that asks without you, and then defends that machinery from the thing that kills it: too many alerts nobody reads.

§1

App Insights — telemetry from inside

Everything Class Twenty-Eight collected watched from outside: the platform's view of your resources — CPU numbers, blob operations, job executions. What it cannot see is the inside of the application: which HTTP request was slow, which database call it was waiting on, which exception fired on which line. Application Insights is Azure Monitor's instrument for that interior view — wire it into the storefront (for many platforms, without touching code; for the rest, a small OpenTelemetry package and a connection string) and the app begins narrating its own execution into the same workspace family you already query.1

App Insights
Application performance monitoring from inside the code: every request, every outbound dependency call, every exception, correlated into end-to-end traces — so "the checkout is slow" becomes "the checkout spends 1.8 of its 2.1 seconds waiting on this one database query."

Four telemetry types carry most of the value, and they interlock. Requests: every call your app served, with duration and result. Dependencies: every call your app made — SQL, storage, third-party APIs — which is where most slowness actually lives. Exceptions: every error, with stack trace. Traces: the app's own log lines, stitched to the request that produced them. The stitching is the product: one slow checkout request expands into its dependency calls and exceptions as a single correlated story, and the application map draws the whole system — services, dependencies, failure rates on every edge — from that telemetry automatically. Class Twenty-Nine's skills apply unchanged; these are just richer tables.

§2

Availability tests — the robot customer

All telemetry so far shares a blind spot: it reports what happened to traffic that arrived. If DNS breaks, the certificate expires, or the front door falls off the internet, the app records nothing wrong — no requests, no errors, a peaceful dashboard over a dead site. The fix is a customer who never sleeps: an availability test, which requests your URL on a schedule from multiple Azure regions around the world and records success, failure, and response time from each.

The design details are small but load-bearing. A standard test checks more than "did it respond": expected status code, an optional content match string (a page that returns 200 with an error message in it is still down, as far as a customer cares), TLS certificate validity, and — quietly one of the most valuable lines in Azure — a proactive certificate lifetime check that fails the test before the cert expires, converting the classic Saturday-outage into a Tuesday ticket. Run it from at least five locations, and alert when several fail at once — the recommended threshold is locations minus two — so one region's network hiccup does not page anyone, but a real outage, visible from three continents, does.2 That multi-location logic is the whole trick: the robot customer distinguishes "the site is down" from "the internet had a moment," which is exactly the judgement a single ping never could.

§3

Action groups — where alerts go

Detection without delivery is a diary. Azure separates the two cleanly: an alert rule is scope + condition (a metric threshold, a failed availability test, or a Class Twenty-Nine log query on a schedule), and an action group is a named, reusable list of destinations — email, SMS, push, a webhook into Teams or Slack, an ITSM ticket, even a Logic App or Azure Function that does something. Rules reference action groups, many-to-one, so "who gets told" is maintained in one place instead of inside forty rules:

# one action group, reused by every alert that pages on-call
az monitor action-group create \
  --name ag-campux-oncall \
  --resource-group rg-campux-platform \
  --short-name oncall \
  --action email oncall-primary [email protected]

Two disciplines make the machinery trustworthy. First, severity is a promise, not a mood. Azure's levels run Sev0 (critical) to Sev4 (verbose); a team must define what each means in response time — Sev0 wakes a human now, Sev2 is business-hours work, Sev4 notifies nobody — and then honour it, because the day a Sev0 is ignored, the scale means nothing. Second, route by severity, not by alert: the page-someone group, the Teams-channel group, the log-it-only group — three action groups, and every rule picks one by the promise its severity makes. Alerts are also state-based where it matters: an availability alert fires once when the site goes down and once when it recovers, not every fifteen minutes in between — a mercy you will appreciate by §4.

§4

Alert fatigue — the graveyard

Here is where monitoring programs actually die. Not from missing tools — from a pager that cried wolf. The failure sequence is always the same: enthusiasm creates forty alerts; half fire on conditions that need no action; on-call learns, correctly, that most alerts mean nothing; the learning generalises; and eighteen months later a real Sev0 scrolls past unread in a channel nobody has muted only because muting felt like admitting it. The team then buys a new monitoring tool, and the cycle restarts with better dashboards. Alert fatigue is not a personnel problem. It is a signal-to-noise problem, and it is designed in or designed out.

Every alert is a claim on someone's attention.

Actionable
There is something a human should do upon receiving it — and the alert says what, ideally with a runbook line. "FYI, CPU was briefly high" is not an alert; it is a chart that belongs on a dashboard, per §5.
Owned
A named person or rotation answers it. An alert routed to a twelve-person alias is owned by nobody — everyone assumes someone else is looking, and everyone is right.
Rare
It fires only when the condition is real: thresholds tuned to actual behaviour (not defaults), state-based so one incident is one notification, and reviewed on a cadence where anything that fired without requiring action gets retuned or deleted — the same ratchet as Class Twenty-Nine's query pack, run in reverse.

The test is brutal and worth applying to every rule you ever create: would you wake a colleague at 3am for this, in person, standing at their bed? If yes, it is a Sev0 or Sev1 with a pager. If no — and for most "alerts" the honest answer is no — it is a dashboard panel, a weekly report, or nothing. Teams that keep three meaningful alerts outperform teams with forty ignored ones, in every incident, forever.

§5

Dashboards that answer questions

What happens to everything that failed the 3am test? It becomes glanceable instead of interruptive — and here too there is a discipline separating useful from decorative. The decorative kind is familiar: a wall of sixteen charts, assembled in week one and understood by nobody by month three, whose actual function is looking impressive behind the team during video calls. The useful kind is built backwards from questions. Before adding any panel, name the question it answers and who asks it: Is checkout healthy right now? (on-call, hourly). Did last night's batch run? (the storefront team, each morning). Is ingestion cost drifting? (the platform lead, monthly). If no one asks the question, the panel does not earn the pixels.

Azure's tool for this is the workbook — an interactive document mixing prose, parameters, and live Class Twenty-Nine queries, closer to a runbook with charts than to a TV wall. The strongest pattern wires the layers of this class together: the alert tells you something is wrong; the workbook it links to shows the affected service's requests, dependencies, and recent deploys side by side — the first three investigation queries pre-run before the engineer has poured coffee. Alerts interrupt; dashboards answer; workbooks investigate. Keep the three jobs separate and each stays good at its own.

Case File · Campux Retail

Three alerts, on purpose

the pager earns its authority by being quiet

Campux wires App Insights into the storefront and gets its interior view — and the application map promptly earns its keep, showing checkout's latency living almost entirely in one database dependency nobody had suspected. Then the alerting review, and the number that matters: after a long argument, the team ships three alerts, total.3 A standard availability test on checkout from five regions, content-matching the order button, alerting at three-of-five failures — Sev1, pages on-call, runbook line: check the availability workbook, then App Service status. The Class Twenty-Nine disk-space-low query, scheduled — Sev2, Teams channel, owner: platform. And a failed-execution alert on the POS job — Sev2, storefront team, runbook: rerun via job start after reading the execution log.

Everything else that was proposed — CPU warnings, memory notices, per-error emails — went to the two workbooks instead: Is the storefront healthy? and Did the nightly run? Each alert has a named owner and a first move written down; each fires rarely enough that when the phone buzzes, it means something. Six weeks later the checkout availability test fails from three continents at 04:10 — an expired DNS record after a domain migration — and on-call is looking at the workbook by 04:13. Nobody at Campux has ever slept through an alert, because Campux has never taught anyone that alerts are safe to sleep through.

Watch · Microsoft Learn

The official pages, and a CAMPUX overview

The availability page mirrors Lab 1 almost step for step
Microsoft Learn · Docs

Application Insights overview
learn.microsoft.com/azure/azure-monitor/app/app-insights-overview

Application Insights availability tests
learn.microsoft.com/azure/azure-monitor/app/availability-overview

CAMPUX overview video

The application map finding the slow dependency, a robot customer failing from three regions on a broken content match, and the 3am test applied to a list of forty proposed alerts will live here. Video to be added.

Lab 1 · The robot customer

Stand up an availability test and watch it judge a real site

~20 minutes · Azure portal · one throwaway resource group; results take a few minutes per test cycle

Create an App Insights resource and point a standard test at any public site you like — your Class 27 container app if it still runs, a personal site, or any public page. The robot does not care whose site it visits.

  1. Create the workspace-based App Insights resource:

    az group create --name rg-alert-lab --location eastus
    az monitor log-analytics workspace create \
      --resource-group rg-alert-lab --workspace-name alert-lab-logs
    az monitor app-insights component create \
      --app campux-availability --location eastus \
      --resource-group rg-alert-lab \
      --workspace $(az monitor log-analytics workspace show \
          -g rg-alert-lab -n alert-lab-logs --query id -o tsv)
    What to notice: App Insights stores its telemetry in a Log Analytics workspace — the Class 28 reservoir again. If the CLI asks to install the application-insights extension, say yes.
  2. In the portal: open campux-availabilityAvailabilityAdd Standard test. Fill it in deliberately:

    Test name:      checkout-availability
    URL:            https://<a-public-site-you-choose>/
    Test frequency: 5 minutes
    Test locations: pick 5, on different continents
    SSL check:      enabled · Proactive lifetime check: 14 days
    Content match:  a word you know is on the page
    What to notice: each setting is a §2 decision — five locations so one region's hiccup is not an outage; the content match so a 200-with-an-error-page still fails; the lifetime check so a certificate can never surprise you on a Saturday.
  3. Wait ten minutes, then open the Availability graph and flip to Scatter Plot.

    On screen: green dots marching in from five parts of the world — your robot customers reporting in. Hover one: location, duration, result. Click into a sample to see the full request the test made, exactly as a diagnosing engineer would at 4am.
  4. Now make it fail honestly: edit the test and change the content match to a string that is not on the page (e.g. campux-canary-xyzzy). Wait ten minutes and reload.

    The lesson: red crosses from every location — the page still returns 200, but the robot now correctly reports that what customers need is not there. This is the exact failure mode (error page, wrong content, half-rendered checkout) that a naive up/down ping never catches. Revert the content match; Lab 2 needs the test healthy.
Note · edits to a test can take up to 20 minutes to reach all test agents — patience between steps 4's edit and its results. Standard tests are billed per execution; at 5 locations every 5 minutes for an hour or two, the lab costs pennies — but delete the group at the end of Lab 2.
Lab 2 · Wire the pager

Route the alert to your inbox, fire it, then apply the 3am test

~15 minutes · continues Lab 1 · you will receive real email

Create an action group, attach it to the availability alert, break the test again to feel a real notification arrive — then finish with the §4 discipline: tune it, and tear it down.

  1. Create the action group with your own address:

    az monitor action-group create \
      --name ag-lab-oncall \
      --resource-group rg-alert-lab \
      --short-name oncall \
      --action email me <your-email>
    What to notice: you get a "you've been added to an action group" email immediately — Azure confirming the destination exists. The group is reusable: every future alert rule in this lab points here, not at a hard-coded address.
  2. Attach it to the availability alert: in the portal, Availability → your test's context menu → Open Rules (Alerts) page → open the rule → Edit. Set severity to Sev1, add ag-lab-oncall as the action group, and confirm the condition reads 3 of 5 locations.

    What to notice: the rule existed already — availability tests create one by default — but with no action group, it was a diary. You just connected detection to delivery, and set the location threshold to §2's locations-minus-two.
  3. Break the content match again (your canary string), and wait for the phone to buzz.

    On screen: within roughly ten to fifteen minutes, a real alert email: severity, resource, fired time, and a link into the portal. Note what happens next: nothing — no repeat every five minutes, because the alert is state-based. One incident, one notification; one recovery notification when you revert the string. That restraint is §3's design working.
  4. Revert the match, watch the resolved notification arrive, then apply the discipline and clean up:

    # the 3am test, applied honestly:
    # would you wake a colleague for this site being down? if not,
    # this alert should be Sev3 → a dashboard, not an email.
    az group delete --name rg-alert-lab --yes --no-wait
    The lesson: you have now built the entire chain — robot customer → alert rule → action group → your pocket — and felt both the fire and the resolve. The last step is the one most teams skip: asking whether this alert deserved a human interrupt at all. For a lab site, it did not; you just practised deleting an alert, which is a monitoring skill exactly as real as creating one.
On the job

Quiet alerting is a feature

You · Cloud Engineer · tired of hearing it from users

You are done hearing about outages from customers first. You wire Application Insights and set three alerts that matter — not forty that get ignored — so a real failure pages someone with signal instead of noise. The next incident starts with a page at the first sign, not a support ticket an hour in. Quiet alerting is a feature, and you built it.

Class Thirty

Examination

Four drills, then two situations. The situations have no marking scheme — write your answer before you reveal the reasoning, or the exercise is worthless. Nothing is stored; this is between you and the page.

Drill 01Recall · telemetry types
In App Insights, checkout requests take 2.1 seconds. Which telemetry type tells you where inside those 2.1 seconds the time is going?
Marked

B. The request row says that checkout took 2.1 seconds; the dependency rows say why — 1.8 of them waiting on one SQL call, which is precisely how the case file's mystery got solved. A stops at the total (necessary, not sufficient); C conflates slow with broken — most slowness raises no exception at all; D measures from outside and can only confirm the slowness, not localise it. The professional habit this drill encodes: when someone says "the app is slow," your first move inside App Insights is the dependency view of a slow transaction, because in real systems the app is rarely slow — something the app waits on is.

Drill 02Recall · availability
Why run an availability test from five locations and alert only when three fail — rather than one location, alerting on any failure?
Marked

C. A single test point cannot tell the difference between your outage and its own bad day — transient network wobbles between one Azure region and your site are routine, and alerting on any of them is a fatigue machine (about eighty percent of single-location failures vanish on retry, which is why retries default on). Five locations voting, with a three-of-five threshold — the locations-minus-two rule — means the alert fires only on failures visible from multiple continents at once, which is what "down" actually means to customers. A, B, and D are invented mechanics. The deeper lesson generalises beyond availability: every good alert has some form of corroboration built in, because a page that fires on a single noisy signal is §4's graveyard, arriving early.

Drill 03Select three
Which three genuinely cause alert fatigue?
Marked

Unactionable, unowned, untuned — the three failures of §4's checklist, inverted. Each teaches the same lesson: on-call ignores alerts because ignoring them has been the correct response, repeatedly. An FYI alert trains "reading this changes nothing"; an alias-routed alert trains "someone else has it"; a threshold that fires on normal Tuesday traffic trains "red is the usual colour." The rejects are backwards on purpose: scarcity is the cure — three meaningful alerts hold authority precisely because each one has always meant something — and severity levels reduce anxiety rather than cause it, because a defined Sev2 tells you exactly how fast you must move. Fatigue is never caused by the humans who stopped responding; it is caused by the system that taught them to.

Drill 04Spot the error
This alerting proposal is about to be approved. One line guarantees the whole plan fails within months. Which?
# memo: storefront alerting plan
1.  Availability: standard test on checkout, 5 locations,
    alert at 3/5 failures — Sev1, pages on-call.
2.  Errors: every individual 5xx response emails the
    engineering@ alias — Sev0, so nobody misses one.
3.  Batch job: failed execution alerts the storefront team —
    Sev2, runbook: rerun after reading the execution log.
4.  Disk: the disk-space-low query, scheduled — Sev2,
    platform channel.
Marked

Line two — it fails all three §4 tests at once, at volume. Individual 5xx responses happen in the healthiest systems — a bot probing, a client timeout, a transient retry — so this rule fires constantly on normality (untuned). It goes to an alias, so no one owns any given firing (unowned). And there is nothing to do about one 500 (unactionable). The cruellest part is the stated motive: "Sev0 so nobody misses one" achieves the exact opposite, because a Sev0 that fires hourly redefines Sev0 as noise — and the day line one's genuine Sev1 fires, it arrives in an inbox trained to skim past red. One bad rule does not merely waste attention; it devalues the currency the good rules spend.

The repair keeps the intent and fixes the mechanics: alert on the error rate — 5xx above a tuned threshold over a window, corroborated the way Drill 02 taught — Sev1, routed to the owned on-call group, with the per-error detail living in a workbook the alert links to. The other lines are the case file, and they are healthy: availability paging on-call (A), runbook lines in alerts (C — they are exactly where runbooks belong), and scheduled log-query alerts (D) are all standard machinery. Reviewing an alerting plan is §4's checklist applied line by line; one firehose fails the whole plan, because attention is shared infrastructure.

Situation 01Write before you reveal
Forty alerts fired last night. All forty were ignored — including, it turns out, one real one. The engineering manager wants to "retrain on-call about taking alerts seriously." You are asked for your view. Fix the system, not the people.
On-call behaved rationally. Start from that sentence and the rest follows.
Reasoning

The trap is the premise — ignoring forty alerts was the correct decision, thirty-nine times. Say it plainly: on-call did not fail to take alerts seriously; on-call learned, from months of evidence, that these alerts do not merit seriousness — and last night they were right thirty-nine times out of forty. Retraining people to respond to noise does not make the noise signal; it makes the people slower and resentful, and it lasts until the next quiet week undoes it. A system that fires forty times a night has a design defect, and the one missed real alert is the defect's cost, not the on-call engineer's.

Run the triage that should have existed: the 3am test over all forty, with the data. Pull last month's firing history and put every rule through §4's three questions — actionable, owned, rare — with its actual numbers attached: fired N times, acted on M. The arithmetic is usually devastating and therefore persuasive: most rules will show M = 0, and a rule acted on zero times in ninety days is a dashboard panel wearing a pager. Sort the survivors into the case file's shape — a handful of Sev0/Sev1 rules that page a named rotation with a runbook line, a Sev2 tier that lands in a channel during business hours, and everything else demoted to workbooks. The target number is single digits, and saying the number out loud in the meeting is half the fix.

Then install the ratchet so the graveyard does not refill. Two standing rules: every alert that fires without producing action gets retuned or deleted at a short weekly review, and every new alert must arrive with its owner, severity promise, and runbook line written down — no orphans admitted. Give the manager the reframe they can carry upward: the incident was not "on-call ignored an alert" but "we buried one real signal under thirty-nine false ones, and last night we paid for it." Teams that fix the people have this incident again in six months. Teams that fix the system get what Campux got — a pager quiet enough that nobody has ever learned to sleep through it.

Situation 02Write before you reveal
Leadership requests "a big dashboard for the office TV — all our metrics, so everyone can see the system is healthy." You suspect this produces sixteen charts nobody will read. How do you respond, and what do you actually build?
The request is legitimate; the specification is wrong. Find the question leadership is actually asking.
Reasoning

Concede the need before correcting the spec. Leadership's underlying question is real and fair: is the system healthy, and would we know if it weren't? The TV wall is their proposed answer, and the honest critique is that "all our metrics" answers no question at all — sixteen charts require an expert to interpret, decay into wallpaper within a month, and give a false comfort worse than nothing, because a wall that is always slightly red teaches everyone that red is fine (the §4 disease, in visual form). Say yes to the question, and negotiate the answer.

Build the small, honest version: one screen, five panels, each a named question. Is checkout up? (the availability test's last hour — one green/red tile.) Are customers succeeding? (order rate against the same hour last week.) Are we erroring? (5xx rate versus the tuned threshold.) Did the nightly run? (last POS execution's status.) Is anything paging? (open alerts — a number, usually zero.) Every panel passes the §5 test: someone asks it, on a rhythm, and can act on the answer. A non-engineer can read the whole screen in five seconds, which is what an office TV is actually for. Behind it, the team's real workbooks stay parameterised and investigative — different audience, different tool, per §5's separation.

Then close the loop that makes it credible. A health screen is a claim, and claims need audits: the screen shows green because the three real alerts are quiet — so leadership's confidence rests on the alerting discipline of this whole class, and the alert history review is what keeps the green trustworthy. Offer that as the monthly one-line report ("three alerts, two firings, both acted on, mean response four minutes") — a sentence worth more to a director than sixteen charts. The deliverable was never a dashboard; it was justified confidence. Build the smallest thing that delivers it, and the TV wall request will be quietly forgotten by everyone who watches the five tiles actually work.

Examination record · first attempt
0/4
Class Thirty · Complete
Retain this much

Five things worth carrying out of this class

  1. App Insights watches from inside: requests, dependencies, exceptions, traces — correlated, so "slow" localises to the one dependency the app was waiting on. The application map draws the system from its own telemetry.
  2. Availability tests are the robot customer: five-plus locations, content match, proactive certificate checks, alerting at locations-minus-two — corroboration is what separates "down" from "a region blinked."
  3. Alert rules detect; action groups deliver. Route by severity promise (Sev0 wakes someone now, Sev2 waits for morning), keep destinations in reusable groups, and let state-based firing mean one incident, one notification.
  4. Every alert must be actionable, owned, and rare — the 3am test decides. Fatigue is a design defect, not a personnel one: on-call ignoring noisy alerts is learning, working exactly as designed.
  5. Alerts interrupt, dashboards answer, workbooks investigate. Build every panel backwards from a named question and its asker — and treat "deleted an alert" as monitoring work of equal rank with creating one.
Notes
  1. Instrumentation today means OpenTelemetry — the vendor-neutral standard Azure Monitor now builds on — via the Azure Monitor OTel distro for code-based setups, with automatic instrumentation available for several hosting platforms and a JavaScript SDK for the browser side. The moving parts get renamed with some regularity; the concept underneath is stable — a package in the app, a connection string, telemetry out — and OpenTelemetry skills transfer to every observability vendor at once, which makes them unusually good career value.
  2. The retry statistic in Drill 02 — roughly eighty percent of single-location availability failures vanish on retry — is Microsoft's own figure for its test infrastructure; treat the number as approximate and the direction as settled. It generalises into a useful prior: most single-source anomalies in any monitoring system are the observer's problem, not the observed's, which is why corroboration thresholds exist everywhere from availability tests to alert windows.
  3. Three alerts is Campux's right number, not a universal one — a payments platform or a hospital runs more, a side project fewer. The transferable rule is the ratio, not the count: every alert acted on when it fires, reviewed on a cadence, retired when it stops earning attention. If your firing-to-action ratio drifts far from one, you have either too many alerts or too many incidents, and both are findings.