This document describes how you can configure Google Cloud Observability so that you can view the telemetry for an application that is registered with App Hub. You might deploy your application and then register it with App Hub, or you might deploy your applications by using the Application Design Center. Application Monitoring can help you understand the performance of your applications, services, and workloads.
Before you begin
To get the permissions that you need to configure the observability scope, ask your administrator to grant you the following IAM roles:
- Observability Editor (roles/observability.editor) on your project
- Logs Configuration Writer (roles/logging.configWriter) on your project
- Monitoring admin (roles/monitoring.admin) on the App Hub host project and on each project that you want to add to the metrics scope
- Cloud Trace User (roles/cloudtrace.user) on your project
- App Hub viewer (roles/apphub.viewer) on your project
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
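The role list above can be checked before you start. The following is an added example, not part of the original documentation: it compares exported IAM policies against the required roles and reports what a principal still lacks. It assumes "your project" is the App Hub host project, and it sees only direct, unconditional project-level bindings, so grants that arrive through groups, folder or organization inheritance, or custom roles are not resolved.

```python
# Added example: offline check of the roles in the list above.
# Each policy uses the JSON shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.

# Required on the App Hub host project (assumed to be "your project").
HOST_ROLES = {
    "roles/observability.editor",
    "roles/logging.configWriter",
    "roles/monitoring.admin",
    "roles/cloudtrace.user",
    "roles/apphub.viewer",
}
# Required on every other project added to the metrics scope.
SCOPED_ROLES = {"roles/monitoring.admin"}

# Constructed sample policies; project IDs and the member are placeholders.
SAMPLE_POLICIES = {
    "host-proj": {"bindings": [
        {"role": "roles/observability.editor", "members": ["user:dev@example.com"]},
        {"role": "roles/logging.configWriter", "members": ["user:dev@example.com"]},
        {"role": "roles/monitoring.admin", "members": ["user:dev@example.com"]},
        {"role": "roles/apphub.viewer", "members": ["user:dev@example.com"]},
    ]},
    "data-proj": {"bindings": [
        {"role": "roles/monitoring.viewer", "members": ["user:dev@example.com"]},
    ]},
}


def granted_roles(policy, member):
    """Roles bound directly and unconditionally to `member` in one policy."""
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", []) and "condition" not in b
    }


def missing_roles(policies, host_project, scoped_projects, member):
    """Map project ID -> sorted required roles that `member` lacks there."""
    gaps = {}
    for project in [host_project, *scoped_projects]:
        required = HOST_ROLES if project == host_project else SCOPED_ROLES
        lacking = sorted(required - granted_roles(policies.get(project, {}), member))
        if lacking:
            gaps[project] = lacking
    return gaps
```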
Configure the observability scope
The observability scope controls how explorer and dashboard pages search for the data to display. Each Google Cloud project contains a single observability scope. You don't directly configure a project's observability scope. Instead, for your project, you configure the following:
The default log scope
Configure this scope so that when you open the Logs Explorer page or view dashboards, your application's log data is displayed. Make sure this scope lists the projects and log views which store your application's log data.
The metrics scope
Configure this scope so that your charts and alerting policies can display or monitor your application's metric data. Make sure this scope lists the projects which store your application's metric data.
The default trace scope
Configure this scope so that when you open the Trace Explorer page, your application's trace data is displayed. Make sure this scope lists the projects which store your application's trace data.
The remainder of this section provides guidance about how to configure these scopes.
Configure and set the default log scope
Do one of the following:
- If you have an organization-level aggregated sink that routes all log data in your organization to a centralized log bucket, then we recommend the following:
  - Create a log view on the centralized log bucket for your application logs.
  - In your App Hub host project, create a log scope and add your log view, and then set this scope as the default log scope.
- If you aren't using aggregated sinks, then for your App Hub host project, configure the default log scope to list the storage locations of your application's log data. Instead of adding projects to your log scope, we recommend that you add log views on the log buckets that store your log data.
Configure the metrics scope
Configure the metrics scope for your App Hub host project to list all projects that store your application's metric data. For more information, see configure the metrics scope.
Configure and set the default trace scope
Do the following:
- In your App Hub host project, create a trace scope and add the projects that store your application's trace data.
- Set your custom trace scope as the default trace scope.
Associate an alerting policy with an App Hub application
To view your alerting policies from the context of Application Monitoring, you must associate them with a service or workload by adding application-specific labels to the alerting policy. These user-defined labels are also included in any incidents created for a policy. To learn more about labels, see Annotate incidents with labels. For a list of App Hub labels, see View application telemetry.
To associate an alerting policy with a workload or service by using the Google Cloud console, do the following:
- In the Google Cloud console, go to the Alerting page.
  If you use the search bar to find this page, then select the result whose subheading is Monitoring.
- In the toolbar of the Google Cloud console, select your App Hub host project.
- Find the alerting policy, click View more, select Edit, and then go to the Notifications and name section.
- In the Application labels section, select your application and then select your workload or service.
- Click Save policy.
After you complete these steps, labels with the following keys are attached to your alerting policy. These labels identify your application and your service or workload:
- apphub_application_location
- apphub_application_id
- apphub_application_container
- apphub_service_id or apphub_workload_id
You can also add user labels to an alerting policy by using the Google Cloud CLI, Terraform, or the Cloud Monitoring API. However, you must use the label keys shown in the previous example.
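For the Cloud Monitoring API route, the following added example (not part of the original documentation) builds the `alertPolicies.patch` request that attaches the App Hub labels and rejects any key set other than the one listed above. The policy name and all label values are constructed placeholders; the function `apphub_label_patch` is hypothetical and only builds the request, it does not send it.

```python
# Added example: build an alertPolicies.patch request for App Hub labels.
APP_KEYS = (
    "apphub_application_location",
    "apphub_application_id",
    "apphub_application_container",
)
TARGET_KEYS = ("apphub_service_id", "apphub_workload_id")


def apphub_label_patch(policy_name, existing_labels, apphub_labels):
    """Return (url, body) for a PATCH that sets the App Hub user labels.

    Raises ValueError unless `apphub_labels` holds the three application
    keys plus exactly one of apphub_service_id / apphub_workload_id.
    """
    unknown = sorted(set(apphub_labels) - set(APP_KEYS) - set(TARGET_KEYS))
    if unknown:
        raise ValueError(f"unexpected label keys: {unknown}")
    missing = [k for k in APP_KEYS if not apphub_labels.get(k)]
    if missing:
        raise ValueError(f"missing label keys: {missing}")
    targets = [k for k in TARGET_KEYS if apphub_labels.get(k)]
    if len(targets) != 1:
        raise ValueError(
            "set exactly one of apphub_service_id or apphub_workload_id"
        )
    # A patch with updateMask=user_labels replaces the whole userLabels map,
    # so carry over the policy's existing labels. A previous service or
    # workload association is dropped so only the new target remains.
    merged = {k: v for k, v in existing_labels.items() if k not in TARGET_KEYS}
    merged.update(apphub_labels)
    url = (
        f"https://monitoring.googleapis.com/v3/{policy_name}"
        "?updateMask=user_labels"
    )
    return url, {"userLabels": merged}


# Constructed placeholder values; copy the real ones from your application.
SAMPLE_LABELS = {
    "apphub_application_location": "us-central1",
    "apphub_application_id": "my-app",
    "apphub_application_container": "my-host-project",
    "apphub_workload_id": "my-workload",
}
```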
Grant access
IAM manages access to your log, metric, and trace data. This section summarizes roles that you might want to grant to principals:
- Logs View Accessor (roles/logging.viewAccessor) on the log views listed in the default log scope of your App Hub host project. To learn more about granting access to a log view, see Control access to a log view.
- Logs Viewer (roles/logging.viewer) on your App Hub host project and on any other projects listed in its default log scope. This role grants access to most log entries in the _Default log bucket. For more information, see Logging roles.
- Monitoring Editor role (roles/monitoring.editor) on your App Hub host project. For principals who don't need to create alerting policies, consider granting the Monitoring Viewer role (roles/monitoring.viewer).
- Cloud Trace User (roles/cloudtrace.user) on your App Hub host project and on the projects listed in its default trace scope.
- App Hub viewer (roles/apphub.viewer) on your App Hub host project.