
Using Azure Blob for Data File Output

Saar Shen edited this page Apr 3, 2023 · 3 revisions

If you want to store data files in external storage, Azure Blob can be a good and relatively cheap option. You can use the OpenDotNetDiagnostics.Counters.Sinks.AzureBlob NuGet package to output dotnet-counters data to a designated Azure Blob storage. Here are the steps to use it:

Authentication and Authorization

First, decide how to authenticate to Azure Storage. Two approaches are supported today:

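1. Connection string - Configures a connection string for the Azure Blob Storage account. It's easy to use, but not as secure, because the connection string is itself a secret that has to be stored and protected.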
2. Passwordless - Uses `DefaultAzureCredential` for authorization. It's more secure but has a bit of a learning curve.

We will use a connection string in this post for simplicity and later show how to use passwordless authorization. If you prefer to follow an example, check out here.

Using connection string

  1. Configure authentication/authorization to write to Azure Blob

    In the configuration file, for example, appsettings.json, add the connection string as shown below:

    "DotNetCounterAzureBlobSink": {
      "ConnectionString": "Your-connection-string-for-Blob-Storage-Portal"
    }

    Other common providers for configuration will work too. For example, you can put this configuration in the portal for deployed applications with the same effect:

    DotNetCounterAzureBlobSink__ConnectionString = "Your-connection-string-for-Blob-Storage-Portal"

  2. Add the NuGet package

    dotnet add package OpenDotNetDiagnostics.Counters.Sinks.AzureBlob --version 1.0.0-beta1

  3. Enable the sink as shown in the example code:

    ...
    builder.Services.AddDotNetCounterAzureBlobSink();
    ...

  4. Run your application.

    When it succeeds, you will see dotnet-counter files show up in the Azure Storage.

Using Passwordless

  1. We leverage `DefaultAzureCredential` to provide a passwordless solution for authentication and authorization. That means any credential that is supported by `DefaultAzureCredential` is also supported by the Azure Blob sink. For more details, refer to Authenticate to Azure and authorize access to blob data.

  2. In our example code, we used the Azure CLI credentials. Here's a quick description of the steps:

    1. Follow the steps to grant the Storage Blob Data Contributor role to the credential you are going to use. In our case, it is our developer account.

    2. Use a configuration like this:

      "DotNetCounterAzureBlobSink": {
        "ServiceUri": "https://yourtargetblob.blob.core.windows.net/"
      }

    3. Log in locally using the Azure CLI:

      az login

    4. Run the application.

  3. It is also very common to use a managed identity for the deployed application. The steps are almost the same, except:

    1. The role assignment in the step above needs to be made to the managed identity.

    2. For a user-assigned managed identity, you will need to specify the managed identity client ID:

      "DotNetCounterAzureBlobSink": {
        "ServiceUri": "https://yourtargetblob.blob.core.windows.net/",
        "ManagedIdentityClientId": "the-managed-identity-client-id"
      }

    3. Do NOT forget to assign the identity to the application you deployed.
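
A check for the two configurations described on this page, added here as an example (it is not part of this wiki or of the NuGet package): it flags an appsettings.json whose sink section carries a storage credential, so a CI step can fail before the file is committed. It assumes plain JSON without comments; the function name `audit_sink_config` and the sample account name and key are made up.

```python
import json
import re
from urllib.parse import urlparse, parse_qs

SECTION = "DotNetCounterAzureBlobSink"  # configuration section named on this page
# Connection-string parts that are credentials in their own right.
SECRET_PART = re.compile(r"\b(AccountKey|SharedAccessSignature)\s*=\s*[^;\s]+", re.I)


def audit_sink_config(appsettings_text):
    """Return findings for the sink section of one appsettings.json document."""
    section = json.loads(appsettings_text).get(SECTION)
    if not isinstance(section, dict):
        return []  # the sink is not configured in this file
    conn = section.get("ConnectionString") or ""
    uri = section.get("ServiceUri") or ""
    findings = []
    if SECRET_PART.search(conn):
        findings.append("ConnectionString holds a storage credential; supply it "
                        "from a secret store or environment setting instead")
    if conn and uri:
        findings.append("ConnectionString and ServiceUri are both set; remove "
                        "the connection string if passwordless is intended")
    if uri:
        parsed = urlparse(uri)
        if parsed.scheme != "https":
            findings.append("ServiceUri should use https")
        if "sig" in parse_qs(parsed.query):
            findings.append("ServiceUri embeds a SAS token, which is a credential")
    return findings


# Constructed sample inputs (the account name and key are made up).
LEAKY = json.dumps({SECTION: {"ConnectionString":
    "DefaultEndpointsProtocol=https;AccountName=exampleacct;"
    "AccountKey=Q09OU1RSVUNURUQ=;EndpointSuffix=core.windows.net"}})
PASSWORDLESS = json.dumps({SECTION: {
    "ServiceUri": "https://yourtargetblob.blob.core.windows.net/"}})

if __name__ == "__main__":
    for name, text in (("leaky", LEAKY), ("passwordless", PASSWORDLESS)):
        print(name, audit_sink_config(text) or "ok")
```

The placeholder value shown in the connection string steps passes the check; only a value that actually contains an account key or SAS is reported.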