
Prerequisites for the Nodinite Azure Monitoring agent

Get started with Nodinite Azure Monitoring Agent by ensuring your environment meets these prerequisites. This guide helps you set up a secure, reliable, and future-proof monitoring solution for your Azure EAI services.

✅ Ensure secure and least-privilege access to Azure resources
✅ Meet all software and network requirements for seamless operation
✅ Empower teams to monitor and manage Azure without direct portal access
✅ Stay up to date with supported versions and best practices

This page explains what you need to install and run the Nodinite Azure Monitoring Agent.

graph LR
    subgraph "Nodinite Instance"
        roNI(fal:fa-monitor-waveform Azure agent)
    end
    subgraph "Azure Cloud / Subscriptions"
        roAzureAPI(fal:fa-cloud Microsoft Azure API)---roLA(fal:fa-business-time Web Jobs)
        roNI --> |X-API-KEY / Kusto queries| roAI("Application Insights")
        roAI --> roFx(fal:fa-function Functions Monitoring)
        roNI --> |REST| roAzureAPI
        roNI--- |Connection String| roAS(fab:fa-bitbucket Azure Storage)
    end

Diagram: Nodinite Azure Monitoring Agent architecture and required connections.

Note

No Inbound Rules on Azure (general guidance): In most deployments the Agent Server initiates outbound connections to Azure services (for example the Management API, Storage, Event Hubs and Application Insights) using HTTPS (port 443). For these common public Azure endpoints you do not need to create inbound firewall rules in Azure.

However, there are important exceptions where additional inbound or resource-level network configuration may be required:

  • Resource-level firewalls or service-endpoint restrictions (for example Storage account firewall rules, Event Hubs IP filters, or Function App access restrictions) can block outbound calls unless their allowed client IP ranges or service endpoints include the Agent Server or the network from which it connects. In such cases, add the Agent Server's outbound IP address or virtual network to the service's allow list.
  • Azure Private Link / Private Endpoint configurations make services accessible only via private networking. When Private Link is used, ensure the Agent Server has network connectivity to the Private Endpoint (for example by being in the same VNet, using VNet peering, or via VPN/ExpressRoute).
  • Network Security Groups (NSGs), Azure Firewall, or custom virtual appliance rules applied to subnets or VNets can restrict traffic. Verify that outbound HTTPS (TCP 443) from the Agent Server to the required Azure service endpoints is allowed, or add explicit rules to permit the traffic.
  • Non-HTTPS protocols or custom ports (rare) used by an integration may require additional ports to be opened; verify the target service protocol and ports before deploying.

If you're unsure whether a resource-level rule or Private Link is in effect, review the specific Azure service's Networking/Access settings in the Azure Portal or consult your cloud network administrators.

The Azure Agent is a Windows Service and is usually installed on the Nodinite application server.

| Product | |
|---|---|
| Windows Server | Windows 2025, Windows 2022, Windows 2019, Windows 2016, Windows 2012 R2, Windows 2012 |
| .NET Framework | .NET Framework 4.8 or later (New 6.0) |

Earlier versions of this agent made use of .NET Framework 4.7.2.

Supported Versions

Cloud technologies evolve quickly, and Microsoft deprecates older API versions regularly. Nodinite always supports the APIs that Microsoft supports. You need to update Nodinite and the Nodinite Azure Agent periodically to stay current.

Make sure to subscribe to our Release Notes.

What Azure User rights and Services does the Azure agent require?

For least-privilege access, review the least privileges section of the Azure Access page. Carefully read and follow the instructions in the Azure Applications Access user guide for your specific use and for insight into the least privileges required.

The agent provides features to Read, Write, Manage, and Post data to many Azure-related services.

The agent uses the Azure REST API to read and manage Azure services and resources, and it uses a Connection String to access the Storage account.

  1. To ease administration, assign the ApplicationId/ClientId the Contributor role.
  2. To send messages to the Azure Event Hub, assign the Azure Event Hubs Data Sender role to the ApplicationId/ClientId.
    Example: Assigning the Azure Event Hubs Data Sender role in the Azure Portal.
  3. To monitor Azure Storage, the agent uses Connection Strings to read content from Azure Storage (Blobs, Queues, Files). See also RBAC reading for Azure Storage.
  4. To monitor Azure Key Vault, assign the App Registration (Application/Client) the Key Vault Reader role.
  5. To monitor Azure Functions, enable Azure Monitoring. You must tie an Application Insights instance to the Azure Function Web Site hosting the Functions you want to monitor. Include access rights as described in the next bullet.
  6. Application Insights Monitoring (Kusto query execution and Functions Monitoring) requires the App Registration to have Delegated permissions to read data. Filter on Application Insights API and check the Data.Read checkbox.
  7. Some features, like Web Jobs History, require you to set SCM Basic Auth Publishing Credentials to On.
  8. The APIM Monitoring requires membership in the API Management Service Contributor role.
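
To review what the App Registration actually holds against the roles listed above, the following added example (not Nodinite's own code) audits role assignments exported as JSON. It assumes the export has the `roleDefinitionName` and `scope` fields that `az role assignment list --assignee <appId> --all` returns; the subscription ID, resource names and finding labels are constructed.

```python
# Roles this page names for the agent's App Registration.
PAGE_ROLES = {"Contributor", "Azure Event Hubs Data Sender",
              "Key Vault Reader", "API Management Service Contributor"}
WIDE_LEVELS = {"root", "management-group", "subscription"}

def scope_level(scope):
    """Classify an Azure RBAC scope string by how much it covers."""
    parts = [p.lower() for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[:2] == ["providers", "microsoft.management"]:
        return "management-group"
    if parts[0] == "subscriptions" and len(parts) == 2:
        return "subscription"
    if parts[0] == "subscriptions" and len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource-group"
    return "resource"

def audit(assignments):
    """Return (finding, role, scope level) tuples that need a reviewer's attention."""
    findings = []
    for item in assignments:
        role, level = item["roleDefinitionName"], scope_level(item["scope"])
        if role not in PAGE_ROLES:
            # Role is not one this page asks for; confirm why the agent holds it.
            findings.append(("role-not-on-page", role, level))
        elif role == "Contributor" and level in WIDE_LEVELS:
            # Contributor at subscription scope or above covers every resource below it.
            findings.append(("contributor-wide-scope", role, level))
    return findings

# Constructed sample in the shape of the Azure CLI output (placeholder IDs and names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = [
    {"roleDefinitionName": "Contributor", "scope": SUB},
    {"roleDefinitionName": "Azure Event Hubs Data Sender",
     "scope": SUB + "/resourceGroups/rg-integration/providers/Microsoft.EventHub/namespaces/ns-example"},
    {"roleDefinitionName": "Key Vault Reader", "scope": SUB + "/resourceGroups/rg-integration"},
    {"roleDefinitionName": "Owner", "scope": SUB + "/resourceGroups/rg-integration"},
]

if __name__ == "__main__":
    for finding, role, level in audit(SAMPLE):
        print(f"{finding}: {role} at {level} scope")
```

Application Insights `Data.Read` is an API permission on the App Registration rather than a role assignment, so it does not appear in this export and has to be checked separately.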

What Windows User Rights does the Azure agent require?

The agent installs as a Windows Service, usually on the Nodinite application server. Virtual machines are supported.

What Firewall settings are required for the Azure agent?

The Azure Agent communicates both inbound and outbound:

  1. Between the Monitoring Service and the Azure Agent.
  2. Between the Azure Agent and Azure Management API and/or the Connection String.

graph LR
    subgraph "Nodinite Instance"
        roMonitoringService(fal:fa-watch-fitness Monitoring Service)
        roNI(fal:fa-monitor-waveform Azure agent)
        roMonitoringService --> |8000/443| roNI
    end
    subgraph "Azure Cloud / Subscriptions"
        roAzureAPI(fal:fa-cloud Microsoft Azure API)---roLA(fal:fa-business-time Web Jobs)
        roNI --> |443| roAzureAPI
        roNI--- |443| roAS(fab:fa-bitbucket Azure Storage)
    end

1. Between the Monitoring Service and the Azure agent

Allow these ports on the Windows server where you install and run the agent:

| Port | Name | Inbound | Outbound | TCP | UDP | Nodinite Version | Comment |
|---|---|---|---|---|---|---|---|
| 53 | DNS | | | | | All | The Agent needs to know where your other servers/services are (can sometimes optionally be solved using entries in the local hosts file) |

In addition, allow the ports for 'Option 1' or 'Option 2', as documented next:

Option 1a (Nodinite v7 - IIS hosted on local network)

| Port | Name | Inbound | Outbound | TCP | UDP | Nodinite Version | Comment |
|---|---|---|---|---|---|---|---|
| Custom | HTTP/HTTPS | | | | | v7 | Agent IIS site port (configured during installation in the Portal). Only required if agent is on a remote IIS server |

Note

Nodinite v7 IIS Hosting: When agents are hosted in IIS on the same server as the Nodinite application (typical installation), firewall rules are not required between the Monitoring Service and the agent. The custom port is assigned during installation via the Nodinite Portal and only needs to be opened if the agent is hosted on a remote IIS Windows Server.

Option 1b (Nodinite v6 and earlier - Windows Service on local network)

| Port | Name | Inbound | Outbound | TCP | UDP | Nodinite Version | Comment |
|---|---|---|---|---|---|---|---|
| 8000 | RPC | | | | | v6 and earlier | Communication is initiated by the Monitoring Service. Only used with legacy MSI installer on remote Windows servers |

Note

Nodinite v6 Legacy: Port 8000 is only used when agents have default installations on remote Windows servers using the legacy MSI installer. This port is not required for Nodinite v7 IIS-hosted agents.

Option 2 (Cloud/Hybrid - All versions)

Use Service Bus Relayed connections when Nodinite and the agent run on different networks.

Nodinite uses the same technique as the On-Premise data gateway. Review the 'Adjust communication settings for the on-premises data gateway' user guide.

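| Port | Name | Inbound | Outbound | TCP | UDP | Nodinite Version | Comment |
|---|---|---|---|---|---|---|---|
| 443 | HTTPS | | | | | All | Secure outbound traffic |
| 5671, 5672 | Secure AMQP | | | | | All | |
| 9350 - 9354 | Net.TCP | | | | | All | |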
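
The NSG verification mentioned in the note at the top of this page can be done offline against exported rules. This added example (not part of the Nodinite documentation) assumes the Agent Server sits in an Azure subnet governed by an NSG, that the Option 2 ports are needed outbound, and that rules are exported with the fields `az network nsg rule list` returns; the rule names are constructed.

```python
# Outbound TCP ports from the Option 2 table on this page.
REQUIRED_TCP_PORTS = [443, 5671, 5672, *range(9350, 9355)]

def covers_port(rule, port):
    """True if the rule's destination port range(s) include `port`."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    for item in ranges:
        if item == "*":
            return True
        low, _, high = item.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def first_match(rules, port):
    """Lowest-priority-number outbound TCP rule covering `port`, or None
    when only the NSG's default rules would apply."""
    outbound = [r for r in rules if r["direction"].lower() == "outbound"]
    for rule in sorted(outbound, key=lambda r: r["priority"]):
        if rule["protocol"].lower() in ("tcp", "*") and covers_port(rule, port):
            return rule
    return None

def denied_ports(rules):
    """Map each required port that hits a Deny rule to that rule's name.
    Destination prefixes are not evaluated; check them on the named rule."""
    denied = {}
    for port in REQUIRED_TCP_PORTS:
        rule = first_match(rules, port)
        if rule and rule["access"].lower() == "deny":
            denied[port] = rule["name"]
    return denied

# Constructed sample rules (names and priorities are placeholders).
SAMPLE_RULES = [
    {"name": "allow-https-out", "priority": 100, "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "443", "destinationPortRanges": []},
    {"name": "allow-amqp-out", "priority": 110, "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": None, "destinationPortRanges": ["5671-5672"]},
    {"name": "deny-all-out", "priority": 4000, "direction": "Outbound", "access": "Deny",
     "protocol": "*", "destinationPortRange": "*", "destinationPortRanges": []},
    {"name": "allow-rdp-in", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "3389", "destinationPortRanges": []},
]

if __name__ == "__main__":
    for port, name in denied_ports(SAMPLE_RULES).items():
        print(f"TCP {port} outbound is denied by rule {name}")
```

In the sample, the Net.TCP range 9350 - 9354 falls through to the catch-all deny rule, which is the kind of gap that breaks a relayed connection while HTTPS still works.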

2. Between the Azure Agent and Azure Cloud Services

Server types: Agent Server (Azure Monitoring Agent), Azure Cloud (Azure Management API, Azure Storage, Azure Functions).

Azure Management API Connection (Agent → Azure Cloud)

The agent connects to the Azure Management API to monitor Azure resources (Functions, WebJobs, Storage, etc.).

| Direction | Source | Destination | Protocol | Port(s) | Purpose | Notes |
|---|---|---|---|---|---|---|
| Outbound | Agent Server | Azure Cloud (Management API) | TCP | 443 (HTTPS) | Azure REST API communication | Monitor Azure resources and services |
| Inbound | Azure Cloud | Agent Server | TCP | 443 (HTTPS) | Response traffic | Allowed automatically by stateful firewalls |

Note

DNS Resolution: All servers (Agent Server) require outbound access to DNS on TCP/UDP port 53 for name resolution. This is already listed in section 1 and applies universally. You can optionally solve this using entries in the local hosts file on each server.

Important

Stateful Firewalls: Most modern Windows Firewall implementations are stateful, meaning inbound response traffic for established outbound connections is automatically allowed. The inbound rules listed above are primarily for reference and troubleshooting scenarios where stateful inspection may be disabled or restricted.


What Azure Services does the Functions Monitoring require?

You must enable Application Insights for Azure Functions to use with Nodinite Monitoring.

The agent uses custom Kusto queries to get logs and evaluate the state and metrics of executions.

This topic appears in the How to configure monitoring for Azure Functions user guide.


Frequently asked questions

Additional solutions to common problems and the Nodinite Azure Monitoring Agent FAQ appear in the Troubleshooting user guide.

How do I enable Logging using Azure API Management Services?

Review the APIMGMT - Logging user guide to enable Nodinite Logging with Azure API Management Service APIs.

How do I enable Logging using Azure Functions?

Review the Serilog user guide to enable Nodinite Logging with Azure Functions.

Next Step

Install the Azure agent

Add or manage a Monitoring Agent Configuration