Configure Bring Your Own Storage (BYOS) for Application Insights Profiler for .NET and Snapshot Debugger

Article
2025-04-03

When you use Application Insights Profiler for .NET or Snapshot Debugger, artifacts generated by your application are uploaded by default into Azure Storage accounts over the public internet. For these artifacts and storage accounts, Microsoft controls and covers the cost for:

Processing and analysis.
Encryption-at-rest and lifetime management policies.

Meanwhile, when you "bring your own storage" (BYOS), artifacts are uploaded into a storage account that only you control and cover the cost for:

The encryption-at-rest policy and the Lifetime management policy.
Network access.

Note

BYOS is required if you're enabling Azure Private Link or customer-managed keys.

In this guide, you learn how to:

Grant Diagnostic Services access to your storage account.
Link your storage account with your Application Insights resource.
Learn how your storage account is accessed.

Prerequisites

Verify you created your storage account in the same location as your Application Insights resource.
If you enabled Private Link, allow connection to our Trusted Microsoft Service from your virtual network.

Grant Diagnostic Services access to your storage account

A BYOS storage account is linked to an Application Insights resource. Start by granting the Storage Blob Data Contributor role to the Microsoft Entra application named Diagnostic Services Trusted Storage Access via the Access Control (IAM) page in your storage account.

Select Access control (IAM).
Select Add > Add role assignment to open the Add role assignment page.
Assign the following role.

Setting Value

Role Storage Blob Data Contributor

Assign access to User, group, or service principal

Members Diagnostic Services Trusted Storage Access

Once assigned, you can see the role under the Role assignments section.

Setting	Value
Role	Storage Blob Data Contributor
Assign access to	User, group, or service principal
Members	Diagnostic Services Trusted Storage Access

Note

If you're also using Private Link, one more configuration is required to allow connection to our Trusted Microsoft Service from your virtual network. For more information, see Storage network security documentation.

Link your storage account with your Application Insights resource

You have three options for configuring BYOS for code-level diagnostics like the .NET Profiler and Snapshot Debugger:

Azure PowerShell cmdlets
The Azure CLI
Azure Resource Manager templates

Before you begin, install Azure PowerShell 4.2.0 or greater.

In the PowerShell terminal, install the Application Insights PowerShell extension.
```
Install-Module -Name Az.ApplicationInsights -Force
```
Sign in with your Azure account subscription.
```
Connect-AzAccount -Subscription "{subscription_id}"
```
For more information on how to sign in, see the Connect-AzAccount documentation.

Remove any previous storage account linked to your Application Insights resource.

Pattern:

Get-AzApplicationInsights -ResourceGroupName "{resource_group_name}" -Name "{application_insights_name}" | Remove-AzApplicationInsightsLinkedStorageAccount

Example:

Get-AzApplicationInsights -ResourceGroupName "byos-test" -Name "byos-test-westus2-ai" | Remove-AzApplicationInsightsLinkedStorageAccount

Connect your storage account with your Application Insights resource.

Pattern:

$storageAccount = Get-AzStorageAccount -ResourceGroupName "{resource_group_name}" -Name "{storage_account_name}"
New-AzApplicationInsightsLinkedStorageAccount -Name "{application_insights_name}" -LinkedStorageAccountResourceId $storageAccount.Id

Example:

$storageAccount = Get-AzStorageAccount -ResourceGroupName "byos-test" -Name "byosteststoragewestus2"
New-AzApplicationInsightsLinkedStorageAccount -Name "byos-test-westus2-ai" -LinkedStorageAccountResourceId $storageAccount.Id

Before you begin, install the Azure CLI.

Install the Application Insights CLI extension.
```
az extension add -n application-insights
```

Connect your storage account with your Application Insights resource.

Pattern:

az monitor app-insights component linked-storage link --resource-group "{resource_group_name}" --app "{application_insights_name}" --storage-account "{storage_account_name}"

Example:

az monitor app-insights component linked-storage link --resource-group "byos-test" --app "byos-test-westus2-ai" --storage-account "byosteststoragewestus2"

Expected output:

{
  "id": "/subscriptions/{subscription}/resourcegroups/byos-test/providers/microsoft.insights/components/byos-test-westus2-ai/linkedstorageaccounts/serviceprofiler",
  "linkedStorageAccount": "/subscriptions/{subscription}/resourceGroups/byos-test/providers/Microsoft.Storage/storageAccounts/byosteststoragewestus2",
  "name": "serviceprofiler",
  "resourceGroup": "byos-test",
  "type": "microsoft.insights/components/linkedstorageaccounts"
}

Note

For performing updates on the linked storage accounts to your Application Insights resource, see the Application Insights CLI documentation.

Create an Azure Resource Manager template file with the following content (byos.template.json):

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "applicationinsights_name": {
      "type": "String"
    },
    "storageaccount_name": {
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "name": "[concat(parameters('applicationinsights_name'), '/serviceprofiler')]",
      "type": "Microsoft.Insights/components/linkedStorageAccounts",
      "apiVersion": "2020-03-01-preview",
      "properties": {
        "linkedStorageAccount": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageaccount_name'))]"
      }
    }
  ],
  "outputs": {}
}

Run the following PowerShell command to deploy the preceding template:

Syntax:

New-AzResourceGroupDeployment -ResourceGroupName "{your_resource_name}" -TemplateFile "{local_path_to_arm_template}"

Example:

New-AzResourceGroupDeployment -ResourceGroupName "byos-test" -TemplateFile "D:\Docs\byos.template.json"

Provide the following parameters when you're prompted in the PowerShell console:

Parameter	Description
`application_insights_name`	The name of the Application Insights resource to enable BYOS.
`storage_account_name`	The name of the storage account resource that you use as your BYOS.

Expected output:

Supply values for the following parameters:
(Type !? for Help.)
application_insights_name: byos-test-westus2-ai
storage_account_name: byosteststoragewestus2

DeploymentName          : byos.template
ResourceGroupName      : byos-test
ProvisioningState       : Succeeded
Timestamp               : 4/16/2020 1:24:57 AM
Mode                    : Incremental
TemplateLink            :
Parameters              :
                          Name                            Type                       Value
                          ==============================  =========================  ==========
                          application_insights_name        String                     byos-test-westus2-ai
                          storage_account_name             String                     byosteststoragewestus2

Outputs                 :
DeploymentDebugLogLevel :

Enable the .NET Profiler or Snapshot Debugger on the workload of interest through the Azure portal. In this example, it's App Service > Application Insights.

Troubleshooting

For assistance with troubleshooting BYOS for, see the dedicated troubleshooting documentation for:

Frequently asked questions

This section provides answers to common questions about configuring BYOS for .NET Profiler and Snapshot Debugger.

If I enabled the .NET Profiler/Snapshot Debugger and BYOS, is my data migrated into my storage account?

No, it won't.

Does BYOS work with encryption-at-rest and customer-managed keys?

Yes. To be precise, BYOS is a requirement to have the .NET Profiler/Snapshot Debugger enabled with customer-manager keys.

Does BYOS work in an environment isolated from the internet?

Yes. BYOS is a requirement for isolated network scenarios.

Does BYOS work with both customer-managed keys and Private Link enabled?

Yes, it's possible.

If I enabled BYOS, can I go back to using Diagnostic Services storage accounts to store my collected data?

Yes, you can, but we don't currently support data migration from your BYOS.

Yes.

How is my storage account accessed?

Agents running in your virtual machines or Azure App Service upload artifacts (profiles, snapshots, and symbols) to blob containers in your account.

This process involves contacting the .NET Profiler or Snapshot Debugger to obtain a shared access signature token to a new blob in your storage account.
The .NET Profiler or Snapshot Debugger:
- Analyzes the incoming blob.
- Write back the analysis results and log files into blob storage.
Depending on available compute capacity, this process might occur anytime after upload.
When you view Profiler traces or Snapshot Debugger analysis, the service fetches the analysis results from blob storage.

Next steps

Troubleshoot BYOS for .NET Profiler and Snapshot Debugger
Learn more about Application Insights Profiler for .NET
Learn more about Snapshot Debugger

Share via

Configure Bring Your Own Storage (BYOS) for Application Insights Profiler for .NET and Snapshot Debugger

Prerequisites

Grant Diagnostic Services access to your storage account

Link your storage account with your Application Insights resource

Troubleshooting

Frequently asked questions

If I enabled the .NET Profiler/Snapshot Debugger and BYOS, is my data migrated into my storage account?

Does BYOS work with encryption-at-rest and customer-managed keys?

Does BYOS work in an environment isolated from the internet?

Does BYOS work with both customer-managed keys and Private Link enabled?

If I enabled BYOS, can I go back to using Diagnostic Services storage accounts to store my collected data?

After I enable BYOS, do I take over all the related costs of storage and networking?

How is my storage account accessed?

Next steps

Feedback

Additional resources