Open steph409 opened 3 months ago
Thanks @steph409! Great feedback. Will discuss on our next leads call and let you know the outcome, as it looks like this will need some validation and updates to guidance.
Hi @steph409. There isn't a pretty or easy way to implement this, however it is possible. The easiest way to implement this would be to have management groups per regulated region and change the policies for each region's management groups. That way you can have all diag settings and activity logs go to a specific LAW using policy (Corp-EU mgmt group - assign all the diag/activity log policies to this management group pointing to a LAW in EU, etc.). Otherwise, you would have to configure where, for example, activity logs get sent on a per-subscription basis (which would be a nightmare in large organizations); of course this assumes that all resources in a subscription are bound to a specific region. I would not recommend going down to resource group level, way too easy to make mistakes, and impossible to automate.
Hi @Springstone, thank you for taking the time to come up with a solution.
I don't think it is possible to have one management group in which only the resources of one region are. Let's say we have a connectivity subscription, where we deploy a vWAN. vWAN typically has hubs, which are in different regions. As far as I am aware, it is not possible to create the vWAN in one subscription, but the hubs in other subscriptions, and associate them to the vWAN. Now, if my users connect to Azure using vWAN P2S, let's say I want to write those logs to regional workspaces - would this be possible with your solution? If yes, how?
> which are in different regions. As far as I am aware, it is not possible to create the vWAN in one subscription, but the Hubs in other subscriptions and associate them to the vWAN
vWAN HUBs are kept within the same RG/Sub as the vWAN.
But you can have different diagnostic logs per vHUB - so you can send your Region A to Log Analytics A and Region B to Log Analytics B - See this article: https://learn.microsoft.com/en-us/azure/virtual-wan/monitor-virtual-wan
Resource Selectors on assignments are a good fit here https://learn.microsoft.com/en-us/azure/governance/policy/concepts/assignment-structure#resource-selectors
@steph409 do the workarounds provided help you? Doing this at scale in ALZ would be very challenging, as we do this with policy assigned at management group scopes. However, customizing assignments with resource selectors would allow you to be more specific when logging. Kindly advise if we can close.
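The resource-selector approach above, written out as an added example (not code from the ALZ repository): one assignment of the diagnostic-settings initiative per regulated region at a single management group, each limited by a `resourceLocation` selector to that region's Azure locations and pointing at that region's workspace. The policy set ID, the `logAnalytics` parameter name and the workspace IDs are placeholders to replace with the real initiative's values. Note that activity log settings are applied to the subscription, which has no location, so this selector does not help there; that case remains per subscription or per management group as described earlier in the thread.

```bicep
// Added example, not part of the ALZ project. All IDs are placeholders.
targetScope = 'managementGroup'

@description('Resource ID of the diagnostic-settings policy set definition (placeholder).')
param policySetDefinitionId string

// Constructed mapping: regulated region -> Azure locations -> regional workspace.
var regions = [
  {
    name: 'eu'
    locations: [ 'westeurope', 'northeurope' ]
    workspaceId: '/subscriptions/<eu-sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<eu-law>'
  }
  {
    name: 'us'
    locations: [ 'eastus', 'westus2' ]
    workspaceId: '/subscriptions/<us-sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<us-law>'
  }
]

// One assignment per region; both live on the same management group.
resource diagAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = [for region in regions: {
  name: 'Deploy-Diag-${region.name}'
  // Location of the managed identity used by DeployIfNotExists remediation.
  location: region.locations[0]
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    displayName: 'Deploy diagnostic settings to ${region.name} workspace'
    policyDefinitionId: policySetDefinitionId
    parameters: {
      // Placeholder parameter name; use the initiative's real workspace parameter.
      logAnalytics: {
        value: region.workspaceId
      }
    }
    // The selector restricts this assignment to resources deployed in the region's
    // locations, so an EU resource is never evaluated against the US assignment.
    resourceSelectors: [
      {
        name: 'RegionScope'
        selectors: [
          {
            kind: 'resourceLocation'
            in: region.locations
          }
        ]
      }
    ]
  }
}]
```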
Describe the solution you'd like
Many scenarios, e.g. regulatory or data compliance requirements, require a more fine-grained approach to logging. For instance, logs from the EU should be stored in Europe, while logs from the US should be stored in the US. It would be great if enterprise scale would support such scenarios. A big milestone was added lately, where the diagnostic logs initiative now has a parameter resourceLocationList to specify which logs should go to the Log Analytics workspace. This concept should be extended to Azure Monitor (using data collection rules) and Azure activity logs.
Activity logs are often most critical, as they contain PII. Is it possible to configure activity logs to stream to a specific LAW depending on the region the resource is in? Would you then set the activity log setting on each resource rather than at subscription level? What are the downsides of this?
Best regards, Stephanie