Feature Request: regional setup for monitoring #1716

Open
steph409 opened this issue Aug 2, 2024 · 5 comments

Comments

@steph409 commented Aug 2, 2024

Describe the solution you'd like

Many scenarios, e.g. regulatory or data compliance requirements, require a more fine-granular approach to logging. For instance, logs from the EU should be stored in Europe, while logs from the US should be stored in the US. It would be great if Enterprise-Scale would support such scenarios. A big milestone was added lately, where the diagnostic logs initiative now has a parameter resourceLocationList to specify which logs should go to the Log Analytics workspace.
This concept should be extended to Azure Monitor (using data collection rules) and Azure activity logs.

Activity logs are often most critical, as they contain PII. Is it possible to configure activity logs to stream to a specific LAW depending on the region the resource is in? Would you then set the activity log setting on each resource rather than on subscription level? What are the downsides from this?

Best regards,
Stephanie

@Springstone (Member) commented

Thanks @steph409! Great feedback. Will discuss on our next leads call and let you know the outcome, as it looks like this will need some validation and updates to guidance.

@Springstone (Member) commented

Hi @steph409. There isn't a pretty or easy way to implement this, however it is possible.
The easiest way to implement this would be to have management groups per regulated region and change the policies for each region's management groups. That way you can have all diag settings and activity logs go to a specific LAW using policy (Corp-EU mgmt group - assign all the diag/activity log policies to this management group pointing to a LAW in EU, etc.).
Otherwise, you would have to configure where, for example, activity logs get sent on a per-subscription basis (which would be a nightmare in large organizations); of course, this assumes that all resources in a subscription are bound to a specific region. I would not recommend going down to resource group level: it is way too easy to make mistakes, and impossible to automate.

@steph409 (Author) commented

Hi @Springstone,
thank you for taking the time to come up with a solution.

I don't think it is possible to have one management group in which only the resources of one region are. Let's say we have a connectivity subscription, where we deploy a vWAN. vWAN typically has hubs, which are in different regions. As far as I am aware, it is not possible to create the vWAN in one subscription but the hubs in other subscriptions and associate them to the vWAN. Now suppose my users connect to Azure using vWAN P2S, and I want to write those logs to regional workspaces: would this be possible with your solution? If yes, how?

@mundayn commented Aug 28, 2024

> which are in different regions. As far as I am aware, it is not possible to create the vWAN in one subscription, but the Hubs in other subscriptions and associate them to the vWAN

vWAN hubs are kept within the same RG/subscription as the vWAN.

But you can have different diagnostic logs per vHub, so you can send your Region A to Log Analytics A and Region B to Log Analytics B. See this article:
https://learn.microsoft.com/en-us/azure/virtual-wan/monitor-virtual-wan
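The following is an added example, not code from this issue or from the Enterprise-Scale repository. It models the two approaches discussed above: policy assignments scoped to one management group per regulated region with a resourceLocationList filter (Springstone's suggestion), and a diagnostic setting placed directly on each vHub (mundayn's suggestion). All management-group names, subscriptions, workspace IDs and resources are constructed sample data; the evaluation is a simplified stand-in for Azure Policy scoping, not the real engine. It shows where the management-group-only approach leaves a gap for a connectivity subscription whose hubs sit in several regions, and how a per-resource setting closes that gap.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Everything below is constructed sample data for illustration.

@dataclass(frozen=True)
class Resource:
    resource_id: str   # short label standing in for a full ARM resource ID
    location: str      # Azure region the resource is deployed in
    subscription: str  # owning subscription

@dataclass(frozen=True)
class Assignment:
    """A diagnostic-settings policy assignment at management-group scope.
    An empty resource_location_list means the assignment routes every region."""
    management_group: str
    workspace_id: str
    resource_location_list: FrozenSet[str] = frozenset()

# Constructed management-group tree (child -> parent) and subscription placement.
MG_PARENT: Dict[str, Optional[str]] = {
    "root": None, "platform": "root", "landingzones": "root",
    "corp-eu": "landingzones", "corp-us": "landingzones",
}
SUB_MG: Dict[str, str] = {
    "sub-connectivity": "platform",   # one subscription, vWAN hubs in several regions
    "sub-corp-eu-1": "corp-eu",
    "sub-corp-us-1": "corp-us",
}
# Residency zone of each region and of each workspace (constructed).
REGION_ZONE = {"westeurope": "eu", "northeurope": "eu", "eastus": "us", "westus": "us"}
WORKSPACE_ZONE = {"law-eu": "eu", "law-us": "us"}

RESOURCES = [
    Resource("vhub-weu", "westeurope", "sub-connectivity"),
    Resource("vhub-eus", "eastus", "sub-connectivity"),
    Resource("vm-eu", "westeurope", "sub-corp-eu-1"),
    Resource("vm-us", "eastus", "sub-corp-us-1"),
]
# One management group per regulated region, each pointing at its own workspace.
ASSIGNMENTS = [
    Assignment("corp-eu", "law-eu", frozenset({"westeurope", "northeurope"})),
    Assignment("corp-us", "law-us", frozenset({"eastus", "westus"})),
    Assignment("platform", "law-eu", frozenset({"westeurope", "northeurope"})),
]

def scope_chain(subscription: str) -> List[str]:
    """Management groups whose assignments apply to a subscription, nearest first."""
    chain, mg = [], SUB_MG.get(subscription)
    while mg is not None:
        chain.append(mg)
        mg = MG_PARENT.get(mg)
    return chain

def matching_assignments(res: Resource, assignments: List[Assignment]) -> List[Assignment]:
    """Assignments in scope for the resource whose location filter admits it."""
    chain = scope_chain(res.subscription)
    return [a for a in assignments
            if a.management_group in chain
            and (not a.resource_location_list or res.location in a.resource_location_list)]

def route_logs(resources, assignments, overrides=None) -> Dict[str, dict]:
    """Decide the destination workspace per resource. overrides maps a resource
    ID to a workspace configured directly on that resource (a per-hub diagnostic
    setting), which takes precedence over any policy assignment."""
    overrides = overrides or {}
    result = {}
    for res in resources:
        if res.resource_id in overrides:
            result[res.resource_id] = {"workspace": overrides[res.resource_id], "status": "override"}
            continue
        targets = sorted({a.workspace_id for a in matching_assignments(res, assignments)})
        if not targets:
            status, ws = "unrouted", None        # nothing applies: the logs go nowhere
        elif len(targets) > 1:
            status, ws = "conflict", targets[0]  # assignments disagree; review before deploying
        else:
            status, ws = "routed", targets[0]
        result[res.resource_id] = {"workspace": ws, "status": status}
    return result

def residency_violations(routing: Dict[str, dict], resources: List[Resource]) -> List[str]:
    """Resources whose logs would be stored outside their own residency zone."""
    bad = []
    for res in resources:
        ws = routing[res.resource_id]["workspace"]
        if ws is not None and WORKSPACE_ZONE[ws] != REGION_ZONE[res.location]:
            bad.append(res.resource_id)
    return bad

if __name__ == "__main__":
    policy_only = route_logs(RESOURCES, ASSIGNMENTS)
    print("policy only:", policy_only)
    print("unrouted:", [k for k, v in policy_only.items() if v["status"] == "unrouted"])
    fixed = route_logs(RESOURCES, ASSIGNMENTS, overrides={"vhub-eus": "law-us"})
    print("with per-hub setting:", fixed, "violations:", residency_violations(fixed, RESOURCES))
```

With the region-filtered assignment on the platform management group, the East US hub is left unrouted; widening that assignment to all regions routes it to the EU workspace and trips the residency check instead. Adding the per-hub setting resolves both, which is the reason a per-resource diagnostic setting remains necessary for the few resources (such as vWAN hubs) that one subscription must hold across regions.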
