Chandrasekhar_Arya
Iron Contributor
Jul 03, 2023

Logging best practices consideration

Best practices for an optimal Log Analytics workspace design:

  • Use as few Log Analytics workspaces as possible, consolidate as much as you can into a “central” workspace

  • Avoid bandwidth costs by creating “regional” workspaces so that the sending Azure resource is in the same Azure region as your workspace

  • Explore Log Analytics RBAC options like “resource centric” and “table level” RBAC before creating a workspace based on your RBAC requirements

  • Consider “Table Level” retention when you need different retention settings for different types of data

  • Use ARM templates to deploy your Virtual Machines, including the deployment and configuration of the Log Analytics VM extension. Ensure alignment with Azure Policy assignments to avoid conflicts

  • Use Azure Policy to enforce compliance for installing and configuring Log Analytics VM extension. Ensure alignment with your DevOps team if using ARM templates

  • Avoid multi-homing, it can have undesired outcomes. Strive to resolve by applying proper RBAC

  • Be selective in installing Azure monitoring solutions to control ingestion costs
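The design checks the bullets above call for (workspace in the same region as the sending resource, no multi-homing, no workspace sprawl) can be run over an inventory export. The script below is an added example and not part of the original post; the inventory shape and field names are constructed assumptions, roughly what you would pull from Azure Resource Graph, not an official schema.

```python
"""Audit a Log Analytics workspace design against the guidance above."""
from collections import defaultdict

# Constructed sample inventory (assumed shape): each VM lists the workspace
# IDs its monitoring extension(s) send data to.
WORKSPACES = [
    {"id": "law-central-weu", "location": "westeurope"},
    {"id": "law-central-neu", "location": "northeurope"},
    {"id": "law-team-x", "location": "westeurope"},      # second workspace in same region
]

VMS = [
    {"name": "vm-web-01", "location": "westeurope", "workspaces": ["law-central-weu"]},
    {"name": "vm-db-01", "location": "northeurope", "workspaces": ["law-central-weu"]},  # cross-region egress
    {"name": "vm-app-01", "location": "westeurope", "workspaces": ["law-central-weu", "law-team-x"]},  # multi-homed
    {"name": "vm-orphan", "location": "westeurope", "workspaces": []},  # no extension configured
]


def audit(workspaces, vms):
    """Return findings keyed by the design rule they violate."""
    loc = {w["id"]: w["location"] for w in workspaces}
    findings = {"cross_region": [], "multi_homed": [], "unmonitored": [], "unknown_workspace": []}
    for vm in vms:
        targets = vm["workspaces"]
        if not targets:
            findings["unmonitored"].append(vm["name"])
        if len(targets) > 1:
            findings["multi_homed"].append(vm["name"])
        for ws in targets:
            if ws not in loc:
                findings["unknown_workspace"].append((vm["name"], ws))
            elif loc[ws] != vm["location"]:
                # Data leaves the VM's region: inter-region bandwidth is billed.
                findings["cross_region"].append((vm["name"], ws))
    # More than one workspace per region is a sprawl indicator worth reviewing.
    per_region = defaultdict(list)
    for w in workspaces:
        per_region[w["location"]].append(w["id"])
    findings["sprawl"] = {r: ids for r, ids in per_region.items() if len(ids) > 1}
    return findings


if __name__ == "__main__":
    for rule, hits in audit(WORKSPACES, VMS).items():
        print(f"{rule}: {hits}")
```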

Choosing the right technical design versus the right licensing model

In the on-premises world, a technical design would predominantly be CapEx driven. In a pay-as-you-go model - the Azure model - it is primarily OpEx driven. OpEx will more likely drive a Log Analytics workspace design based on the projection of costs related to data sent and ingested. This is a valid concern, but if wrongly addressed it can have a negative OpEx outcome because of the operational complexities of using the data in Azure Security Center or Azure Sentinel. The additional OpEx costs caused by operational complexities are often hidden and are less visible than your monthly bill. This document aims to address those complexities to help you make the right design choice.

Please refer to https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design for additional recommended reading.

Use as few Log Analytics workspaces as possible

Recommendation: Use one or more central (regional) workspace(s)

Having a single workspace is technically the best choice to make; it provides you the following benefits:

  • All data resides in one place

  • Efficient, fast and easy correlation of your data

  • Full support for creating analytics rules for Azure Sentinel

  • A single RBAC and delegation model to design

  • Simplified dashboard authoring, using Azure Workbooks, avoiding cross-workspace queries

  • Easier manageability and deployment of the Azure Monitor VM extension; you know which resource is sending data to which workspace

  • Prevents autonomous workspace sprawl

  • Clear licensing model, versus a mix of free and paid workspaces

  • Getting insights into costs and consumption is easier with one workspace

Having a single workspace also has the following (current) disadvantages:

  • Licensing model - this can be a disadvantage if you do not care about long-term storage of your data for specific data types*

  • All data share the same retention settings*

  • Configuring fine grained RBAC requires more effort

  • If data is sent from Virtual Machines outside the Azure data center region where your workspace resides, it will incur costs

  • Chargeback is harder than when every business unit has its own workspace

Avoid bandwidth costs by creating “Regional” workspaces

Recommendation: Locate your workspace in the same region as your Azure resources

If your Azure resources are deployed outside your Azure workspace region, additional bandwidth costs will negatively affect your monthly Azure bill.

All inbound (ingress) data transfers to Azure data centers from, for example, on-premises resources or other clouds, are free. However, Azure outbound (egress) data transfers from one Azure region to another Azure region, incur charges.

At the time of writing, there are 54 regions in 140 countries available. Please check this link for the latest updates.

All outbound traffic between regions is charged; pricing information can be found here. All inbound traffic is free of charge. For example, sending data from Europe West to Europe North will be charged.

Resources