Oct 09 2019 01:18 AM
Oct 09 2019 01:18 AM
Has anyone tried centralizing events\metric\logs from other tenants, into one Log Analytics workspace? Or using other Azure Services like Cosmos, and creating reports or alerts from here?
Having one centralized "management repository" for security events and performance counters++ from VM's will be pretty powerful.
I've tried out the following guide: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-collect-tenants
but as a CSP responsible for IaaS, PaaS to SaaS for our customer there must be an easier way.
Oct 09 2019 01:56 AM
My experience shows that management at scale should be done by tenant. This means that resources are created per tenant otherwise you will have problems in billing your customers correctly, access management, setup, etc.. Azure Lighthouse can you bring data together by projecting customer subscriptions under your tenant. That way you can use built-in Azure Monitor features where you can query information from multiple workspace.
Oct 09 2019 05:24 AM
thanks @Stanislav Zhelyazkov,
Regarding billing, access management and things like data retention will be managed and contained within customer's subscriptions with pre-configured policies or other rulesets when "built".
And depending on which way data is exported from the tenant will depict the extra cost.
- Outbound from the customer tenant will be an extra cost for the customer.
- Initiated data collection from our tenant will be an extra cost for us.
Referring to the where the arrows are pointing in the link I provided.
Maybe I'm over-complicating things. Is it possible for the customer's Microsoft Monitoring Agent to connect to our "management" tenant?
Oct 09 2019 05:33 AMSolution
@AzureSensei For me this is just not the right way and I think it is a road that is filled with many obstacles just because when services are designed for cross-tenant setup. Of course you are free to follow your on path. I cannot tell if every single integration in Azure will work in such scenario ( I am sure it will not work in some). For sure you can install Log Analytics agent on a VM located in one tenant and workspace in another tenant. That is possible because the agent connects to the workspace by ID and key so it works even for on-premises setups or in other clouds.
It is important to consider in such scenario overall management of these resources like the workspace. You can set retention per table but not per data. So if one of your customers wants 2 years but all others want default 30 days? What happens if particular customer due to compliance reasons does not want the data to be contained in the same resource? What happens if a customer leaves you as CSP and they want their data to be given to them? What happens if customer asks for certain data to be deleted as there is some performance penalty when data is deleted that will affect all your customers? This is just a small part of the example scenarios that you might meet if you take such decision. So it is good to sit down and consider all the scenarios that might apply to your existing or future customers and take decision based on if you are ready with solutions for those or not.