If you ingest over 1Tb per day into your Azure Sentinel workspace and/or have multiple Azure Sentinel workspaces in your Azure enrolment, you may want to consider migrating to a dedicated cluster, a recent addition to the deployment options for Azure Sentinel.
NOTE: Although this blog refers to a “dedicated cluster for Azure Sentinel”, the dedicated cluster being referred to is for Log Analytics, the underlying data store for Azure Sentinel. You may find that linked official documents refer to Azure Monitor; Log Analytics is part of the wider Azure Monitor platform.
A dedicated cluster in Azure Sentinel does exactly what it says: you are given dedicated hardware in an Azure data center to run your Azure Sentinel instance. This enables several scenarios:
Additionally, multiple Azure Sentinel workspaces can be added to a dedicated cluster. There are several advantages to using a dedicated cluster from a Sentinel perspective:
There are some considerations and limitations for using dedicated clusters:
The max number of clusters per region and subscription is 2.
The maximum of linked workspaces to cluster is 1000.
You can link a workspace to your cluster and then unlink it. The number of workspace link operations on particular workspace is limited to 2 in a period of 30 days.
Cluster move to another resource group or subscription isn't supported at the time of writing this article.
Workspace link to cluster will fail if it is linked to another cluster.
The great news is that you can retrospectively migrate to a dedicated cluster, so if this feature looks like it would be useful to your organization, you can find more information and migration steps here.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.