terraform-azurerm-caf-enterprise-scale
Feature Request: Log Analytics instances in multiple regions
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
Is your feature request related to a problem? I have the requirement to use multiple Azure regions (i.e. UK South and UK West), and they may be deployed under the same MG structure. This means that in the Management Zone at least two Log Analytics instances should be deployed (as per Microsoft best practices), one for UK West and one for UK South. Currently the ESLZ (Enterprise Scale Landing Zone) approach forces all Azure resources, deployed in ANY region, to send their logs into the "only" Log Analytics instance that exists in the Management Zone.
Describe the solution you'd like: Extend the Management Zone to support the concept of "Regions": a user can provide a list of Azure regions (as a parameter) for the Management Zone, and the ESLZ Terraform module will take care of:
- Deploying a Log Analytics instance in each region provided by the user
- Configuring Azure Policy so that Azure resources send their logs to the "regional" Log Analytics instance (a custom policy will be required for this)
Additional context
Thank you for logging this request.
Because this module is designed around the recommended ALZ architecture and design patterns, we only support a central Log Analytics workspace. However, you can technically deploy only the management resources by setting `deploy_core_landing_zones = false` along with `deploy_management_resources = true` and using `default_location` (or the location settings within `configure_management_resources`) to target the desired location.
This would give you a consistent approach for deployment, and you could even standardise the `configure_management_resources` input when inheriting location from the `default_location` input variable.
However, as you rightly identify you would need to develop and deploy custom policies to ensure logs of each type are sent to the desired target Log Analytics workspace.
Another reason beyond our ALZ recommendations as to why we haven't developed this as a feature is because there are also variations on how this can be implemented depending on how an organisation operates. Some go for a Log Analytics workspace per location, whilst others align to larger geographical regions such as Americas, EMEA, and APAC. These variations would each require different solutions.
We also differentiate between logs for the platform (centralised) and then have guidance which allows for dedicated Log Analytics workspace(s) per application or application stack for APM. The former is what we're concerned with in ALZ, whilst the latter is operated by the individual application teams based on their requirements.
Happy to further consider and discuss your scenario, but hope this additional context helps.
Hi @giovannifl-wpp
Thank you for your feedback request.
This module is an implementation of the ALZ conceptual architecture, and the log analytics (Azure monitor logs) workspace recommendation is to have a single workspace.
Logging centralization drives reports about change management, service health, configuration, and most other aspects of IT operations. Focusing on a centralized workspace model reduces administrative effort and the chances for gaps in observability.
https://docs.microsoft.com/en-gb/azure/cloud-adoption-framework/ready/landing-zone/design-area/management-platform#inventory-and-visibility-recommendations
You are able to deploy multiple workspaces outside the context of this module. You may wish to consider the effect of this on the DeployIfNotExists policies that are used, adding a customization for resource location.
You can use multiple instances of this module to deploy management resources to multiple locations should this be of use.
- Linking this issue to #392 as this will make it easier to understand how to implement just the Management resources at different scopes
- Worth noting that at this point there is no intention of updating the policies needed for this scenario as it doesn't align to the ALZ recommended approach of a centralized Log Analytics workspace
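The "management resources only, one module instance per location" approach described in the two maintainer replies above, written out as an added Terraform example (this is not code from the module's documentation or from any participant in the thread). It assumes: the tenant root management group as `root_parent_id`, a single management subscription ID (placeholder value), a hypothetical `root_id` naming scheme that is varied per region because the module derives management resource names from `root_id` and two instances sharing one would collide, a module version pin chosen here for illustration, and an output name that should be checked against the module's own outputs. The per-region DeployIfNotExists policy wiring the maintainers describe is deliberately not included, since the thread says it has to be custom-built.

```hcl
# Added example (not the module's own docs). Deploys only the management
# resources of terraform-azurerm-caf-enterprise-scale once per region.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumption: pick the provider range the module version supports
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

locals {
  # The regions from the feature request; each one gets its own workspace.
  management_regions = toset(["uksouth", "ukwest"])

  # Placeholder: the subscription that hosts the management resources.
  management_subscription_id = "00000000-0000-0000-0000-000000000000"
}

# One module instance per region. The management group hierarchy, archetypes
# and policy assignments are deployed elsewhere, once; these instances only
# create the per-region management resources (workspace, automation account).
module "management_by_region" {
  for_each = local.management_regions

  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "~> 4.0" # assumption: pin to the release you have validated

  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm
    azurerm.management   = azurerm
  }

  root_parent_id = data.azurerm_client_config.current.tenant_id

  # Hypothetical naming. root_id must differ per instance: the module uses it
  # as the prefix for the management resource group and workspace names.
  root_id   = "myorg-${each.key}"
  root_name = "myorg ${each.key} management"

  # Management resources only, no core landing zone structure from here.
  deploy_core_landing_zones   = false
  deploy_management_resources = true
  subscription_id_management  = local.management_subscription_id

  # Inherited by configure_management_resources when its own location is left
  # unset, so the workspace for this instance lands in each.key.
  default_location = each.key
}

# Collect the per-region workspaces so the custom per-region policies the
# thread mentions can reference them. Output name assumed; verify it against
# the module's outputs.tf for the pinned version.
output "management_workspaces" {
  value = { for region, m in module.management_by_region : region => m.azurerm_log_analytics_workspace }
}
```

To add or drop a region, change only `local.management_regions`; each instance still needs the three provider aliases the module expects, and the per-region routing of diagnostic logs remains a custom policy exercise, exactly as the maintainers note.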
Thank you very much for the feedback and explanation. We'll investigate further.
We are leaving this open for tracking and are discussing the all-up ALZ architecture for this request.