Azure logs from different subscriptions

allen schroers 1

Our company has 9 Azure subscriptions - can we send logs from all 9 to a single IP address that is a collector inside Azure so it can send them to our on premise SIEM solution?

1 answer

James Westall 161 Reputation points

2021-03-04T07:31:12.667+00:00

Hey @allen schroers

You can most definitely ship logs to a remote location, provided you have access to the relevant configuration areas & your SIEM Supports shipping. The following links should provide some context.

Azure AD activity logs in Azure Monitor
Create diagnostic settings to send platform logs and metrics to different destinations

Cheers,

James

If my answer helped your problem, please select mark as answer.
Please sign in to rate this answer.
allen schroers 1 Reputation point

2021-03-04T15:38:59.05+00:00

My primary question has to do with not understanding how much separation there is with separate subscriptions; can separate subscriptions communicate with a single IP address in one Azure subscription or is each separate? Its more of an administration question, I know we can stand up log collectors in each of 9 subscriptions, I'm wondering if its possible to just have 1 log collection IP point and have all 9 send to it.

James Westall 161 Reputation points

2021-03-06T10:35:05+00:00

Hey Mate,

You could definitely do this, provided you apply appropriate network controls. For the purposes of your subscription understanding, it's best to think about subscriptions as a billing and identity boundary and NOT a network boundary. As they sit within a single tenant, resource communication between them is possible.

You have the following options:

Setup peering between subscription deployed virtual networks. Your subscription resources could all then forward to a single internal IP.

Configure a public IP for your forwarder. This would allow you to send logs from anywhere, provided you have network line of sight. Make sure to apply appropriate NSG rules on the service.

allen schroers 1 Reputation point

2021-03-06T22:13:36.697+00:00

Thanks for the detailed response. One aspect of which option to use pertains to cost and as such I assume the peering between subscriptions option would not incur outbound data charges as perhaps the public IP option might, am I correct in my assertions?

James Westall 161 Reputation points

2021-03-16T11:43:45.037+00:00

No worries @allen schroers

There would be a cost for both options. Azure costing can be a bit nebulous, and the answer is "It depends". The Microsoft costing for data movement is available here.

https://azure.microsoft.com/en-au/pricing/details/bandwidth/

Allen Schroers 1 Reputation point

2021-03-16T14:37:05.983+00:00

Do you know if there's outbound between subscriptions? If so, there would be 2X outbound using a single log collection point vs one in each subscription. Thank you
Sign in to comment