Our great sponsors
-
Enterprise-Scale
The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
We are deploying all our App Gateways in the hub subscription (a hub and spoke architecture). Occasionally, App Gateways are created without the diagnostic settings enabled on them (I know, this can be automated with IaC, but there more to it on a org level, and not worth discussing here, but yes, this could be a solution). However, I’m planning to use the following policy definition provided by the Azure Enterprise Scale project https://github.com/Azure/Enterprise-Scale/blob/main/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway.json I’ve imported it, tested, works. BUT, as of today all App Gateways are sitting in one resource group, meaning that when app/dev teams want to access the logs, they get to potentially view logs for others as well (different teams, countries etc.). Not sure how this could be a problem from a regulatory, compliance standpoint, but the IT team was thinking about splitting the App Gateways per individual resource groups scope to the countries (one rsg for country x, another for country y …) where people from subscription x would be granted access to only rsg x within the transit subscription. Each would then have a dedicated Log analytics workspace in that resource group (the central IT team would still have access to all logs, countries only scope with RBAC to the respective resource groups). I could then of course assign per resource group the above policy n-time to make sure that the parameters reflected in each policy assignment point to the correct Log Analytics workspace.