Friday, October 22, 2021


This is a continuation of an article that describes operational considerations for hosting solutions on Azure public cloud.

Log Analytics workspace design is not one-size-fits-all. The deployment options map to the centralized, decentralized or hybrid structures of IT in an organization. With centralized IT infrastructure, all logs are stored in a single workspace administered by one team, and Azure Monitor provides differentiated access per team. This is the easiest option to manage, and it supports searching across resources and cross-correlating logs. In the decentralized model, each department or team runs its own workspace in a resource group it owns and manages. The workspace can still be kept secure and access control kept consistent with resource access, but cross-correlating logs is difficult without a third-party log index; without a combined index, every added workspace requires the queries to be rewritten. In the hybrid model, both deployments run in parallel, which results in a complex, expensive and hard-to-maintain configuration. The Log Analytics workspace can be in any region, but the destination storage account or event hub must be in the same region as the workspace. The move from a centralized to a decentralized workspace is warranted only when cross-correlation queries are not required.

In all these cases, access to log data and workspaces must be managed. The workspace itself is managed through workspace permissions. Users who need log data from specific resources can be granted permission using Azure role-based access control (Azure RBAC), and users who need only specific tables in the workspace can be given restricted, table-level access. The access control mode is configured on the workspace from the Azure Portal.

The workspace context and the resource context grant different scopes of access. With the workspace context, all logs in the workspace can be accessed. The resource context is aimed at application teams: administrators of the monitored Azure resources can be granted access, and their view is restricted to the logs of the resources their role and scope cover.

Azure Monitor has an ingestion pipeline in addition to the Log Analytics workspace, and it can be set up with a central storage account. Incoming data feeds the ingestion pipeline, which then sends the data to the storage account or the event hub.
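The access-mode and export settings described above, as an added Bicep example that is not part of the original post: a workspace switched to the resource-context access mode, with a data export rule whose storage account destination is deployed in the same region as the workspace. The workspace and storage account names, the retention period and the exported tables are assumptions for illustration.

```bicep
// Added example (not from the original post): Log Analytics workspace in
// resource-context access mode plus a data export to a same-region storage account.
// Names, retention and the table list below are assumptions for illustration.
param location string = resourceGroup().location
param workspaceName string = 'law-central-example'   // assumed name
param storageAccountName string = 'stlawexport001'    // assumed name

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: { name: 'PerGB2018' }
    retentionInDays: 30
    features: {
      // true  = resource-context: users see only logs of resources they can read
      // false = workspace-context: workspace permissions grant access to all logs
      enableLogAccessUsingOnlyResourcePermissions: true
    }
  }
}

// The export destination must be in the same region as the workspace,
// so it reuses the same location parameter.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
  }
}

// Continuous export of selected tables to the storage account.
resource export 'Microsoft.OperationalInsights/workspaces/dataExports@2020-08-01' = {
  parent: workspace
  name: 'export-to-storage'
  properties: {
    destination: {
      resourceId: storage.id
    }
    tableNames: [
      'Heartbeat'
      'AzureActivity'
    ]
    enable: true
  }
}
```

Deploy with `az deployment group create` into the resource group that owns the workspace; table-level restrictions for individual users are then layered on with Azure RBAC role assignments rather than in this template.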

Design decisions depend on factors such as whether a central location holding all data is required, and whether there should be one workspace per application or each team should manage its own workspace. Data location, data retention, data access and data collection must all be decided to produce a streamlined data path. A good data path is short and clean.
