Dedicated clusters for Azure Monitor Log Analytics with data encryption at rest and Lockbox
Published date: September 22, 2020
Log Analytics dedicated clusters from Azure Monitor are available for production deployment (registration is required to ensure capacity), supporting high-scale and advanced scenarios such as data encryption at rest with Customer-Managed Keys (CMK) and Lockbox. A dedicated cluster is a collection of workspaces rolled into a single managed cluster, which can be used to better handle large-scale deployments. A cluster contains only the workspaces that you select, and you also benefit from cluster-level capacity reservation (starting at 1000 GB/day) with discounted pricing.
- Data Encryption at Rest: Azure Monitor ensures that all data and saved queries are encrypted at rest using Microsoft-managed keys (MMK). Azure Monitor also provides an option for encryption using your own key, which is stored in your Azure Key Vault and accessed by storage using system-assigned managed identity authentication. This key (CMK) can be either software-protected or hardware HSM-protected, and the option is available only for dedicated clusters.
- Lockbox: Lockbox is provided on the Log Analytics dedicated cluster, where data is kept in storage accounts under your Lockbox-protected subscription. Lockbox gives you control, allowing you to approve or reject a Microsoft engineer's request to access your data during a support request.
Some other benefits you can take advantage of with dedicated clusters:
- Rate limit: Higher ingestion rate limits are available only on a dedicated cluster.
- Consistency: You have your own dedicated resources, so performance and latency are consistent.
- Speed: Cross-workspace queries run faster if all workspaces are on the same cluster.