This sample reference architecture demonstrates how to integrate OCI Logs, Events and Metrics with Microsoft Azure Cloud Observability services such as Azure Monitor and Microsoft Sentinel.
This architecture supports export of OCI Observability data to two Azure service destinations. Downstream Observability & SIEM services support integrations with one or the other.
Event Hubs is a fully managed, real-time data ingestion service that lets you build dynamic data pipelines capable of handling source events at scale.
Azure Monitor Data Platform is a comprehensive monitoring solution for collecting, analyzing, and responding to monitoring data from multi-cloud and on-premises environments. Azure Monitor's persistent store is the Log Analytics Workspace.
Choose whichever destination service is the more appropriate for your use case.
The Service Connector Hub supports a number of patterns for marshalling OCI logs, metrics, messages and streams to various targets for processing. This architecture uses OCI Functions as the target service. OCI Functions is a serverless platform that enables you to create, run, and scale business logic without managing any infrastructure.
Regardless of which Azure destination service you choose, you can use the following sample steps to set up OCI for testing these patterns. The following shows example IAM configurations that you need to have in place. These are examples ... You are strongly advised to consult your SecOps teams BEFORE DEPLOYING IN PRODUCTION ENVIRONMENTS.
Name: ABC
We recommend testing in a compartment built for this purpose. You will need to provision the following:
- Virtual Cloud Network
- Application + Function
- Service Connector
Name: functions-developers
Create a User Group to which developer-related policies can be assigned. If you are testing as a member of the Administrators group, this step can be skipped.
Here is a sample Policy that permits members of the functions-developers group to perform typical types of actions in OCI. If you are testing as a member of the Administrators group, this step can be skipped. Here are some common policies to review.
Allow group functions-developers to manage repos in tenancy
Allow group functions-developers to manage serviceconnectors in tenancy
Allow group functions-developers to manage logging-family in tenancy
Allow group functions-developers to manage functions-family in tenancy
Allow group functions-developers to use cloud-shell in tenancy
Allow group functions-developers to use virtual-network-family in tenancy
Allow group functions-developers to read metrics in tenancy
Create your VCN within the ABC compartment.
Functions must bind to a VCN subnet to communicate with Azure.
Best practice is to bind to a private subnet that reaches Azure resources through a NAT Gateway. The NAT Gateway also provides a fixed public IP, which you can allow-list on the Azure side for added security.
Create your Fn Application within the ABC compartment.
Fn Applications serve as collections of Functions. We have only one function here. Also, the Fn Application is where you configure your Function with the parameters it needs to connect with Azure.
We will need to build and deploy a function. This guide takes you through the process step by step. Complete the Quick Start guide on OCI Functions before proceeding.
If you need to export OCI Events to Azure, best practices call for using OCI Streaming as a durable store-and-forward mechanism. Use of an OCI Stream also means your Service Connector is doing 100% of the integrations work in terms of passing message payloads across to Azure. See Events and Notifications Strategy for more details.
The Service Connector Hub allows you to direct logs, events and raw metrics to the Function for processing. Create your Service Connector within the ABC compartment. Use this guide to understand how to set up a service connector for your chosen sources.
When creating your Service Connector, the Console presents the opportunity to CREATE REQUIRED POLICIES for the connections you have elected. You must accept these or create the Policies yourself manually.
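The Function sits between the Service Connector and Azure, so its first job is to take the batch the connector delivers and turn it into rows an Azure destination can ingest. The following is an added example, not code from this architecture's repository: the record shapes (an OCI log record with a `data`/`oracle` envelope, a raw metric record with `datapoints`) and the Azure-side column names are assumed, and the sample batch is constructed. The fdk entry point and the Azure client call are left out; `normalize_batch` is what such a handler would call.

```python
import json
from datetime import datetime, timezone

# Constructed sample batch in the shape Service Connector Hub is assumed to deliver
# to a Function: a JSON array mixing one log record and one raw metric record.
SAMPLE_BATCH = json.dumps([
    {"type": "com.oraclecloud.logging.custom.example", "source": "vcn-flow-example",
     "time": "2024-05-01T12:00:00.000Z",
     "data": {"action": "REJECT", "srcaddr": "10.0.1.5", "dstport": 22},
     "oracle": {"compartmentid": "ocid1.compartment.oc1..EXAMPLE", "logid": "ocid1.log.oc1..EXAMPLE"}},
    {"namespace": "oci_vcn", "name": "VnicToNetworkPackets",
     "compartmentId": "ocid1.compartment.oc1..EXAMPLE",
     "dimensions": {"resourceId": "ocid1.vnic.oc1..EXAMPLE"},
     "datapoints": [{"timestamp": 1714564800000, "value": 42.0, "count": 1},
                    {"timestamp": 1714564860000, "value": 17.0, "count": 1}]},
]).encode()

def classify(record: dict) -> str:
    """Tell a log record (data + oracle envelope) from a raw metric record (namespace + datapoints)."""
    if "datapoints" in record and "namespace" in record:
        return "metric"
    if "data" in record and "oracle" in record:
        return "log"
    return "unknown"

def _iso_from_millis(ms: int) -> str:
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat(
        timespec="milliseconds").replace("+00:00", "Z")

def normalize_batch(payload: bytes) -> list:
    """Flatten a connector batch into one row per observation, each carrying a TimeGenerated
    column (assumed Azure Monitor column name). Metric datapoints become individual rows;
    unknown records are kept raw rather than dropped, so nothing silently disappears."""
    body = json.loads(payload.decode("utf-8"))
    records = body if isinstance(body, list) else [body]   # a single object is also accepted
    rows = []
    for rec in records:
        kind = classify(rec)
        if kind == "log":
            rows.append({"TimeGenerated": rec["time"], "Kind": "log", "Source": rec.get("source"),
                         "Type": rec.get("type"), "CompartmentId": rec["oracle"].get("compartmentid"),
                         "Data": json.dumps(rec["data"], sort_keys=True)})
        elif kind == "metric":
            for dp in rec["datapoints"]:
                rows.append({"TimeGenerated": _iso_from_millis(dp["timestamp"]), "Kind": "metric",
                             "Namespace": rec["namespace"], "Metric": rec["name"],
                             "CompartmentId": rec.get("compartmentId"),
                             "Dimensions": json.dumps(rec.get("dimensions", {}), sort_keys=True),
                             "Value": dp["value"], "Count": dp.get("count", 1)})
        else:
            rows.append({"TimeGenerated": _iso_from_millis(0), "Kind": "unknown", "Raw": json.dumps(rec)})
    return rows
```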
Please see the OCI Tag Enrichment Task resource for details on how to accomplish this.
Please see these references for more details.
Copyright (c) 2014, 2024 Oracle and/or its affiliates. The Universal Permissive License (UPL), Version 1.0