|
1 | 1 | --- |
2 | | -id: full-vnet-integration |
3 | | -title: Collect Logs from Azure Blob Storage with Full VNet Integration |
4 | | -sidebar_label: Collect Block Blob with Full VNet Integration |
5 | | -description: Configure a pipeline to ship logs from the Azure Blob Storage all throughout a VNet and then to an HTTP source on a hosted collector in Sumo Logic. |
| 2 | +id: block-blob-full-vnet-integration |
| 3 | +title: Collect logs from Azure Blob Storage with full Virtual Network (VNet) Integration |
| 4 | +sidebar_label: Collect block blob with full Virtual Network integration |
| 5 | +description: Configure a pipeline to ship logs from the Azure Blob Storage throughout the Virtual Network and then to an HTTP source on a hosted collector in Sumo Logic. |
6 | 6 | --- |
7 | 7 |
|
8 | 8 | import useBaseUrl from '@docusaurus/useBaseUrl'; |
9 | 9 |
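Review bot: changing `id` from `full-vnet-integration` to `block-blob-full-vnet-integration` changes the page's URL slug, so every sidebar entry and cross-link that references the old id, plus any external bookmark of the old path, breaks unless the old id is kept as `slug` or a redirect from the old path is added; please confirm which one this commit relies on. The title and sidebar_label rewrites are fine, but the new title capitalises `Integration` while the new sidebar_label writes `integration`; pick one form for both.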
|
10 | | -The current solution to bring the block blob data from a storage account in Sumo Logic creates a pipeline which assumes that the storage account being monitored will have public access enabled. If you just want your storage account behind a firewall, follow the instruction [here](/docs/send-data/collect-from-other-data-sources/azure-blob-storage/block-blob/collect-logs/#enabling-vnet-integration-optional). But if you want that all of the components which are created through the ARM template in Azure to be behind Azure VNet (this includes Event Hub, Azure functions, storage account, and Service Bus) then follow the below instructions: |
11 | | - |
12 | | -1. Download this template: [https://github.com/SumoLogic/sumologic-azure-function/blob/azure\_premium\_template\_vnet\_integration/BlockBlobReader/src/blobreaderdeploywithPremiumPlan.json](https://github.com/SumoLogic/sumologic-azure-function/blob/azure_premium_template_vnet_integration/BlockBlobReader/src/blobreaderdeploywithPremiumPlan.json). It creates Service Bus with Premium tier. |
13 | | -1. Create a Virtual Network (for example, `brvnet`), a subnet (`brsubnet`) and NSG (`brnsg`). <br/>Following is a screenshot of the Virtual Network. Only the storage service endpoint is required in the same subnet which is associated with the functions and storage accounts. <br/><img src={useBaseUrl('/img/send-data/blockblob/block-blob-vnet-creation.png')} alt="Virtual Network creation with storage service endpoint" style={{border: '1px solid gray'}} width="800" /><br/>Following is a screenshot of the NSG rules. Everything can be set to default.<br/><img src={useBaseUrl('/img/send-data/blockblob/block-blob-NSG-rules.png')} alt="NSG rules configuration" style={{border: '1px solid gray'}} width="800" /> |
14 | | -1. Enable VNet integration in all the function apps by going to **Function App > Networking > Outbound traffic configuration**. |
15 | | -<br/>Following is a screenshot of TaskConsumer VNet integration of the Function.<br/><img src={useBaseUrl('/img/send-data/blockblob/block-blob-task-consumer-with-vnet-integration-outbound.png')} alt="TaskConsumer VNet integration outbound configuration" style={{border: '1px solid gray'}} width="800" /><br/><img src={useBaseUrl('/img/send-data/blockblob/block-blob-vnet-in-task-consumer.png')} alt="VNet integration in TaskConsumer" style={{border: '1px solid gray'}} width="800" /> |
16 | | -1. You can restrict its access of the storage account containing flow logs to selected networks by going to **Storage Account > Networking**. The subnet of the storage account is the same as the subnet configured in the `SUMOBRTaskConsumer` and `SUMOBRDLQProcessor` VNet integration step. |
17 | | -<br/>Below is the screenshot of the storage account where NSG flow logs are stored. Even the IP addresses are not required to be whitelisted in the firewall (this we will fix in our docs).<br/><img src={useBaseUrl('/img/send-data/blockblob/block-blob-sa-flow-logs-networking.png')} alt="Storage account flow logs networking configuration" style={{border: '1px solid gray'}} width="800" /> |
18 | | -1. The storage account is the one created by the ARM template. You can restrict its access to selected networks by going to **Storage Account > Networking**.<br/><img src={useBaseUrl('/img/send-data/blockblob/block-blob-arm-template-sa-networking.png')} alt="ARM template storage account networking configuration" style={{border: '1px solid gray'}} width="800" /> |
19 | | -1. In all the three Azure functions you can restrict inbound traffic by going to **Function App > Networking > Inbound traffic configuration > Access restrictions** allowing only the subnet created in step 1. <br/><img src={useBaseUrl('/img/send-data/blockblob/block-blob-task-consumer-with-vnet-integration-inbound.png')} alt="TaskConsumer VNet integration inbound configuration" style={{border: '1px solid gray'}} width="800" /> |
20 | | -1. To enable functions to access the storage account created by the ARM template, you need to do the following steps: |
21 | | - 1. Select **Content storage** in **Configuration Routing** and select **Outbound internet traffic** under **Application routing** in Azure Function VNet integration for each function.<br/><img src={useBaseUrl('/img/send-data/blockblob/block-blob-function-networking-config.png')} alt="Function networking configuration" style={{border: '1px solid gray'}} width="800" /> |
22 | | - 1. Set **WEBSITE_CONTENTOVERVNET** to **1** in environment variables for each function.<br/><img src={useBaseUrl('/img/send-data/blockblob/block-setting-env-variable-function.png')} alt="Setting environment variable in function" style={{border: '1px solid gray'}} width="800" /> |
23 | | -1. Event Hub can restrict access to selected networks to the subnet created in step 1. Ensure that **Allow trusted Microsoft services to bypass this firewall** is set to **Yes**.<br/><img src={useBaseUrl('/img/send-data/blockblob/block-blob-event-hub-networking.png')} alt="Event Hub networking configuration" style={{border: '1px solid gray'}} width="800" /> |
24 | | -1. The event grid needs to be secured with managed identity so that it can access Event Hub. You need to do the following steps: |
25 | | - 1. Enable system-assigned identity for the topic.<br/><img src={useBaseUrl('/img/send-data/blockblob/block-blob-system-assigned-identity-topic.png')} alt="System-assigned identity for topic" style={{border: '1px solid gray'}} width="800" /> |
26 | | - 1. Add the identity to the Azure Event Hubs Data Sender role on the Event Hubs namespace under **Access Control > Role assignments**.<br/><img src={useBaseUrl('/img/send-data/blockblob/block-blob-event-hub-namespace-add-identity.png')} alt="Adding identity to Event Hub namespace" style={{border: '1px solid gray'}} width="800" /> |
27 | | - 1. Then, configure the event subscription that uses an Event Hub as an endpoint to use the system-assigned identity.<br/><img src={useBaseUrl('/img/send-data/blockblob/block-blob-event-hub-subscription-identity.png')} alt="Event Hub subscription identity configuration" style={{border: '1px solid gray'}} width="800" /> |
28 | | -1. The Service Bus created by ARM template is on standard tier, which does not support VNet integration. Follow the below steps to create a new Service Bus on the premium tier: |
29 | | - 1. Create new Service Bus namespace with the premium plan with the following: |
30 | | - 1. Same resource group as old Service Bus. |
31 | | - 1. Same location. |
32 | | - 1. Partition enabled. |
33 | | - 1. Public access for starting (under **Networking** tab). |
34 | | - 1. Once the Service Bus namespace is created, go to **Entity > queue** and create a new queue by the name "**blobrangetaskqueue**", with the following parameters: |
35 | | - - Max queue size: `40` |
36 | | - - Message size: `1024` |
37 | | - - Max delivery count: `3` |
38 | | - - Time to live: 14 days |
39 | | - - Message lock duration: 5 min |
40 | | - - Enable dead letter queue |
41 | | - 1. Update the connection string to the below format in all three Azure functions (Producer, consumer, and DLQ) from the newly created Service Bus on the premium tier under **Shared access policies**. There you can select the [RootManageSharedAccessKey](https://portal.azure.com/#) and copy the primary key from it as the value of `shared_access_key_value`: |
42 | | - `Endpoint=sb://<servicebus_namespace_name>.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=<shared_access_key_value>` |
43 | | - 1. Go to the newly created **Service Bus > networking**. Change public network access from all networks to selected networks, and select the VNet and subnet previously created and used with other resources. |
44 | | -1. Enable Service endpoints for below services in your VNet.<br/><img src={useBaseUrl('/img/send-data/blockblob/block-blob-service-endpoint-enabling-vnet.png')} alt="Enabling service endpoints in VNet" style={{border: '1px solid gray'}} width="800" /> |
45 | | -1. Go to **Function App > BlobTaskConsumer > Invocations**. You should be able to see below logs.<br/><img src={useBaseUrl('/img/send-data/blockblob/block-blob-validation.png')} alt="Block blob validation logs" style={{border: '1px solid gray'}} width="800" /> |
| 10 | +The current solution for ingesting block blob data from an Azure Storage Account into Sumo Logic sets up a pipeline that assumes public access is enabled on the storage account being monitored. |
| 11 | +If you prefer to restrict access and keep your storage account behind a firewall, refer to the instructions [here](https://help.sumologic.com/docs/send-data/collect-from-other-data-sources/azure-blob-storage/block-blob/collect-logs/#step-3-enabling-vnet-integration-optional). However, if your security requirements demand that all Azure resources deployed via the ARM template, including the Storage Account, Event Hub, Azure Functions, and Service Bus, are fully integrated with a Virtual Network, follow the steps outlined below. |
46 | 12 |
|
| 13 | +1. Download the ARM template [https://github.com/SumoLogic/sumologic-azure-function/blob/azure\_premium\_template\_vnet\_integration/BlockBlobReader/src/blobreaderdeploywithPremiumPlan.json](https://github.com/SumoLogic/sumologic-azure-function/blob/azure_premium_template_vnet_integration/BlockBlobReader/src/blobreaderdeploywithPremiumPlan.json) that provisions the required resources, including a premium-tier Service Bus. |
| 14 | +2. Create the following networking resources: |
| 15 | + - Virtual Network. For example, `brvnet`. |
| 16 | + :::note |
| 17 | + Only the Storage service endpoint associated with the functions and storage accounts is needed for the subnet. |
| 18 | + ::: |
| 19 | + <img src={useBaseUrl('/img/send-data/blockblob/block-blob-vnet-creation.png')} alt="Virtual Network creation with storage service endpoint" style={{border: '1px solid gray'}} width="800" /> |
| 20 | + - Subnet. For example, `brsubnet`. |
| 21 | + - Network Security Group (NSG). For example, `brnsg`. |
| 22 | + :::note |
| 23 | + NSG rules remain as default; no changes required. |
| 24 | + ::: |
| 25 | + <img src={useBaseUrl('/img/send-data/blockblob/block-blob-NSG-rules.png')} alt="NSG rules configuration" style={{border: '1px solid gray'}} width="800" /> |
| 26 | +3. Enable the Virtual Network integration on each function app by navigating to **Function App** > **Networking** > **Outbound Traffic Configuration**. |
| 27 | + <img src={useBaseUrl('/img/send-data/blockblob/block-blob-task-consumer-with-vnet-integration-outbound.png')} alt="TaskConsumer VNet integration outbound configuration" style={{border: '1px solid gray'}} width="800" /> |
| 28 | + <img src={useBaseUrl('/img/send-data/blockblob/block-blob-vnet-in-task-consumer.png')} alt="VNet integration in TaskConsumer" style={{border: '1px solid gray'}} width="800" /> |
| 29 | +4. Follow the steps below to restrict access to the Storage Account storing NSG flow logs, so that only certain networks can access it: |
| 30 | + 1. Navigate to **Storage Account** > **Networking** > **Firewalls and virtual networks**. |
| 31 | + 2. Choose the selected networks. |
| 32 | + 3. Select the same subnet that was configured for **SUMOBRTaskConsumer** and **SUMOBRDLQProcessor** during Virtual Networ integration. |
| 33 | + :::note |
| 34 | + No IP address whitelisting is needed. |
| 35 | + ::: |
| 36 | + <img src={useBaseUrl('/img/send-data/blockblob/block-blob-sa-flow-logs-networking.png')} alt="Storage account flow logs networking configuration" style={{border: '1px solid gray'}} width="800" /> |
| 37 | +5. Follow the steps below to restrict access to the ARM-created storage account, so that only certain networks can access it: |
| 38 | + 1. Navigate to **Storage Account** > **Networking**. |
| 39 | + 2. Choose the selected networks and allow access from your subnet. |
| 40 | + <img src={useBaseUrl('/img/send-data/blockblob/block-blob-arm-template-sa-networking.png')} alt="ARM template storage account networking configuration" style={{border: '1px solid gray'}} width="800" /> |
| 41 | +6. Configure the inbound restrictions on all three Azure Functions: |
| 42 | + 1. Navigate to **Function App** > **Networking** > **Inbound Traffic Configuration** > **Access Restrictions**. |
| 43 | + 2. Allow only the subnet you created in Step 2. |
| 44 | + <img src={useBaseUrl('/img/send-data/blockblob/block-blob-task-consumer-with-vnet-integration-inbound.png')} alt="TaskConsumer VNet integration inbound configuration" style={{border: '1px solid gray'}} width="800" /> |
| 45 | +7. For each function app, enable the function access to the Storage Account created by the ARM template by following the steps below: |
| 46 | + 1. Navigate to **Function App** > **Networking** > **VNet Integration** > **Configuration Routing**. |
| 47 | + 2. Select **Content storage**. |
| 48 | + 3. Select **Outbound internet traffic** under **Application routing**. |
| 49 | + <img src={useBaseUrl('/img/send-data/blockblob/block-blob-function-networking-config.png')} alt="Function networking configuration" style={{border: '1px solid gray'}} width="800" /> |
| 50 | + 4. Set `WEBSITE_CONTENTOVERVNET` to `1` in environment variables for each function. |
| 51 | + <img src={useBaseUrl('/img/send-data/blockblob/block-setting-env-variable-function.png')} alt="Setting environment variable in function" style={{border: '1px solid gray'}} width="800" /> |
| 52 | +8. Restrict access to **Service Bus** and **Event Hub** by following the steps below, so that only certain networks can access them: |
| 53 | + 1. Navigate to **Service** > **Networking**. |
| 54 | + 2. Set access to **Selected networks**, and select the previously created subnet in step 1. |
| 55 | + 3. Set **Allow trusted Microsoft services to bypass this firewall** to **Yes**. |
| 56 | + <img src={useBaseUrl('/img/send-data/blockblob/block-blob-event-hub-networking.png')} alt="Event Hub networking configuration" style={{border: '1px solid gray'}} width="800" /> |
| 57 | +9. Secure the Event Grid with managed identity to allow Event Grid to publish to Event Hub: |
| 58 | + 1. Enable **System assigned** identity on the Event Grid Topic. |
| 59 | + <img src={useBaseUrl('/img/send-data/blockblob/block-blob-system-assigned-identity-topic.png')} alt="System-assigned identity for topic" style={{border: '1px solid gray'}} width="800" /> |
| 60 | + 2. Assign the identity to the Azure Event Hubs Data Sender role on the Event Hub namespace under **Access Control (IAM)** > **Role Assignments**. |
| 61 | + <img src={useBaseUrl('/img/send-data/blockblob/block-blob-event-hub-namespace-add-identity.png')} alt="Adding identity to Event Hub namespace" style={{border: '1px solid gray'}} width="800" /> |
| 62 | + 3. Configure the Event Grid subscription that uses an **Event Hub** as an endpoint and choose **System Assigned** identity for authentication. |
| 63 | + <img src={useBaseUrl('/img/send-data/blockblob/block-blob-event-hub-subscription-identity.png')} alt="Event Hub subscription identity configuration" style={{border: '1px solid gray'}} width="800" /> |
| 64 | +10. Ensure your Virtual Network has service endpoints enabled for: |
| 65 | + - Storage |
| 66 | + - Service Bus |
| 67 | + - Event Hub |
| 68 | + <img src={useBaseUrl('/img/send-data/blockblob/block-blob-service-endpoint-enabling-vnet.png')} alt="Enabling service endpoints in VNet" style={{border: '1px solid gray'}} width="800" /> |
| 69 | +11. To validate the function execution, navigate to **Function App** > **BlobTaskConsumer** > **Monitoring** > **Invocations**. |
| 70 | + :::note |
| 71 | + You should see the invocation logs if everything is correctly configured. |
| 72 | + ::: |
| 73 | + <img src={useBaseUrl('/img/send-data/blockblob/block-blob-validation.png')} alt="Block blob validation logs" style={{border: '1px solid gray'}} width="800" /> |
| 74 | +12. Replace the standard Service Bus with a premium tier. |
| 75 | + :::note |
| 76 | + The Service Bus provisioned via the current ARM template is configured with the standard tier, which does not support Virtual Network integration. To enable Virtual Network integration, it is recommended to create a new Service Bus with the premium tier. |
| 77 | + ::: |
| 78 | + Follow the steps below to create a new Service Bus on the premium tier: |
| 79 | + a. Create a new premium Service Bus namespace: |
| 80 | + 1. Use the same resource group and location as the old Service Bus. |
| 81 | + 2. Enable partitioning. |
| 82 | + 3. Initially allow public access (can restrict later). |
| 83 | + b. Create a new queue named `blobrangetaskqueue` with the following parameters: |
| 84 | + 1. Maximum queue size: 40 GB |
| 85 | + 2. Maximum message size: 1024 KB |
| 86 | + 3. Maximum delivery count: 3 |
| 87 | + 4. Time to live: 14 days |
| 88 | + 5. Message lock duration: 5 minutes |
| 89 | + 6. Enable the dead letter queue. |
| 90 | + c. Update the connection strings in all three functions (Producer, Consumer, DLQ): |
| 91 | + Under **Shared access policies**, select the [RootManageSharedAccessKey](https://portal.azure.com/#) and copy the primary key from the newly created Service Bus on the premium tier as the value of `shared_access_key_value`: |
| 92 | + `Endpoint=sb://<servicebus_namespace_name>.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=<shared_access_key_value>` |
| 93 | + d. Restrict Public Access: |
| 94 | + 1. Navigate to **Service Bus** > **Networking**. |
| 95 | + 2. Set **Public** network access to **Selected** networks. |
| 96 | + 3. Choose the subnet created earlier. |
47 | 97 |
|
48 | 98 | ### References |
49 | 99 |
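Review bot: the new step order contradicts its own note: step 12 ("Replace the standard Service Bus with a premium tier") states that the ARM-created standard-tier Service Bus does not support Virtual Network integration, yet step 8 already restricts the Service Bus to selected networks, step 10 enables its service endpoint, and step 11 validates invocations before the queue has been swapped. Move the premium namespace creation (12a to 12c) ahead of the current step 8, fold 12d into step 8 (they restrict the same resource twice), and make the validation step the last one so the procedure can be followed top to bottom. Further points, in order of appearance: the intro link was changed from the relative `/docs/...` path to an absolute `https://help.sumologic.com/docs/...` URL; the relative form is checked by the Docusaurus build and works on preview deployments, so keep it, and verify that the new `#step-3-enabling-vnet-integration-optional` anchor exists on the target page, since the old anchor was `#enabling-vnet-integration-optional`. The step 2 note "Only the Storage service endpoint ... is needed for the subnet" conflicts with step 10, which requires Storage, Service Bus and Event Hub endpoints on the same VNet; reword or drop the step 2 note. Step 4.3 has a typo, "Virtual Networ". Step 8.1 "Navigate to **Service** > **Networking**" drops the resource name and the step covers both Service Bus and Event Hub, so spell out both, and step 8.2 says "subnet in step 1" while the subnet is created in step 2 (step 6.2 already says Step 2). In step 12 the `a.`/`b.`/`c.`/`d.` prefixes are not Markdown list markers, so they render as plain paragraphs and the numbered sub-steps beneath them lose their nesting; use nested `1.` items as the rest of the list (and the removed text) does. Step 12c tells the reader to copy the primary key of `RootManageSharedAccessKey`, which is the namespace-level policy carrying Manage, Send and Listen rights, into all three function apps; from a least-privilege standpoint the doc should recommend a policy scoped to `blobrangetaskqueue` with only the right each function needs (Send for the producer, Listen for the consumer and DLQ processor) and state that the connection string belongs in application settings (a Key Vault reference where possible) rather than being pasted into code. The link on `RootManageSharedAccessKey` also points at `https://portal.azure.com/#`, the portal root, which helps nobody; drop it or link to the namespace's Shared access policies blade.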
|
|