Setting Azure Blob Storage Permissions

You can archive your logs for long-term storage by sending them to a Microsoft Azure Storage container.

Minimal permissions

Logz.io will need the following:

  • Storage Blob Data Contributor permissions to archive data to a Microsoft Azure Storage account.
  • Storage Blob Data Reader permissions to restore data from a Microsoft Azure Storage account.

Setting up a Storage container and App registration

Before you begin, you'll need permission to manage a Storage container and App registration in Microsoft Azure.

1. Create an App registration

Open your Azure Portal. Select Azure Active Directory > App registrations from the left menu.

If you have an existing App registration you can use, select it. Otherwise create a new one.

Click + New registration to create an App registration. Name it, leave the default settings and click Register.

2. Copy the App registration parameters

The App Overview page provides two of the credentials required to fill in the form in Logz.io: Application (client) ID and Directory (tenant) ID.

Copy them for future reference.

3. Create & copy the Client secret password

On the same App registration page, select Certificates & secrets from the left menu. Click + New client secret to create a new one. Select a time frame for its expiration, add a description, and click Add.

Copy the secret for future reference. (Note that the password value will not be available once you leave the page.)

note

If the secret is set to expire, you will need to remember to renew the credentials and reconfigure archiving in Logz.io!

4. Create a Storage account

Click the main menu in the top-left corner, and select Storage account.

If you have an existing Storage account you can use, select it. Otherwise create a new one.

Click + Create to create a new account.

5. Create a Storage container

In the Storage account, create a storage container (or select an existing one).

6. Assign App & role to your Storage container

Still on the Storage container page, select Access Control (IAM) from the left menu.

Select Add role assignments.

Fill in the form:

  • Role - Select Storage Blob Data Contributor.
  • Assign access to - Leave the defaults unchanged. They should be User, group, or service principal.
  • Select - Start typing the name of the app and select it from the dropdown list.
  • Click Save.
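
Steps 1 to 6 above can also be carried out with the Azure CLI, which makes the scope of the role assignment explicit: the app gets Storage Blob Data Contributor on one container only. This script is an added example, not Logz.io's own tooling; the resource group, location, account, container and app names are placeholders passed as arguments, and it assumes an az session that is already logged in with rights to create these resources.

```shell
#!/usr/bin/env bash
# Added example: steps 1-6 of this page with the Azure CLI.
# Every name passed in is a placeholder chosen by the operator.
set -eu

# Resource ID of a single blob container. Using it as the role scope limits
# the app to this container instead of the whole account or subscription.
container_scope() {  # args: subscription-id resource-group account container
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s\n' \
    "$1" "$2" "$3" "$4"
}

setup_archive_app() {  # args: resource-group location account container app-name
  local rg="$1" loc="$2" account="$3" container="$4" app="$5"
  local sub tenant app_id secret scope
  sub=$(az account show --query id -o tsv)
  tenant=$(az account show --query tenantId -o tsv)

  # Steps 1-2: App registration plus the service principal that receives the role.
  app_id=$(az ad app create --display-name "$app" --query appId -o tsv)
  az ad sp create --id "$app_id" >/dev/null

  # Step 3: client secret valid for one year. The value is returned only once.
  secret=$(az ad app credential reset --id "$app_id" --years 1 --query password -o tsv)

  # Steps 4-5: storage account and container (created through the management plane).
  az storage account create -n "$account" -g "$rg" -l "$loc" --sku Standard_LRS >/dev/null
  az storage container-rm create --storage-account "$account" -g "$rg" -n "$container" >/dev/null

  # Step 6: role assignment scoped to the container.
  scope=$(container_scope "$sub" "$rg" "$account" "$container")
  az role assignment create --assignee "$app_id" \
    --role "Storage Blob Data Contributor" --scope "$scope" >/dev/null

  # The three values the Logz.io archive form asks for in step 7.
  printf 'tenant_id=%s\nclient_id=%s\nclient_secret=%s\n' "$tenant" "$app_id" "$secret"
}

# Runs only when invoked as: ./setup.sh run <rg> <location> <account> <container> <app-name>
if [ "${1:-}" = "run" ]; then shift; setup_archive_app "$@"; fi
```

The script prints the client secret to the terminal, so run it where the output is not logged and move the value straight into the Logz.io form or a secrets store.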

7. Configure Logz.io Archive & Restore

Open your Logz.io app.

In the Archive configuration tab, select the Azure tab, and fill in the form with the credentials you created and copied in the previous steps.

Rehydrate Azure Blob Archive

If you're using the Azure Blob Archive tier, there is an additional step you need to take before you can search the archived data or restore it to Logz.io.

Azure Blob Archive tier is an offline tier mainly used to store data you rarely need access to. If you want to read or modify its data, you will need to rehydrate the blob to an online tier, and set it to either Hot or Cool.

To access data stored in the archive tier, you'll need to rehydrate it through one of the following options:

  • Copy an archived blob to an online tier - Use the Copy Blob option to copy it to a Hot or Cool tier. This is Microsoft's recommended option for most scenarios.
  • Change an archived blob's access tier to an online tier - Use the Set Blob option to change the tier to Hot or Cool, which will rehydrate an archived blob. This option usually takes a few hours to complete.

Read more about rehydrating a blob in Microsoft's Blob rehydration from the Archive tier guide.

Allowlist IPs per region

If your Logz.io account is hosted in an AWS region and you wish to archive to an Azure Cloud Service, you will need to allowlist AWS IP addresses to enable this functionality.

If necessary, allowlist the relevant IPs in your firewalls. These depend on the region where your Logz.io account is hosted. For accounts hosted in the Azure regions West Europe (Netherlands) or West US 2 (Washington), contact our Customer Success team to discuss your requirements.

note

The us-east-1 IP address has recently changed. Make sure you update your configuration accordingly to ensure uninterrupted access to Logz.io.

Region            Allowlisted IP    Cloud
us-east-1         3.218.102.38      AWS
eu-central-1      52.28.84.118      AWS
ca-central-1      3.97.162.114      AWS
eu-west-2         18.168.65.253     AWS
ap-southeast-2    3.104.195.194     AWS
ap-northeast-1    54.238.45.227     AWS

note

Azure Hosting is now deprecated; however, Azure Shipping and Azure Marketplace remain active and will continue to be supported.