Setting Azure Blob Storage Permissions
You can archive your logs for long-term storage by sending them to a Microsoft Azure Storage container.
Logz.io will need the following:
- Storage Blob Data Contributor on the container, to archive (write) data to a Microsoft Azure Storage account.
- Storage Blob Data Reader on the container, to restore (read) data from a Microsoft Azure Storage account. Contributor already includes read, so assigning Contributor alone (as in step 6 below) covers both archive and restore.
Setting up a Storage container and App registration
Before you begin, you'll need: permission to create App registrations and to manage Storage accounts and containers in Microsoft Azure. Step 6 creates a role assignment, which requires Owner or User Access Administrator on the storage account; Contributor alone cannot assign roles.
1. Create an App registration
Open the Azure Portal. Select Azure Active Directory (now Microsoft Entra ID) > App registrations from the left menu.
If you have an existing App registration you can use, select it. Otherwise create a new one.
Click + New registration to create an App registration. Name it, leave the default settings, and click Register.
2. Copy the App registration parameters
The app's Overview page provides two of the three values the Logz.io form asks for: Application (client) ID and Directory (tenant) ID.
Copy them for later.
3. Create & copy the Client secret password
On the same App registration page, select Certificates & secrets from the left menu and click + New client secret. Add a description, choose an expiry period, and click Add.
Copy the secret value immediately: it is shown only once and cannot be retrieved after you leave the page.
Every client secret expires. Record the expiry date, rotate the secret before then, and update the archive configuration in Logz.io with the new value; archiving and restore stop working once the secret lapses.
4. Create a Storage account
Click the main menu in the top-left corner and select Storage accounts.
If you have an existing Storage account you can use, select it. Otherwise create a new one.
Click + Create to create a new account.
5. Create a Storage container
In the Storage account, create a storage container (or select an existing one).
6. Assign App & role to your Storage container
Still on the Storage container page, select Access Control (IAM) from the left menu.
Select Add > Add role assignment.
Fill in the form:
- Role - Select Storage Blob Data Contributor. Assigning it here, at container scope rather than on the whole storage account, limits the app to this one container.
- Assign access to - Leave the default, User, group, or service principal.
- Select - Start typing the name of the app and select it from the dropdown list.
- Click Save.
7. Configure Logz.io Archive & Restore
Open your Logz.io app.
In the Archive configuration tab, select the Azure tab, and fill in the form with the credentials you created and copied in the previous steps.
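The Azure side of steps 1 to 6 as one Azure CLI script, ending with the three values step 7 asks for. This is an added example, not code from the Logz.io page or Logz.io's own tooling. It assumes az CLI 2.37 or later (Microsoft Graph based `az ad` commands), an `az login` identity that may create app registrations, resource groups and storage accounts and that holds Owner or User Access Administrator on the target (for the role assignment), and the placeholder script name `logzio-azure-setup.sh`; the resource and app names are whatever you pass in.

```shell
#!/usr/bin/env bash
# Steps 1 to 6 of the page as one Azure CLI script. Added example, not Logz.io's
# own tooling. Assumes az CLI >= 2.37 and an `az login` identity with rights to
# create app registrations, resource groups and storage accounts, holding Owner
# or User Access Administrator on the target (needed for the role assignment).
# Usage: ./logzio-azure-setup.sh <subscription-id> <resource-group> <location> <storage-account> <container> <app-name>
set -euo pipefail

# Resource ID of a blob container, used as the role-assignment scope: the
# service principal gets Storage Blob Data Contributor on that one container,
# not on every container in the account.
container_scope() {
  local sub="$1" rg="$2" account="$3" container="$4"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s\n' \
    "$sub" "$rg" "$account" "$container"
}

provision() {
  local sub="$1" rg="$2" location="$3" account="$4" container="$5" app_name="$6"
  local app_id sp_id tenant_id secret
  az account set --subscription "$sub"

  # Steps 1 to 3: app registration, its service principal, one client secret.
  app_id=$(az ad app create --display-name "$app_name" --query appId -o tsv)
  sp_id=$(az ad sp create --id "$app_id" --query id -o tsv)
  tenant_id=$(az account show --query tenantId -o tsv)
  # Secrets always expire; this one after one year. Schedule the rotation now:
  # Logz.io archiving and restore stop when the secret lapses.
  secret=$(az ad app credential reset --id "$app_id" --years 1 --query password -o tsv)

  # Steps 4 and 5: storage account and container. Hardened defaults the page
  # does not mention: HTTPS only, TLS 1.2 minimum, no anonymous blob access.
  az group create --name "$rg" --location "$location" -o none
  az storage account create --name "$account" --resource-group "$rg" --location "$location" \
    --kind StorageV2 --sku Standard_LRS --https-only true --min-tls-version TLS1_2 \
    --allow-blob-public-access false -o none
  # container-rm is the management-plane command, so the caller needs neither
  # a data-plane role nor the account key.
  az storage container-rm create --resource-group "$rg" --storage-account "$account" --name "$container" -o none

  # Step 6: role assignment on the container. Passing the object ID and
  # principal type skips the directory lookup that can fail while the new
  # service principal is still replicating.
  az role assignment create --role "Storage Blob Data Contributor" \
    --assignee-object-id "$sp_id" --assignee-principal-type ServicePrincipal \
    --scope "$(container_scope "$sub" "$rg" "$account" "$container")" -o none

  # Step 7: the values the Logz.io form asks for. The secret is shown once;
  # paste it into Logz.io, then clear the terminal scrollback.
  printf 'Directory (tenant) ID:   %s\nApplication (client) ID: %s\nClient secret:           %s\nStorage account:         %s\nContainer:               %s\n' \
    "$tenant_id" "$app_id" "$secret" "$account" "$container"
}

if [ "$#" -eq 6 ]; then provision "$@"; fi
```

Run it once per Logz.io account; re-running `az ad app credential reset` issues a new secret and invalidates the old one, which is also how you rotate before expiry.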
Rehydrate Azure Blob Archive
If your blobs are in the Azure Archive tier, there is an additional step before Logz.io can search or restore them.
The Archive tier is an offline tier for data you rarely need to access: a blob stored in it cannot be read or modified until it is rehydrated to an online tier, Hot or Cool.
You can rehydrate archived data in one of two ways:
- Copy an archived blob to an online tier - Use the Copy Blob operation to copy it to a new blob in the Hot or Cool tier; the archived original is left untouched. This is Microsoft's recommended option for most scenarios.
- Change an archived blob's access tier to an online tier - Use the Set Blob Tier operation to change the blob's tier to Hot or Cool in place. Rehydration is not immediate with either option: at standard priority it can take up to 15 hours, so rehydrate before you need to search or restore.
Read more about rehydrating a blob in Microsoft's Blob rehydration from the Archive tier guide.
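Both rehydration options above as Azure CLI, applied to every Archive-tier blob under a prefix, with a poll loop to tell when the data is back online. This is an added example, not code from the Logz.io page or from Microsoft's guide. It assumes an `az login` identity holding Storage Blob Data Contributor on the container (`--auth-mode login`), that the copy stays within the same storage account, and that `az storage blob show` reports a pending rehydration under `properties.rehydrationStatus` (field name assumed). Commands are printed rather than executed until you set `DRY_RUN=0`.

```shell
#!/usr/bin/env bash
# Rehydrate Archive-tier blobs so Logz.io can read them. Added example, not
# from the Logz.io page or Microsoft. Assumes an `az login` identity holding
# Storage Blob Data Contributor on the container (--auth-mode login).
set -euo pipefail

# Print the az command instead of running it while DRY_RUN=1 (the default).
run() { if [ "${DRY_RUN:-1}" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# Rehydrate one blob. MODE "set-tier" changes the blob's tier in place;
# MODE "copy" writes a rehydrated copy under rehydrated/ in the same container
# and leaves the archived original untouched (Microsoft's recommended option).
# TIER is Hot or Cool; PRIORITY is Standard (up to 15 hours) or High (under an
# hour for blobs below 10 GB, billed at a higher rate).
rehydrate_blob() {
  local mode="$1" account="$2" container="$3" blob="$4" tier="${5:-Hot}" priority="${6:-Standard}"
  case "$mode" in
    set-tier)
      run az storage blob set-tier --auth-mode login --account-name "$account" \
        --container-name "$container" --name "$blob" --tier "$tier" --rehydrate-priority "$priority" ;;
    copy)
      run az storage blob copy start --auth-mode login --account-name "$account" \
        --destination-container "$container" --destination-blob "rehydrated/$blob" \
        --source-account-name "$account" --source-container "$container" --source-blob "$blob" \
        --tier "$tier" --rehydrate-priority "$priority" ;;
    *) echo "rehydrate_blob: unknown mode '$mode' (use set-tier or copy)" >&2; return 1 ;;
  esac
}

# Rehydrate every blob under PREFIX whose current tier is Archive. Blobs that
# are already Hot or Cool are skipped, so the function is safe to re-run.
rehydrate_prefix() {
  local mode="$1" account="$2" container="$3" prefix="$4" blob
  az storage blob list --auth-mode login --account-name "$account" --container-name "$container" \
    --prefix "$prefix" --query "[?properties.blobTier=='Archive'].name" -o tsv |
  while IFS= read -r blob; do
    rehydrate_blob "$mode" "$account" "$container" "$blob"
  done
}

# Block until BLOB has finished rehydrating. While a rehydration is pending,
# `az storage blob show` reports properties.rehydrationStatus (assumed field
# name, e.g. rehydrate-pending-to-hot); it is empty once the blob is online.
wait_until_online() {
  local account="$1" container="$2" blob="$3" status
  while :; do
    status=$(az storage blob show --auth-mode login --account-name "$account" \
      --container-name "$container" --name "$blob" --query properties.rehydrationStatus -o tsv)
    [ -z "$status" ] && return 0
    echo "$blob: $status (checking again in 10 minutes)"
    sleep 600
  done
}

# Usage: DRY_RUN=0 ./rehydrate.sh <set-tier|copy> <storage-account> <container> <prefix>
if [ "$#" -ge 4 ]; then rehydrate_prefix "$@"; fi
```

With `copy`, point the Logz.io restore at the `rehydrated/` copies; with `set-tier`, the original paths become readable once the rehydration finishes.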
Limiting access to trusted networks
Access credentials can leak. To limit what an attacker who obtains the client secret can do with it, restrict the storage account so that it only accepts connections from trusted networks. Every storage account has a set of network rules (Networking > Firewalls and virtual networks in the portal). The default action is Allow, so out of the box the account is reachable from any network as long as the caller has valid credentials.
Before you begin, you'll need: Azure CLI installed and logged in with rights to change the storage account's network settings.
To allow access from the Logz.io archiver subnets, add the following three network rules:
az storage account network-rule add --resource-group <RESOURCE_GROUP> --subnet /subscriptions/ac7ee52c-3b51-43b5-b667-2498be58418b/resourceGroups/logzio-<REGION>-prod/providers/Microsoft.Network/virtualNetworks/logzio-<REGION>-prod-vnet/subnets/logzio-<REGION>-prod-vnet-subnet-archivers --account-name <CUSTOMER_STORAGE_ACCOUNT_NAME>
az storage account network-rule add --resource-group <RESOURCE_GROUP> --subnet /subscriptions/ac7ee52c-3b51-43b5-b667-2498be58418b/resourceGroups/logzio-<REGION>-prod/providers/Microsoft.Network/virtualNetworks/logzio-<REGION>-prod-vnet/subnets/logzio-<REGION>-prod-vnet-subnet-default --account-name <CUSTOMER_STORAGE_ACCOUNT_NAME>
az storage account network-rule add --resource-group <RESOURCE_GROUP> --subnet /subscriptions/ac7ee52c-3b51-43b5-b667-2498be58418b/resourceGroups/logzio-<REGION>-prod/providers/Microsoft.Network/virtualNetworks/logzio-<REGION>-prod-vnet/subnets/logzio-<REGION>-prod-vnet-subnet-aks-services --account-name <CUSTOMER_STORAGE_ACCOUNT_NAME>
Replace <REGION> with the region of your Logz.io account, <RESOURCE_GROUP> with the resource group that holds your storage account, and <CUSTOMER_STORAGE_ACCOUNT_NAME> with the name of your storage account.
The rules have no effect while the account's default action is Allow. After adding them, set the default action to Deny (in the portal: Networking > Firewalls and virtual networks > Enabled from selected virtual networks and IP addresses). Once it is Deny, everything not on the list is rejected, including your own workstation and the portal's data views, so add your own IP addresses or networks as rules as well.
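The lockdown above as one idempotent script: it adds the operator's own IPs, then the three Logz.io subnets, then flips the default action to Deny, and finally prints the rule set Azure now enforces. This is an added example, not Logz.io's own tooling or the page's own commands. It assumes an `az login` identity with Contributor or Owner on the storage account, that the Logz.io subscription, VNet and subnet names are exactly those in the three commands above, and the placeholder script name `lockdown.sh`; commands are printed rather than executed until you set `DRY_RUN=0`.

```shell
#!/usr/bin/env bash
# Restrict a customer storage account to the Logz.io archiver subnets from the
# page, plus the operator's own IPs. Added example, not Logz.io's own tooling.
# Assumes an `az login` identity with Contributor or Owner on the storage
# account and that the Logz.io subscription, VNet and subnet names are exactly
# those in the page's three network-rule commands.
set -euo pipefail

LOGZIO_SUBSCRIPTION="ac7ee52c-3b51-43b5-b667-2498be58418b"
LOGZIO_SUBNETS="archivers default aks-services"

# Print the az command instead of running it while DRY_RUN=1 (the default).
run() { if [ "${DRY_RUN:-1}" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# Full resource ID of one Logz.io subnet for a given Logz.io region.
logzio_subnet_id() {
  local region="$1" subnet="$2"
  printf '/subscriptions/%s/resourceGroups/logzio-%s-prod/providers/Microsoft.Network/virtualNetworks/logzio-%s-prod-vnet/subnets/logzio-%s-prod-vnet-subnet-%s\n' \
    "$LOGZIO_SUBSCRIPTION" "$region" "$region" "$region" "$subnet"
}

# Usage: restrict_storage_account <resource-group> <storage-account> <logzio-region> [admin-ip-or-cidr ...]
restrict_storage_account() {
  local rg="$1" account="$2" region="$3" ip subnet
  shift 3
  # Rules first, Deny last: once the default action is Deny, anything not
  # listed (your workstation, the portal's data views) is rejected, while the
  # Logz.io archiver keeps working because its subnets are already allowed.
  # Management-plane calls such as `az storage account update` are not
  # affected by these rules, so you cannot lock yourself out of fixing them.
  for ip in "$@"; do
    run az storage account network-rule add --resource-group "$rg" --account-name "$account" --ip-address "$ip"
  done
  for subnet in $LOGZIO_SUBNETS; do
    run az storage account network-rule add --resource-group "$rg" --account-name "$account" \
      --subnet "$(logzio_subnet_id "$region" "$subnet")"
  done
  # Network rules are only enforced when the default action is Deny.
  run az storage account update --resource-group "$rg" --name "$account" --default-action Deny
  # Check: the default action and the allowed subnets/IPs as Azure now sees them.
  run az storage account show --resource-group "$rg" --name "$account" \
    --query 'networkRuleSet.{defaultAction:defaultAction,subnets:virtualNetworkRules[].virtualNetworkResourceId,ips:ipRules[].ipAddressOrRange}' -o json
}

# Example: DRY_RUN=0 ./lockdown.sh my-rg mystorageaccount us-east-1 203.0.113.7
if [ "$#" -ge 3 ]; then restrict_storage_account "$@"; fi
```

Run it first in dry-run mode and compare the printed subnet IDs with the three commands on this page before setting `DRY_RUN=0`; the final `az storage account show` is the check that `defaultAction` reads `Deny` and that all three Logz.io subnets are listed.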