Governance Policies Azure Monitoring Log Analytics - Azure/az-prototype GitHub Wiki
Governance policies for Log Analytics
Domain: azure-monitoring
| Name | Description |
|---|---|
| Log Analytics Workspace with private endpoint | Complete Log Analytics deployment with PerGB2018 SKU, private access, and DNS configuration |
| Anti-pattern | Instead |
|---|---|
| Do not deploy resources without routing diagnostics to Log Analytics | Create diagnostic settings on every PaaS resource pointing to the shared workspace |
| Do not use Free SKU for shared workspaces | Use PerGB2018 for predictable pricing and full feature set |
| Check | Severity | Description |
|---|---|---|
| AZ-LA-001 | Required | Create Log Analytics Workspace with PerGB2018 SKU and appropriate retention |
| AZ-LA-002 | Required | Output workspace ID and customer ID for downstream diagnostic settings |
| AZ-LA-003 | Recommended | Set retention to 30 days for POC, 90 days for production |
AZ-LA-001: Create Log Analytics Workspace with PerGB2018 SKU and appropriate retention
Severity: Required
Rationale: PerGB2018 is the standard pricing tier; retention controls cost and compliance requirements
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
Resource types:
- Microsoft.OperationalInsights/workspaces
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateEndpoints | pe-log-analytics | Private endpoint for Log Analytics ingestion — required when publicNetworkAccessForIngestion is Disabled |
| Microsoft.Network/privateDnsZones | privatelink.oms.opinsights.azure.com | Private DNS zones for Log Analytics private endpoint resolution (requires multiple zones) |
AZ-LA-002: Output workspace ID and customer ID for downstream diagnostic settings
Severity: Required
Rationale: All PaaS resources need the workspace ID for diagnostic settings; Container Apps need the customer ID
Agents: terraform-agent, bicep-agent, cloud-architect
Resource types:
- Microsoft.OperationalInsights/workspaces
AZ-LA-003: Set retention to 30 days for POC, 90 days for production
Severity: Recommended
Rationale: Longer retention increases cost; 30 days is sufficient for POC troubleshooting
Agents: cloud-architect, cost-analyst
Resource types:
- Microsoft.OperationalInsights/workspaces
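As an added example (not the az-prototype project's own template), a Bicep module that applies AZ-LA-001 through AZ-LA-003 together with the private endpoint listed for the workspace; the parameters workspaceName, environment and subnetId, the Azure Monitor Private Link Scope resource and the API versions are assumptions rather than values taken from this page.

```bicep
// Added example, not the az-prototype project's own template. The parameters
// workspaceName, environment and subnetId are assumed inputs.
param workspaceName string
param location string = resourceGroup().location
@allowed(['poc', 'prod'])
param environment string = 'poc'
param subnetId string
// AZ-LA-003: 30 days for POC, 90 days for production
var retentionInDays = environment == 'prod' ? 90 : 30
// AZ-LA-001: PerGB2018 SKU; public ingestion disabled so data reaches the workspace only via the private endpoint
resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: { name: 'PerGB2018' }
    retentionInDays: retentionInDays
    publicNetworkAccessForIngestion: 'Disabled'
    publicNetworkAccessForQuery: 'Enabled'
  }
}

// A Log Analytics private endpoint targets an Azure Monitor Private Link Scope (AMPLS) that has the workspace as a scoped resource
resource ampls 'Microsoft.Insights/privateLinkScopes@2021-07-01-preview' = {
  name: 'ampls-${workspaceName}'
  location: 'global'
  properties: {
    accessModeSettings: { ingestionAccessMode: 'PrivateOnly', queryAccessMode: 'Open' }
  }
}
resource scoped 'Microsoft.Insights/privateLinkScopes/scopedResources@2021-07-01-preview' = {
  parent: ampls
  name: workspaceName
  properties: { linkedResourceId: workspace.id }
}
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-log-analytics'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      { name: 'pe-log-analytics', properties: { privateLinkServiceId: ampls.id, groupIds: ['azuremonitor'] } }
    ]
  }
}

// AZ-LA-002: diagnostic settings consume the resource ID; Container Apps need the customer (workspace) GUID
output workspaceId string = workspace.id
output customerId string = workspace.properties.customerId
```

The private DNS zones (privatelink.oms.opinsights.azure.com plus the other zones Azure Monitor private link requires) and the endpoint's DNS zone group are not shown; without them, agents inside the VNet cannot resolve the endpoint and ingestion fails silently once public access is disabled.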