If you ingest over 1Tb per day into your Azure Sentinel workspace and/or have multiple Azure Sentinel workspaces in your Azure enrolment, you may want to consider migrating to a dedicated cluster, a recent addition to the deployment options for Azure Sentinel.
NOTE: Although this blog refers to a “dedicated cluster for Azure Sentinel”, the dedicated cluster being referred to is for Log Analytics, the underlying data store for Azure Sentinel. You may find that linked official documents refer to Azure Monitor; Log Analytics is part of the wider Azure Monitor platform.
Overview
A dedicated cluster in Azure Sentinel does exactly what it says: you are given dedicated hardware in an Azure data center to run your Azure Sentinel instance. This enables several scenarios:
- Customer-managed Keys – Encrypt the cluster data using keys that are provided and controlled by the customer.
- Lockbox – Customers can control Microsoft support engineers access requests for data.
- Double encryption protects against a scenario where one of the encryption algorithms or keys may be compromised. In this case, the additional layer of encryption continues to protect your data.
Additionally, multiple Azure Sentinel workspaces can be added to a dedicated cluster. There are several advantages to using a dedicated cluster from a Sentinel perspective:
- Cross-workspace queries will run faster if all the workspaces involved in the query are added to the dedicated cluster. NB: It is still recommended to have as few workspaces as possible in your environment. A dedicated cluster still retains the limit of 100 workspaces that can be included in a single cross-workspace query.
- All workspaces on the dedicated cluster share the Log Analytics capacity reservation set on the cluster (not the Sentinel capacity reservation), rather than having to have one Log Analytics capacity reservation per workspace which can allow for cost savings and efficiencies. NB: By enabling a dedicated cluster you commit to a minimum capacity reservation in Log Analytics of 1Tb per day ingestion.
Considering migrating to a dedicated cluster?
There are some considerations and limitations for using dedicated clusters:
- The max number of clusters per region and subscription is 2.
- All workspaces linked to a cluster must be in the same region.
- The maximum of linked workspaces to cluster is 1000.
- You can link a workspace to your cluster and then unlink it. The number of workspace link operations on particular workspace is limited to 2 in a period of 30 days.
- You cannot move an existing workspace to a CMK cluster. You need to create it in the cluster.
- Cluster move to another resource group or subscription isn’t supported at the time of writing this article.
- Workspace link to cluster will fail if it is linked to another cluster.
The great news is that you can retrospectively migrate to a dedicated cluster, so if this feature looks like it would be useful to your organization, you can find more information and migration steps here.
