Learning about Activity Tracker Event Routing architecture and workload isolation

Review the following sample architecture for IBM Cloud® Activity Tracker Event Routing, and learn more about different isolation levels so that you can choose the solution that best meets the requirements of the workloads that you want to run in the cloud.

IBM Cloud Activity Tracker Event Routing architecture

IBM Cloud Activity Tracker Event Routing is a multi-tenant, regional service that is available in IBM Cloud. With Activity Tracker Event Routing, you can manage collection and storage of auditing data to monitor and audit activity in your account.

The following figure shows the high level architecture for IBM Cloud Activity Tracker Event Routing:

Figure: Activity Tracker Event Routing sample architecture

Activity Tracker Event Routing is deployed and managed per region. See List of supported regions. In each region, the service runs in three physically separate data centers to ensure availability.

All data and the configuration for each service deployment is retained within the region in which it is hosted.

You can use the following to manage the service in your account:

  • The IBM Cloud Activity Tracker Event Routing CLI
  • The IBM Cloud Activity Tracker Event Routing API
  • The IBM Cloud Activity Tracker Event Routing Terraform resources

You must define targets and routes to control how auditing events are managed per region in your account.

  • A target is a resource where auditing events are collected.
  • A route defines the rules that determine where auditing events that are generated in the account are routed.

You can also define account settings, which set global configuration parameters that apply when you configure the account.

In your account, auditing events are automatically collected from IBM Cloud services that run in the account, with the exception of some services that require additional configuration to enable auditing events.

After you configure targets and routes in the account, auditing events that are collected are uploaded to the destination target of your choice. You are responsible for managing the auditing data in the target resources.

Connections

You can use private and public endpoints to configure Activity Tracker Event Routing resources in your account.

Private connections

You cannot disable private endpoints.

Public connections

You can choose to disable public endpoints for Activity Tracker Event Routing.

Disabling public endpoints also disables the Activity Tracker Event Routing UI.

For more information, see Enforcing private endpoints to configure Activity Tracker Event Routing resources.
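The targets, routes and account settings described above, together with the private-endpoint-only setting from this section, as one added Terraform example. This is not code from the IBM Cloud documentation: it uses the resource types `ibm_atracker_target`, `ibm_atracker_route` and `ibm_atracker_settings` from the IBM Cloud Terraform provider as documented at the time of writing, and every value (region, bucket name, CRN, endpoint, API key variable) is a placeholder that you must replace with your own. Verify the attribute names against the provider version you pin.

```hcl
# Added example, not from the IBM Cloud docs. Resource types are those of the
# IBM Cloud Terraform provider; all values are placeholders.
terraform {
  required_providers {
    ibm = {
      source = "IBM-Cloud/ibm"
    }
  }
}

# The Object Storage writer credential is a secret: pass it in via a
# TF_VAR_ environment variable or a secrets backend, never commit it.
variable "cos_writer_api_key" {
  type      = string
  sensitive = true
}

# Target: the Object Storage bucket that receives the auditing events.
# The private COS endpoint keeps the upload off the public network.
resource "ibm_atracker_target" "audit_bucket" {
  name        = "audit-events-us-south"          # placeholder
  target_type = "cloud_object_storage"
  region      = "us-south"                       # placeholder region

  cos_endpoint {
    endpoint   = "s3.private.us-south.cloud-object-storage.appdomain.cloud"          # placeholder
    target_crn = "crn:v1:bluemix:public:cloud-object-storage:global:a/ACCOUNT_ID:INSTANCE_ID::" # placeholder CRN
    bucket     = "audit-events-bucket"                                                 # placeholder
    api_key    = var.cos_writer_api_key
  }
}

# Route: which locations' events go to which target. "global" covers events
# from global (non-regional) services; add further rules for other regions.
resource "ibm_atracker_route" "us_south_to_bucket" {
  name = "route-us-south-and-global"

  rules {
    target_ids = [ibm_atracker_target.audit_bucket.id]
    locations  = ["us-south", "global"]
  }
}

# Account settings: global parameters for the whole account.
# private_api_endpoint_only = true disables the public endpoints, which
# (as the page notes) also disables the Activity Tracker Event Routing UI.
resource "ibm_atracker_settings" "account" {
  default_targets           = [ibm_atracker_target.audit_bucket.id]
  metadata_region_primary   = "us-south"   # placeholder
  permitted_target_regions  = ["us-south"] # restrict where targets may live
  private_api_endpoint_only = true
}
```

The identity that applies this plan needs the IAM roles the page points to (Managing access for Activity Tracker Event Routing) plus write access to the bucket; the `sensitive` variable keeps the bucket credential out of plan output and state diffs, but the state file itself still contains it and must be stored with the same care as any other secret.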

Dependencies to other IBM Cloud services

Review the IBM Cloud services that Activity Tracker Event Routing connects to over public or private connections.

Activity Tracker Event Routing dependencies to other IBM Cloud services:

  • IBM Cloud Internet Services: used as a provider for DNS and load-balancing capabilities.
  • IBM Cloud Kubernetes Service: Activity Tracker Event Routing uses IBM Cloud Kubernetes Service to run its service.
  • IBM Cloud Monitoring: Activity Tracker Event Routing integrates with Monitoring, by using a private connection, to send platform metrics. For more information, see Monitoring metrics for Activity Tracker Event Routing.
  • IBM Cloud Object Storage: Activity Tracker Event Routing stores customer data in Object Storage by using a private connection. All data is encrypted in transit and at rest. For more information, see Managing your data in Activity Tracker Event Routing.
  • Event Streams: Activity Tracker Event Routing routes customer data to Event Streams by using a public connection unless the Event Streams target is running the Enterprise plan. All data is encrypted in transit and at rest. For more information, see Managing your data in Activity Tracker Event Routing.
  • IBM Cloud Platform: to authenticate requests to the service and authorize user actions, Activity Tracker Event Routing implements platform and service access roles in Cloud Identity and Access Management (IAM). For more information about the IAM permissions required to work with the service, see Managing access for Activity Tracker Event Routing. Connections from Activity Tracker Event Routing to IAM do not use private connections.
  • IBM Cloud Databases for PostgreSQL: Activity Tracker Event Routing uses IBM Cloud Databases for PostgreSQL to store metadata.
  • IBM Cloud Logs: Activity Tracker Event Routing routes customer data to IBM Cloud Logs by using a private connection. All data is encrypted in transit and at rest. For more information, see Managing your data in Activity Tracker Event Routing.

Workload isolation

Each regional deployment serves multiple tenants that are identified by the IBM Cloud account ID.

  • There is one deployment per region that is responsible for running user workloads in that region.
  • In a region, the deployment is highly available.
  • The data that is collected is associated with the IBM Cloud account ID, and that association is what keeps it invisible to other tenants.
  • Data for all tenants is co-located in the same data stores and segmented by the tenant-specific IBM Cloud account ID to enforce access control policies.
  • You can use IBM Cloud Identity and Access Management (IAM) to control which users can see, create, use, and manage resources.