Creating a routing configuration resilient to a regional disaster
IBM Cloud Activity Tracker Event Routing is a highly available, multi-tenant, regional service. However, you can also create a routing configuration that sends events to a backup instance to mitigate data loss if a regional disaster occurs.
For more information about IBM Cloud Activity Tracker Event Routing availability and recovery that is provided by the service, see High availability and disaster recovery.
Understanding targets and routes
Before creating a backup region, you need to understand targets and routes.
- Targets are created within a region but are global resources. For more information, see Managing targets.
- Routes are global under an account and are evaluated in all regions where IBM Cloud Activity Tracker Event Routing is deployed. For more information, see Managing routes.
- The account settings configuration defines information such as default targets where events are collected in the account, types of endpoints that are allowed to manage the configuration, configuration metadata locations, and allowed locations to store the data in the account. For more information, see Account configuration settings.
If both the primary metadata region and the backup metadata region configured in the account settings are unavailable, no events will be routed.
Routing to a backup target in a different region
You can configure a backup target for data that is routed by your IBM Cloud Activity Tracker Event Routing instance to a target that is running in a different region. You can then route all data to both your primary and backup targets. Configuring a backup target gives you targets that are in sync. You can switch to the backup with no downtime and minimal data loss if a regional disaster occurs.
Creating a second target for backup purposes results in additional charges for running the backup target instance.
In this example, the source of the auditing events is in the Toronto region (ca-tor). Auditing events from the IBM Cloud service are sent by IBM Cloud Activity Tracker Event Routing to an IBM Cloud Activity Tracker instance in Dallas (us-south). A regional disaster resilient routing configuration is created to route auditing events to an IBM Cloud Activity Tracker instance (Target 2) in the Washington region (us-east) as well. All events are sent to both the target in the Dallas region (us-south) and Washington region (us-east).
Target 2 provides the user with historical auditing events in the Washington region (us-east). If the Dallas region (us-south) is not available, users have Toronto (ca-tor) activity events available in the Washington region (us-east).
For users without a disaster resilient routing configuration, no historical auditing events are available in a second region.
For more information about configuring routes, see Managing routes.
In addition, you must define a backup metadata region for your metadata backup. The backup metadata region must be a different region from your primary metadata region.
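The two requirements above (every route delivers to targets in at least two regions, and the backup metadata region differs from the primary) can be checked offline against an exported configuration. The following Python sketch is an added example, not IBM code; the dictionary layout and field names (`region`, `rules`, `locations`, `target_ids`, `metadata_region_primary`, `metadata_region_backup`) are assumptions modeled on the concepts on this page, and the sample data is constructed.

```python
# Added example: field names below are assumptions, not the service's API schema.
from typing import Dict, List

# Constructed sample data matching the scenario on this page.
TARGETS = {
    "target-1": {"name": "at-dallas", "region": "us-south"},
    "target-2": {"name": "at-washington", "region": "us-east"},
}
SETTINGS = {"metadata_region_primary": "us-south",
            "metadata_region_backup": "us-east"}
ROUTES = [
    {"name": "toronto-audit",
     "rules": [{"locations": ["ca-tor"],
                "target_ids": ["target-1", "target-2"]}]},
]


def check_resilience(targets: Dict[str, dict], routes: List[dict],
                     settings: dict) -> List[str]:
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    primary = settings.get("metadata_region_primary")
    backup = settings.get("metadata_region_backup")
    if not backup:
        findings.append("settings: no backup metadata region is defined")
    elif backup == primary:
        findings.append("settings: backup metadata region equals primary "
                        f"({primary})")
    for route in routes:
        for i, rule in enumerate(route.get("rules", [])):
            label = f"route {route['name']} rule {i}"
            regions = set()
            for tid in rule.get("target_ids", []):
                if tid not in targets:
                    # A dangling target ID cannot provide a backup copy.
                    findings.append(f"{label}: unknown target {tid}")
                    continue
                regions.add(targets[tid]["region"])
            if len(regions) < 2:
                where = ", ".join(sorted(regions)) or "no region"
                findings.append(f"{label}: events from "
                                f"{rule.get('locations')} reach only {where}")
    return findings


if __name__ == "__main__":
    for finding in check_resilience(TARGETS, ROUTES, SETTINGS) or ["OK"]:
        print(finding)
```
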
Security considerations in an environment with two targets
When you configure an environment with a backup target, you need to consider the following:
- Context-based restrictions give account owners and administrators the ability to define and enforce access restrictions for IBM Cloud resources based on a rule's criteria. The criteria include the network location of access requests, the endpoint type from where the request is sent, and sometimes the API that the request tries to access. These restrictions work with traditional IAM policies, which are based on identity, to provide an additional layer of protection. For more information, see What are context-based restrictions?
  If context-based rules are configured in the account, make sure that the rules are defined for both the primary and backup locations.
  You can configure context-based restrictions rules for IBM Cloud Activity Tracker, IBM Cloud Object Storage (COS), IBM Cloud Logs, and IBM® Event Streams for IBM Cloud® targets.
  For a full list of services supporting context-based restrictions, see Services integrated with context-based restrictions.
- IBM Cloud® Identity and Access Management (IAM) enables you to securely control access to all cloud resources consistently in the IBM Cloud. The IAM permissions and authorizations must allow the service to route events to both the primary and backup targets.
Automatic disaster management
You can choose to allow IBM Cloud Activity Tracker Event Routing to handle a regional disaster as described in High availability and disaster recovery.
In this case, you are not charged for a second target instance. However, you accept the following risks:
- No access is available to any historical data from the region that incurred the disaster.
- Data is lost during the time that you configure a new instance while the existing instance is not available.
- Events routed to an IBM Cloud Activity Tracker target can be archived. However, a delay of archived data is possible and the data is not guaranteed to be available for the prior 24 hours. For information about IBM Cloud Object Storage (COS), see IBM Cloud Object Storage.
- Any events that are routed to an IBM Cloud Logs target can be archived. For more information, see Understanding your responsibilities when you use IBM Cloud Logs.
- Any events that are routed to an IBM Cloud Activity Tracker target that are then streamed to an IBM® Event Streams for IBM Cloud® instance are only maintained up to the buffer size for 24 hours. Data can then be lost. For more information, see Understanding your responsibilities when you use Event Streams.