Learning about IBM Cloud Logs Routing architecture and workload isolation

Learn about the architecture and isolation model for IBM® Cloud Logs Routing. This information is provided so that you can understand which parts of the service are shared by multiple tenants and which are dedicated to a single tenant. Based on that information you can make an informed decision on how you want to use this IBM Cloud service.

IBM Cloud Logs Routing architecture

The IBM® Cloud Logs Routing service is a multi-tenant platform service that is available in IBM Cloud.

You can use IBM® Cloud Logs Routing to collect and route platform logs to one or more configured target destinations. The routing is based on a customer-defined delivery configuration.

The service is deployed as:

  • A shared (multi-tenant) management plane, which runs on IBM-owned infrastructure.
  • A shared (multi-tenant) data plane, which runs on IBM-owned infrastructure.

The multi-tenant components of IBM® Cloud Logs Routing run on Red Hat OpenShift on IBM Cloud clusters, which are owned and managed by IBM Cloud. These clusters are hosted in IBM Cloud® Virtual Private Cloud instances for network isolation and security.

Control and data planes

The IBM Cloud Logs Routing data plane is responsible for ingestion, routing, and delivery of logs. The data plane is shared by all tenants, and there are no tenant-specific compute resources that are used to support it.

The control plane hosts the IBM Cloud Logs Routing API that is responsible for registration and deletion of both account and service-level tenants. It also includes information about the target destinations.

Both the control and data planes are hosted in an IBM Cloud® Virtual Private Cloud (VPC) that is fully managed by the IBM Cloud Logs Routing service. The VPC network is a fully isolated private network that is connected to the IBM Cloud Private network. Access to the VPC network is possible only through specific endpoints that are exposed by the IBM Cloud Logs Routing service.

IBM Cloud Logs Routing data and workload isolation

IBM® Cloud Logs Routing is deployed across multiple multi-zone regions (MZRs). Each MZR-specific deployment is fully independent from deployments in every other region, and no data is shared between regional deployments.

The data and control planes are shared between all tenants within the region. Within each plane, all compute resources are also shared.

All data within the control plane is associated with the owning IBM Cloud account and can be accessed only by members of that account with the appropriate IBM Cloud Identity and Access Management (IAM) permissions.

The management endpoints can be accessed by:

Logs are ingested by the data plane through a shared endpoint that is reachable through either a Virtual Private Endpoint (VPE) or a Cloud Service Endpoint (CSE). Neither endpoint can be reached from the public internet.

Example routing scenario

Logs are delivered to user-specified targets by using tenant-specific output clients. This means that the output client that delivers logs belonging to tenant A is authorized to connect only to the endpoints specified by tenant A and not to any other endpoint. Output clients are tenant-specific and are not reused across different tenants.
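The tenant-specific output client model described above, as an added illustrative example (not the service's own code): every output client is created for exactly one tenant target and refuses records tagged with any other tenant, so a shared router can never deliver tenant B's logs to tenant A's endpoint. Tenant IDs, endpoints and messages are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    """A tenant-configured delivery destination (constructed example)."""
    tenant_id: str
    endpoint: str


@dataclass(frozen=True)
class LogRecord:
    tenant_id: str
    message: str


class OutputClient:
    """Delivers logs for exactly one tenant, to one of that tenant's targets."""

    def __init__(self, target: Target):
        self.tenant_id = target.tenant_id
        self.endpoint = target.endpoint

    def deliver(self, record: LogRecord) -> str:
        # Authorization is a property of the client, not of the request: a
        # record tagged with another tenant is refused before any connection.
        if record.tenant_id != self.tenant_id:
            raise PermissionError(
                f"client for {self.tenant_id} refused record of {record.tenant_id}")
        return self.endpoint


class Router:
    """Shared data-plane router holding dedicated clients per tenant target."""

    def __init__(self, targets):
        self.clients = {}
        for t in targets:
            # One client per (tenant, target); clients are never shared across tenants.
            self.clients.setdefault(t.tenant_id, []).append(OutputClient(t))

    def route(self, record: LogRecord) -> list:
        # Clients are selected by the record's tenant, never by endpoint.
        clients = self.clients.get(record.tenant_id)
        if not clients:
            raise LookupError(f"no delivery configuration for {record.tenant_id}")
        return [c.deliver(record) for c in clients]
```

Calling `Router([...]).route(LogRecord("tenant-a", "..."))` returns the endpoints of tenant A's targets only, and invoking a tenant A client with a tenant B record raises `PermissionError`.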