
Bring Your Own Cloud (BYOC) Benefits
Bring Your Own Cloud (BYOC) allows customers to deploy vendor services (like IBM Db2 Warehouse) inside their own Azure subscription rather than relying on a vendor-managed environment. This approach offers several benefits:
- Control & Compliance: Full governance over networking, security, and data residency.
- Integration: Seamless use of Azure-native services (Key Vault, Managed Identities, Private Endpoints).
- Security: Aligns with enterprise IAM and RBAC policies for zero-trust architectures.
This solution fits perfectly into a cloud-centric strategy because it leverages Azure’s identity, storage, and networking capabilities while maintaining customer ownership of resources.
Azure BYOC Provisioning for Audit Logs
When provisioning Db2 Warehouse in BYOC mode, IBM creates foundational resources in the customer’s Azure account for audit log archival.
⚠️ Important: Do not remove or modify these resources. Altering them can lead to system instability and service interruptions.
Resource Group: rg-ibmbyoc-<id>-audit
Storage Account: stibmbyoc<short-id>audit
Managed Identity: id-ibmbyoc-<id>-database (assigned Storage Blob Data Contributor role)
The customer remains responsible for creating and maintaining the Blob container inside the storage account.
Conceptual Overview
1. Resource Group: A logical container for Azure resources, organizing and managing lifecycle (create, update, delete).
2. Storage Account: Provides Blob, File, Queue, and Table services; must reside inside a resource group.
3. Managed Identity: An Entra ID identity managed by Azure, enabling authentication without storing or rotating credentials in the application.
Relationship for Blob Access
To access Blob storage securely:
1. Db2 service uses its managed identity to request a token from Entra ID.
2. Entra ID issues a token scoped to the storage account.
3. Db2 presents that token to the storage account, and the RBAC role assigned to the identity (e.g., Storage Blob Data Contributor) authorizes it to write audit logs.
Key Point: Storage account and managed identity do not directly interact; Entra ID mediates authentication.
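The following PowerShell script is an added example, not IBM's code, that checks the IBM-provisioned resources described above are intact and creates the customer-owned Blob container. It assumes the Az modules are installed and Connect-AzAccount has been run, that the managed identity lives in the same resource group as the storage account (adjust -IdentityResourceGroup if not), and a container name of db2-audit-logs; <id> and <short-id> come from your own provisioning.

```powershell
# Added example (not IBM's code): verify the IBM-created audit resources and
# create the customer-managed Blob container for Db2 audit logs.
# Requires Az.Accounts, Az.Resources, Az.Storage, Az.ManagedServiceIdentity.
param(
    [Parameter(Mandatory)] [string] $Id,        # <id> in rg-ibmbyoc-<id>-audit
    [Parameter(Mandatory)] [string] $ShortId,   # <short-id> in stibmbyoc<short-id>audit
    [string] $ContainerName = 'db2-audit-logs', # assumed name; choose your own
    [string] $IdentityResourceGroup = ''        # assumed: same RG as the storage account
)
$ErrorActionPreference = 'Stop'

$rgName       = "rg-ibmbyoc-$Id-audit"
$storageName  = "stibmbyoc${ShortId}audit"
$identityName = "id-ibmbyoc-$Id-database"
if (-not $IdentityResourceGroup) { $IdentityResourceGroup = $rgName }

# 1. Storage account must still exist (it is created by IBM; never alter it).
$sa = Get-AzStorageAccount -ResourceGroupName $rgName -Name $storageName

# 2. The managed identity must still hold Storage Blob Data Contributor on the
#    account; without that RBAC assignment the Entra ID token cannot write blobs.
$mi = Get-AzUserAssignedIdentity -ResourceGroupName $IdentityResourceGroup -Name $identityName
$role = Get-AzRoleAssignment -ObjectId $mi.PrincipalId -Scope $sa.Id `
            -RoleDefinitionName 'Storage Blob Data Contributor'
if (-not $role) {
    throw "Identity '$identityName' has no Storage Blob Data Contributor assignment on '$storageName'."
}

# 3. The Blob container is the customer's responsibility: create it if missing.
#    Management-plane cmdlets are used so only ARM permissions are needed, and
#    public access is disabled because audit logs must never be anonymously readable.
$container = Get-AzRmStorageContainer -ResourceGroupName $rgName `
                 -StorageAccountName $storageName -Name $ContainerName -ErrorAction SilentlyContinue
if (-not $container) {
    $container = New-AzRmStorageContainer -ResourceGroupName $rgName `
                     -StorageAccountName $storageName -Name $ContainerName -PublicAccess None
}
Write-Output "Container '$($container.Name)' ready in '$storageName'; '$identityName' holds Storage Blob Data Contributor."
```

Run it before step 4 of the setup guide so the container already exists when Db2 lists the containers in your account.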
Step-by-Step Setup Guide
1. In Db2, create a storage alias using predefined IBM configuration.
2. Select "Azure Blob Storage" in the Create Object Storage Alias flow.
3. Complete the authentication handshake to allow Db2 to list containers in your account.
4. Choose the container for audit logs, configure audit policies, and monitor log flow.

About the Author
Brigitte DeLoren is a 13-year software engineering veteran who thrives at the intersection of cloud technology, code craftsmanship, and team leadership. Known for elevating engineering quality and demystifying complex systems, she has built expertise in Db2 auditing while also shaping teams through clear technical direction and documentation. This marks her debut into technical blogging, where she brings her hands-on experience to a broader audience.