Forum Discussion
Sentinel and Chinese branches
Hi, is it possible to send logs from servers located in China to a Sentinel workspace in the EU, or to manage 2 instances, one of which is in China, from a single pane of glass?
I am trying to figure out the best way to accomplish it given that the Great Chinese Firewall could block DCR communications and that using a VPN to send logs to a log forwarder via VPN is very expensive (for the government license).
Is anyone aware if the multi-workspace incident view is working with Lighthouse for a global tenant and a Chinese one? Or the multitenant solution?
Thank you
2 Replies
- corsec, Copper Contributor
I've never personally tried this with a tenant in the China region, but you could attempt to create a service provider offering using Lighthouse and see if you can associate the tenant with your EU tenant that way?
That's a major shot in the dark though. Unfortunately, with China and even US Government being physically separate data centers, you likely aren't going to be able to get any sort of connection between the China region and the EU without doing some sort of continuous export to a middleware service and ingesting those alerts into Sentinel in the EU. Not very cost effective if you have a lot of data in the Chinese Sentinel, and certainly not easy to investigate.
For context, I previously worked for an MSP that had customers in Azure Commercial and Azure GCC High. We tried to set up a relationship in one of our commercial test tenants with a GCC High tenant and failed. We had 60+ customers spread across the two regions and it would have been great to see everything in one pane, but no dice.
- emvar, Copper Contributor
Unfortunately, Lighthouse seems out of the game based on the latest point of this doc: Cross-tenant management experiences - Azure Lighthouse | Microsoft Learn. So MSSP/multitenant and multi-workspace incident view are cut out.
We can use 2 different Sentinel instances, like having two separate customers, or try with a VPN from China to HK (Azure DC) and a forwarder in an HK VNet (figuring out the VPN licensing costs part before).
Setting up a middleware service should work, but I think that it would be complex for the amount of data we are talking about.
Thanks