
Telemetry and Data Flow — linux-update-cds

TL;DR

This accelerator does not send any telemetry to the maintainers of this project.

All operational telemetry (logs, metrics, and traces) is captured in your Azure subscription's Log Analytics workspace and Application Insights instance. Nothing leaves your tenancy boundary as a result of deploying this accelerator.


What Is Logged and Where

The table below covers every component that produces log or metric data.

Component | Log Destination | Default Retention | Contains Sensitive Data?
--- | --- | --- | ---
ACA app stdout/stderr (pulp-api, pulp-content, pulp-worker) | Log Analytics workspace in operator subscription | 30 days (configurable) | Yes — may contain Pulp API request URIs, user-agents, and task details
ACA system events (replica scaling, revision activations) | Log Analytics workspace in operator subscription | 30 days (configurable) | Low — resource identifiers only
PostgreSQL Flex Server connection and slow-query logs | Log Analytics workspace in operator subscription | 30 days (configurable) | Yes — may contain database query text; restrict access to the workspace accordingly
Azure Cache for Redis access logs | Log Analytics workspace in operator subscription | 30 days (configurable) | Low — command counts and latency only; no key names or values
Azure Key Vault audit log | Log Analytics workspace in operator subscription | 30 days (configurable) | Yes — records every secret read/write with caller identity and timestamp
App Insights telemetry (traces, exceptions, dependencies) | Application Insights instance in operator subscription | 90 days (configurable) | Yes — may contain exception stack traces and HTTP request URIs
Pulp content-download audit trail | Pulp internal PostgreSQL database | Per Pulp configuration | Yes — URI path and client IP per download event
Transfer bundle manifests | High-side storage (operator-controlled) | Per retention policy | Yes — classification label, operator identity, repository snapshot metadata
Container image base layers | Not logged at runtime | n/a | n/a — image contents are operator-controlled

Log Analytics workspace location: Created in your deployment resource group by infra/_shared/monitoring.bicep. The workspace is workspace-resource-permission scoped (enableLogAccessUsingOnlyResourcePermissions: true), so access is governed by Azure RBAC on the workspace resource itself.


What Is NOT Sent Anywhere

The following categories of telemetry are explicitly absent:

  • No telemetry to GitHub.com or any maintainer. The accelerator has no callbacks, usage-reporting endpoints, or phone-home mechanisms.

  • No usage analytics. There is no tracking of deployment counts, feature usage, or operator identities sent outside the operator's subscription.

  • No "improve product" telemetry. The only Microsoft platform telemetry is what Azure itself inherently collects (ARM deployment metadata, Azure Monitor ingestion). This is governed by the Microsoft Azure Privacy Statement and your customer agreement, not by this project.

  • No upstream Pulp project telemetry. Pulp 3 is self-hosted in your container runtime. Pulp does not phone home; there is no license key validation or usage reporting.

  • No dependency on public endpoints at runtime. After initial container image pull from ACR, all runtime traffic stays inside the VNet via private endpoints. The only intentional outbound path to the public internet is Pulp's upstream sync URL, which is operator-controlled (see Outbound Network Connections below).


How to Disable Optional Telemetry

Diagnostic settings (Log Analytics / ACA logs)

Diagnostic settings for ACA are configured at the Container Apps Environment level. They are enabled by default because audit logging is required for FedRAMP and DoD IL compliance. To disable:

  1. Remove the diagnostic settings resource from the relevant Bicep module, or
  2. Set the Log Analytics workspace ID to an empty string and redeploy.

Warning: Disabling diagnostic settings will break your AU-2/AU-12 control evidence. Do not disable in regulated environments.

Application Insights

Application Insights is deployed by infra/_shared/monitoring.bicep and its connection string is passed to ACA apps as an environment variable.

The current Bicep does not expose an appInsightsEnabled toggle parameter. To disable Application Insights:

  1. Remove the applicationInsights resource from monitoring.bicep.
  2. Remove the APPLICATIONINSIGHTS_CONNECTION_STRING environment variable from your ACA app definitions in infra/low-side/containerapps.bicep.
  3. Redeploy.

Log Analytics retention

Increase retention from the 30-day default for compliance archival:

// In the Bicep file that calls infra/_shared/monitoring.bicep, pass retentionInDays to the module
module monitoring './monitoring.bicep' = {
  name: 'lowSideMonitoring'
  params: {
    location: location
    namePrefix: resourceSuffix
    retentionInDays: 365   // adjust to your policy requirement
    tags: tags
  }
}

FedRAMP High and DoD IL5+ typically require a minimum of 12 months online retention plus 3 years archival. Configure Log Analytics long-term retention or export to Azure Storage for archival periods beyond 2 years.


Data Residency

All data produced by this accelerator resides in the Azure region(s) you deploy to.

  • Log Analytics and Application Insights data is stored in the workspace region specified at deployment time.
  • Cross-region replication of Log Analytics data is opt-in only (not configured by default in this accelerator).
  • Azure Government regions do not replicate data to Azure Commercial regions. Deploying to usgovvirginia or usgovarizona keeps all data within the FedRAMP High / DoD IL authorization boundary.

Outbound Network Connections

The following table enumerates every outbound network connection this accelerator makes or enables. All connections use TLS 1.2 or higher.

Source | Destination | Protocol | Notes
--- | --- | --- | ---
ACA runtime | Azure Container Registry (private endpoint) | HTTPS | Intra-tenancy; never traverses public internet
ACA apps | PostgreSQL Flex Server (VNet-delegated subnet) | TLS/PostgreSQL 5432 | Private, within VNet
ACA apps | Redis (private endpoint) | TLS/Redis 6380 | Private, within VNet
ACA apps | Key Vault (private endpoint) | HTTPS | Private, within VNet
ACA apps | Azure Blob Storage (private endpoint / service endpoint) | HTTPS | Private, within VNet or service endpoint
Diagnostic agents | Log Analytics (Azure Monitor ingestion) | HTTPS | Flows to your workspace; private link available
Pulp worker | Upstream package archive (e.g., archive.ubuntu.com, packages.microsoft.com) | HTTPS | Operator-controlled via upstreamUrl parameter. Mirror this URL internally for air-gap deployments. This is the only intentional public-internet egress.
Nothing | github.com / any maintainer infrastructure | n/a | No runtime connection to project maintainer infra

Air-gap note: For fully disconnected high-side deployments, the Pulp worker never runs an upstream sync — it only imports from approved transfer bundles. The upstreamUrl parameter is only relevant on the low side.


Audit-Friendly Mode

To maximize logging for FedRAMP or DoD IL audits, apply the following configuration:

  1. Increase Log Analytics retention — Set retentionInDays: 365 (or higher) in infra/_shared/monitoring.bicep.

  2. Enable Key Vault audit logging — Ensure the Key Vault diagnostic setting is configured to send AuditEvent logs to the Log Analytics workspace. Verify with:

    az monitor diagnostic-settings list \
      --resource "$(az keyvault list -g <rg> --query '[0].id' -o tsv)" \
      -o table

  3. Capture RBAC change events — Configure an Azure Monitor Activity Log alert or diagnostic setting for the resource group to capture Microsoft.Authorization/roleAssignments/write events.

  4. Export to SIEM — Configure a Log Analytics data export rule or Azure Sentinel connector to forward logs to your authoritative SIEM. This is required for FedRAMP continuous monitoring.

  5. Collect deployment evidence — After each Bicep deployment, run the validation commands in docs/evidence/phase2-platform-security-checklist.md and store JSON output in your evidence archive.

  6. Review compliance posture — See docs/compliance.md for the full NIST SP 800-53 Rev 5 control mapping and adopter responsibilities.
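To turn steps 1 and 2 above into a repeatable check rather than a visual read of CLI output, here is an added example (not part of the project) that parses the JSON returned by `az monitor diagnostic-settings list` and `az monitor log-analytics workspace show` and reports findings. The JSON shapes, the `<sub>`/`<rg>`/`<law>` resource IDs and the `kv-diag` setting name are constructed samples and assumptions; run the real commands with `-o json` and feed their output in.

```python
import json

# Constructed sample (assumption): shape of `az monitor diagnostic-settings list --resource <kv-id> -o json`.
# Older CLI versions wrap the array as {"value": [...]}; _settings() accepts both.
WORKSPACE_ID = ("/subscriptions/<sub>/resourceGroups/<rg>/providers/"
                "Microsoft.OperationalInsights/workspaces/<law>")
SAMPLE_DIAG = json.dumps([{
    "name": "kv-diag",
    "workspaceId": WORKSPACE_ID,
    "logs": [{"category": "AuditEvent", "enabled": True}],
    "metrics": [{"category": "AllMetrics", "enabled": False}],
}])
# Constructed sample (assumption): shape of `az monitor log-analytics workspace show -o json`.
SAMPLE_WORKSPACE = json.dumps({"name": "<law>", "retentionInDays": 30})

def _settings(raw):
    data = json.loads(raw)
    return data.get("value", []) if isinstance(data, dict) else data

def keyvault_audit_sinks(raw_diag):
    """Return the Log Analytics workspace IDs that receive the enabled AuditEvent category."""
    sinks = []
    for setting in _settings(raw_diag):
        if not setting.get("workspaceId"):
            continue  # storage-account or event-hub sinks are not workspace evidence
        if any(log.get("category") == "AuditEvent" and log.get("enabled")
               for log in setting.get("logs", [])):
            sinks.append(setting["workspaceId"])
    return sinks

def retention_findings(raw_workspace, minimum_days=365):
    """Flag a workspace whose retentionInDays is below the audit-friendly minimum."""
    days = int(json.loads(raw_workspace).get("retentionInDays", 0))
    if days < minimum_days:
        return [f"retentionInDays={days} is below the {minimum_days}-day minimum"]
    return []

def audit_findings(raw_diag, raw_workspace, minimum_days=365):
    """Combine the Key Vault sink check and the retention check into one findings list."""
    findings = []
    if not keyvault_audit_sinks(raw_diag):
        findings.append("Key Vault AuditEvent logs are not routed to any Log Analytics workspace")
    return findings + retention_findings(raw_workspace, minimum_days)

if __name__ == "__main__":
    # With the constructed samples this reports only the 30-day retention finding.
    for finding in audit_findings(SAMPLE_DIAG, SAMPLE_WORKSPACE):
        print("FINDING:", finding)
```

An empty findings list is the pass condition; store the raw JSON alongside the result as evidence per step 5.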