azure eventhub to prism integration

Question

azure eventhub to prism integration

Sunil Sigroha 0

We are planning to forward logs from approximately 800 VMs to an Event Hub that will be connected to PRISM via a private endpoint. Could you please advise how many Event Hubs are required for security log ingestion and whether there are any limitations?

Pravallika KV 14,155 Reputation points Microsoft External Staff Moderator

2026-04-01T17:58:29.48+00:00

Hi @Sunil Sigroha ,Following up to see if the above provided information was helpful. If you have any further queries do let us know.
Praveen Kumar Gudipudi 2,285 Reputation points Microsoft External Staff Moderator

2026-04-07T17:34:51.81+00:00

Hi @Sunil Sigroha ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

3 answers

Your answer

Pravallika KV 14,155 Reputation points Microsoft External Staff Moderator

2026-04-01T17:58:29.48+00:00

Hi @Sunil Sigroha ,Following up to see if the above provided information was helpful. If you have any further queries do let us know.
Praveen Kumar Gudipudi 2,285 Reputation points Microsoft External Staff Moderator

2026-04-07T17:34:51.81+00:00

Hi @Sunil Sigroha ,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Answer 1

Hi @Sunil Sigroha ,

Thanks for reaching out to Microsoft Q&A.

In most cases you don’t need 800 separate Event Hubs, one Event Hub inside a single namespace with your private endpoint configured can ingest logs from all 800 VMs, provided you size your throughput units (TUs) and partitions correctly.

Single Event Hub vs. Multiple
- Azure Event Hubs is built for high-volume ingestion (millions of events/sec).
- You can host all VM log senders in one Event Hub and simply scale up by adding TUs or partitions if you hit throughput limits.
- If you need tenant or workload isolation (audit separation), you could spin up additional hubs or consumer groups, but it’s not a performance requirement.
Throughput Units and Partitions
- Each TU provides 1 MB/sec ingress (or up to 1,000 events/sec, whichever comes first) and 2 MB/sec egress.
- You can purchase up to 20 TUs per standard namespace by default.
- An Event Hub supports up to 32 partitions, which you’d leverage if you have multiple concurrent readers or high-parallel ingestion.
Private Endpoint Scope
- Private endpoints are scoped at the namespace level, so once you’ve configured your private link, any Event Hub in that namespace can be reached privately no extra P.E. needed per hub.
When to Add More Hubs
- If your combined VM log traffic exceeds what the max TUs (or partitions) can handle in a single namespace, you can:
- Increase TUs (up to your subscription/namespace limit)
- Or deploy a second namespace/event hub pair (and P.E.) to split the load

Limitations:

Max 32 partitions per Event Hub
Default max of 20 TUs per standard namespace (can be raised via support request)
Single event max size is 1 MB
Retention defaults (1 day up to 90 days) and consumer group counts (7 standard per hub)

Hope this helps!

If the resolution was helpful, kindly take a moment to click on User's image and click on Yes for was this answer helpful. And, if you have any further query do let us know.

Sunil Sigroha 0 Reputation points

2026-04-02T06:36:48.24+00:00

@Pravallika KV can you help me with steps to to onboard all vm to send logs to eventhub. i think i need to install AMA agent on all the vms then dc collector somethings need to create?
Pravallika KV 14,155 Reputation points Microsoft External Staff Moderator

2026-04-02T23:48:41.6966667+00:00

@Sunil Sigroha , Yes correct, to send logs from all VMs to Azure Event Hub, the usual approach is to install the Azure Monitor Agent (AMA) and create a Data Collection Rule (DCR).

Set up Event Hub

Create an Event Hub Namespace and Event Hub and Get Connection String

Go to Shared Access Policies => RootManageSharedAccessKey

Copy the Connection String-Primary Key and note the Event Hub name.

Install Azure Monitor Agent (AMA) on VMs

AMA collects telemetry (logs/metrics) from your VMs.

Install-Module -Name Az.ConnectedMachine Install-AzConnectedMachineAgent

Create a Data Collection Rule (DCR)

DCR defines what logs to collect and where to send them.

Go to Azure Monitor → Data Collection Rules → + Create

Configure:

Resource Group / Name

Data Sources

Destination: Select Event Hub and provide:

Namespace connection string

Event Hub name

Save the DCR.

Assign DCR to VMs

Go to the DCR → + Add Resource, select all the VMs you want to onboard and Click Apply

Verify Logs Flowing

Go to Event Hub → Metrics → check Incoming Messages

Also, you can use Log Analytics Workspace or Stream Analytics to verify logs.
Pravallika KV 14,155 Reputation points Microsoft External Staff Moderator

2026-04-04T00:09:05.6566667+00:00

@Sunil Sigroha , Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer =>Yes, and upvote it. If you have any further queries do let us know.

Answer 2

kagiyama yutaka 1,825

one hub is enough — the only real failure case is a hot‑partition outrunning PRISM’s read‑lag, so start Std/Prem with TU +1 and 4–8 partitions, and if it still slows just add TU +1 again and move the noisiest sender to its own partition…that’s always held up in the field.

0 comments

Answer 3

A single Event Hub is typically sufficient for ingesting security logs from 800 VMs, provided throughput and partition limits are respected. The main design dimension is not the number of VMs but throughput units (TUs/PUs/CUs) and partition count.

Key points for sizing and limitations:

Number of Event Hubs

One Event Hub (in one namespace) can handle logs from hundreds or thousands of VMs as long as the aggregate throughput stays within tier limits.
Multiple Event Hubs are generally only required for:
- Isolation by workload/tenant or environment (prod vs non-prod)
- Different retention or access policies
- Very high throughput that needs to be split across hubs

Partitions and parallelism

Partitions provide parallelism for consumers (such as PRISM) and scale-out capacity.
Recommended starting point for monitoring/log scenarios is 4 partitions if unsure, as each partition can support up to 20 MB/s or ~20,000 messages/sec.
Maximum partitions per Event Hub by tier:
- Basic/Standard: up to 32 partitions per event hub
- Premium: up to 100 partitions per event hub (with namespace-level limits)
- Dedicated: up to 1,024 partitions per event hub
Choose enough partitions to cover peak ingestion and PRISM’s consumption model. If PRISM can consume from multiple partitions, 4+ partitions is appropriate; if it expects a single stream, fewer partitions may be used.

Throughput and quota limits

Throughput is governed by the namespace capacity:
- Basic/Standard: per throughput unit (TU), ingress is 1 MB/s or 1,000 events/s; egress is 2 MB/s or 4,096 events/s.
- Premium/Dedicated: no fixed per-unit throughput limit, but constrained by partitions and resource allocation.
Subscription-level limits (per region) include:
- Max TUs/PUs/CUs per namespace/tier
- Max partitions per event hub and per namespace
- Max event hubs per namespace
Ensure the chosen tier and number of TUs/PUs/CUs can handle the combined log volume from 800 VMs.

Private endpoint and network limitations

Private endpoints for Event Hubs are not supported in the Basic tier; use Standard, Premium, or Dedicated.
Up to 120 private endpoints per Event Hubs namespace.
When private endpoints are enabled:
- Public access is effectively blocked at the application layer, but TCP-level checks (like nslookup or TCP connect) to the public endpoint may still succeed.
- Other Azure services, Azure portal, and logging/metrics may be blocked unless explicitly allowed as trusted services.
All traffic from PRISM to Event Hubs will traverse the private endpoint over the Microsoft backbone network.

General design guidance for this scenario

Use a single Standard (or higher) Event Hubs namespace with one Event Hub dedicated to security logs from the 800 VMs.
Configure an appropriate number of partitions (for example, 4–8) based on expected peak log rate and PRISM’s ability to consume from multiple partitions.
Scale TUs (or PUs/CUs) as needed if ingestion or egress approaches limits.
Use a private endpoint to connect PRISM to the Event Hub, and review the impact on other Azure services that may need to access the namespace.

There is no hard limit in the provided information that directly restricts the number of VMs sending to a single Event Hub; design is driven by throughput, partitions, and private endpoint constraints.

References:

Stream Azure monitoring data to an event hub and external partner
Azure Event Hubs quotas and limits
Azure subscription and service limits, quotas, and constraints
Allow access to Azure Event Hubs namespaces via private endpoints
[Allow access to Azure Event Hubs namespaces via private endpoints

Share via

azure eventhub to prism integration

3 answers

Limitations and design considerations](https://learn.microsoft.com/azure/event-hubs/private-link-service#limitations-and-design-considerations)

Your answer