Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Remote hubs enable cross-tenant cost data collection scenarios where a central tenant aggregates cost data from multiple tenants or subscriptions. In this setup, "satellite" FinOps hubs in different tenants send their processed data to a central "primary" hub for consolidated reporting and analysis.
Remote hubs work across different Azure clouds, supporting:
- Azure Commercial
- Azure Government
- Azure operated by 21Vianet
When to use remote hubs
Consider remote hubs when you have:
- Multiple Azure tenants with separate billing relationships
- A centralized FinOps team that needs visibility across multiple organizations
- Subsidiaries or business units in separate tenants
- Partners or customers who want to contribute cost data to a shared analysis
- Multi-cloud scenarios where you need cost data from different Azure cloud environments
Architecture overview
In a remote hub configuration:
- Primary hub: Central FinOps hub that receives and stores aggregated data from all tenants
- Remote (satellite) hubs: FinOps hubs in remote tenants that process local cost data and send it to the primary hub
Configure the primary hub
- Deploy a standard FinOps hub in your central tenant using the regular deployment process
- Note the storage account name (found in the resource group after deployment)
- Get the Data Lake storage endpoint:
- Navigate to the storage account in the Azure portal
- Select Settings > Endpoints
- Copy the Data Lake storage URL (format:
https://storageaccount.dfs.core.windows.net/)
- Get the storage account access key:
- Navigate to Security + networking > Access keys
- Copy key1 or key2 value
Configure remote hubs
When deploying remote hubs, provide the primary hub's storage details:
- When deploying the FinOps hub template, navigate to the Advanced tab
- Expand Remote hub configuration
- Enter the Remote hub storage URI from the primary hub (copy from the primary hub's storage account Settings > Endpoints > Data Lake storage)
- Enter the Remote hub storage key from the primary hub (copy from the primary hub's storage account Security + networking > Access keys > key1/2 > Key)
- Complete the deployment normally
Security considerations
- Version requirement: Remote hubs support requires FinOps hub template version 0.4 or later
- Storage keys: Treat storage keys as secrets. They provide full access to the storage account
- Network access: Consider using private networking for both primary and remote hubs
- Key rotation: Regularly rotate storage keys and update remote hub configurations
- Least privilege: The storage key provides broad access; consider using Azure AD authentication when available
Data flow and processing
Remote hubs process data locally and then send processed (not raw) cost data to the primary hub. This approach:
- Reduces data transfer costs
- Maintains data sovereignty for initial processing
- Centralizes only the final, processed cost data
- Preserves full granularity in the primary hub