A big shout to Giovanna who brought this challenge!

Log Analytics ingestion is one of those Azure costs that behaves well for months, then doesn't. A noisy diagnostic setting, a new service sending verbose logs, a misconfigured Sentinel connector, and suddenly your monthly bill has a very different shape than the one you budgeted for.

Cost Management budgets and alerts exist for exactly this. But an email at 100% of budget doesn't stop the ingestion that's already happening. If you want something that actually intervenes, you need automation behind the alert, and automation that intervenes in production needs the same rigor you'd apply to any other change: a rollback plan, a real test, and an honest accounting of its blast radius.

This is the story of building that automation: a Logic App that gets triggered by a budget alert and caps daily ingestion on a set of workspaces. It's also the story of the two bugs that almost let it ship broken, because the failure mode for a safety net that silently doesn't work is worse than having no safety net at all. You find out during the next runaway bill, not during testing.

Why Log Analytics Costs Sneak Up on You