Azure Infrastructure Blog

Subscription Vending in Azure: An Implementation Overview

abhilashasr (Microsoft)
Mar 31, 2026

Subscription vending enables the creation of multiple Azure subscriptions using code, treating subscriptions as the foundational unit for workload management.

Subscription vending is a process that enables the creation of multiple Azure subscriptions using code, based on organizational segregation or workload-specific requirements. Rather than relying on resource groups as the primary boundary, this approach treats subscriptions as the fundamental unit for workload management.

 

Diagram 1: Subscription Vending

 

Subscription vending follows the concept of subscription democratization and applies it within the Azure Landing Zone (ALZ) model. With this approach, subscriptions act as the foundational boundary for the organization. This makes it easier to scale environments while also enabling stronger regulation, governance, and security controls.

Subscription democratization is a scalable approach that helps accelerate application migration or new application deployment. It enables teams to work independently and deliver results faster, while still maintaining proper governance and security. Through subscription vending, multiple subscriptions can be deployed based on individual workload requirements.

 

Subscription Vending Implementation Guidance

Subscription vending is achieved through automation and typically involves the following tasks:

  • Collecting subscription request data
  • Initiating platform automation
  • Creating subscriptions using Infrastructure as Code (IaC)

There are multiple ways to implement subscription vending automation to complete these tasks. One example approach is GitFlow.

In this model, subscription request data is captured through a data collection tool and stored in a JSON or YAML parameter file. Once the request is approved, platform automation is triggered using a request pipeline, source control, and a deployment pipeline. IaC modules are then used to create the required subscription.

 

Diagram 2: Example of Subscription Vending GitFlow

Implementation Steps

The following steps describe the implementation flow shown in the diagram:

  • A data collection tool is used to gather subscription request information.
  • Once the subscription request is approved, platform automation is initiated through the request pipeline, source control, and deployment pipeline.

To standardize and regulate the foundational structure across environments, automation is implemented using Infrastructure as Code. This approach also enables new subscriptions to be deployed with minimal effort.

Resources Deployed During Subscription Creation

As a best practice, the following resources are deployed during subscription creation:

  • Management Group: Management groups are created based on the organizational design and structure.
  • Subscription: Subscriptions are created using code according to design requirements. During creation, billing account details are configured to align with the billing scope. A subscription alias is also added at this stage. Once the subscription is created, it is associated with the appropriate management group. Capabilities such as renaming or cancelling subscriptions can also be managed. Cancelling a subscription through Terraform can deactivate it; the subscription can be reenabled within 90 days. After 90 days, the subscription is permanently deleted.

  • Budget: Subscription budgets can be defined based on required thresholds.

  • Resource Provider Registration: Required resource providers are enabled by default, allowing the necessary REST operations for resource deployment.
  • Identity Management: Required role assignments, including custom roles, can be applied at the subscription or scoped level. If prebuilt roles do not meet requirements, custom RBAC roles can be created and assigned at the subscription level.
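
As an added example (not from the original post or from AVM), this is a validation step the request pipeline could run on the JSON parameter file before the deployment pipeline creates the resources listed above. The field names, the management group allow-list, the alias naming pattern and the rule on privileged roles are assumptions made for illustration.

```python
import json
import re

# Hypothetical platform policy; replace with your organization's values.
ALLOWED_MANAGEMENT_GROUPS = {"mg-corp", "mg-online", "mg-sandbox"}
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}
REQUIRED = ("alias", "display_name", "billing_scope", "management_group",
            "budget", "role_assignments")
ALIAS_RE = re.compile(r"^sub-[a-z0-9]+(-[a-z0-9]+)*$")  # assumed naming convention
BILLING_PREFIX = "/providers/Microsoft.Billing/billingAccounts/"


def validate_request(req):
    """Return a list of findings; an empty list means the request may proceed."""
    findings = [f"missing field: {k}" for k in REQUIRED if k not in req]
    if findings:
        return findings  # the checks below need every field present
    if not ALIAS_RE.fullmatch(str(req["alias"])):
        findings.append("alias does not match the naming convention")
    if not str(req["billing_scope"]).startswith(BILLING_PREFIX):
        findings.append("billing_scope is not a billing account resource ID")
    if str(req["management_group"]) not in ALLOWED_MANAGEMENT_GROUPS:
        findings.append(f"management group not allowed: {req['management_group']}")
    budget = req["budget"] if isinstance(req["budget"], dict) else {}
    amount = budget.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
        findings.append("budget.amount must be a positive number")
    if not budget.get("alert_thresholds"):
        findings.append("budget needs at least one alert threshold")
    for ra in req["role_assignments"]:
        # Assumed rule: self-service requests may not grant privileged roles subscription-wide.
        if ra.get("role") in PRIVILEGED_ROLES and ra.get("scope") == "subscription":
            findings.append(f"{ra['role']} at subscription scope needs platform review")
    return findings


# Constructed sample request, as it might sit in the JSON parameter file.
SAMPLE = json.loads("""
{
  "alias": "sub-payments-prod",
  "display_name": "Payments Production",
  "billing_scope": "/providers/Microsoft.Billing/billingAccounts/<account>/enrollmentAccounts/<enrollment>",
  "management_group": "mg-corp",
  "budget": {"amount": 5000, "alert_thresholds": [80, 100]},
  "role_assignments": [{"principal_id": "<object-id>", "role": "Contributor", "scope": "subscription"}]
}
""")

if __name__ == "__main__":
    print(validate_request(SAMPLE) or "request passes validation")
```

Failing the pipeline when the returned list is non-empty keeps a malformed or over-privileged request from reaching the IaC deployment stage.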

 

Additional Notes

A subscription alias in Azure is a resource type used to create a new subscription, typically under an Enterprise Agreement (EA) billing model. An alias enables the creation of new subscriptions but cannot be used to update existing ones.

Azure provides Azure Verified Modules (AVM) for all the resources mentioned above. These modules help standardize implementation and follow best practices. The reference implementation is available through the AVM pattern for subscription vending.

Updated Mar 30, 2026
Version 1.0