2 IT Departments split in Azure


Good Day All,

 

I do hope someone here can point me in the correct direction in finding an answer. I am a noob on the Azure platform, so please go easy hahaha.

I work for a large corporation; within this organization we have 2 IT departments.

 

  1. IT Department 1:
     Services internal organizational IT needs only. Purely on-prem solutions, hosted on physical servers, using Hyper-V as the only hypervisor. All solutions hosted by this department are accessed by internal staff ONLY.
  2. IT Department 2 (which I am part of):
     This department is tasked with cloud-based solutions, predominantly making use of IaaS, which is hosted on a non-popular cloud vendor platform.

     Let's break it down to properly understand this:
     Services internal departments' solutions which are sold to external clients (so in layman's terms, our internal departments develop some super application, they sell it to external clients, and IT Department 2 is now responsible for hosting this solution).

     The reason for this is the need for external client access: we have to segregate internal and external access.

     Dilemma:
     IT Department 2 now needs to move all the servers from the "non-popular" cloud to Azure, which is easy enough. The problem is that IT Department 1 will at some stage start moving workloads to Azure as well. BUT we need to ensure that IT Department 2, which is the main Azure account holder, has the highest control of the Azure portal, and that when IT Department 1 comes on board at some stage, there is limited access and IT Department 1 will not be able to see what IT Department 2 has and does in Azure.

     We are 2 completely different departments.

So I have done my research and I understand that this can be split using 2 different subscriptions and things like RBAC. But how, and what would be the best way to do this?

 

Please advise if possible

8 Replies

You are on the right track! This can be accomplished technically within one subscription using Role-Based Access Control. One item to consider is that if you want a detailed breakdown of billing, you may want to split resources across two subscriptions. If you don't, you will have to tag resources to disseminate costs. RBAC is the preferred and best method to accomplish this. @Chavoos

@Bryan Haslip

Thanks Bryan,

 

That being said, we would prefer to separate the billing for external and internal, BUT at the same time use tagging, for example:

For both subscriptions:

Multiple resource groups, as each client will need its own resource group, and under each resource group tags will need to be associated with certain resources.

However, the 2 departments should not be able to see each other's billing. (I'm of the assumption that this too will be done using RBAC.)

 

I hope this makes sense?
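The per-client resource group and tagging layout described above, written out as an added Azure PowerShell example (not code from this thread). It assumes the Az.Accounts and Az.Resources modules, an active sign-in, a placeholder subscription id for Dept 2's external subscription, and constructed client names and cost centres; the final function is the check that matters for cost split, since any resource without the agreed tags is unattributable in cost reports.

```powershell
# Added example, not code from the thread. Assumes Az.Accounts and Az.Resources,
# an active Connect-AzAccount session, a placeholder subscription id, and
# constructed client/cost-centre sample data.
$externalSubId = '00000000-0000-0000-0000-000000000000'   # placeholder: Dept 2 subscription
$location      = 'westeurope'                             # assumption
$requiredTags  = @('Department', 'Client', 'CostCenter', 'Exposure')

Set-AzContext -SubscriptionId $externalSubId | Out-Null

# One resource group per external client, tagged so Cost Management can group
# spend by Client or CostCenter inside this subscription.
$clients = @(
    @{ Name = 'clienta'; CostCenter = 'CC-1001' }   # constructed sample data
    @{ Name = 'clientb'; CostCenter = 'CC-1002' }
)

foreach ($c in $clients) {
    $rgName = "rg-ext-$($c.Name)-prod"
    $tags = @{
        Department = 'IT-Dept-2'
        Client     = $c.Name
        CostCenter = $c.CostCenter
        Exposure   = 'external'
    }
    if (-not (Get-AzResourceGroup -Name $rgName -ErrorAction SilentlyContinue)) {
        New-AzResourceGroup -Name $rgName -Location $location -Tag $tags | Out-Null
        Write-Host "Created $rgName"
    }
}

# Audit: every resource in the current subscription that lacks one or more of
# the required tags. Run this regularly; resource group tags are NOT inherited
# by the resources inside them, so untagged resources appear here.
function Get-UntaggedResource {
    param([string[]]$Required)
    Get-AzResource | ForEach-Object {
        $res = $_
        $present = @()
        if ($res.Tags) { $present = @($res.Tags.Keys) }
        $missing = @($Required | Where-Object { $_ -notin $present })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{
                ResourceId  = $res.ResourceId
                MissingTags = ($missing -join ',')
            }
        }
    }
}

Get-UntaggedResource -Required $requiredTags | Format-Table -AutoSize
```

The audit is the piece to keep after the initial setup: tags on a resource group are only metadata on that group, so each deployment still has to tag the resources themselves, and this list shows where that was missed before the monthly cost report does.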


 

@Chavoos

 

That makes perfect sense! Hopefully I did not convey that it was one or the other with the split subscription and tagging. You can certainly use both and I would suggest it.

 

As for limiting the view into the billing information, you can certainly do this by using some of the predefined roles within Azure RBAC. The other option is to create your own role with very specific privileges tailored to your exact need. The same rules apply in that these are inherited by any nested resources. An example would be that if they have that role on a resource group, it is automatically inherited by the resources contained within. One of the awesome features of RBAC is that it can be applied to individual resources. One other suggestion is to create groups and assign the roles to those. This will help keep track of permissions as things grow!

 

Hopefully you find this helpful!

The best means for permissions in Azure is RBAC with the roles already defined; however, you may have to customize these permissions, for which I advise:

Custom roles for Azure resources
https://docs.microsoft.com/bs-cyrl-ba/azure/role-based-access-control/custom-roles

Tutorial: Create a custom role for Azure resources using Azure PowerShell
https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell
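The advice in the two replies above (roles assigned to groups, inheritance from the assignment scope downwards, and a custom role where the built-in ones are too broad) as one added Azure PowerShell example. It is not code from this thread or from the linked Microsoft tutorials, although it follows the same clone-and-modify pattern the PowerShell tutorial uses. It assumes Az.Accounts and Az.Resources, a sign-in holding Owner or User Access Administrator on both subscriptions, and placeholder subscription ids and group names. Because each department sits in its own subscription, the subscription-scoped assignment alone already hides the other department's resources and cost; the custom role goes one step further and removes cost and billing reads for the operators of this subscription, so that only a separate finance or owner group sees spend.

```powershell
# Added example, not code from the thread or the linked tutorials.
# Assumes Az.Accounts and Az.Resources, a sign-in with Owner or
# User Access Administrator on both subscriptions, and placeholders below.
$internalSubId = '11111111-1111-1111-1111-111111111111'   # placeholder: Dept 1 subscription
$externalSubId = '22222222-2222-2222-2222-222222222222'   # placeholder: Dept 2 subscription

# 1. Roles are assigned to security groups, never to individual users.
function Get-OrCreateGroup {
    param([string]$DisplayName, [string]$MailNickname)
    $g = Get-AzADGroup -DisplayName $DisplayName
    if (-not $g) {
        $g = New-AzADGroup -DisplayName $DisplayName -MailNickname $MailNickname
    }
    return $g
}
$dept1Ops = Get-OrCreateGroup -DisplayName 'sg-azure-dept1-operators' -MailNickname 'sgazuredept1ops'  # constructed name
$dept2Ops = Get-OrCreateGroup -DisplayName 'sg-azure-dept2-operators' -MailNickname 'sgazuredept2ops'  # constructed name

# 2. Custom role: clone built-in Contributor, then deny cost and billing reads on
#    top of the role-assignment rights Contributor already excludes, and restrict
#    where the role may be assigned to Dept 2's subscription only.
$role = Get-AzRoleDefinition -Name 'Contributor'
$role.Id          = $null
$role.Name        = 'Dept2 Workload Operator'   # constructed role name
$role.Description = 'Contributor without role-assignment, cost or billing visibility'
$role.IsCustom    = $true
$role.NotActions.Add('Microsoft.Consumption/*')      # usage and cost details
$role.NotActions.Add('Microsoft.CostManagement/*')   # cost analysis, budgets
$role.NotActions.Add('Microsoft.Billing/*')          # invoices, billing account
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$externalSubId")
if (-not (Get-AzRoleDefinition -Name $role.Name)) {
    New-AzRoleDefinition -Role $role | Out-Null
}

# 3. Assign at subscription scope. RBAC inherits downwards to every resource
#    group and resource in that subscription and grants nothing outside it.
New-AzRoleAssignment -ObjectId $dept2Ops.Id -RoleDefinitionName $role.Name  -Scope "/subscriptions/$externalSubId" | Out-Null
New-AzRoleAssignment -ObjectId $dept1Ops.Id -RoleDefinitionName 'Contributor' -Scope "/subscriptions/$internalSubId" | Out-Null

# 4. Check: the Dept 2 group must hold no assignment at all (direct or inherited)
#    in Dept 1's subscription. Returns $true when the separation holds.
function Test-NoCrossAssignment {
    param([string]$SubscriptionId, [string]$GroupObjectId)
    $leaks = @(Get-AzRoleAssignment -Scope "/subscriptions/$SubscriptionId" |
               Where-Object { $_.ObjectId -eq $GroupObjectId })
    return ($leaks.Count -eq 0)
}
Test-NoCrossAssignment -SubscriptionId $internalSubId -GroupObjectId $dept2Ops.Id
```

Whoever needs the cost view for one subscription then gets the built-in Cost Management Reader role on that subscription only; the check in step 4 is worth re-running whenever a management group or a shared admin group is introduced later, because assignments made above the subscription are inherited into it.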

Thank you all for the advice, we are currently busy looking at the options as well as the best practices and will try to incorporate this.

 

It seems that the RBAC way is where we will do the split, as this is how our "mothership" does it on that side.

Thank you all once again.

@Chavoos 

 

Hi, sounds like a scenario I have heard about a few times.

To go ahead with 2 subscriptions for the cost separation sounds like a good way, and pairing this with tagging of resources to maybe split those costs more visually afterwards is a common and well-known way.

While using two subscriptions you can use Azure Management Groups for the global management of those subscriptions, when it is wanted. A management layer above pure RBAC, if you want.

 

https://docs.microsoft.com/en-us/azure/governance/management-groups/index

 

I don't know how your Azure resources will be managed; maybe Dept. 1 will manage only their stuff and Dept. 2 only their stuff, but maybe there will be admins working in both subscriptions as they are responsible for network or monitoring. Then for those admins, management groups might be more useful instead of giving them RBAC rights on each single resource.

Especially the network should always be well documented and communicated between those two depts, as they otherwise might run into big problems. Also with the linking of on-premise components.

Hope I have been a bit helpful.

 

Kind Regards, Peter
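The management group layer Peter describes, as an added Azure PowerShell example (not code from this thread or from the linked Microsoft page). It assumes Az.Accounts and Az.Resources, rights to create management groups under the tenant root, placeholder subscription ids, and an already existing security group for the shared network and monitoring admins. The point it shows is the one in the reply above: a single assignment at the corporate root reaches both subscriptions, while anything assigned at a department's own group stays inside that department.

```powershell
# Added example, not code from the thread. Assumes Az.Accounts and Az.Resources,
# rights to create management groups, placeholder subscription ids and a
# pre-existing shared-admin security group (constructed name).
$internalSubId = '11111111-1111-1111-1111-111111111111'   # placeholder: Dept 1 subscription
$externalSubId = '22222222-2222-2222-2222-222222222222'   # placeholder: Dept 2 subscription
$mgPrefix      = '/providers/Microsoft.Management/managementGroups/'

function New-MgIfMissing {
    param([string]$Name, [string]$DisplayName, [string]$ParentName)
    $existing = Get-AzManagementGroup -GroupName $Name -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    if ($ParentName) {
        New-AzManagementGroup -GroupName $Name -DisplayName $DisplayName -ParentId "$mgPrefix$ParentName"
    } else {
        New-AzManagementGroup -GroupName $Name -DisplayName $DisplayName
    }
}

# Hierarchy: one corporate root, one child per department. Rights granted at
# the root apply to both subscriptions; rights granted at a child do not
# cross into the other department.
New-MgIfMissing -Name 'mg-corp'     -DisplayName 'Corporate root'      | Out-Null
New-MgIfMissing -Name 'mg-internal' -DisplayName 'IT Dept 1 internal' -ParentName 'mg-corp' | Out-Null
New-MgIfMissing -Name 'mg-external' -DisplayName 'IT Dept 2 external' -ParentName 'mg-corp' | Out-Null

New-AzManagementGroupSubscription -GroupName 'mg-internal' -SubscriptionId $internalSubId
New-AzManagementGroupSubscription -GroupName 'mg-external' -SubscriptionId $externalSubId

# Shared network/monitoring admins: one assignment at the root with narrow
# built-in roles, instead of per-resource rights in each subscription.
$sharedAdmins = Get-AzADGroup -DisplayName 'sg-azure-network-admins'   # assumed to exist
New-AzRoleAssignment -ObjectId $sharedAdmins.Id -RoleDefinitionName 'Network Contributor' -Scope "${mgPrefix}mg-corp" | Out-Null
New-AzRoleAssignment -ObjectId $sharedAdmins.Id -RoleDefinitionName 'Monitoring Reader'   -Scope "${mgPrefix}mg-corp" | Out-Null

# Check: which assignments a subscription inherits from management groups.
# This is where cross-department rights come from, so review it per department.
function Get-InheritedAssignment {
    param([string]$SubscriptionId)
    Get-AzRoleAssignment -Scope "/subscriptions/$SubscriptionId" |
        Where-Object { $_.Scope -like "$mgPrefix*" } |
        Select-Object DisplayName, RoleDefinitionName, Scope
}
Get-InheritedAssignment -SubscriptionId $internalSubId | Format-Table -AutoSize
```

Keep the root assignments to built-in roles with a narrow purpose (Network Contributor, Monitoring Reader); Owner or Contributor at the root would give the shared team full access to both departments and defeat the split the subscriptions were created for.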

"I don't know how your Azure resources will be managed; maybe Dept. 1 will manage only their stuff and Dept. 2 only their stuff, but maybe there will be admins working in both subscriptions as they are responsible for network or monitoring. Then for those admins, management groups might be more useful instead of giving them RBAC rights on each single resource."

I see each department working on their own stuff, with everything segregated for now. However, the networking part is a bit different, as we will receive a "super-net" which we will need to split between internal and external, so indeed, we will need to design the network layer extremely well.

@Chavoos 

 

Ok, understood.

I strongly recommend that there is a platform, whatever it is (Wiki, Teams channel, ...), where the admins of both subscriptions can communicate and discuss experience, new features and problems, and grab some know-how from each other's team.