When you start working on Azure, you need to first create an account and an Azure Subscription to host your services. Azure Subscriptions are a unit of management, billing, and scale within Azure, and they play a critical role when designing for large-scale Azure adoption.
As a startup or a beginner to Azure, you might be wondering how to create and manage your Azure subscriptions effectively. How many subscriptions do you need? How do you organize them? How do you apply policies and security controls to them? How do you monitor and optimize their costs?
In this blog post, we will cover some of the best practices and recommendations for designing and managing your Azure subscriptions, based on the Microsoft Cloud Adoption Framework for Azure and on experience from the field.
Analyzing Workloads and Clients
The first step in planning your Azure subscriptions is to analyze your workloads and clients (end users). What types of applications and services do you want to run on Azure? What are their requirements and expectations?
Depending on your answers, you might need different subscriptions for different purposes, such as:
- Environment type: You might want to separate your development, test, and production environments into different subscriptions, to avoid accidental changes or interference between them.
- Ownership and governance model: You might want to assign different subscriptions to different teams, departments, or business units, to give them more autonomy and accountability over their resources.
- Organizational structure: You might want to align your subscriptions with your organizational hierarchy, to reflect your reporting lines and decision-making processes.
- Application portfolios: You might want to group your applications by their functionality, architecture, or lifecycle, to facilitate their management and optimization.
Azure Management Groups and their structure
Once you have identified your workloads, you can use Azure Management Groups to organize and manage your subscriptions. Azure Management Groups are containers that can hold one or more subscriptions. You can create a hierarchy of management groups in your Azure Active Directory (Azure AD) tenant, up to six levels deep (this limit doesn't include the root or subscription level), to match your needs.
The top level of the hierarchy is called the root management group. All new subscriptions are initially placed in the root management group, but you can move them to other child management groups later. A subscription can only belong to one management group at a time.
Azure Management Groups provide a way to efficiently manage resource access, Azure policies, and compliance across an enterprise through a hierarchy made up of management groups and subscriptions. This way, you can enforce consistent governance and security across your subscriptions and resources.
The advantage of using Azure Management Groups is that they provide flexibility for your subscription design. You can create multiple management groups for different purposes, such as:
- Billing: You can use management groups to mirror your billing hierarchy, so that you can easily track and allocate your costs across your organization.
- Scale: You can use management groups to divide your workloads into smaller units, so that you can avoid hitting the subscription resource limits or quotas.
- Isolation: You can use management groups to separate your workloads by their security or compliance needs, such as PCI or HIPAA.
- Democratization: You can use management groups to delegate management responsibilities to different teams or individuals, according to their business needs and priorities.
Governance with Azure Policies and Blueprints
Once you have created your initial subscriptions, you can apply governance and security controls to them using Azure Policies and Blueprints.
Azure Policies are rules that define what actions are allowed or denied for your resources. For example, you can use policies to:
- Restrict the Azure regions where resources can be deployed
- Enforce naming conventions or tagging standards for resources
- Audit the compliance status of resources
- Remediate non-compliant resources automatically or manually
Azure Blueprints (in preview at the time of writing) are templates that define a set of resources and policies that can be deployed together, so that all your subscriptions can have a standard baseline of minimum required resources. If you don't use blueprints, you need to create the required resources each time a new Azure subscription is created.
For example, you can use blueprints to:
- Create a consistent environment for your applications
- Simplify the deployment process and reduce errors
- Ensure compliance with regulatory or organizational requirements
- Track changes and versions of your blueprints
You can apply policies and blueprints at any level of the management group hierarchy, and they are inherited by all the lower levels. You can also assign policies and blueprints to individual subscriptions or resource groups if needed.
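As an added example (not code from the original post), the Bicep template below defines a custom "allowed locations" policy and assigns it at management group scope, so every subscription under that group inherits the deny rule; the definition name, assignment name and region list are assumed values.

```bicep
// Added example, not from the original post: a custom "allowed locations"
// policy defined and assigned at management group scope, so every
// subscription beneath that group inherits it. Names and regions are assumed.
// Deploy: az deployment mg create --management-group-id <mg-id> \
//           --location <region> --template-file allowed-locations.bicep
targetScope = 'managementGroup'

@description('Regions where resources may be created (assumed values).')
param allowedLocations array = ['westeurope', 'northeurope']

resource allowedLocationsDef 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'allowed-locations'
  properties: {
    policyType: 'Custom'
    mode: 'Indexed' // evaluate only resource types that support location and tags
    displayName: 'Allowed locations'
    parameters: {
      listOfAllowedLocations: {
        type: 'Array'
        metadata: { displayName: 'Allowed locations', strongType: 'location' }
      }
    }
    policyRule: {
      if: {
        allOf: [
          { field: 'location', notIn: '[parameters(\'listOfAllowedLocations\')]' }
          { field: 'location', notEquals: 'global' } // region-less (global) services are exempt
        ]
      }
      then: { effect: 'deny' }
    }
  }
}

// Assign the definition at this management group; child subscriptions inherit it.
resource allowedLocationsAssign 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-other-locations'
  properties: {
    displayName: 'Deny resources outside the allowed regions'
    policyDefinitionId: allowedLocationsDef.id
    parameters: {
      listOfAllowedLocations: { value: allowedLocations }
    }
  }
}
```

Because the effect is deny, a deployment of a regional resource to any other location fails at request time rather than merely being flagged in the compliance report.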
Azure Landing Zone
An Azure landing zone is a set of best practices and guidelines for creating a scalable and secure foundation for your Azure workloads. It is a concept that provides a foundation for building a well-architected and standardized environment in Azure. It serves as a baseline for deploying and managing workloads securely, efficiently, and consistently.
An Azure landing zone can help you:
- Accelerate your cloud adoption by providing a proven methodology and best practices
- Reduce risks and costs by ensuring compliance and security across your cloud resources
- Increase agility and innovation by enabling faster deployment and iteration of your cloud solutions
An Azure landing zone consists of platform landing zones and application landing zones.
Platform landing zone: A platform landing zone is a subscription that provides shared services (identity, connectivity, management) to applications in application landing zones. Consolidating these shared services often improves operational efficiency.
Application landing zone: An application landing zone is a subscription for hosting an application. You pre-provision application landing zones through code, and use management groups to assign policy controls to them.
To avoid being overwhelmed at the start and to keep things simple, it's important to start with a lightweight and scalable landing zone design. Begin with a basic set of well-defined Blueprints and Azure policies that address common requirements. Gradually introduce additional components and features as your organization's needs evolve.
Embracing Azure Best Practices
When designing and managing your Azure subscriptions, it is essential to follow some of the best practices recommended by Microsoft and experts in the field.
Here are some of them:
- Create separate platform subscriptions for management (monitoring), connectivity (networking), and identity (Active Directory) when they are required. This way, you can isolate these foundational services from your other workloads and ensure their availability and performance. This is where the platform landing zone helps.
- Establish a dedicated management subscription in your platform management group to support global management capabilities like Azure Monitor Log Analytics workspaces and Azure Automation runbooks.
- Establish a dedicated identity subscription in your platform management group to host Windows Server Active Directory domain controllers when required.
- Establish a dedicated connectivity subscription in your platform management group to host an Azure Virtual WAN hub, private Domain Name System (DNS) and other networking resources. A dedicated subscription ensures that all your foundation network resources are billed together and isolated from other workloads.
- Use subscriptions as a scale unit, so component workloads can scale within platform subscription limits. Make sure you consider subscription resource limits as you design your workloads.
- Use subscriptions as a management boundary for governance and isolation that clearly separates concerns. Different environments, such as development, test, and production, are often kept apart from one another from a management perspective.
- While creating virtual networks, make sure that the CIDR ranges don't overlap with each other, so that future peering remains possible. You cannot peer virtual networks with overlapping CIDR ranges.
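The management group hierarchy described earlier and the dedicated platform subscriptions listed above, as an added Bicep example that is not part of the original post: an organisation root, a Platform group holding the management, identity and connectivity subscriptions, and a Landing Zones group for application subscriptions. The prefix, display names and subscription IDs are placeholders.

```bicep
// Added example, not from the original post: a management group hierarchy
// with an organisation root, a Platform group holding the management,
// identity and connectivity subscriptions, and a Landing Zones group for
// application subscriptions. Prefix and subscription IDs are placeholders.
// Deploy: az deployment tenant create --location <region> --template-file mg.bicep
targetScope = 'tenant'

@description('Prefix for management group names (placeholder).')
param prefix string = 'contoso'

@description('Placeholder subscription IDs for the three platform subscriptions.')
param platformSubscriptionIds array = [
  '00000000-0000-0000-0000-000000000001' // management (monitoring)
  '00000000-0000-0000-0000-000000000002' // identity (domain controllers)
  '00000000-0000-0000-0000-000000000003' // connectivity (networking)
]

// Intermediate root under the tenant root group, so that policies assigned
// here never reach subscriptions that are not part of the landing zone.
resource orgRoot 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: prefix
  properties: { displayName: 'Contoso' }
}

// Platform: shared services consumed by every application landing zone.
resource platform 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: '${prefix}-platform'
  properties: {
    displayName: 'Platform'
    details: { parent: { id: orgRoot.id } }
  }
}

// Landing zones: application subscriptions, governed separately from platform.
resource landingZones 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: '${prefix}-landingzones'
  properties: {
    displayName: 'Landing Zones'
    details: { parent: { id: orgRoot.id } }
  }
}

// Place the platform subscriptions under Platform. A subscription belongs to
// exactly one management group, so this also moves it out of the tenant root.
resource platformSubs 'Microsoft.Management/managementGroups/subscriptions@2021-04-01' = [for subId in platformSubscriptionIds: {
  parent: platform
  name: subId
}]
```

A tenant-scope deployment needs the deploying identity to hold a role assignment at the root scope; placing application subscriptions under the Landing Zones group is then the same subscriptions resource with a different parent.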
In conclusion, mastering Azure subscription management is crucial for startups or beginners embarking on their Azure journey. By following best practices and recommendations, such as analyzing workloads, leveraging Azure Management Groups, implementing governance with Azure Policies and Blueprints, and embracing Azure landing zones, you can establish a solid foundation for success in the Azure environment. Start with a lightweight and scalable approach, gradually introducing additional components and features as your organization's needs evolve. With effective Azure subscription management, you can achieve scalability, security, cost optimization, and streamlined operations, enabling you to leverage the full potential of Azure for your business growth and innovation.