In the introduction to this series, we listed the 4 high-level categories of Azure governance, namely resource organization, resource security, auditing, and cost.
In this part, we will focus on Resource Organization.
You can break Resource Organization down into the following sub-categories: Subscriptions, Management Groups, Resource Groups, and Tags. Let’s explore each of these.
Subscriptions
Put simply, an Azure Subscription is a container to hold your resources. This is very similar to Resource Groups (which we will touch on in a minute).
However, an Azure Subscription is subject to limits and quotas on the resources it can contain, both in overall quantity and per resource type (many of the quotas are also per region).
For example, at the time of writing this article, a single Azure Subscription has a limit of 10,000 vCPUs, 200 storage accounts (per region), and 100 virtual networks, to list a few. Some of these may seem extremely high, but if you are in a large enterprise with global operations, you realistically could reach them; several can be raised through a support request, but none are unlimited. For the current figures, check out the latest Azure subscription and service limits, quotas, and constraints.
In fact, I recently worked with a large global organization that had a single Azure subscription dedicated to a specific business operation due to the global scale of resources required!
So what’s the point? You should examine not only your immediate needs but also your projected future needs in order to organize your Azure subscriptions properly.
For example, your organization could have one Azure subscription for all Production workloads and another for Non-Production. A subscription is also a billing boundary and a scope for RBAC role assignments, so splitting Production from Non-Production keeps their costs and their access grants separate by default.
For more information, check out this high-level article on What is an Azure subscription?
Another great reference is the Azure enterprise scaffold – prescriptive subscription governance, which includes some good pattern examples, along with some best practices around naming conventions.
Management Groups
New on the scene, and tied closely to Subscriptions, is the concept of Management Groups.
Management Groups are an abstraction layer above the Subscription layer. Taking the concept of a Subscription being a container for your resources, a Management Group is a container for your Subscriptions (and for other Management Groups, so you can build a hierarchy; every tenant has a root Management Group that all Subscriptions ultimately roll up to).
Why would you use this? Because every Subscription within a Management Group automatically inherits the Azure Policy assignments and RBAC role assignments applied to the Management Group. This gives you enterprise-level management at scale.
For example, you could have a Policy that restricts which class/SKU of Virtual Machine is allowed to be deployed, or a Policy that restricts which geographies and regions resources can be deployed to. Instead of having to create (and manage) a copy of these policies in every single Subscription, you create the policy once, assign it to a Management Group, and every Subscription under that Management Group, including any moved in later, has it applied. The practical caveat is that this inheritance cannot be undone from below: a Subscription owner cannot delete a policy or role assignment that was made at the Management Group scope. That is exactly the point, but it means the set of people who can write to Management Groups needs to be small and well controlled.
For more information, check out the article Organize your resources with Azure management groups.
Resource Groups
Just as an Azure Subscription is a container for resources, a Resource Group is a container for resources one level down: every resource lives in exactly one Resource Group, and a Resource Group lives in exactly one Subscription.
Simply put, Resource Groups are used to group resources together from a management perspective. The Resource Group has a location of its own, which is where the metadata about its resources is stored; the resources inside it can be in other regions.
You can group resources together that have the same life-cycle, like all of the resources/components that make up a specific application; or, you can group resources together that have the same use/function, like all of the networking components within your Azure subscription. It’s up to you how you use Resource Groups.
The current industry best practice, though, is to group resources together that share a life-cycle (i.e. all of the resources that make up a specific application). One reason is that deleting a Resource Group deletes everything in it, which is convenient when the group is one application and dangerous when it is a grab-bag of unrelated resources.
Resource Groups tie in very closely with other concepts that will be covered later in this series, namely Role-Based Access Control (RBAC) and resource locks, because a Resource Group is the most common scope at which role assignments and locks are applied.
For some high-level information, check out the article What is an Azure Resource Group?
Tags
The last sub-category within Resource Organization is Tags.
Tagging gives us the ability to attach additional metadata, in the form of name/value pairs, to our resources, and with it to categorize them in ways the Subscription and Resource Group hierarchy alone cannot express. Two things to know up front: tag names are case-insensitive while tag values are case-sensitive, and tags are not inherited, so tagging a Resource Group does not tag the resources inside it.
A great example of this is using Tags to identify which environment a resource belongs to (e.g. Production, Non-Production), which department is using or owns the resource (e.g. IT, Finance, Human Resources), or which Cost Center the utilization charges should be billed against.
All of this is important, as it lets you break down showback/chargeback at a more granular level: per environment, department, cost center, project, and so on.
This is also one of the more difficult things to implement well, especially in an existing “brownfield” environment where resources were created before any tagging standard existed and untagged resources end up in an unallocated cost bucket. We do have something that can help, called Azure Policy, which can deny deployments that lack required tags or append a default tag value; it will be covered in the next portion of this series under the Resource Security category.
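As an added example that is not part of the original article, the following Python script audits an exported resource inventory against a required-tag standard, which is the check you would run in a brownfield environment before assigning a policy. It assumes the JSON shape emitted by `az resource list -o json` (id, name, type, resourceGroup, location, tags); the tag names, allowed values and the sample inventory are constructed for this example and are assumptions, not an Azure convention.

```python
"""Offline audit of an Azure resource inventory against a required-tag standard.

Added example (not the article's code): reads the JSON that
`az resource list -o json` emits and reports what a tag policy would later
enforce. The tag standard and the inventory below are constructed for this
example.
"""
import json
from collections import Counter, defaultdict

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Assumed tagging standard (hypothetical): a set means only those values are
# accepted, None means any non-empty value is accepted.
REQUIRED_TAGS = {
    "Environment": {"Production", "Non-Production"},
    "Department": None,
    "CostCenter": None,
}


def _rid(rg, provider, name):
    """Build a resource id in the shape Azure Resource Manager uses."""
    return f"{SUB}/resourceGroups/{rg}/providers/{provider}/{name}"


# Constructed sample inventory in the `az resource list` output shape.
SAMPLE_INVENTORY = json.dumps([
    {"id": _rid("rg-app1-prod", "Microsoft.Compute/virtualMachines", "vm-app1-01"),
     "name": "vm-app1-01", "type": "Microsoft.Compute/virtualMachines",
     "resourceGroup": "rg-app1-prod", "location": "eastus",
     "tags": {"Environment": "Production", "Department": "Finance", "CostCenter": "CC-1001"}},
    {"id": _rid("rg-app1-prod", "Microsoft.Storage/storageAccounts", "stapp1logs"),
     "name": "stapp1logs", "type": "Microsoft.Storage/storageAccounts",
     "resourceGroup": "rg-app1-prod", "location": "eastus",
     # Lower-case key is fine (Azure tag names are case-insensitive), but
     # "Prod" is not an allowed value and CostCenter is absent.
     "tags": {"environment": "Prod", "Department": "Finance"}},
    {"id": _rid("rg-network", "Microsoft.Network/virtualNetworks", "vnet-hub"),
     "name": "vnet-hub", "type": "Microsoft.Network/virtualNetworks",
     "resourceGroup": "rg-network", "location": "eastus",
     "tags": None},  # brownfield resource never tagged; az emits null, not {}
    {"id": _rid("rg-app2-dev", "Microsoft.Compute/virtualMachines", "vm-app2-dev"),
     "name": "vm-app2-dev", "type": "Microsoft.Compute/virtualMachines",
     "resourceGroup": "rg-app2-dev", "location": "westus",
     "tags": {"Environment": "Non-Production", "Department": "IT", "CostCenter": "CC-2002"}},
])


def _normalised_tags(resource):
    """Lower-case the tag keys: Azure treats tag names case-insensitively, values not."""
    return {k.lower(): v for k, v in (resource.get("tags") or {}).items()}


def audit_tags(inventory_json, required=REQUIRED_TAGS):
    """Return a list of {id, resourceGroup, problems} for every non-compliant resource."""
    findings = []
    for res in json.loads(inventory_json):
        tags = _normalised_tags(res)
        problems = []
        for tag, allowed in required.items():
            value = tags.get(tag.lower())
            if not value:
                problems.append(f"missing {tag}")
            elif allowed is not None and value not in allowed:
                problems.append(f"{tag}={value!r} not in {sorted(allowed)}")
        if problems:
            findings.append({"id": res["id"], "resourceGroup": res["resourceGroup"],
                             "problems": problems})
    return findings


def remediation_by_resource_group(findings):
    """Bucket findings per Resource Group, which is usually the owner boundary."""
    buckets = defaultdict(list)
    for f in findings:
        buckets[f["resourceGroup"]].append((f["id"].rsplit("/", 1)[-1], f["problems"]))
    return dict(buckets)


def showback_by_cost_center(inventory_json):
    """Count resources per CostCenter; untagged ones land in UNALLOCATED.

    The inventory carries no cost figures, so this counts resources. With a
    cost export joined on resource id you would sum cost the same way.
    """
    counts = Counter()
    for res in json.loads(inventory_json):
        counts[_normalised_tags(res).get("costcenter") or "UNALLOCATED"] += 1
    return dict(counts)


if __name__ == "__main__":
    findings = audit_tags(SAMPLE_INVENTORY)
    for rg, items in remediation_by_resource_group(findings).items():
        print(rg)
        for name, problems in items:
            print(f"  {name}: {'; '.join(problems)}")
    print(showback_by_cost_center(SAMPLE_INVENTORY))
```

Against a real environment, export with `az resource list -o json > inventory.json` and pass the file contents to `audit_tags`; the per-Resource-Group buckets are what you hand to each owner to fix, and the UNALLOCATED count is the size of your chargeback gap before any policy is assigned.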
For additional information, check out the article Use tags to organize your Azure resources, and Azure Subscription Governance – Controlling resources with Tags, Policies, and Locks.
Now that we’ve covered Resource Organization, let’s move onto the next high-level category, Resource Security.