Azure subscription governance & best practice architecture pattern?

EnterpriseArchitect 4,621 Reputation points
2020-06-29T13:31:14.57+00:00

People,

I'd like to know what the best practice and the recommended Azure architecture are for Azure governance & structuring.

At the moment, I'm working in a company where the existing tenant (the parent company) has three subscriptions, like:

PROD-Subscription
 - rg_Product1 [Product1Owners & Product1Contributor]
 - rg_Product2 [Product2Owners & Product2Contributor]
 - rg_Product3 [Product3Owners & Product3Contributor]
...
TEST-Subscription
 - rg_Test-Product1 [Test-Product1Owners & Product1Contributor]
 - rg_Test-Product2 [Test-Product2Owners & Product2Contributor]
 - rg_Test-Product3 [Test-Product3Owners & Product3Contributor]
...
DEV-Subscription
 - rg_Dev-Product1 [Dev-Product1Owners & Product1Contributor]
 - rg_Dev-Product2 [Dev-Product2Owners & Product2Contributor]
 - rg_Dev-Product3 [Dev-Product3Owners & Product3Contributor]
...

I wonder if the above structure is correct or in line with best practice, or whether there is any other deployment or architecture pattern?

Because the new Enterprise Architect person wanted to create a new Azure subscription for each development team instead of following the above, existing pattern.

What are the limitations or disadvantages when we have many Azure subscriptions that we create and then delete or remove after each product team has completed its project or been dismissed?

Thank you in advance.

Azure Blueprints
An Azure service that provides templates for quick, repeatable creation of fully governed cloud subscriptions.

2 answers

  1. DCtheGeek-MSFT 451 Reputation points Microsoft Employee
    2020-06-29T13:57:20.57+00:00

    This is a complex question and can't really be answered by a "Yes, that's correct" or a "No, do it this way instead" response. The "right way" to design the hierarchy structure is dependent on a lot of business decisions and needs that aren't shared in the post (and likely shouldn't be publicly). There are a few things I can recommend, though:

    • First, read about what a management group is. It'll help you group subscriptions logically in ways that you can apply Azure Policy definitions, tags, and do cost management in ways that make sense to your business through inheritance and rollup.
    • Then, check out the Cloud Adoption Framework and specifically this page: Management group and subscription organization. This will help you identify and ask the right questions to land on the right design with both management groups and subscriptions. To take this a step further, use the Microsoft Assessments tool to analyze where you are today on this journey.
    • Lastly, check out Azure Resource Graph to help you quickly inventory your resources across all of the management groups and subscriptions within your tenant.

    /David

    1 person found this answer helpful.

  2. EnterpriseArchitect 4,621 Reputation points
    2020-07-08T11:31:38.553+00:00

    Hi David,

    Thank you for the guides.

    I assume the resources cannot be shared when deployed across two different Azure Subscriptions?