0 Votes
EnterpriseArchitect asked DCtheGeek commented

Azure subscription governance & best practice architecture pattern?

People,

I'd like to know what's the best practice and the recommended Azure architecture for Azure Governance & structuring?

At the moment, I'm working in a company where the existing tenant (the parent company) has three subscriptions, like:

 PROD-Subscription
  - rg_Product1 [Product1Owners & Product1Contributor]
  - rg_Product2 [Product2Owners & Product2Contributor]
  - rg_Product3 [Product3Owners & Product3Contributor]
 ...
 TEST-Subscription
  - rg_Test-Product1 [Test-Product1Owners & Product1Contributor]
  - rg_Test-Product2 [Test-Product2Owners & Product2Contributor]
  - rg_Test-Product3 [Test-Product3Owners & Product3Contributor]
 ...
 DEV-Subscription
  - rg_Dev-Product1 [Dev-Product1Owners & Product1Contributor]
  - rg_Dev-Product2 [Dev-Product2Owners & Product2Contributor]
  - rg_Dev-Product3 [Dev-Product3Owners & Product3Contributor]
 ...

I wonder whether the above structure is correct and in line with best practice, or whether there is any other deployment or architecture pattern?

This is because the new Enterprise Architect person wanted to create a new Azure subscription for each development team instead of following the existing pattern above.

What are the limitations or disadvantages of having many Azure subscriptions that we create and then delete or remove after each product team has completed its project or been dismissed?

Thank you in advance.

azure-blueprints

1 Vote
DCtheGeek answered

This is a complex question and can't really be answered by a "Yes, that's correct" or a "No, do it this way instead" response. The "right way" to design the hierarchy structure is dependent on a lot of business decisions and needs that aren't shared in the post (and likely shouldn't be publicly). There are a few things I can recommend, though:

  • First, read about what a management group is. It'll help you group subscriptions logically in ways that you can apply Azure Policy definitions, tags, and do cost management in ways that make sense to your business through inheritance and rollup.

  • Then, check out the Cloud Adoption Framework and specifically this page: Management group and subscription organization. This will help you identify and ask the right questions to land on the right design with both management groups and subscriptions. To take this a step further, use the Microsoft Assessments tool to analyze where you are today on this journey.

  • Lastly, check out Azure Resource Graph to help you quickly inventory your resources across all of the management groups and subscriptions within your tenant.

/David




0 Votes
EnterpriseArchitect answered DCtheGeek commented

Hi David,

Thank you for the guides.

I assume the resources cannot be shared when deployed across two different Azure Subscriptions?


I'm not sure what you mean by shared in this context. A resource can only exist in a single subscription. RBAC and service principals make it possible for a resource in one subscription to "use" a resource in another subscription. Can you clarify what you are asking?
