Before you start using Azure, you need to design how your workloads will run. The key choice is whether to give each workload or client its own Azure subscription, or to use 1 Azure tenant with multiple Azure Resource Groups and restrict access at the Resource Group level, so that each user or workload only sees its own group.
I’ve put together this best practice model, with pros and cons for each design option, which you can use as a starting point when designing your own Azure patterns.
In this tutorial I will walk you through the following:
- First, choose how you want to design your Azure subscription model. I’ve put together 2 options below.
- Next, decide how you want to design your Azure Resource Group model. I’ve put together 2 options below.
- Then, plan how you’re going to manage access and implement a role-based access control (RBAC) strategy.
- Finally, think about your naming standards best practice, especially if you have several teams deploying resources into Azure.
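As an added illustration of the single-subscription design described above (this is example code, not part of the original post), the following Az PowerShell script creates one Resource Group per workload and assigns a built-in role to each workload's Azure AD group at Resource Group scope only, then lists what has been assigned at subscription scope. The subscription id, Resource Group names and group names are placeholders you would replace; the Azure AD groups are assumed to already exist.

```powershell
# Added example, not from the original post: Resource Group scoped RBAC in a single subscription.
# Requires the Az module (Az.Accounts, Az.Resources) and an existing Connect-AzAccount session.
# All ids and names below are placeholders/constructed values.

$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder subscription id
Set-AzContext -Subscription $SubscriptionId | Out-Null

# One Resource Group per workload: the RG is the access boundary in this model.
$Workloads = @('rg-payroll-prod', 'rg-webshop-prod')        # constructed RG names
foreach ($rg in $Workloads) {
    if (-not (Get-AzResourceGroup -Name $rg -ErrorAction SilentlyContinue)) {
        New-AzResourceGroup -Name $rg -Location 'westeurope' | Out-Null
    }
}

# Map each workload's Azure AD group (assumed to exist) to a built-in role, scoped to its RG only.
$Assignments = @(
    @{ Group = 'sg-payroll-devs'; Role = 'Contributor'; Rg = 'rg-payroll-prod' },
    @{ Group = 'sg-webshop-devs'; Role = 'Contributor'; Rg = 'rg-webshop-prod' }
)
foreach ($a in $Assignments) {
    $group = Get-AzADGroup -DisplayName $a.Group
    $scope = "/subscriptions/$SubscriptionId/resourceGroups/$($a.Rg)"
    $existing = Get-AzRoleAssignment -ObjectId $group.Id -Scope $scope `
                    -RoleDefinitionName $a.Role -ErrorAction SilentlyContinue
    if (-not $existing) {
        # The -Scope path is what keeps this group out of every other workload's RG.
        New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $a.Role -Scope $scope | Out-Null
    }
}

# Check: a role assigned at subscription scope is inherited by every Resource Group beneath it,
# so review what sits directly on "/subscriptions/<id>" and keep it to the platform team.
Get-AzRoleAssignment -Scope "/subscriptions/$SubscriptionId" |
    Where-Object { $_.Scope -eq "/subscriptions/$SubscriptionId" } |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

The last query is the check worth repeating on a schedule: the Resource Group boundary only holds if broad roles such as Owner or Contributor are not also granted one level up at the subscription, where they are inherited by every group.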
OK, let’s start with choosing your Azure Subscription Model:
awesome amalgamation
Thanks Deepak 🙂
After deploying both models previously, I have to disagree on multiple subscriptions being more complex. The single subscription requires significantly more complex RBAC configuration, as well as Azure Policy and management group considerations. Resource Groups should not be treated as ‘mini-subscriptions’; organizations which have administrative control over certain workloads should have a subscription created to contain the workloads they maintain. Additionally, infrastructure items like hub vnets and NVAs, certificate authorities / identity servers, and monitoring resources should be in separate subscriptions for easier RBAC & Azure Policy application.
Thanks for sharing your experience on this topic Rob, much appreciated.