Streamlining Azure governance with Azure resource management

Effective management of Microsoft Azure resources is essential for maintaining control over your cloud environment, ensuring robust security and compliance, and optimising costs. Ergo, an Azure Expert MSP, and its Microsoft licensing consultancy subsidiary Micromail work closely with customers to advise them on the best way to organise their cloud resources and optimise cloud investments.

In this blog post, we will explore the basics of Azure cloud resource organisation and the best practices we recommend organisations follow.

Getting started with resource organisation

Resource organisation is one of the design areas of Azure Landing Zones. This aspect is vital for organizations aiming for scalable cloud adoption. A streamlined management group and subscription design, aligned with best practices, can significantly influence adoption, improve cloud governance and operational efficiency.

There are 4 levels of Azure resource management: management groups, subscriptions, resource groups and resources.

What are Azure Management groups

At the top of the hierarchy are Management Groups. As organizations expand their use of Azure, controlling multiple subscriptions becomes increasingly complex. Management groups provide a structured way to organize and govern subscriptions, ensuring efficient and effective management. All subscriptions within a management group automatically inherit the conditions applied to the management group.

To get started with Azure management groups, we recommend the following:

• Separation Considerations: Evaluate the need for separate functions based on business, operational, regulatory, data residency, security and compliance, or sovereignty requirements. For instance, while the best practice is to utilise the standard Azure landing zone management group structure for multiregional deployments, if your organisation has specific location-based compliance requirements, consider creating a management group structure based on those locations.

• Leverage management groups to consolidate policy and initiative assignments using Azure Policy.

• Enhance authorization controls for management groups by enabling Azure role-based access control (RBAC) to override default settings.

If you’d like to learn more about protecting your cloud resources, please read our blog about Microsoft Defender for Cloud.
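
The inheritance and consolidation points above, as an added example that is not part of the original post: it resolves which policy assignments each subscription inherits through a management group hierarchy and flags assignments repeated at sibling scopes. All group, subscription and assignment names are constructed sample data.

```python
# Added example. The hierarchy and assignment names are constructed sample
# data, not an export from a real tenant.
from collections import defaultdict

# child scope -> parent management group ("root" = tenant root group)
PARENT = {
    "platform": "root",
    "landing-zones": "root",
    "lz-eu": "landing-zones",        # location-based group (data residency)
    "sub-connectivity": "platform",
    "sub-payments-prod": "lz-eu",
    "sub-payments-dev": "lz-eu",
    "sub-sandbox": "root",           # subscription parked directly under root
}
SUBSCRIPTIONS = ["sub-connectivity", "sub-payments-dev",
                 "sub-payments-prod", "sub-sandbox"]

# scope -> policy/initiative assignments made directly at that scope
ASSIGNMENTS = {
    "root": ["require-tags"],
    "platform": ["deny-public-ip"],
    "landing-zones": ["deny-public-ip", "audit-diagnostics"],
    "lz-eu": ["allowed-locations-eu"],
}


def ancestors(scope):
    """Return the scope followed by every management group above it."""
    chain = []
    while scope is not None:
        if scope in chain:
            raise ValueError(f"cycle in hierarchy at {scope!r}")
        chain.append(scope)
        scope = PARENT.get(scope)
    return chain


def effective_assignments(subscription):
    """Map each assignment in force on a subscription to the scope it comes from."""
    effective = {}
    for scope in reversed(ancestors(subscription)):  # walk root -> subscription
        for name in ASSIGNMENTS.get(scope, []):
            effective.setdefault(name, scope)        # keep the highest scope
    return effective


def consolidation_candidates():
    """Find assignments repeated at sibling scopes under the same parent."""
    by_parent = defaultdict(lambda: defaultdict(list))
    for scope, names in ASSIGNMENTS.items():
        parent = PARENT.get(scope)
        if parent is not None:
            for name in names:
                by_parent[parent][name].append(scope)
    return sorted((parent, name, sorted(scopes))
                  for parent, names in by_parent.items()
                  for name, scopes in names.items() if len(scopes) > 1)


def directly_under_root():
    """Subscriptions parented straight to the root group."""
    return [s for s in SUBSCRIPTIONS if PARENT.get(s) == "root"]


if __name__ == "__main__":
    for sub in SUBSCRIPTIONS:
        print(sub, effective_assignments(sub))
    print("consolidate:", consolidation_candidates())
    print("under root:", directly_under_root())
```

Moving a repeated assignment up to the shared parent also applies it to every other child of that parent (here `sub-sandbox`), so check the effective set of each affected subscription before consolidating.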

What are Azure Subscriptions

Subscriptions are a unit of management, billing, and scale within Microsoft Azure. They provide control over resource usage reporting and payments. Each subscription can have unique billing arrangements, allowing for differentiation by office, department, or project. Similarly to management groups, they play a critical role when you design for large-scale Azure adoption.

In our experience, there is sometimes confusion between an Azure Subscription and other units of resource organisation. Let’s explore the most common ones:

• What is the difference between Azure subscription and an account?
Azure subscriptions group resources and assign an owner responsible for billing and permissions management. An Azure account represents the billing relationships.

• What is the difference between Azure subscription and a tenant?
An Azure Tenant is an exclusive instance of Azure Active Directory that corresponds to an organization’s Azure subscription. When an organization subscribes to Azure, Microsoft creates a new Azure Tenant specifically for that organization. This Tenant is connected to the subscription and governs all the resources and services used within Azure.

• What is the difference between Azure Subscription and Resource Groups?
Resource Groups are the next level of resource organisation under Azure subscription. They serve as a container for deploying and managing Azure resources, such as applications or databases. The resource group can include all the resources for the solution, or only those resources that you want to manage together.

Key considerations for planning and creating Azure subscriptions:

Organisation and Cloud Governance Recommendations

Inform Subscription Owners of their roles and responsibilities:

  • Conduct quarterly or yearly access reviews using Microsoft Entra Privileged Identity Management.
  • Subscription owners should take ownership of budget spending and resource management.
  • Ensure policy compliance and address any issues promptly.

New Subscription Requirements: Follow these principles when identifying the need for new subscriptions:

• Scale Limits: For high-volume workloads, it’s recommended to use separate subscriptions to avoid hitting platform limits.

• Management Boundary: For management purposes, it’s recommended to separate development, test and production environments.

• Policy Boundary: Subscriptions serve as boundaries for Azure Policy assignments, ensuring compliance for secure workloads without additional overhead.

• Network Topology: Consider which workloads need to communicate with each other when deciding on new subscriptions.

• Group Subscriptions: Organise subscriptions under management groups aligned with your management structure and policy requirements. Ensure subscriptions with similar policies and Azure role assignments are grouped together.

• Use Flexible Grouping Criteria: Use flexible criteria to group subscriptions, allowing for adjustments as your organisation’s structure and workload composition change. Avoid a one-size-fits-all approach, as different business units may have varying needs.

Quota and Capacity Recommendations

• Scale Out Resources: Expand resources and subscriptions as needed to avoid hitting Azure platform limits.

• Capacity Reservations: Use capacity reservations to ensure availability for high-demand resources in specific regions.

• Monitoring Dashboard: Set up a custom dashboard to monitor capacity levels and configure alerts for critical thresholds, such as 90% CPU usage.

• Quota Limits: Ensure quota limits are set before workloads exceed default limits.

Tenant Transfer Restriction Recommendations

Prevent Subscription Transfers: Configure settings to prevent users from transferring Azure subscriptions to or from your Microsoft Entra tenant:

  • Set “Subscription leaving Microsoft Entra directory” to “Permit no one.”
  • Set “Subscription entering Microsoft Entra directory” to “Permit no one.”

Exempted Users: Configure a limited list of exempted users, including:

  • Members of the Azure platform operations team.
  • Accounts to be used in case of emergency.

Cost Management and optimisation

Optimising and controlling cost in Azure is vital to ensure the best value for money and avoid overspend. Fortunately, Microsoft offers the tools to manage and govern Azure costs using the Cost Management blade in the Azure Portal.

Collaboration with an experienced Azure specialist like Ergo and Micromail can ensure that the correct Cost Management settings are implemented for your organisation, and that you are getting the best value out of the toolset. Some important areas where a partner-delivered Cost Management solution can help:

  • Setting cost alerts will flag sudden changes or budget thresholds. This can avoid unexpected bills and highlight potential mistakes in Azure implementation.
  • If internal cross billing of Azure services is needed, then this can only be effectively managed utilising Cost Management resources.
  • Internal reporting on growing Azure spend can easily be delivered via Cost Management solutions.

