Blog: Azure Subscription Planning and Design Best Practices
Because every organization is different, Azure management groups are designed to be flexible. While subscriptions can be moved between different management groups, it is helpful to design an initial management group hierarchy that reflects your anticipated organizational needs.
The following subscription patterns reflect an initial increase in subscription design sophistication, followed by several more advanced hierarchies that may align well with your organization:
A single subscription per account may suffice for organizations that need to deploy a small number of cloud-hosted assets. This is typically the first subscription pattern used when beginning your Azure adoption process to explore the capabilities of the cloud.
Once you’re ready to deploy a workload to a production environment, you should add an additional subscription. This helps you keep your production data and other assets out of your dev/test environments. You can also easily apply two different sets of policies across the resources in the two subscriptions.
Workload Separation Pattern
As an organization adds new workloads to the cloud, different ownership of subscriptions or basic separation of responsibility may result in multiple subscriptions in both the production and preproduction management groups. While this approach does provide basic workload separation, it doesn’t take significant advantage of the inheritance model to automatically apply policies across a subset of your subscriptions.
Application Category Pattern
As an organization’s cloud footprint grows, additional subscriptions are typically created to support applications with fundamental differences in business criticality, compliance requirements, access controls, or data protection needs.
Each organization will categorize its applications differently, often separating subscriptions based on specific applications or services, or along the lines of application archetypes. Some workloads that might justify a separate subscription under this pattern include:
- Mission-critical workloads.
- Applications with protected data.
- Experimental applications.
- Applications subject to regulatory requirements (such as HIPAA or FedRAMP).
- Batch workloads.
- Big data workloads such as Hadoop.
- Containerized workloads using deployment orchestrators such as Kubernetes.
- Analytics workloads.
Functional Pattern
The functional pattern organizes subscriptions and accounts along functional lines, such as finance, sales, or IT support, using a management group hierarchy.
Business Unit Pattern
The business unit pattern groups subscriptions and accounts based on profit and loss category, business unit, division, profit center, or similar business structure using a management group hierarchy.
Geographic Pattern
For organizations with global operations, the geographic pattern groups subscriptions and accounts based on geographic regions using a management group hierarchy.
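Every pattern above relies on the same mechanism: a policy assigned at a management group is inherited by every subscription beneath it. The following is an added example (not code from the original post) that models that inheritance for the workload separation pattern, with constructed group, subscription and policy names; it shows why assigning once at "Production" reaches every production subscription, and which subscriptions a given assignment scope covers.

```python
from typing import Dict, List, Optional, Sequence


class Hierarchy:
    """Management groups and subscriptions with their direct policy assignments."""

    def __init__(self) -> None:
        self.parent: Dict[str, Optional[str]] = {}
        self.assigned: Dict[str, List[str]] = {}

    def add(self, name: str, parent: Optional[str], policies: Sequence[str] = ()) -> None:
        if parent is not None and parent not in self.parent:
            raise ValueError(f"unknown parent {parent!r}")
        self.parent[name] = parent
        self.assigned[name] = list(policies)

    def effective_policies(self, name: str) -> List[str]:
        """Policies in force at `name`: everything assigned on the path from the
        root down to it. A policy assigned twice along that path is listed once."""
        chain, node = [], name
        while node is not None:
            chain.append(node)
            node = self.parent[node]
        seen, result = set(), []
        for n in reversed(chain):  # root first, so the order shows where each came from
            for p in self.assigned[n]:
                if p not in seen:
                    seen.add(p)
                    result.append(p)
        return result

    def descendants(self, group: str) -> List[str]:
        """Every node beneath `group`: the scope a policy assigned there reaches."""
        found = sorted(n for n, p in self.parent.items() if p == group)
        for child in list(found):
            found += self.descendants(child)
        return sorted(found)


def build_sample_hierarchy() -> Hierarchy:
    """Constructed sample: the workload separation pattern, with production
    and preproduction management groups under the tenant root."""
    h = Hierarchy()
    h.add("Tenant Root", None, ["allowed-locations"])
    h.add("Production", "Tenant Root", ["require-storage-encryption", "deny-public-ip"])
    h.add("Preproduction", "Tenant Root", ["budget-alert"])
    h.add("Contoso-Sales-Prod", "Production")
    h.add("Contoso-HR-Prod", "Production")
    h.add("Contoso-Sales-Dev", "Preproduction", ["allowed-locations"])
    return h
```

Moving a subscription to another management group changes only its `parent` entry, and its effective policy set changes with it, which is the flexibility the opening paragraph describes.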
One of the most critical items in the process of designing a subscription is assessing your current environment and needs.
Understanding how each component is limited and how each impacts the others is critical to a solution that can scale and be flexible enough to support the needs of the business.
Specifically, it is important to have a thorough understanding of the following aspects:
- Business requirements such as availability, recoverability, performance, cost centers, and chargebacks.
- Technical requirements such as network connectivity, Active Directory requirements, and considerations around management tools.
- Security considerations such as policies, subscription administrators, and implementation of a least-privilege administrative model, among others.
- Additional considerations such as scalability plans, subscription ownership, Office 365 Azure AD tenant setup, trial Power BI evaluation, and trust issues between the owners of a subscription and the owners of the resources to be deployed in it.
- Rigid financial or geopolitical controls might require separate financial arrangements for specific subscriptions.
Speaking of security concerns in Azure, read part 3 of this article series to learn how to put together an effective operational security plan to safeguard your data, applications, and other assets in Azure.
Subscription Naming Conventions – Best Recommendation(s)
When naming Azure subscriptions, verbose names make understanding the context and purpose of each subscription clear. When working in an environment with many subscriptions, following a shared naming convention can improve clarity.
A recommended pattern for naming subscriptions is:
<Company>-<Department (optional)>-<Product Line (optional)>-<Environment>
Company would usually be the same for each subscription. However, some companies may have child companies within the organizational structure. These companies may be managed by a central IT group.
Department is a name within the organization that contains a group of individuals. This item within the namespace is optional.
Product line is a specific name for a product or function that is performed from within the department. This is typically optional for internal-facing services and applications. However, it is highly recommended for public-facing services that require easy separation and identification (such as for clear separation of billing records).
Environment is the name that describes the deployment lifecycle of the applications or services, such as Dev, QA, or Prod.
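The convention above has two optional segments, so a name can have two, three or four parts and a three-part name is ambiguous. The following is an added example (not code from the original post) that parses a name into its components and audits a constructed inventory of subscription names against the convention; it assumes segments are alphanumeric with `-` used only as the separator, treats a lone middle segment as the department, and restricts the environment to the values the post names.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

ENVIRONMENTS = {"Dev", "QA", "Prod"}  # the values the post names; extend to fit your lifecycle
SEGMENT = re.compile(r"[A-Za-z0-9]+")  # assumption: alphanumeric segments, '-' only as separator


@dataclass(frozen=True)
class SubscriptionName:
    company: str
    environment: str
    department: Optional[str] = None
    product_line: Optional[str] = None


def parse_subscription_name(name: str) -> SubscriptionName:
    """Split <Company>-<Department>-<Product Line>-<Environment> into its parts.
    Both middle segments are optional, so a single middle segment is taken to be
    the department (assumption); a malformed name raises ValueError with the reason."""
    segments = name.split("-")
    if not all(SEGMENT.fullmatch(s) for s in segments):
        raise ValueError(f"{name!r}: segments must be alphanumeric, separated by '-'")
    if not 2 <= len(segments) <= 4:
        raise ValueError(f"{name!r}: expected 2 to 4 segments, got {len(segments)}")
    if segments[-1] not in ENVIRONMENTS:
        raise ValueError(f"{name!r}: environment must be one of {sorted(ENVIRONMENTS)}")
    company, *middle, environment = segments
    department = middle[0] if middle else None
    product_line = middle[1] if len(middle) == 2 else None
    return SubscriptionName(company, environment, department, product_line)


def audit(names: Iterable[str]) -> Dict[str, str]:
    """Map each non-compliant name in an inventory to the reason it fails."""
    problems: Dict[str, str] = {}
    for n in names:
        try:
            parse_subscription_name(n)
        except ValueError as err:
            problems[n] = str(err)
    return problems


SAMPLE_INVENTORY = [  # constructed sample of subscription names, not real ones
    "Contoso-Prod", "Contoso-Finance-Payroll-Prod", "Contoso-Sales-Dev",
    "Contoso-Finance-Payroll-Staging", "contoso finance prod", "Contoso-Sales-Pay-Extra-Prod",
]
```

Running `audit` over the names returned by your subscription listing tool gives a quick compliance report for an existing environment before you adopt the convention.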
Effective cloud governance is essential in order to reap maximum benefits. And, subscription planning is half the battle won. Write to us at firstname.lastname@example.org to understand the relationship between an Azure subscription and related expenses.