Welcome back for the third layer of our cake. The second layer was management groups. Today, we look at subscriptions, design strategies, cost management, and Azure Policy.
There are multiple design strategies for management groups and subscriptions. We went through the most comprehensive approach in the previous layer: the enterprise-scale landing zone architecture framework. We’re reviewing the other design strategies and their benefits in this layer.
Subscriptions, at their simplest, are containers for your resource groups and resources. When you deploy and use resources, the costs are billed to the subscription. The subscription is your agreement with Microsoft, allowing you to use their platform and services. A subscription is mandatory when you want to deploy resources; without one, deployment is impossible.
The subscription is also the administrative security boundary. In most cases, the role-based access control configuration is assigned to the subscription and inherited by the underlying resource groups and their resources.
There are limitations within Azure. The limits (or quotas) are in place for lots of services, as well as for subscriptions. For example, a subscription can have up to 980 resource groups and 50 tags. These limits can change over time. You can find more information about the subscription and service limits, quotas, and constraints in the documentation.
There are lots of offers and subscription types that you can find on the Microsoft Azure Offer Details page. Today, we’re going through the four most common.
Enterprise Agreement: This is a manageable volume licensing program that offers the best value to organizations with 500 or more users. It’s a three-year agreement where you pay in advance using standardized payments. One of the benefits is the ability to activate so-called Dev/Test subscriptions at reduced development and test rates.
Pay-As-You-Go: This subscription allows you to pay only for what you use monthly. The costs are slightly higher, but there’s no upfront commitment, and you can cancel anytime.
Free Trial: This is a free Azure trial valid for 30 days with €170 worth of spending credits. After 30 days, the trial gets converted to a Pay-As-You-Go subscription, billed using the assigned credit card. You’ll also get 12 months of selected free services with monthly limits. The free trial is a great place to start getting comfortable with Azure.
Cloud Solution Provider: This is a Pay-As-You-Go subscription purchased by invoice through a Microsoft partner. You don’t need a credit card; the partner manages your subscription.
Every organization is different. Therefore, management groups and subscriptions are designed to be flexible. There are multiple design strategies for management groups and subscriptions.
Workload separation strategy: This is the most straightforward approach. You have two management groups, one for production and one for pre-production workloads. Both management groups contain multiple subscriptions, where ownership or responsibility is the differentiator. This approach isn’t best suited for applying different policies across your subscriptions and workloads because of the limited use of management groups.
Application category strategy: This builds on the workload separation approach by adding application categories under the production and pre-production management groups. The workload categories differ for every organization and are based on various topics, such as business criticality, access controls, data protection needs, or compliance requirements.
Geographic strategy: This is best suited for an international organization with a global infrastructure, where the management group structure and subscriptions are based on geographic regions.
Functional strategy: This uses a management group structure to organize your subscriptions based on IT, finance, or sales functions.
Business unit strategy: This follows the same approach as the functional strategy, where the functions are swapped for profit center, business unit, or division.
As discussed in the previous layer (management groups), the management group hierarchy can be up to six levels deep, giving you the flexibility to combine multiple strategies to satisfy your needs.
Azure enables you to build and deploy solutions leveraging the cloud’s power using the needed resources and performance. Eventually, you’re paying for the resources and services you use. Therefore, it’s crucial to manage your costs.
Cost management starts with proper planning. Which services do you select? Which service tier or virtual machine size do you need? Collect the requirements and use the Azure Pricing Calculator to estimate your application’s cost.
Design your workloads as efficiently as possible. Focus on consumption models where you only pay for the number of transactions or run time of the application. And use managed services when possible. Although the cost per unit is often higher, they have lower operational costs because you’re not managing the underlying infrastructure.
Organize your environment for cost awareness. Use Azure Policy to configure limits for specific virtual machine sizes that are more expensive. These policies will prevent unexpected costs. In the next chapter, we’ll go through Azure Policy in more detail.
After deploying your solution, you should regularly review costs to optimize your resources and Azure spending. Azure Cost Management shows you where your money is going and is integrated with Azure Advisor to advise you on underutilized resources. Another way to reduce costs is to use reserved instances. You commit to a one-year or three-year plan with the reservation, giving you a discount of up to 72%.
Configure cost alerts to notify you when a budget or department spending quota is reached. Setting up these budgets and quotas supports organizational accountability. Are we staying within our budgets?
Azure Policy enables you to govern your platform by creating, assigning, and managing policies. The policies enforce rules over your resource configurations to ensure these comply with organizational standards.
Policies are evaluated when:
- Resources are created, updated, or deleted.
- Policies or initiatives are assigned or updated.
- The standard compliance evaluation cycle runs (every 24 hours).
You can define individual policies or combine them into so-called initiatives. There are many built-in policy definitions and initiatives. In addition to these, you can create custom policies and initiatives, which are stored at a management group or subscription scope. If you plan to assign a policy or initiative to multiple subscriptions, the management group that contains them is the best place to store it.
Policies can be assigned at the management group, subscription, or resource group level, and the lower levels inherit the assigned policy configuration.
When a policy detects a non-compliant resource, the actions include:
- Deny the resource change.
- Log the resource change.
- Modify the resource before and/or after the change.
- Deploy related resources to become compliant.
- Remediate existing resources by changing them.
When you start with Azure Policy in an existing Azure environment, the advice is to evaluate the impact with an audit effect first. This way, you won’t interrupt production workloads. And always use initiatives when assigning policies, even when assigning a single policy. When you later need another policy, you can simply add it to the existing initiative instead of creating a new assignment.
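To make the cost-control policy from the cost management section and the audit-first advice above concrete, here is an added example that is not part of the original post: a custom policy definition limiting VM sizes, an initiative that assigns it with the Audit effect, and a simplified local evaluator of the policy rule. The definition id is a placeholder, the resource dictionaries are constructed, and the evaluator only supports allOf, equals and notIn with aliases looked up as plain keys; Azure’s own evaluation engine is far richer.

```python
# Constructed example: custom policy definition, initiative, and a local evaluator.
ALLOWED_VM_SIZES_POLICY = {
    "displayName": "Allowed virtual machine sizes (cost control)",
    "mode": "Indexed",
    "parameters": {  # list and effect are parameters: assign Audit first, Deny later
        "allowedSkus": {"type": "Array"},
        "effect": {"type": "String", "allowedValues": ["Audit", "Deny"], "defaultValue": "Audit"},
    },
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": "Microsoft.Compute/virtualMachines/sku.name", "notIn": "[parameters('allowedSkus')]"},
        ]},
        "then": {"effect": "[parameters('effect')]"},
    },
}

COST_INITIATIVE = {  # initiative (policy set); the definition id is a placeholder
    "displayName": "Cost awareness baseline",
    "policyDefinitions": [{
        "policyDefinitionId": "<mg-scope>/policyDefinitions/allowed-vm-sizes",
        "parameters": {"allowedSkus": {"value": ["Standard_B2s", "Standard_D2s_v5"]},
                       "effect": {"value": "Audit"}},
    }],
}

def _resolve(value, params):
    """Expand "[parameters('name')]" to the value supplied by the assignment."""
    if isinstance(value, str) and value.startswith("[parameters('"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value

def _matches(cond, resource, params):
    """Minimal allOf/equals/notIn evaluator; Azure's real engine is far richer."""
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    actual = resource.get(cond["field"])  # aliases are looked up as plain keys here
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params)
    return actual not in _resolve(cond["notIn"], params)

def initiative_params(initiative, index=0):  # parameter values for one member policy
    return {k: v["value"] for k, v in
            initiative["policyDefinitions"][index]["parameters"].items()}

def evaluate(policy, params, resource):
    """Effect the rule would trigger for this resource, or 'Compliant'."""
    rule = policy["policyRule"]
    matched = _matches(rule["if"], resource, params)
    return _resolve(rule["then"]["effect"], params) if matched else "Compliant"
```

Switching the initiative’s effect parameter from Audit to Deny changes the outcome for non-compliant requests without touching the policy definition, which is exactly why the effect is parameterized.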
Thank you so much for taking the time to read this post. I’d love to hear what you think, and I hope to see you next week when we’re going through the next layer of our cake, resource groups. Bye for now!