2.1.6 Describe Azure Management Infrastructure
Description of Azure management infrastructure.
Last updated
A resource is the basic building block of Azure: anything you create, provision or deploy is a resource. Virtual machines, databases, storage accounts and virtual networks are all resources.
Resource groups are groupings of resources. A resource group can contain many resources, but a resource can belong to only one resource group at a time. Most resources can be moved between resource groups, although some services do not support moving. Resource groups cannot be nested, meaning you can't put group B inside group A.
When you apply an action to a resource group, it applies to all resources in the group. Deleting a resource group deletes every resource in it, and granting or denying access at resource-group scope applies to every resource in the group. For example, if you set up a temporary environment, grouping all of its resources together makes deprovisioning it easier; if you are provisioning resources that need different access, you can group them by the access they require.
Subscriptions are a unit of management, billing and scale. They let you logically organise resource groups and facilitate billing.
Using Azure requires a subscription. A subscription gives you authenticated and authorized access to Azure products and services and lets you provision resources. A subscription links to an Azure account, which is an identity in Microsoft Entra ID or in a directory that Microsoft Entra ID trusts.
An account can have multiple subscriptions, but only one is required. Azure subscriptions can be used to define boundaries around Azure products; there are two types of boundary:
Billing boundary: Determines how an account is billed for using Azure. Azure generates separate billing invoices and reports for each subscription to help organize and manage costs.
Access control boundary: Applies access-management policies at subscription level. For example, a business could apply different policies to different departments. This model lets you manage and control access to the resources that users provision within specific subscriptions.
Common reasons for creating additional subscriptions:
Environments: separate subscriptions can be used for development and testing, for security, or to isolate data. This works because a subscription is an access-control boundary: a role assignment at subscription scope applies to everything inside that subscription and nothing outside it.
Organizational structures: subscriptions can reflect different organizational structures. For example, one team could be limited to lower-cost resources whilst the IT team is allowed the full range. This lets you control and manage the resources users provision.
Billing: separate subscriptions generate separate invoices, so they can be used to track and manage costs based on your needs. One subscription could be for testing and another for production.
Resources are gathered into resource groups, and resource groups are gathered into subscriptions. Management groups provide a level of scope above subscriptions: subscriptions can be organised into containers called management groups, and governance conditions (Azure Policy assignments and Azure RBAC role assignments) can then be applied to those groups. All subscriptions in a management group automatically inherit the conditions applied to that group. Every directory has a single top-level root management group, under which all other management groups and subscriptions sit. Management groups provide enterprise-grade management at scale, and they can be nested.
The diagram above shows an example of how a hierarchy could look. Some examples of how management groups can be used:
Create a hierarchy that applies a policy: you could limit VM locations to the US West region in a production management group. Every subscription under that group inherits the policy, and it applies to every VM in those subscriptions. The owner of a resource or subscription cannot override it.
Provide access to multiple subscriptions: an Azure RBAC role assignment made at management-group scope is inherited by every child management group, subscription, resource group and resource under that group.
Important management group facts:
A single directory supports up to 10,000 management groups
A management group tree can support up to six levels of depth (not counting the root management group or the subscription level)
Each management group and subscription can have only one parent
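The scope rules on this page (a resource belongs to one resource group, resource groups cannot be nested, each management group or subscription has one parent, at most six levels of management groups) and the inheritance rules for policy and RBAC are easiest to see when modelled as a tree. The following is an added example, not code from the original page and not the Azure SDK or CLI: it is a small in-memory model of the hierarchy in which role assignments flow down to every descendant scope and an "allowed locations" policy at any ancestor constrains every resource beneath it, so a subscription owner cannot widen a restriction set at the management-group level. The scope names, principals and the `ScopeError` class are illustrative assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_MG_DEPTH = 6  # management-group levels allowed below the root (page's stated limit)

class ScopeError(ValueError):
    """Raised when a placement would break one of the Azure hierarchy rules."""

# Which scope kinds may act as parent for each kind of child.
ALLOWED_PARENT = {
    "mg": {"root", "mg"},          # management groups nest under root or another MG
    "sub": {"root", "mg"},         # subscriptions sit under root or an MG
    "rg": {"sub"},                 # resource groups cannot be nested in resource groups
    "resource": {"rg"},            # a resource lives in exactly one resource group
}

@dataclass
class Scope:
    name: str
    kind: str                                   # root | mg | sub | rg | resource
    parent: Optional["Scope"] = None
    children: list = field(default_factory=list)
    roles: dict = field(default_factory=dict)   # principal -> set of role names
    allowed_locations: Optional[set] = None     # None = no location policy at this scope

    def ancestors(self):
        """Yield this scope, then each parent up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent

    def mg_depth(self) -> int:
        return sum(1 for s in self.ancestors() if s.kind == "mg")

def attach(child: Scope, parent: Scope) -> None:
    """Place child under parent, enforcing single-parent, nesting and depth rules."""
    if child.parent is not None:
        raise ScopeError(f"{child.kind} '{child.name}' already has a parent")
    if parent.kind not in ALLOWED_PARENT.get(child.kind, set()):
        raise ScopeError(f"{child.kind} '{child.name}' cannot sit under {parent.kind} '{parent.name}'")
    if child.kind == "mg" and parent.mg_depth() + 1 > MAX_MG_DEPTH:
        raise ScopeError(f"management group '{child.name}' would exceed {MAX_MG_DEPTH} levels")
    child.parent = parent
    parent.children.append(child)

def move(child: Scope, new_parent: Scope) -> None:
    """Re-parent a scope (e.g. move a resource to another resource group)."""
    if child.parent is not None:
        child.parent.children.remove(child)
        child.parent = None
    attach(child, new_parent)

def effective_roles(scope: Scope, principal: str) -> set:
    """RBAC: the union of role assignments at this scope and every ancestor."""
    roles = set()
    for s in scope.ancestors():
        roles |= s.roles.get(principal, set())
    return roles

def effective_locations(scope: Scope) -> Optional[set]:
    """Policy: intersect every allowed-locations assignment from here to the root.
    A lower scope can only narrow the set it inherits, never widen it."""
    result = None
    for s in scope.ancestors():
        if s.allowed_locations is not None:
            result = set(s.allowed_locations) if result is None else result & s.allowed_locations
    return result

def can_deploy(scope: Scope, location: str) -> bool:
    allowed = effective_locations(scope)
    return allowed is None or location in allowed

def rule_violated(action) -> bool:
    """Run a placement and report whether it was rejected by the hierarchy rules."""
    try:
        action()
        return False
    except ScopeError:
        return True

def build_demo() -> dict:
    """Constructed sample hierarchy: root -> Production MG -> one subscription -> two RGs."""
    root = Scope("Tenant Root Group", "root")
    prod = Scope("Production", "mg", allowed_locations={"westus"})  # the page's US West example
    attach(prod, root)
    sub = Scope("prod-sub", "sub"); attach(sub, prod)
    web = Scope("web-rg", "rg"); attach(web, sub)
    data = Scope("data-rg", "rg"); attach(data, sub)
    vm = Scope("web-vm-01", "resource"); attach(vm, web)
    prod.roles["alice"] = {"Reader"}        # inherited by everything under Production
    web.roles["bob"] = {"Contributor"}      # only web-rg and the resources in it
    return {"root": root, "prod": prod, "sub": sub, "web": web, "data": data, "vm": vm}

if __name__ == "__main__":
    d = build_demo()
    print("alice at VM:", effective_roles(d["vm"], "alice"))
    print("bob at VM:", effective_roles(d["vm"], "bob"), "bob at data-rg:", effective_roles(d["data"], "bob"))
    print("deploy VM in westus:", can_deploy(d["vm"], "westus"), "in eastus:", can_deploy(d["vm"], "eastus"))
    d["sub"].allowed_locations = {"eastus"}   # subscription owner tries to allow eastus
    print("after subscription override, eastus:", can_deploy(d["vm"], "eastus"))
    print("nested RG rejected:", rule_violated(lambda: attach(Scope("inner-rg", "rg"), d["web"])))
```

The subscription-level override in the demo does not widen the allowed set; because each ancestor's policy is intersected, the management-group restriction still wins, which is the inheritance behaviour the page describes. The same `ancestors()` walk drives both RBAC and policy resolution, which is why a role granted at management-group scope appears at every resource below it.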