Azure Resource Groups & Subscriptions
Organizing Your Azure Resources
Table of Contents
- Introduction to Azure Organization
- Subscriptions Deep Dive
- Resource Groups Best Practices
- Resource Manager
- Tags Strategy
- Cost Management
- Azure Policy & Governance
- Best Practices
1. Introduction to Azure Organization
Azure resources need to be organized logically. Azure provides a hierarchy for this purpose.
Azure Resource Hierarchy:
┌─────────────────────────────────────────────────────────────────┐
│ AZURE MANAGEMENT HIERARCHY │
├─────────────────────────────────────────────────────────────────┤
│ │
│ Management Group │
│ └── Subscription │
│ └── Resource Group │
│ └── Resources │
│ ├── VMs, Storage, Databases │
│ └── Apps, Functions, Networks │
│ │
└─────────────────────────────────────────────────────────────────┘
Hierarchy Levels:
| Level | Purpose | Count |
|---|---|---|
| Management Groups | Organize multiple subscriptions | 10,000+ |
| Subscriptions | Billing boundary + access control | 100s per tenant |
| Resource Groups | Logical container for resources | 100s per subscription |
| Resources | Individual Azure services | Thousands per group |
2. Subscriptions Deep Dive
What is a Subscription?
A subscription is a logical container that maps to a billing account. It isolates resources and enables granular access control.
Subscription Types:
┌─────────────────────────────────────────────────────────────────────┐
│ SUBSCRIPTION TYPES │
├───────────────────────┬─────────────────────────────────────────────┤
│ Type │ Description │
├───────────────────────┼─────────────────────────────────────────────┤
│ Free │ Limited services, $200 credit for 30 days │
├───────────────────────┼─────────────────────────────────────────────┤
│ Pay-As-You-Go │ Standard billing, no upfront │
├───────────────────────┼─────────────────────────────────────────────┤
│ Enterprise Agreement │ Volume discounts, annual commitment │
├───────────────────────┼─────────────────────────────────────────────┤
│ Cloud Solution │ Partner-managed, resale model │
│ Provider (CSP) │ │
└───────────────────────┴─────────────────────────────────────────────┘
Common Subscription Strategies:
By Environment:
Subscription: Production
└── RG: prod-webapps
└── RG: prod-databases
└── RG: prod-storage
Subscription: Development
└── RG: dev-webapps
└── RG: dev-databases
By Business Unit:
Subscription: Marketing
└── RG: campaigns
└── RG: analytics
Subscription: Sales
└── RG: crm
└── RG: leads
By Application:
Subscription: App-A
└── RG: app-a-infra
└── RG: app-a-compute
Subscription: App-B
└── RG: app-b-infra
└── RG: app-b-compute
Managing Subscriptions:
# List all subscriptions
az account list -o table
# Set default subscription
az account set --subscription "My Subscription"
# Show subscription details
az account show
# Get subscription ID
az account show --query id -o tsv
3. Resource Groups Best Practices
What is a Resource Group?
A resource group is a container that holds related resources for an Azure solution. All resources share the same lifecycle - deploy, update, delete together.
Key Rules:
- Same subscription - All resources must be in one subscription
- Same location - Not required; resources can live in other regions, and the group's location only determines where its metadata is stored
- Shared lifecycle - Resources should be deployed/updated/deleted together
- Logical grouping - Based on workload, environment, or project
Resource Group Naming:
┌─────────────────────────────────────────────────────────────────┐
│ NAMING CONVENTIONS │
├─────────────────────────────────────────────────────────────────┤
│ Pattern: <company>-<env>-<region>-<service> │
│ │
│ Examples: │
│ - contoso-prod-eastus-webapp │
│ - contoso-dev-weu-storage │
│ - adventure-works-staging-sql │
│ │
│ Bad Examples: │
│ - rg1 (too vague) │
│ - productionresources (too long) │
│ - my_rg (inconsistent) │
└─────────────────────────────────────────────────────────────────┘
Creating Resource Groups:
# Create resource group
az group create \
  --name myResourceGroup \
  --location eastus

# Create with tags
az group create \
  --name prod-rg \
  --location eastus \
  --tags Environment=Production CostCenter=IT

# List resource groups
az group list -o table

# Show resource group details
az group show --name myResourceGroup

# Update resource group
az group update \
  --name myResourceGroup \
  --set tags.Dept=Marketing

# Delete resource group (and all resources)
az group delete --name myResourceGroup --yes
4. Azure Resource Manager
What is ARM?
Azure Resource Manager (ARM) is the deployment and management service for Azure. It provides a consistent management layer to create, update, and delete resources.
ARM Deployment Modes:
┌─────────────────────────────────────────────────────────────────┐
│ ARM DEPLOYMENT │
├─────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────────┐ │
│ │ ARM Template │ │
│ │ (JSON) │ │
│ │ │ │
│ │ { │ │
│ │ "resources": [ │ │
│ │ { ... } │ │
│ │ ] │ │
│ │ } │ │
│ └────────┬─────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────┐ │
│ │ Resource Manager │ │
│ │ │ │
│ │ • Validates template │ │
│ │ • Creates resources │ │
│ │ • Handles dependencies │ │
│ └──────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────┐ │
│ │ Resources Deployed │ │
│ │ ┌────────┐ ┌────────┐ ┌────────┐ │ │
│ │ │ VM │ │ VNet │ │ Blob │ │ │
│ │ └────────┘ └────────┘ └────────┘ │ │
│ └──────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
ARM Template Example:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string",
      "minLength": 3,
      "maxLength": 24
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    }
  },
  "variables": {
    "storageAccountType": "Standard_LRS"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-09-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "[variables('storageAccountType')]"
      },
      "kind": "StorageV2",
      "properties": {
        "accessTier": "Hot"
      }
    }
  ],
  "outputs": {
    "storageAccountId": {
      "type": "string",
      "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
    }
  }
}
Deploying Templates:
# Deploy from local file
az deployment group create \
  --resource-group myResourceGroup \
  --template-file template.json \
  --parameters params.json

# Deploy from URI
az deployment group create \
  --resource-group myResourceGroup \
  --template-uri "https://raw.githubusercontent.com/..." \
  --parameters storageAccountName=myaccount

# What-if (preview changes)
az deployment group what-if \
  --resource-group myResourceGroup \
  --template-file template.json
5. Tags Strategy
What are Tags?
Tags are name/value pairs that help you categorize and organize resources. They're essential for cost allocation, automation, and compliance.
Tagging Hierarchy:
┌─────────────────────────────────────────────────────────────────┐
│ TAG ORGANIZATION │
├─────────────────────────────────────────────────────────────────┤
│ │
│ Resource │
│ ├── Name: my-web-app │
│ ├── Tags: │
│ │ ├── Environment: Production │
│ │ ├── Application: CRM │
│ │ ├── Owner: team-infrastructure@company.com │
│ │ ├── CostCenter: IT-001 │
│ │ └── Version: 2.0 │
│ │
└─────────────────────────────────────────────────────────────────┘
Common Tag Schema:
| Tag | Description | Example |
|---|---|---|
| Environment | Dev, Test, Staging, Prod | Production |
| Application | App name | CRM, ERP, Web |
| Owner | Responsible person/team | team-crm@company.com |
| CostCenter | Budget code | IT-001, MARKETING-23 |
| Project | Project name | Migration-2024 |
| Version | Deployment version | v2.0 |
| DataClassification | Confidential, Public, etc. | Confidential |
Managing Tags:
# Add tag to resource (Merge keeps the resource's existing tags)
az tag update \
  --resource-id /subscriptions/.../storageAccounts/myaccount \
  --operation Merge \
  --tags Environment=Production

# List all unique tag names
az tag list --query "[].tagName" -o tsv

# Apply tag to resource group (resources in the group do not inherit it automatically)
az group update \
  --name myResourceGroup \
  --set tags.Environment=Production

# Query resources by tag
az resource list --tag Environment=Production -o table

# Remove tag
az tag update \
  --resource-id /subscriptions/.../storageAccounts/myaccount \
  --operation Delete \
  --tags Environment=Production
Enforce Tags with Policy:
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "field": "[concat('tags[', parameters('tagName'), ']')]",
      "exists": "false"
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "tagName": {
      "type": "String",
      "defaultValue": "Environment",
      "metadata": {
        "displayName": "Required Tag Name"
      }
    }
  }
}
6. Cost Management
Azure Cost Management Tools:
- Azure Cost Management - Built-in billing dashboard
- Budget Alerts - Notify when spending exceeds threshold
- Resource Graph - Query resource costs
- Advisor - Cost optimization recommendations
Cost Analysis:
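# Show costs by resource group (requires the costmanagement CLI extension)
az costmanagement query \
  --type ActualCost \
  --scope "/subscriptions/<sub-id>" \
  --timeframe Custom \
  --time-period from=2024-01-01T00:00:00Z to=2024-01-31T23:59:59Z \
  --dataset-grouping name=ResourceGroup type=Dimension

# Export cost data
az costmanagement export create \
  --name "MonthlyCosts" \
  --type ActualCost \
  --scope "/subscriptions/<sub-id>" \
  --timeframe MonthToDate \
  --storage-account-id "/subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.Storage/storageAccounts/mystorage" \
  --storage-container costs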
Cost Optimization Tips:
┌─────────────────────────────────────────────────────────────────┐
│ COST OPTIMIZATION CHECKLIST │
├─────────────────────────────────────────────────────────────────┤
│ ✓ Use Azure Advisor recommendations │
│ ✓ Enable auto-shutdown for dev VMs │
│ ✓ Right-size underutilized resources │
│ ✓ Use Reserved Instances for stable workloads │
│ ✓ Delete unused resources │
│ ✓ Use tags for cost allocation │
│ ✓ Set budget alerts │
│ ✓ Use Azure Hybrid Benefit for Windows │
└─────────────────────────────────────────────────────────────────┘
7. Azure Policy & Governance
What is Azure Policy?
Azure Policy evaluates resources for compliance against rules you define.
Policy Definition:
{
  "properties": {
    "displayName": "Allowed VM SKUs",
    "description": "Restrict VM sizes to approved list",
    "mode": "All",
    "parameters": {
      "allowedSKUs": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed VM SKUs"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/sku.name",
            "notIn": "[parameters('allowedSKUs')]"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
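A simplified offline model of how the conditions in this rule and in the required-tag rule (with the tag name written out as `tags.Environment`) evaluate, so a deny rule can be tried against sample resources before it is assigned. This is an added example, not Azure's policy engine and not code from the original page; `matches`, `effect`, the `allow` return value, and the sample resources are constructed for illustration.

```python
import re
# Alias -> property path; only the alias used on this page is modelled.
ALIASES = {"microsoft.compute/virtualmachines/sku.name": "properties.hardwareProfile.vmSize"}

def _param(value, params):
    """Resolve "[parameters('x')]"; return any other value unchanged."""
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def _field(resource, name):
    """Look up a policy field on a resource dict; None when it is absent."""
    if name.lower().startswith("tags."):
        want = name[5:].lower()                      # tag names are case-insensitive
        tags = resource.get("tags") or {}
        return next((v for k, v in tags.items() if k.lower() == want), None)
    node = resource
    for part in ALIASES.get(name.lower(), name).split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def _same(a, b):
    return str(a).lower() == str(b).lower()          # equals / notIn ignore case

def matches(cond, resource, params):
    """Evaluate the condition types that appear on this page."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    value = _field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value is not None and _same(value, _param(cond["equals"], params))
    if "notIn" in cond:
        return not any(_same(value, x) for x in _param(cond["notIn"], params))
    raise ValueError(f"condition not modelled: {sorted(cond)}")

def effect(rule, resource, params=None):
    """Effect if the 'if' block matches, else 'allow' (this model's word for no effect)."""
    return rule["then"]["effect"] if matches(rule["if"], resource, params or {}) else "allow"

TAG_RULE = {"if": {"field": "tags.Environment", "exists": "false"}, "then": {"effect": "deny"}}
SKU_RULE = {"if": {"allOf": [
    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    {"field": "Microsoft.Compute/virtualMachines/sku.name", "notIn": "[parameters('allowedSKUs')]"},
]}, "then": {"effect": "deny"}}
# Constructed sample resources, not real inventory.
VM = {"type": "Microsoft.Compute/virtualMachines", "tags": {"environment": "Production"},
      "properties": {"hardwareProfile": {"vmSize": "Standard_D64s_v3"}}}
STORAGE = {"type": "Microsoft.Storage/storageAccounts", "tags": None}  # no tags of its own
```

The tag rule looks only at the resource's own tags, so `STORAGE` is denied whatever tags its resource group carries, and the SKU rule never matches it because the `type` condition fails first.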
Built-in Policies:
| Policy | Description |
|---|---|
| Allowed locations | Restrict resource regions |
| Allowed resource types | Limit deployable resource types |
| Storage account encryption | Require encryption |
| SQL encryption | Require transparent data encryption |
| Audit diagnostic logs | Enable logging for resources |
Assigning Policies:
# Assign policy at subscription level
# (e56962a6-4747-49cd-b67b-bf8b01975c4c is the built-in "Allowed locations" definition)
az policy assignment create \
  --name "AllowedLocations" \
  --display-name "Allowed Locations Policy" \
  --scope "/subscriptions/<sub-id>" \
  --policy "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c" \
  --params '{
    "listOfAllowedLocations": {
      "value": ["eastus", "westus"]
    }
  }'

# List policy assignments
az policy assignment list --scope "/subscriptions/<sub-id>"

# List non-compliant resources
az policy state list --filter "complianceState eq 'NonCompliant'"
8. Best Practices
Organizational Structure:
┌─────────────────────────────────────────────────────────────────┐
│ RECOMMENDED RESOURCE HIERARCHY │
├─────────────────────────────────────────────────────────────────┤
│ │
│ Root Management Group │
│ ├── Company HQ │
│ │ └── Production Subscription │
│ │ ├── rg-webapps-prod │
│ │ ├── rg-data-prod │
│ │ └── rg-shared-prod │
│ │ │
│ └── Dev/Test Subscription │
│ ├── rg-webapps-dev │
│ ├── rg-data-dev │
│ └── rg-shared-dev │
│ │
└─────────────────────────────────────────────────────────────────┘
Resource Group Design:
| Scenario | Recommendation |
|---|---|
| Per environment | Separate RGs for prod, dev, staging |
| Per application | One RG per application |
| Shared resources | Shared RG for networking, monitoring |
| Lifecycle together | Group resources deployed together |
Security Checklist:
- Use Management Groups for policy inheritance
- Separate production from non-production
- Implement RBAC at appropriate scope
- Enable resource locks on critical resources
- Use Azure Security Center recommendations
- Regular access reviews
Quick Reference - CLI Commands:
┌─────────────────────────────────────────────────────────────────┐
│ RESOURCE MANAGEMENT COMMANDS │
├─────────────────────────────────────────────────────────────────┤
│ List subscriptions: az account list -o table │
│ Set default: az account set --subscription <name> │
│ Create RG: az group create -n <name> -l <location> │
│ List RG: az group list -o table │
│ Delete RG: az group delete -n <name> --yes │
│ Deploy template: az deployment group create │
│ List resources: az resource list -o table │
│ Add tag: az tag update --resource-id <id> --tags │
└─────────────────────────────────────────────────────────────────┘
Hands-On Lab:
Exercise 1: Create Resource Groups
- Create 3 RGs: prod, dev, staging
- Add appropriate tags
- Deploy a storage account to each
Exercise 2: Deploy ARM Template
- Create a template with multiple resources
- Deploy to resource group
- Verify all resources created
Exercise 3: Tagging Strategy
- Apply tags to all resources
- Query costs by tag
- Create policy to require tags
Exercise 4: Cost Management
- Set budget alerts
- Review Azure Advisor recommendations
- Identify underutilized resources
Next Steps:
- Learn about Azure Resource Mover
- Explore Management Group best practices
- Implement enterprise-scale landing zones
Azure Integration Hub - Learning Roadmap Level: Beginner | Topic: Resource Groups & Subscriptions