1.3.4. 💡 First Principle: Subscriptions
💡 First Principle: An Azure Subscription serves as the fundamental unit for billing, resource organization, and access control, defining a clear boundary for deploying resources, applying policies, and managing costs.
Scenario: You are part of a large organization that needs to separate development, testing, and production environments, and also track costs independently for each.
A Subscription is a logical container for your Azure services and a billing unit. All Azure resources must belong to a subscription.
Key Concepts:
- Billing Boundary: Usage and costs are aggregated at the subscription level, making it a key unit for cost management.
- Security Scope: Role-Based Access Control (RBAC) permissions can be applied at the subscription level, and these permissions are inherited by all Resource Groups and resources within that subscription.
- Resource Deployment Boundary: All Azure resources must be deployed within a subscription.
- Linked to Entra ID: Each subscription is linked to a single Microsoft Entra ID (formerly Azure Active Directory) tenant, which manages user identities and access.
Visual: Azure Subscription Structure
⚠️ Common Pitfall: Using a single subscription for all workloads in a large enterprise. This leads to a lack of isolation, complex billing, and difficulty in applying granular governance policies.
Key Trade-Offs:
- Isolation (Multiple Subscriptions) vs. Management Simplicity (Single Subscription): While a single subscription is easier to manage initially, multiple subscriptions provide better security, governance, and cost accountability for larger organizations.
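The two security-relevant behaviours in the Key Concepts and Trade-Offs lists above, RBAC scope inheritance from a subscription down to its Resource Groups and resources, and cost aggregation per subscription, can be made concrete with a small simulation. The following is an added example written for this section; it is not Azure SDK code and not part of the original page. It models Azure's scope rule (a role assignment applies to any resource whose ID is the assignment scope or a child of it, matched segment by segment) and sums usage records by the subscription segment of each resource ID. The subscription IDs, principals, resource IDs and cost figures are constructed placeholders.

```python
"""Simulation of Azure RBAC scope inheritance and per-subscription cost rollup.

Added example, not Azure SDK code. All IDs and costs below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str  # an Azure resource-ID prefix, e.g. "/subscriptions/<id>"


def scope_covers(scope: str, resource_id: str) -> bool:
    """True when `resource_id` is the scope itself or a descendant of it.

    Matching is segment-wise and case-insensitive, so "/subscriptions/sub-a"
    does not cover "/subscriptions/sub-ab".
    """
    s = scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")


def effective_roles(assignments, principal: str, resource_id: str) -> list[str]:
    """Roles `principal` holds on `resource_id`, via any covering assignment."""
    return sorted(
        {a.role for a in assignments
         if a.principal == principal and scope_covers(a.scope, resource_id)}
    )


def cost_by_subscription(usage) -> dict[str, float]:
    """Aggregate (resource_id, cost) records by their subscription segment."""
    totals: dict[str, float] = defaultdict(float)
    for resource_id, cost in usage:
        parts = resource_id.strip("/").split("/")
        if len(parts) < 2 or parts[0].lower() != "subscriptions":
            raise ValueError(f"not a subscription-scoped resource ID: {resource_id}")
        totals[parts[1]] += cost
    return dict(totals)


# Constructed sample data: two subscriptions (dev and prod) in the same tenant.
DEV_SUB = "/subscriptions/sub-dev-0001"
PROD_SUB = "/subscriptions/sub-prod-0002"
DEV_VM = DEV_SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-dev-01"
PROD_VM = PROD_SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-prod-01"
PROD_RG_APP = PROD_SUB + "/resourceGroups/rg-app"
PROD_RG_DATA = PROD_SUB + "/resourceGroups/rg-data"

ASSIGNMENTS = [
    # Contributor at subscription scope: inherited by every RG/resource in dev only.
    RoleAssignment("alice", "Contributor", DEV_SUB),
    # Reader at one resource-group scope in prod: does not reach sibling RGs.
    RoleAssignment("bob", "Reader", PROD_RG_APP),
]

USAGE = [  # constructed monthly cost records
    (DEV_VM, 120.0),
    (DEV_SUB + "/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stdev01", 30.0),
    (PROD_VM, 900.0),
    (PROD_SUB + "/resourceGroups/rg-data/providers/Microsoft.Sql/servers/sqlprod01", 80.0),
]


if __name__ == "__main__":
    for who, rid in [("alice", DEV_VM), ("alice", PROD_VM),
                     ("bob", PROD_RG_APP), ("bob", PROD_RG_DATA)]:
        print(f"{who:6} on {rid.split('/')[-1]:12} -> {effective_roles(ASSIGNMENTS, who, rid)}")
    print(cost_by_subscription(USAGE))
```

Running the script shows alice holding Contributor on the dev VM but nothing in prod, bob holding Reader only inside rg-app, and costs landing in two separate buckets. Collapsing both environments into one subscription would merge those buckets and give alice's subscription-scoped Contributor assignment reach over production resources, which is the isolation loss the pitfall above describes.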
Reflection Question: How does using multiple Azure Subscriptions for different environments or departments fundamentally simplify cost management and enhance security isolation compared to using a single, monolithic subscription?