1.3.2. First Principle: Subscriptions
First Principle: An Azure Subscription defines a billing boundary and a security scope for resources, serving as the fundamental unit for organizing and managing Azure cloud usage and costs.
What It Is: A "Subscription" is a logical container for your Azure services and a billing unit. All Azure resources must belong to a subscription.
Key Concepts:
- "Billing Boundary": Usage and costs are aggregated at the "subscription level", making it a key unit for cost management and chargeback.
- "Security Scope": "Role-Based Access Control (RBAC)" permissions can be applied at the "subscription level", and these permissions are inherited by all Resource Groups and resources within that subscription.
- "Resource Deployment Boundary": All Azure resources must be deployed within a subscription.
- "Linked to Entra ID": Each subscription is linked to a single "Entra ID" (formerly Azure Active Directory) tenant, which manages user identities and access.
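The inheritance described under "Security Scope", as an added example that is not part of the original page: a simplified Python model in which a role assignment applies to its own scope and to everything beneath it. The subscription IDs, principals and assignments are constructed sample data, and deny assignments are not modeled.

```python
# Simplified model of Azure RBAC scope inheritance (added example).
# Subscription IDs, principals and assignments are constructed sample data.
SUB_DEV = "/subscriptions/00000000-0000-0000-0000-0000000000de"
SUB_PROD = "/subscriptions/00000000-0000-0000-0000-0000000000a0"

ASSIGNMENTS = [
    {"principal": "dev-team", "role": "Contributor", "scope": SUB_DEV},
    {"principal": "dev-team", "role": "Reader",
     "scope": SUB_PROD + "/resourceGroups/rg-web"},
    {"principal": "ops-team", "role": "Owner", "scope": SUB_PROD},
    {"principal": "auditor", "role": "Reader",
     "scope": SUB_PROD + "/resourceGroups/rg-db/providers/Microsoft.Sql/servers/sql1"},
]

def normalize(scope):
    # Azure resource IDs are case-insensitive; drop any trailing slash.
    return scope.rstrip("/").lower()

def scope_applies(assignment_scope, target):
    """True when the assignment scope is the target or one of its ancestors."""
    a, t = normalize(assignment_scope), normalize(target)
    # Require a "/" boundary so rg-web does not match rg-web2.
    return t == a or t.startswith(a + "/")

def effective_roles(principal, target, assignments=ASSIGNMENTS):
    """Roles a principal holds at target, directly or by inheritance."""
    return sorted({a["role"] for a in assignments
                   if a["principal"] == principal
                   and scope_applies(a["scope"], target)})

def subscription_wide(assignments=ASSIGNMENTS, roles=("Owner", "Contributor")):
    """Broad roles assigned at subscription scope, inherited by everything below."""
    found = []
    for a in assignments:
        parts = normalize(a["scope"]).strip("/").split("/")
        if len(parts) == 2 and parts[0] == "subscriptions" and a["role"] in roles:
            found.append((a["principal"], a["role"], a["scope"]))
    return found

if __name__ == "__main__":
    vm = SUB_DEV + "/resourceGroups/rg-test/providers/Microsoft.Compute/virtualMachines/vm1"
    print("dev-team on dev VM:", effective_roles("dev-team", vm))
    print("dev-team on prod rg-db:", effective_roles("dev-team", SUB_PROD + "/resourceGroups/rg-db"))
    print("subscription-wide broad roles:", subscription_wide())
```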
Visual: Azure "Subscription" Structure
Scenario: Your development team needs a separate Azure environment for testing new features, completely isolated from your production environment. You also need to track the costs incurred by the development team independently.
Reflection Question: How does using multiple Azure Subscriptions for different environments or departments fundamentally simplify cost management and enhance security isolation compared to developing everything within a single, monolithic subscription?
Tip: For enterprise cloud adoption, plan your subscription strategy early. It provides a natural boundary for billing, compliance, and access control.