1.3.2. 🔐 First Principle: Subscriptions
🔐 First Principle: A subscription serves as the fundamental unit for billing, access control, and resource deployment, providing the primary boundary for governance and financial accountability in an enterprise cloud environment.
Scenario: You are designing the cloud environment for a large enterprise. Different departments need to manage their own resources and costs independently. Additionally, production environments must have stricter security policies than development environments.
An Azure Subscription is a logical container for your Azure services and a billing unit. All Azure resources must belong to a subscription.
Key Concepts:
- Billing Boundary: Usage and costs are aggregated at the subscription level, making it a key unit for cost management and chargeback.
- Security Scope: Role-Based Access Control (RBAC) permissions can be applied at the subscription level, and these permissions are inherited by all Resource Groups and resources within that subscription.
- Resource Deployment Boundary: All Azure resources must be deployed within a subscription.
- Linked to Azure AD: Each subscription is linked to a single Azure Active Directory (Azure AD) tenant, which manages user identities and access.
⚠️ Common Pitfall: Using a single subscription for an entire large enterprise. This leads to chaotic cost management, complex permission models, and difficulty enforcing different policies for different environments (e.g., dev vs. prod).
Key Trade-Offs:
- Isolation vs. Management Overhead: Multiple subscriptions provide strong isolation for billing and security but increase the complexity of managing cross-subscription resources and connectivity.
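The three boundaries described above (billing, security scope, policy per environment) as an added Bicep example, not code from the original page: a subscription-scope deployment that tags the production subscription for chargeback, assigns the built-in Allowed locations policy, and grants a group Reader at subscription scope so the permission is inherited by every resource group and resource beneath it. The group object ID, department name and region list are placeholders; the policy and role definition IDs are Azure's built-in ones.

```bicep
// Added example. Deploy against the production subscription with:
//   az deployment sub create --location westeurope --template-file prod-governance.bicep --parameters readerGroupObjectId=<group-object-id>
targetScope = 'subscription'

@description('Object ID of the Azure AD group that gets read-only access (placeholder).')
param readerGroupObjectId string

@description('Regions this subscription may deploy into (constructed sample values).')
param allowedLocations array = ['westeurope', 'northeurope']

param department string = 'finance'      // constructed sample value for chargeback
param environmentName string = 'prod'

// Billing boundary: tags set at subscription scope appear in cost reports,
// so each department's subscription can be charged back by tag.
resource subscriptionTags 'Microsoft.Resources/tags@2022-09-01' = {
  name: 'default'
  properties: {
    tags: {
      department: department
      environment: environmentName
    }
  }
}

// Policy boundary: the built-in "Allowed locations" definition assigned here
// applies to every resource group and resource in the subscription. A dev
// subscription could use the same template with enforcementMode 'DoNotEnforce'.
resource allowedLocationsAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'allowed-locations-${environmentName}'
  properties: {
    displayName: 'Restrict deployment regions (${environmentName})'
    policyDefinitionId: tenantResourceId('Microsoft.Authorization/policyDefinitions', 'e56962a6-4747-49cd-b67b-bf8b01975c4c')
    parameters: {
      listOfAllowedLocations: { value: allowedLocations }
    }
    enforcementMode: 'Default'
  }
}

// Security scope: an RBAC assignment at subscription scope is inherited by all
// resource groups and resources, so one assignment covers the whole subscription.
resource readerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, readerGroupObjectId, 'Reader')   // deterministic, idempotent name
  properties: {
    principalId: readerGroupObjectId
    principalType: 'Group'
    // built-in Reader role definition
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
  }
}
```

Running the same template against each department's subscription with its own tag values keeps billing, RBAC and policy scoped per subscription rather than per resource group.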
Reflection Question: How does using multiple Azure Subscriptions for different departments or environments fundamentally simplify cost management, enhance security isolation, and enable granular policy enforcement for large organizations in Azure?