[BASIC] Azure Structure / Hierarchy Options


Today we will cover a topic that is one of the main concerns of most customers. The question about the right Azure structure or hierarchy is commonly asked. And to be honest: there is no single answer. The right way depends on your organization, your needs and your goals.

So let us have a look into the options to structure your Azure environment…

Azure Hierarchy in Enterprise Enrollments

The first option we are looking at is the Azure Hierarchy described in the Azure Enterprise Scaffold. If you are using Azure via an Enterprise Enrollment, you have the option to create a billing hierarchy to structure and separate your cost.

Azure Structure in EA portal

In an Azure Enrollment you can have a structure of Departments and Accounts. This helps to create a structure outside the Azure Portal. It can be created and managed by Controlling or Management, without giving them access to Azure itself.

Departments are a logical unit to create a separation by business units, departments, countries or similar. They have no impact on the Azure resources themselves. The Department is only passed through to the usage details, so you can group costs by Department and use it for chargeback or showback.

cost charge by hierarchy

Accounts are used to give people access to the Azure Portal. The so-called “Account Owners” are able to create Azure Subscriptions and to spin up services. These accounts are normally used to separate responsibility and access for different areas or environments, again depending on your structure.

This all leads to an Azure Structure like this:

Azure Structure Example
Source: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/reference/azure-scaffold

As Microsoft is nowadays moving more and more away from Enterprise Enrollments, for example with the discontinuation of SCE contracts, many things are being moved to the Azure Cost Management Portal…

Azure Hierarchy in Cost Management

The modern way to create an Azure structure for cost purposes is in the Azure Portal. The Cost Management section now allows you to perform many actions that were previously available in the EA portal only. For customers with an MCA contract or who are purchasing direct PAYG, it is all in Azure Cost Management.

Azure Cost Management

The new model works with so-called Billing Profiles, which reflect your contract scope. In a Billing Profile you can have Invoice sections, which are comparable to the “old” Departments. But they do not have the exact same capability.

For an Invoice section you can have role-based access control (RBAC) roles assigned. If you are an “Azure Subscription Creator”, this is comparable to the “old” Account Owner.

Azure Structure with Management Groups

Another layer of Azure structure can be created outside the billing area. While Management Groups can also be used to get a consolidated view on cost, the main benefit of Management Groups is on the management side.

Management Groups can be used to create a structure inside the Azure Portal. So, similar to Departments, you can create a structure of business units, geographies, or whatever your structure is.

A Management Group can contain other Management Groups or subscriptions.
With this, you can create the structure that reflects your needs.

Management Group Hierarchy
Source: https://docs.microsoft.com/en-us/azure/governance/management-groups/overview

Management Groups can be used to assign role-based access and policies. While you could assign these to a single subscription, assignments to a Management Group have the benefit that every subscription created later in that group will follow the same rules and configurations.

Management Group Details

Azure Structure with Subscriptions

Another option you have to create a structure is to choose when and how to create an Azure Subscription.

You can start your Azure journey with a single subscription. But over time you will get to a point where you do not want to have everything in the same Subscription.

Maybe you want to separate internal from external services, or you want to differentiate between production and non-production workloads, or you have any other reason.

When creating new subscriptions you can assign them to different Management Groups, which for example will result in different access rights and policies attached.

Microsoft Docs contains a Decision Guide to understand the options and benefits of different models.

Azure Structure with Resource Groups

Last but not least, Resource Groups can be used to structure your Azure environment. Depending on your decisions on the topics above, you may or may not need a structure in Resource Groups.

A commonly seen approach is the separation of DEV-TEST-PROD into different RGs like:

  • RG-SuperApp-Dev
  • RG-SuperApp-Test
  • RG-SuperApp-Prod

As you can assign RBAC rights at Resource Group level and also scope Policies to Resource Groups, this is also a valid option for a structure.

But you could also do this at subscription level … you have the choice.
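The inheritance described in the Management Group and Resource Group sections can be made concrete with a small resolver. This is an added example, not code from the original post: the group names, subscription IDs, principals and policy name are constructed placeholders, and the model ignores policy exemptions and excluded scopes.

```python
MG = "/providers/Microsoft.Management/managementGroups/"
SUB_PROD = "/subscriptions/00000000-0000-0000-0000-000000000001"
SUB_NEW = "/subscriptions/00000000-0000-0000-0000-000000000002"

# Constructed hierarchy, child -> parent. Group and subscription IDs are placeholders.
PARENT = {
    MG + "corp": MG + "root",
    MG + "prod": MG + "corp",
    MG + "sandbox": MG + "root",
    SUB_PROD: MG + "prod",
    SUB_NEW: MG + "prod",  # created later; it has no assignments of its own
}

# Constructed assignments: (kind, scope, name, value)
ASSIGNMENTS = [
    ("rbac", MG + "root", "grp-security", "Reader"),
    ("policy", MG + "corp", "allowed-locations", "deny"),
    ("rbac", MG + "prod", "grp-ops", "Contributor"),
    ("rbac", SUB_PROD + "/resourceGroups/RG-SuperApp-Prod", "grp-superapp", "Owner"),
]


def scope_chain(scope):
    """Return the scope followed by its ancestors, most specific first."""
    chain = []
    while scope is not None:
        if scope in chain:
            raise ValueError("cycle in hierarchy at " + scope)
        chain.append(scope)
        # A resource group's parent is its subscription; everything else uses PARENT.
        sub, sep, _ = scope.partition("/resourceGroups/")
        scope = sub if sep else PARENT.get(scope)
    return chain


def effective(scope):
    """All assignments that apply at `scope`, direct or inherited."""
    return [a for s in scope_chain(scope) for a in ASSIGNMENTS if a[1] == s]


def subscriptions_under(scope):
    """Subscriptions that inherit anything assigned at `scope`."""
    return sorted(s for s in PARENT if s.startswith("/subscriptions/")
                  and scope in scope_chain(s))


def broad_privileged_grants(roles=("Owner", "Contributor")):
    """Privileged RBAC grants made at management-group scope, with their reach."""
    return [(name, role, scope, subscriptions_under(scope))
            for kind, scope, name, role in ASSIGNMENTS
            if kind == "rbac" and scope.startswith(MG) and role in roles]
```

`effective(SUB_NEW)` shows what a freshly created subscription picks up from its Management Group alone, and `broad_privileged_grants()` is the kind of review worth running before placing new subscriptions under a group.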

Conclusion

As you can see there are several options to create a structure in Microsoft Azure for different reasons. In the end it really depends on your structure, your way to operate and your regulatory and legal requirements.

So go ahead and find the right Azure Structure for your environment.
