This is the second of a five-part series focused on enterprise governance in Microsoft Azure.
Developing a strong governance strategy is a key step in the cloud adoption journey that is easily sidestepped or overlooked. Organizations often start cloud adoption with a development or testing environment, but then the technology gains momentum and the toothpaste is out of the tube with home grown environments. It becomes much harder to apply governance principles in this scenario and organizations end up facing rework or pushback that would not have existed in a greenfield environment. This blog post focuses on guiding principles behind dividing resources into resource groups and/or subscriptions as well as cost management measures that will help control and understand cloud spend.
guiding principles behind subscriptions and resource groups
In part one, we discussed the four levels of management in the Azure Enterprise Portal: the Enterprise Agreement, departments, accounts, and subscriptions. Once you have modeled your organization’s hierarchy and mapped it to an Azure hierarchy pattern, you can consider where to draw the line between subscriptions and resource groups based on your governance needs.
There can be multiple Azure subscriptions within an Enterprise Agreement (EA). Subscriptions can be created through either the Enterprise Portal or the Account Portal. Through the Account Portal, the account administrator can rename the subscription or reassign the service administrator to another user. In Azure, the ability to view resources is segregated at the subscription level. Billing for Azure consumption is also reported at the subscription level.
Resource groups serve as containers for Azure resources within a subscription and are a flexible way to define resource lifecycles, policies, and access control. Resources can be allocated to resource groups using different deployment models, depending on the needs of the organization. Applications are commonly segregated into resource groups because they share a common lifecycle of being provisioned, updated, and decommissioned and share similar role-based access control (RBAC) patterns.
Figure 1. Controlling Access to Resources with RBAC
when to use subscriptions or resource groups
The decision of whether to divide resources into separate subscriptions or resource groups often takes billing and departmental chargebacks into account, as well as the overall management structure of the organization. A common functional hierarchy pattern includes pre-production environments assigned to application development teams within functional groups (e.g., accounting, human resources, etc.) and production environments assigned to an IT engineering group. Business unit and geographic patterns may divide subscriptions between account holders within discrete business units, subsidiaries, or regions, with application owners and IT engineering teams assigned granular access within each subscription. Common reasons for dividing between separate subscriptions, rather than resource groups within a single subscription, are department groupings on billing statements, grouping resources into silos, separating access control between environments, and limiting access to services that should only be available to certain groups.
From a cost management perspective, the Enterprise Portal offers significant insight into commitment usage and charges at department, account, and subscription levels. Cost management capabilities also exist in the Azure portal through Azure Cost Management. Due to this, there are various ways to analyze, review, and mange cost within Azure. We take a deeper dive into cost management later in this post.
planning resource groups
Once you have taken billing and administrative factors into account to devise a subscription strategy, then the next step is to plan an approach to resource groups. When deploying resource groups, there are two primary approaches to their design:
Resource groups that encompass all resources and core infrastructure components for an application deployment, including storage accounts, virtual networks, subnets, VMs, web apps, load balancers, etc.
Centralized resource groups for core components such as storage accounts and virtual networks, with application resources such as VMs, web apps, load balancers, etc., set up in their own resource groups.
The centralized approach makes it easier to build and maintain hybrid network connectivity, protect data sovereignty, and enforce compliance requirements within the environment. With the centralized approach, application teams are empowered to develop and implement solutions efficiently while minimizing risk and optimizing the use of shared infrastructure. The alternative approach requires each solution to maintain its own core infrastructure and virtual networks, introducing additional management overhead and greater potential for conflicts.
Bearing these factors in mind, it is important to consider how they will apply to your organization, because ultimately any governance model will need to reflect the company’s strategic, compliance, and budgetary goals and requirements. Starting with sound governance principles to guide separation of resources into subscriptions and resource groups can prevent costly reorganization efforts later. After establishing this critical framework, the next step is to establish guidelines around RBAC, policies, and auditing within your subscriptions.
azure cost management
To ensure appropriate visibility and awareness to billing structures, alerts can be set when thresholds of a spending quota are met. The intent is that if a lower environment were to suddenly begin consuming a far greater amount of compute, storage, or application services then an escalation can be made to the development manager for that product to initiate a review of the running services within Azure. Recipients of alerts should be planned out to ensure that the correct personnel are receiving adequate alerts. This is pertinent to ensure that alerts are relevant, do not create false alarms, and do not become so common they are ignored.
Using budgets, users can stay informed and see how spending changes over time for the Azure services consumed or subscribed to in a specific period. Notifications are triggered if set budget thresholds are exceeded, but consumption isn’t halted. Spending is updated against monthly budgets every four hours, and data and notifications for consumed resources become available within eight hours. Users require read access to view budgets, and contributor permissions are required to create or manage budgets. Individual budgets are available for EA subscriptions and resource groups.
Understanding the invoice for Azure Cloud services can be a confusing process, however, resource tagging can be utilized to provide clarity, track spending, and manage cloud costs. Azure invoices are broken down on a per resource basis which can yield a very large, hard-to-digest invoice with little indication of which charge is associated to what resource. Resource tags allow for granular tracking of resource costs on an application, business unit, or project basis. This provides a foundation to support a “charge-back” or a “show-back” model for cloud spend. This model allows an organization to analyze its cloud spend and classify costs by application, business unit, or department and show or charge said application group, business unit, or department for the incurred costs. A “charge-back” method allows IT to recoup costs of cloud resources while a “show-back” method adds visibility and accountability to these groups. This helps ensure resources are provisioned correctly, being turned off when not in use, and costs are being managed.
Bearing these factors in mind, it is important to consider how they will apply to your organization, because ultimately any governance model will need to reflect the company’s strategic, compliance, and budgetary goals and requirements. Starting with sound governance principles to guide separation of resources into subscriptions and resource groups can prevent costly reorganization efforts later. Also, starting with visibility into Azure spend and alerts should help protect against a larger Azure invoice than expected. After establishing this critical framework, and visibility into financial management, the next step is to establish guidelines around RBAC, Azure Resource Manager (ARM) policies, and auditing within your subscriptions. We’ll discuss these topics in part three of our series.
Are you interested in exploring Microsoft Azure but concerned about governance and how to make public cloud fit within your IT model? Credera has extensive experience in cloud infrastructure design and implementation. If you have questions or would like to discuss cloud and infrastructure solutions, contact us at firstname.lastname@example.org.