Azure Subscription and Resource Groups

When onboarding to the cloud, the first thing you will create is a subscription. Under a subscription, you will create one or more resource groups. Resource groups are logical containers used to group a collection of resources such as VMs, VNets, storage accounts, etc. This logical grouping helps with provisioning, monitoring, and access control.

Resources in a Resource Group can span multiple regions. One way to organize Resource Groups is by deployment stage, for example dev resources, test resources, and production resources. This helps group and manage resources based on criticality.

Another important aspect one needs to be aware of is Role-Based Access Control (RBAC). There are four key built-in roles.

  • Contributor: Manage resources but not user access
  • Owner: Manage resources and can assign user roles/access
  • Reader: View-only access
  • User Access Administrator: Can manage access for users but cannot manage resources
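The following is an added example (not from the original notes) showing how these four roles are applied at resource-group scope with the Az PowerShell module. It assumes the Az module is installed and Connect-AzAccount has already been run; the resource group name, location, e-mail addresses and group object id are placeholders.

```powershell
# Added example: create a resource group and assign the built-in roles at that scope.
# Assumes Az PowerShell module + an existing Connect-AzAccount session.
# All names, e-mail addresses and object ids below are placeholders.
$rgName   = 'rg-payments-prod'
$location = 'eastus'

New-AzResourceGroup -Name $rgName -Location $location | Out-Null

# Reader: view-only. Suitable for auditors and monitoring teams (assigned via a group object id).
New-AzRoleAssignment -ObjectId '<audit-group-object-id>' `
    -RoleDefinitionName 'Reader' -ResourceGroupName $rgName

# Contributor: can create/modify/delete resources in the group, but cannot grant access.
New-AzRoleAssignment -SignInName 'ops.engineer@example.com' `
    -RoleDefinitionName 'Contributor' -ResourceGroupName $rgName

# User Access Administrator: can grant access but cannot touch resources.
# Keep this to a very small set of identities; it can grant itself Owner.
New-AzRoleAssignment -SignInName 'iam.admin@example.com' `
    -RoleDefinitionName 'User Access Administrator' -ResourceGroupName $rgName

# Review who holds what at this scope (inherited subscription-level assignments are included).
Get-AzRoleAssignment -ResourceGroupName $rgName |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# Least-privilege check: Owner combines Contributor and access management,
# so every Owner assignment at this scope should be justified.
Get-AzRoleAssignment -ResourceGroupName $rgName |
    Where-Object { $_.RoleDefinitionName -eq 'Owner' } |
    Select-Object DisplayName, SignInName, Scope
```

Assigning roles at the resource-group scope rather than the subscription keeps the blast radius of any one identity limited to that group; assignments made higher up are inherited and will show in the review output with a broader Scope value.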

Azure Security Center: Creates a default security policy automatically for each Azure subscription.

Example Policies

  • System Updates (any updates missing for a system e.g. a VM)
  • Security Configurations
  • Endpoint Protection
  • Disk Encryption
  • Network Security Groups
  • Web Application Firewall
  • Next-Generation Firewall
  • SQL auditing and Threat Detection
  • SQL Encryption
  • Vulnerability assessment
  • Storage Encryption
  • JIT Network Access

Resource Policies: Resource policies can be set at subscription scope, for example to allow only certain VM sizes or to allow resources to be created only in specific locations.
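As an added example (not part of the original notes), the following defines and assigns a single custom Azure Policy at subscription scope that denies both of the cases mentioned above: a resource outside the allowed locations, or a VM whose size is not on the allowed list. It assumes the Az PowerShell module and an active session; the subscription id, locations and VM sizes are placeholders.

```powershell
# Added example: custom policy with deny effect for disallowed locations and VM sizes.
# Assumes Az PowerShell module + Connect-AzAccount session. Values are placeholders.
$subscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId"

# Policy rule. "Microsoft.Compute/virtualMachines/sku.name" is the alias used by the
# built-in "Allowed virtual machine size SKUs" policy; "global" resources are exempted
# from the location check, as the built-in "Allowed locations" policy does.
$rule = @'
{
  "if": {
    "anyOf": [
      {
        "allOf": [
          { "field": "location", "notIn": "[parameters('allowedLocations')]" },
          { "field": "location", "notEquals": "global" }
        ]
      },
      {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
          { "field": "Microsoft.Compute/virtualMachines/sku.name", "notIn": "[parameters('allowedVmSizes')]" }
        ]
      }
    ]
  },
  "then": { "effect": "deny" }
}
'@

$parameters = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": { "displayName": "Allowed locations", "strongType": "location" }
  },
  "allowedVmSizes": {
    "type": "Array",
    "metadata": { "displayName": "Allowed VM sizes", "strongType": "vmSKUs" }
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'restrict-locations-and-vm-sizes' `
    -DisplayName 'Restrict locations and VM sizes' `
    -Policy $rule -Parameter $parameters -Mode All

# Assign at subscription scope with concrete values (placeholders).
New-AzPolicyAssignment -Name 'restrict-locations-and-vm-sizes' `
    -PolicyDefinition $definition -Scope $scope `
    -PolicyParameterObject @{
        allowedLocations = @('eastus', 'westus2')
        allowedVmSizes   = @('Standard_B2s', 'Standard_D2s_v3')
    }

# Existing resources that already violate the rule are reported as non-compliant,
# not deleted; only new or updated deployments are denied.
Get-AzPolicyState -SubscriptionId $subscriptionId `
    -Filter "PolicyAssignmentName eq 'restrict-locations-and-vm-sizes' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ResourceLocation
```

A deny effect stops future deployments but does not remediate what already exists, so the compliance query at the end is the part that tells you what still needs attention after the assignment lands.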

Resource Locks: Two types of locks can be applied to resources, CannotDelete and ReadOnly.
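The block below is an added example (not from the original notes) of applying both lock levels with the Az PowerShell module, where the ARM-level name of the delete lock is CanNotDelete. It assumes an active Az session; the resource group, VNet name and lock names are placeholders.

```powershell
# Added example: apply, inspect and remove resource locks. Assumes Az PowerShell + session.
# Resource group and resource names are placeholders.
$rgName = 'rg-payments-prod'

# CanNotDelete on the whole group: resources can still be modified, but nothing can be
# deleted (the lock is inherited by every resource in the group).
New-AzResourceLock -LockName 'prod-no-delete' -LockLevel CanNotDelete `
    -ResourceGroupName $rgName `
    -LockNotes 'Production group; remove only via change request' -Force

# ReadOnly on a single resource: no create, update or delete on that resource.
# Caveat: ReadOnly also blocks POST-based operations, e.g. listing storage account keys,
# so scope it narrowly.
New-AzResourceLock -LockName 'vnet-readonly' -LockLevel ReadOnly `
    -ResourceGroupName $rgName `
    -ResourceName 'vnet-payments' -ResourceType 'Microsoft.Network/virtualNetworks' -Force

# Inspect what is locked at this scope.
Get-AzResourceLock -ResourceGroupName $rgName |
    Select-Object Name, ResourceName, @{ n = 'Level'; e = { $_.Properties.level } }

# Demonstrate the effect: a delete attempt fails while the lock is in place.
try {
    Remove-AzResource -ResourceGroupName $rgName -ResourceName 'vnet-payments' `
        -ResourceType 'Microsoft.Network/virtualNetworks' -Force -ErrorAction Stop
} catch {
    Write-Warning "Delete refused by lock: $($_.Exception.Message)"
}

# Lifting a lock needs Microsoft.Authorization/locks/delete, which only Owner and
# User Access Administrator hold among the four roles, not Contributor.
Remove-AzResourceLock -LockName 'vnet-readonly' -ResourceGroupName $rgName `
    -ResourceName 'vnet-payments' -ResourceType 'Microsoft.Network/virtualNetworks' -Force
```

Locks are a guard against accidental change, not an access-control boundary: anyone who can manage locks can also remove them, which is why that permission sits with Owner and User Access Administrator rather than Contributor.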

Tagging: Another powerful mechanism to logically group and organize resources. This helps with billing and management; for example, you can create a billing report for every resource carrying the tag Project Name = “XYZ”.

Note that one can also move resources between Resource Groups. During the move, both the source and target groups are locked. Moving a resource does not change its location; only its Resource Group is updated.
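As an added example covering both the tagging paragraph and the resource-move paragraph above (not from the original notes), the following tags every resource in a dev group, lists resources across the subscription by tag, and then moves a subset to the production group and confirms their location is unchanged. It assumes the Az PowerShell module and an active session; group names, tag values and resource types are placeholders.

```powershell
# Added example: tag resources for billing/management, then move them between groups.
# Assumes Az PowerShell module + Connect-AzAccount session. Names and values are placeholders.
$rgSource = 'rg-payments-dev'
$rgTarget = 'rg-payments-prod'
$tags = @{ Project = 'XYZ'; CostCenter = 'CC-1234'; Owner = 'payments-team' }

# Merge tags onto every resource without wiping tags that are already present
# (Set-AzResource -Tag would replace the whole tag set).
Get-AzResource -ResourceGroupName $rgSource | ForEach-Object {
    Update-AzTag -ResourceId $_.ResourceId -Tag $tags -Operation Merge | Out-Null
}

# Tag the group itself as well: tags on a resource group are not inherited by its resources.
Update-AzTag -ResourceId (Get-AzResourceGroup -Name $rgSource).ResourceId `
    -Tag $tags -Operation Merge | Out-Null

# Management/billing view: everything for project XYZ, regardless of resource group.
Get-AzResource -TagName 'Project' -TagValue 'XYZ' |
    Select-Object Name, ResourceType, ResourceGroupName, Location |
    Format-Table -AutoSize

# Move only the storage accounts from dev to prod. Both groups are locked for the
# duration of the move; the resources keep their current location.
$toMove = Get-AzResource -ResourceGroupName $rgSource `
    -ResourceType 'Microsoft.Storage/storageAccounts'
$before = $toMove | Select-Object Name, Location

Move-AzResource -DestinationResourceGroupName $rgTarget `
    -ResourceId $toMove.ResourceId -Force

# Confirm: same names, same locations, new resource group.
$after = Get-AzResource -ResourceGroupName $rgTarget `
    -ResourceType 'Microsoft.Storage/storageAccounts' |
    Select-Object Name, Location, ResourceGroupName
Compare-Object $before $after -Property Name, Location   # no output means nothing changed
```

Tags travel with a resource when it moves, so the project-wide listing still finds the storage accounts after they land in the production group; RBAC assignments and locks, however, are scoped to the old group and need to be re-applied at the new scope.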