Azure Fundamentals (AZ-900)

Last Updated: 12/11/2022

Azure management infrastructure

  • The management infrastructure includes Azure resources and resource groups, subscriptions, accounts and management groups.
  • Understanding the hierarchical organization will help you plan your projects and products within Azure.

Resources

  • A resource is the basic building block of Azure.
  • Anything you create, provision, deploy, etc. is a resource.
  • Virtual Machines (VMs), virtual networks, databases, cognitive services, etc. are all considered resources within Azure.

Resource Groups

  • Resource groups are simply groupings of resources.
  • When you create a resource, you’re required to place it into a resource group.
  • When you’re provisioning resources, it’s good to think about the resource group structure that best suits your needs.
    • If you’re setting up a temporary dev environment, grouping all the resources together means you can deprovision all of the associated resources at once by deleting the resource group.
    • If you’re provisioning compute resources that will need three different access schemas, it may be best to group resources based on the access schema, and then assign access at the resource group level.
  • When you apply an action to a resource group, that action will apply to all the resources within the resource group.
    • If you delete a resource group, all the resources will be deleted.
    • If you grant or deny access to a resource group, you’ve granted or denied access to all the resources within the resource group.

Characteristics

  • A single resource can only be in one resource group at a time.
  • Resources may be moved between resource groups.
  • Resource groups can't be nested.

Subscriptions

  • Subscriptions are a unit of management, billing, and scale.
  • Subscriptions allow you to logically organize your resource groups and facilitate billing.
  • Using Azure requires an Azure subscription.
  • An Azure subscription links to an Azure account.
  • An account can have multiple subscriptions, e.g. Dev, Test and Production subscriptions.

Boundaries

You can use Azure subscriptions to define boundaries around Azure products, services, and resources.

  • Billing boundary:
    • You can create multiple subscriptions for different types of billing requirements.
    • Azure generates separate billing reports and invoices for each subscription so that you can organize and manage costs.
  • Access control boundary:
    • Azure applies access-management policies at the subscription level, and you can create separate subscriptions to reflect different organizational structures.
    • An example is that within a business, you have different departments to which you apply distinct Azure subscription policies.

Create additional Azure subscriptions

You might choose to create additional subscriptions to separate:

  • Environments:
    • You can choose to create subscriptions to set up separate environments for development and testing, security, or to isolate data for compliance reasons.
  • Organizational structures:
    • You can create subscriptions to reflect different organizational structures.
    • For example, you could limit one team to lower-cost resources, while allowing the IT department a full range. This design allows you to manage and control access to the resources that users provision within each subscription.
  • Billing:
    • You can create additional subscriptions for billing purposes, because costs are first aggregated at the subscription level.
    • For instance, you might want to create one subscription for your production workloads and another subscription for your development and testing workloads.

Management groups

  • You might need a way to efficiently manage access, policies, and compliance for multiple subscriptions.
  • Azure management groups provide a level of scope above subscriptions.
  • You organize subscriptions into containers called management groups and apply governance conditions to the management groups.
  • All subscriptions within a management group automatically inherit the conditions applied to the management group, the same way that resource groups inherit settings from subscriptions and resources inherit from resource groups.

Characteristics

  • Management groups can be nested.
  • 10,000 management groups can be supported in a single directory.
  • A management group tree can support up to six levels of depth. This limit doesn't include the root level or the subscription level.
  • Each management group and subscription can support only one parent.

Examples

  • Create a hierarchy that applies a policy: You could limit VM locations to the US West Region in a group called Production. This policy is inherited by all the subscriptions that are descendants of that management group and applies to all VMs under those subscriptions. This security policy can't be altered by the resource or subscription owner, which allows for improved governance.
  • Provide user access to multiple subscriptions. You can create one Azure role-based access control (Azure RBAC) assignment on the management group. Assigning Azure RBAC at the management group level means that all sub-management groups, subscriptions, resource groups, and resources underneath that management group would also inherit those permissions.
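The following is an added worked example, not code from the course notes or from Azure itself: a small Python model of the hierarchy these notes describe (management groups, subscriptions, resource groups, resources). It enforces the structural rules listed under the two "Characteristics" headings (one parent per scope, no nested resource groups, at most six management-group levels below the root), shows that deleting a resource group removes everything in it, and computes the policies and RBAC roles that are in force at a resource by walking up its ancestors, which is the inheritance behaviour the "Examples" bullets describe. Every class, function and scope name below is this example's own invention; the sample hierarchy is constructed for illustration and does not correspond to any real tenant.

```python
"""Toy model of the Azure management hierarchy described in the notes:
management groups -> subscriptions -> resource groups -> resources.
Added illustration only: the classes and functions are this example's own
inventions, not Azure's API or SDK."""
from dataclasses import dataclass, field
from typing import Optional

# Which scope kinds may sit directly under which parent kind.
ALLOWED_CHILDREN = {
    "management_group": {"management_group", "subscription"},
    "subscription": {"resource_group"},
    "resource_group": {"resource"},   # resource groups cannot be nested
    "resource": set(),
}
MAX_MG_DEPTH = 6  # management-group levels allowed below the root group


@dataclass
class Scope:
    name: str
    kind: str
    parent: Optional["Scope"] = None
    children: list = field(default_factory=list)
    roles: dict = field(default_factory=dict)     # principal -> set of role names
    policies: list = field(default_factory=list)  # governance conditions set here

    def chain(self):
        """This scope followed by its ancestors up to the root."""
        node, out = self, []
        while node is not None:
            out.append(node)
            node = node.parent
        return out


def attach(parent: Scope, child: Scope) -> None:
    """Place child under parent, enforcing the structural rules from the notes."""
    if child.kind not in ALLOWED_CHILDREN[parent.kind]:
        raise ValueError(f"{child.kind} cannot be placed under {parent.kind}")
    if child.parent is not None:  # a scope has exactly one parent
        raise ValueError(f"{child.name} already has a parent; move it instead")
    if child.kind == "management_group":
        # Depth counts management groups below the root, including the new one.
        below_root = [s for s in parent.chain()
                      if s.kind == "management_group" and s.parent is not None]
        if len(below_root) + 1 > MAX_MG_DEPTH:
            raise ValueError("management group tree exceeds six levels")
    child.parent = parent
    parent.children.append(child)


def move(child: Scope, new_parent: Scope) -> None:
    """A resource may move between resource groups, but is in only one at a time."""
    child.parent.children.remove(child)
    child.parent = None
    attach(new_parent, child)


def delete(scope: Scope) -> list:
    """Deleting a scope removes everything beneath it; returns the names removed."""
    removed, stack = [], [scope]
    while stack:
        node = stack.pop()
        removed.append(node.name)
        stack.extend(node.children)
    if scope.parent is not None:
        scope.parent.children.remove(scope)
        scope.parent = None
    return removed


def effective_policies(scope: Scope) -> list:
    """Policies in force at a scope: its own plus every ancestor's (root first).
    Nothing a lower scope does can drop a policy set above it."""
    out = []
    for node in reversed(scope.chain()):
        out.extend(node.policies)
    return out


def effective_roles(scope: Scope, principal: str) -> set:
    """RBAC assignments are inherited downward, so collect them along the chain."""
    roles = set()
    for node in scope.chain():
        roles |= node.roles.get(principal, set())
    return roles


def build_example() -> dict:
    """Constructed sample hierarchy mirroring the notes' examples (not a real tenant)."""
    root = Scope("Tenant Root Group", "management_group")
    prod = Scope("Production", "management_group",
                 policies=["allowed-vm-locations: westus"])
    dev = Scope("Development", "management_group")
    attach(root, prod); attach(root, dev)
    prod.roles["alice"] = {"Reader"}  # one assignment, inherited by everything below
    sub_prod, sub_dev = Scope("sub-prod", "subscription"), Scope("sub-dev", "subscription")
    attach(prod, sub_prod); attach(dev, sub_dev)
    rg_web = Scope("rg-web", "resource_group", roles={"bob": {"Contributor"}})
    rg_dev = Scope("rg-dev", "resource_group")
    attach(sub_prod, rg_web); attach(sub_dev, rg_dev)
    vm_web, vm_dev = Scope("vm-web-01", "resource"), Scope("vm-dev-01", "resource")
    attach(rg_web, vm_web); attach(rg_dev, vm_dev)
    return {s.name: s for s in (root, prod, dev, sub_prod, sub_dev,
                                rg_web, rg_dev, vm_web, vm_dev)}


if __name__ == "__main__":
    tree = build_example()
    print(effective_policies(tree["vm-web-01"]))        # policy inherited from Production
    print(effective_roles(tree["vm-web-01"], "alice"))  # role inherited from Production
    print(delete(tree["rg-web"]))                       # deletion cascades to the VM
```

Running the script shows the two inheritance paths side by side: the VM under the Production management group picks up the location policy and alice's Reader role without either being assigned to the subscription, resource group or VM, while the VM under the Development group gets neither. Moving a resource into a different resource group changes which policies and roles apply to it, because the effective set is always computed from its current ancestors.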