Organizing your resources in the cloud is critical for securing, managing, and accurately tracking costs related to your workloads. For organizations operating in Azure, you can organize and manage your cloud resources with Azure's resource hierarchy.
At the top of the hierarchy is the root management account. Then depending on the size of your organization, there may be multiple management groups, such as one for IT, one for HR, one for Finance, etc. Within each management group, there are subscriptions to separate the administration and cost of group functions—for example, to separate the administration and costs of production and non-production environments.
You can reference the diagram below to help visualize the hierarchy of Azure management groups, which will look different depending on the size and needs of your organization.
A resource group in Azure is the next level down the hierarchy. At this level, administrators can create logical groups of resources—such as VMs, storage volumes, IP addresses, network interfaces, etc.—by assigning them to an Azure resource group. Resource groups make it easier to apply access controls, monitor activity, and track the costs related to specific workloads. You decide how you want to allocate resources to Azure resource groups based on what makes the most sense for your organization, but as a best practice, we suggest assigning resources with a similar lifecycle to the same Azure resource group, so you can easily deploy, update, and delete them as a group.
The resource group collects metadata from each individual resource to facilitate more granular management than at the subscription level. This not only has advantages for administration and cost management, but also for applying role-based access controls.
How Azure resource groups benefit administration and cost management
Azure resource groups let you deploy resources with declarative Azure Resource Manager (ARM) templates rather than imperative scripts. This removes the complexity of orchestrating deployments: the template states what you intend to deploy, without a sequence of programming commands to create it, and Azure Resource Manager works out the dependencies between the resources so they are created in the correct order.
With regard to cost management, you can assign a cost allocation tag to the resource group so that the costs of all the resources in the group are accounted for together. A further benefit of Azure resource groups for cost management is that when the resources are no longer required, you simply delete the group as a single unit. This removes any possibility of orphaned "zombie" resources being left running and driving up cloud costs.
Applying role-based access controls to a resource group in Azure
Applying role-based access control (RBAC) to a resource group in Azure enables organizations to manage who has access to Azure resources, what they can do with those resources, and which areas they have access to. With regard to cloud security and governance, RBAC helps businesses adhere to the principle of least privilege. Users, processes, applications, and devices can be granted the minimum permissions required at the resource group level, rather than at the management group or subscription level. This cloud security best practice limits which resources users, processes, applications, and devices can reach, so they only have access to the resources they need to perform authorized tasks.
Administrator role assignments can still be applied further up the hierarchy, giving administrators access to all resource groups and the resources within each group. Similarly, governance policies relating to cost, performance, or security can be applied at any level of the hierarchical structure, depending on the scope of the policy. For example, a policy relating to encryption key management might be applied at the management group level, whereas a start/stop scheduling policy would be applied at the resource group level.
Microsoft provides built-in roles, or you can create your own custom roles depending on your organization's needs. Some of the most common roles include:
- Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC
- Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC
- Reader: Lets you view all resources, but doesn't allow you to make any changes
- User Access Administrator: Lets you manage user access to Azure resources
If you'd like further information about the Azure cloud management hierarchy and creating resource groups in Azure, don't hesitate to get in touch. Our team of cloud experts will be happy to discuss the benefits of Azure resource groups and how best to use them to simplify cloud management, security, and governance.
To learn more about managing your Azure environment, we recommend downloading our in-depth eBook: How to Gain Control of Your Azure Environment