A resource group in Azure is a container in which the metadata for a logical group of resources is stored. It provides a useful midway point between the subscription level and the resources themselves for administration and cost management, and for applying role-based access controls.
When organizations operate in the Azure Cloud, a hierarchy exists for managing resources. At the top of the hierarchy is the root management account. Below it, depending on the size of the organization, there may be multiple management groups (e.g. one for IT, one for HR, one for Finance) and, within each management group, “subscriptions” that separate the administration and costs of group functions or, for example, of production and non-production environments.
A resource group in Azure is the next level down the hierarchy. At this level, administrators create logical groups of resources (e.g. VMs, storage volumes, IP addresses, network interfaces) by assigning them to an Azure resource group. The resource group collects metadata from each individual resource to facilitate more granular management than at the subscription level. This not only has advantages for administration and cost management, but also for applying role-based access controls.
How Azure Resource Groups Benefit Administration and Cost Management
Using Azure resource groups has the benefit of enabling users to deploy resources using infrastructure as code via Resource Manager templates. This eliminates the complexities of orchestrating deployments because the template lets you state what you intend to deploy without having to write the sequence of programming commands to create it. Resource Manager then orchestrates the deployment of interdependent resources so they are created in the correct order.
With regard to cost management, it is possible to assign a cost allocation tag to the resource group, and the costs of running the resources within the whole group will be accounted for together for cost management purposes. One further benefit of Azure resource groups for cost management is that when resources are no longer required, you simply delete the group as one. This eliminates any possibility of orphaned “zombie” resources left running and running up costs.
Applying Role-Based Access Controls to a Resource Group in Azure
Applying role-based access controls (RBACs) to a resource group in Azure helps organizations adhere to the principle of least privilege. Users, processes, applications, and devices can be given the minimum permissions required at the resource group level, rather than at the management group or subscription levels. This cloud security best practice limits what resources users, processes, applications, and devices can access, so they only have access to the resources they need to perform authorized tasks.
Administrator RBACs can still be applied further up the hierarchy, giving administrators access to all resource groups and the resources within each group. Similarly, governance policies relating to cost, performance, or security can be applied at any level of the hierarchical structure depending on the scope of the policy. For example, a policy relating to encryption key management might be applied at the management group level, whereas a start/stop scheduling policy would be applied at resource group level.
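One way to check that least privilege is actually being applied at the resource group level is to review existing role assignments and flag privileged roles granted higher up the hierarchy to anyone other than designated administrators. The following is an added example, not code from the original page: the input is a constructed sample shaped like the output of `az role assignment list --all`, and the principal names, subscription ID, group names, the `PRIVILEGED` set and the allow-list are assumptions for illustration.

```python
# Constructed sample shaped like `az role assignment list --all -o json`;
# principal names, subscription ID and group names are invented.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-web-prod"
SAMPLE = [dict(zip(("principalName", "roleDefinitionName", "scope"), row)) for row in [
    ("ci-deployer", "Contributor", RG),
    ("platform-admins", "Owner", "/providers/Microsoft.Management/managementGroups/mg-it"),
    ("report-bot", "Contributor", SUB),
    ("auditor", "Reader", SUB),
    ("hr-app", "Storage Blob Data Reader", RG + "/providers/Microsoft.Storage/storageAccounts/hrdata"),
]]

# Built-in roles treated as privileged for this review (an assumption; adjust to policy).
PRIVILEGED = {"Owner", "Contributor", "User Access Administrator"}
BROAD_LEVELS = {"root", "management_group", "subscription"}


def scope_level(scope):
    """Classify an Azure scope string by its level in the management hierarchy."""
    parts = [p for p in scope.split("/") if p]
    lower = [p.lower() for p in parts]
    if not parts:
        return "root"
    if lower[:3] == ["providers", "microsoft.management", "managementgroups"]:
        return "management_group"
    if lower[0] == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) >= 4 and lower[2] == "resourcegroups":
            return "resource_group" if len(parts) == 4 else "resource"
    return "unknown"


def broad_assignments(assignments, allowed_admins=frozenset()):
    """Return privileged assignments above resource-group scope that are
    not held by an allow-listed administrator principal."""
    findings = []
    for a in assignments:
        level = scope_level(a["scope"])
        if (level in BROAD_LEVELS and a["roleDefinitionName"] in PRIVILEGED
                and a["principalName"] not in allowed_admins):
            findings.append((a["principalName"], a["roleDefinitionName"], level))
    return findings


if __name__ == "__main__":
    for finding in broad_assignments(SAMPLE, allowed_admins={"platform-admins"}):
        print(finding)
```

Each finding is a candidate for re-scoping to the specific resource group the principal works in; read-only roles at subscription scope are deliberately not flagged here.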