Subscription Strategy Design

Watch the video to deepen your understanding.
SubscribeComplete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
Lesson: Subscription Strategy Design
Introduction: What is a Subscription Strategy?
In cloud environments like Microsoft Azure, the Subscription is the fundamental container used for billing, access control, and resource management. A robust Subscription Strategy is the blueprint for how an organization structures its cloud environment to balance autonomy, security, cost management, and compliance.
Without a deliberate strategy, organizations often fall into "subscription sprawl," where resources are scattered across unmanaged silos, leading to security vulnerabilities, fragmented billing, and operational overhead. Designing a thoughtful strategy ensures that your cloud footprint scales predictably as your organization grows.
The Pillars of Subscription Design
A well-architected subscription strategy is driven by four primary considerations:
- Billing and Cost Tracking: How do you want to break down your cloud spend? (e.g., by department, project, or environment).
- Access Control (RBAC): Who needs to manage which resources? Subscriptions act as a security boundary.
- Governance and Policy (Azure Policy): What guardrails must be enforced? You can apply policies at the subscription level to ensure compliance.
- Service Limits and Quotas: Each subscription has hard limits (e.g., number of vCPUs). A strategy helps you distribute workloads to avoid hitting these ceilings.
Practical Example: The "Environment-Based" Strategy
A common approach for mid-to-large enterprises is to separate environments into distinct subscriptions to provide strict isolation.
- Management Subscription: Hosts shared services like Log Analytics workspaces, Azure Firewall, and ExpressRoute gateways.
- Production Subscription: Highly restricted, production-grade resources.
- Non-Production Subscription: Dev/Test environments with broader permissions.
- Sandbox Subscription: A "playground" for developers to experiment with restricted access and automated cleanup.
Implementing Governance with Policy
Governance isn't just about documentation; it’s about enforcement. By using Azure Policy at the subscription level, you can programmatically prevent non-compliant resources from being created.
Code Snippet: Restricting Resource Locations
The following JSON snippet defines an Azure Policy that restricts resource creation to specific regions, ensuring data sovereignty and cost control.
{
"properties": {
"displayName": "Allowed locations",
"policyType": "BuiltIn",
"mode": "Indexed",
"parameters": {
"allowedLocations": {
"type": "Array",
"metadata": {
"description": "The list of allowed locations for resources.",
"displayName": "Allowed locations"
}
}
},
"policyRule": {
"if": {
"not": {
"field": "location",
"in": "[parameters('allowedLocations')]"
}
},
"then": {
"effect": "deny"
}
}
}
}
Pro Tip: Apply policies at the Management Group level rather than individual subscriptions. This ensures that every subscription inherited from that group automatically inherits the governance rules.
Best Practices for Subscription Design
1. Adopt a Management Group Hierarchy
Don't manage subscriptions in isolation. Use Management Groups to organize subscriptions into a logical hierarchy (e.g., Root -> Production -> Corporate -> Subscriptions). This allows you to apply RBAC and Policies to hundreds of subscriptions at once.
2. Implement "Least Privilege" Access
Assign RBAC roles at the lowest level necessary. Avoid assigning "Owner" or "Contributor" roles at the subscription level if a user only needs to manage a specific Resource Group.
3. Use Tagging for Cost Attribution
Since billing is aggregated at the subscription level, use Tags to provide granular visibility. Require tags like CostCenter, Environment, and Owner for all resources.
4. Automate Subscription Provisioning
Use Infrastructure as Code (IaC) tools like Terraform or Bicep to provision subscriptions. This ensures that every new subscription is born with the correct tagging, policies, and diagnostic settings enabled.
Common Pitfalls to Avoid
- The "One Subscription" Trap: While it seems easier to manage one subscription, it makes it impossible to enforce strict security boundaries or separate billing for different business units.
- Ignoring Service Limits: If you put your entire global infrastructure in one subscription, you will eventually hit API throttling and resource quotas, leading to service outages.
- Manual Governance: Manually checking if resources are compliant is prone to human error. If it isn't enforced by policy, it isn't governed.
- Mixing Production and Dev: Never host production and development resources in the same subscription. A developer experimenting with infrastructure could accidentally delete a production database.
Key Takeaways
- Subscriptions are Boundaries: They are your primary mechanism for billing, security, and quota management.
- Use Hierarchy: Always use Management Groups to manage your subscriptions at scale.
- Policy is Law: Use Azure Policy to enforce guardrails automatically. Never rely on "process" to enforce compliance when you can use "code."
- Plan for Scale: Design your hierarchy early. Reorganizing subscriptions after you have thousands of resources is a complex and risky administrative task.
- Think Lifecycle: Consider how subscriptions are created and how they are decommissioned. Automate the cleanup of sandbox environments to save costs.
This lesson provides the foundation for designing cloud governance. In the next module, we will dive deeper into Azure Policy and how to write custom policy definitions to meet specific regulatory requirements.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons