Azure Governance Design
Azure governance is the set of mechanisms and processes that give you control over your applications and their resources in Azure. It covers gathering your requirements, planning, taking action and setting priorities.
To apply Azure governance in your cloud environment, a well-defined Azure hierarchy is used, which has four levels.
Refer to the figure below to understand the Azure governance hierarchy model.
- Management group: this level helps Azure customers manage access, policies and compliance for multiple subscriptions.
- Subscription: a logical container holding the resource groups and resources used within it. Subscriptions also act as billing boundaries.
- Resource group: a logical container under a subscription in which Azure resources are deployed and managed.
- Resource: the actual Azure resources created by customers, such as virtual machines, SQL databases and storage accounts.
Let's now look at each level in more detail.
Management groups are logical containers used to manage access, policies and compliance across multiple subscriptions. A management group is created for the following purposes:
- It gives users access to multiple subscriptions: a role assignment made at the management group is inherited by every subscription that is part of that management group.
- It allows monitoring and auditing of role and policy assignments across multiple subscriptions.
- It sets boundaries and limits on which regions, and within which subscriptions, resources can be created.
- A management group tree can support up to six levels of depth. This limit does not include the tenant root level or the subscription level.
- By default, all new subscriptions are placed under the root management group.
Design considerations for management groups:
Below are some points to take into consideration when designing management groups.
- Design management groups with proper governance in mind: a management group should be structured so that the Azure policies applied at that level enforce the same security, compliance and feature settings for everything beneath it.
- A management group hierarchy should not be more than 3-4 levels deep. A tree with an appropriate depth stays flexible and easy to manage.
- The top-level management group must be designed so that it can carry the common platform policies and Azure role assignments for the whole organization.
- Name management groups to match your organizational structure; this helps people understand their purpose.
- Design management groups with the geographical structure in mind.
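As an added example (not code from the original article), the following Python script models the hierarchy and the two rules described above: role and policy assignments made at a management group are inherited by every subscription beneath it, and the tree depth is checked against both the Azure limit of six management-group levels and the recommended three to four. The tenant, group names, principals and policy strings are all constructed for the example; nothing here talks to Azure.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Azure's hard limit: six levels of management groups below the tenant root
# (the root itself and subscriptions are not counted toward it).
MAX_MG_DEPTH = 6
# The design guidance above: keep the tree to three or four levels.
RECOMMENDED_MAX_DEPTH = 4


@dataclass
class Scope:
    """One node of the hierarchy: tenant root, management group or subscription."""
    name: str
    kind: str  # "root", "mg" (management group) or "sub" (subscription)
    parent: Optional["Scope"] = None
    children: List["Scope"] = field(default_factory=list)
    roles: Set[str] = field(default_factory=set)     # e.g. "sec-team:Security Reader"
    policies: Set[str] = field(default_factory=set)  # e.g. "allowed-locations:westeurope"

    def add_child(self, child: "Scope") -> "Scope":
        child.parent = self
        self.children.append(child)
        return child

    def _ancestry(self) -> List["Scope"]:
        """This node followed by each of its parents up to the tenant root."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain

    def depth(self) -> int:
        """Management groups on the path to the root, counted the way the Azure
        limit counts them (root and subscriptions excluded)."""
        return sum(1 for n in self._ancestry() if n.kind == "mg")

    def effective_roles(self) -> Set[str]:
        """Role assignments are inherited downward: what a subscription sees is the
        union of assignments on itself and every ancestor management group."""
        return set().union(*(n.roles for n in self._ancestry()))

    def effective_policies(self) -> Set[str]:
        """Policy assignments inherit the same way."""
        return set().union(*(n.policies for n in self._ancestry()))


def validate_hierarchy(root: Scope) -> List[str]:
    """Report management groups deeper than the Azure limit (ERROR) or deeper
    than the recommended three to four levels (WARN)."""
    findings, stack = [], [root]
    while stack:
        node = stack.pop()
        stack.extend(node.children)
        if node.kind != "mg":
            continue
        d = node.depth()
        if d > MAX_MG_DEPTH:
            findings.append(f"ERROR: {node.name} at depth {d} exceeds the limit of {MAX_MG_DEPTH}")
        elif d > RECOMMENDED_MAX_DEPTH:
            findings.append(f"WARN: {node.name} at depth {d} exceeds the recommended {RECOMMENDED_MAX_DEPTH}")
    return findings


def build_sample_tenant() -> Dict[str, Scope]:
    """Constructed tenant: every name and assignment here is invented for the example."""
    root = Scope("Tenant Root Group", "root")
    contoso = root.add_child(Scope("Contoso", "mg"))
    contoso.roles.add("sec-team:Security Reader")       # org-wide, inherited by all subscriptions below
    contoso.policies.add("allowed-locations:westeurope,northeurope")
    platform = contoso.add_child(Scope("Platform", "mg"))
    landing = contoso.add_child(Scope("LandingZones", "mg"))
    corp = landing.add_child(Scope("Corp", "mg"))
    corp.roles.add("app-owners:Contributor")            # scoped to Corp subscriptions only
    finance = corp.add_child(Scope("Finance", "mg"))
    payroll = finance.add_child(Scope("Payroll", "mg"))  # fifth level: deeper than recommended
    platform.add_child(Scope("sub-management", "sub"))
    corp.add_child(Scope("sub-hr", "sub"))
    payroll.add_child(Scope("sub-payroll", "sub"))
    root.add_child(Scope("sub-unassigned", "sub"))       # new subscriptions land under the root by default
    nodes, stack = {}, [root]
    while stack:
        n = stack.pop()
        nodes[n.name] = n
        stack.extend(n.children)
    return nodes


if __name__ == "__main__":
    tenant = build_sample_tenant()
    for name in ("sub-management", "sub-hr", "sub-payroll", "sub-unassigned"):
        print(name, "roles:", sorted(tenant[name].effective_roles()),
              "policies:", sorted(tenant[name].effective_policies()))
    print(validate_hierarchy(tenant["Tenant Root Group"]) or "hierarchy within limits")
```

Running it shows the point of the hierarchy: the Security Reader assignment and the allowed-locations policy made once at Contoso reach every subscription under it, the Contributor assignment at Corp stays within Corp, and the subscription left under the tenant root inherits nothing, which is why new subscriptions should be moved out of the root promptly. The validator flags Payroll because it sits at the fifth management-group level.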