【AZ-900】Azure Management Infrastructure: Understanding Subscription, Resource Group, Resource and Management Group

Hi, I’m Makoto, a freelance engineer.

In this article, I’ll explain the terminology used to describe the hierarchical structure of Azure resources.

  • Management Groups
  • Subscriptions
  • Resource Groups

We will also explain the key points and things to look out for in the AZ-900 exam, along with the meanings of the terms. Please read to the end.

Let’s get started!

What is an Azure Resource?

First, we will explain the term “Resource” in Azure.

A resource is an individual element (entity) that you create from a service, such as a Virtual Machine, Storage, or a SQL Database. It can also be referred to as a server or an instance.

For example, to create a resource in Azure Portal, you can create a new resource from the + button at the top of the screen. You can also see the icons for different services lined up.

Create a resource button.

Resources are organized in a four-tier structure like the one below, which allows you to manage multiple resources together. Each level is called a “scope,” and the term is used when assigning operation permissions and the like.

Hierarchical structure of Azure resources

The bottom layer is Resources, and the layers above it are its parents, which we will now explain. Of these, only Management Groups are optional; the others are required to use any service. Therefore, the “Subscriptions” and “Resource Groups” below them are particularly important.

We will explain them from the bottom up.

What is a Resource Group?

A resource group is a “container” that groups and manages multiple resources created in Azure, such as Virtual Machines and Storage.

All resources must belong to a resource group. The benefits of keeping resources together include:

  • You get a better overview when viewing resources.
  • You can delete them all together when you no longer need them.
  • You can assign permissions and policies together.
  • You can classify billing statements.

If you think of it in terms of managing files on a computer, it’s like putting data like text files and Excel files into folders to organize them, deleting folders in their entirety, and assigning permissions to folders.

It’s easier to understand if you think of it as a file operation on a computer

How to divide resource groups

In general, you would divide them by system, by environment (development, staging, production, etc.), or by resources with different life cycles (networking, web server related, etc.).

If you want to use an environment temporarily for testing or verification, and then delete it all at once later, it is convenient to put it all into a resource group.

Notes for Resource Groups

The following are items and considerations that are likely to be asked on the AZ-900 exam.

  • Resource groups cannot be nested.
  • The regions of resources that belong to a resource group can be different.
  • A resource cannot belong to multiple resource groups (it can only belong to one resource group).
  • It is also possible to move a resource to another resource group later (with some restrictions).

What is an Azure Subscription?

The term “subscription” has two aspects.

  • Unit of the contract
  • Container of resources

The first is the contract unit aspect of Azure. To use Azure, you must first sign up for a subscription.

The contract unit is also the billing unit, and an invoice is issued for each subscription. In addition, information about payment methods and support plans is also associated with that subscription.

The second is resource management. Subscriptions also serve as “containers” for resources that are positioned at a higher level than resource groups.

You can apply permissions and policies that can be applied to resources to the entire subscription, or you can separate the scope of access by subdividing the subscription.

The ability to apply permissions and policies collectively is the same as for resource groups, but the difference is that the scope is either the entire subscription or a specific resource group.

For example, it is possible to use subscription permissions for administrators who need to operate all resources and use resource group permissions when developers need to operate specific environments or groups of resources.

Notes for Subscriptions

The following are points and notes that are likely to be asked on the AZ-900 exam.

  • When you start using Azure, you need to create a subscription first.
  • A subscription contains resource groups.
  • You can also move resources to another subscription later (with some restrictions).

What is a Management Group?

Management Groups are positioned at a higher level than subscriptions and serve as a container for grouping and managing multiple subscriptions. Management Groups can also be nested.

Management groups allow you to collectively grant permissions and policies that can be applied to the subscriptions under them.

Because it has a broader scope than subscriptions and resource groups, it is useful in situations where you want to apply organizational policies en masse.

For example, if your organization has a requirement that data can only be stored in Japan, you can use the Azure Policy service to restrict the regions in which servers can be created to the Japan region. Applying these common policies to each subscription would be complicated to manage, so it is more efficient to apply the policies to the management group. 

If you are not managing multiple subscriptions, there is no particular benefit, so creating a management group is optional.

The management conditions of the upper layer are inherited

Have you noticed that the statement “Permissions and policies can be granted collectively” has appeared many times?

Permissions refer to the ability to create, read, modify, delete, etc. resources, while Policy refers to rules such as “prohibit the creation of resources outside the Japan region” or “limit the creation of virtual machines to a certain size”.

Permissions and policies can be set for each of the four scopes, and if they are set for a parent scope, they are inherited by the child scopes.

  • If set to a management group, it is inherited by its child subscriptions.
  • If set to a subscription, it is inherited by its child resource groups.
  • If set to a resource group, it is inherited by its child resources.

This property is also important and is likely to be asked about on the AZ-900 exam, so remember it.
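
The inheritance rules above, worked through as an added example that is not part of the original article: it resolves which permissions and policies a given scope inherits from its parents. The subscription ID, management group names and assignments are constructed sample data, and the `PARENT` map and function names are hypothetical.

```python
# Added example: resolve what a scope inherits through the hierarchy
# management group > subscription > resource group > resource.
# All IDs, names and assignments below are constructed sample data.

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
MG = "/providers/Microsoft.Management/managementGroups/"

# Management group membership is not part of a resource ID, so the parent of
# each subscription and management group is kept in a separate map.
PARENT = {
    SUB: MG + "corp-prod",
    MG + "corp-prod": MG + "corp",   # management groups can be nested
}

ASSIGNMENTS = [  # (kind, scope, what)
    ("policy", MG + "corp", "allowed-locations: japaneast, japanwest"),
    ("role", SUB, "admins -> Owner"),
    ("role", SUB + "/resourceGroups/rg-web-dev", "developers -> Contributor"),
]


def scope_chain(scope):
    """Return the scope followed by every ancestor scope, nearest first."""
    chain = [scope]
    parts = scope.strip("/").split("/")
    if parts[0] == "subscriptions":
        sub = "/" + "/".join(parts[:2])
        if len(parts) > 4:                            # an individual resource
            chain.append("/" + "/".join(parts[:4]))   # its resource group
        if len(parts) > 2:                            # below subscription level
            chain.append(sub)
        scope = sub
    while scope in PARENT:                            # walk up management groups
        scope = PARENT[scope]
        chain.append(scope)
    return chain


def effective(scope):
    """Assignments set on the scope itself or inherited from a parent."""
    chain = scope_chain(scope)
    return [(kind, what) for kind, s, what in ASSIGNMENTS if s in chain]


VM = SUB + "/resourceGroups/rg-web-dev/providers/Microsoft.Compute/virtualMachines/vm1"
OTHER_RG = SUB + "/resourceGroups/rg-db-prod"

if __name__ == "__main__":
    for kind, what in effective(VM):
        print(kind, what)
```

Comparing `effective(VM)` with `effective(OTHER_RG)` shows why a broad assignment deserves review: the subscription-level role and the management-group policy reach both, while the resource-group role reaches only its own children.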

Permissions are explained in detail in the Role-based Access Control (RBAC) article, and policies are explained in detail in the Azure Policy article.

Summary

In this article, we have explained the terminology used to describe the hierarchical structure of Azure resources. The meaning of the terms can be summarized as shown in the following table:

| Term | Meaning/Usage |
|---|---|
| Management Group | Group multiple subscriptions |
| Subscription | Contract unit (billing) and resource container |
| Resource Group | Group multiple resources |
| Resource | Individual elements (entities) of Azure services |

While you may not have many opportunities to create multiple subscriptions or manage separate resource groups while you are learning, you will often need to manage multiple things together in an enterprise setting.

Remember that you can manage these areas more efficiently by organizing them in a hierarchical structure.
