Within Azure, there are two primary ways to organize deployed resources. Subscriptions are the top-level organizational boundary and provide complete isolation between resources. Resource Groups are the next tier of separation and provide only a logical organization of resources. Azure resources in separate subscriptions cannot natively communicate with each other; resources within a single subscription but in different Resource Groups can communicate by default. Resource Groups provide separation at the management plane only, not at the data plane. Generally speaking, most organizations should use a single Azure subscription and then use Resource Groups to organize and segment all of their resources. In addition, Tags can be applied to resources in Azure to provide additional metadata and to support cost control.
There are two main methodologies for using Resource Groups:
[Figure: example diagram showing the difference between the two methodologies]
- Segmentation by Function
- With this approach, resources that provide a specific function are placed into their own resource group. For example, the database servers for an application would be in one group, and the web servers for that application would be in another. This results in more Resource Groups and a more granular representation of your resources.
- Segmentation by Application
- With application-level segmentation, all resources that make up an application are in a single resource group. For example, the database, web, and worker instances are all in one group. This results in fewer groups but a less granular breakdown of the resources.
Which of these approaches is best for your organization depends on the management and lifecycle approach of the applications. Since management permissions are best applied at the Resource Group level, Resource Groups should contain items that are managed by the same team. Additionally, with Azure’s ARM scripting capabilities, resources that “live and die” together, or that share the same lifecycle, should be in the same resource group.
With either approach, there will be one or more shared resource groups that contain the underlying, shared infrastructure. This includes the Azure virtual network, the VPN or ExpressRoute connection(s) to the on-premises environment, and other shared resources like Active Directory domain controllers or management servers. This Resource Group would be managed by the central IT team.
Regardless of the organizational method chosen, tagging can be used to track billing and organizational metadata for your resources. For example, a “BillingUnit” tag can be applied to resources to indicate which business unit will be charged back for the related costs. As another example, an “ApplicationOwner” tag can be applied to indicate which IT or business team is considered the owner of the application. This could be a core IT team or a separate development or business team. This type of tagging is useful for tracking ownership and management responsibility of resources.
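The following Azure CLI script is an added example, not part of the original article, that puts the two preceding points together: a shared Resource Group for core IT and an application-level Resource Group, both tagged with “BillingUnit” and “ApplicationOwner”, with the application team's permissions scoped to its own Resource Group rather than the whole subscription. It assumes the `az` CLI is installed and logged in; `SUBSCRIPTION_ID`, `LOCATION`, `APP_TEAM_GROUP_ID` and the group names `rg-shared-network` / `rg-app-payroll` are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Provisions one shared and one
# per-application Resource Group, tags both for chargeback/ownership, and grants
# the application team Contributor on its own group only (management-plane
# least privilege). SUBSCRIPTION_ID, LOCATION and APP_TEAM_GROUP_ID are placeholders.
set -euo pipefail

# Build the ARM scope string for a Resource Group; role assignments target this.
rg_scope() {             # usage: rg_scope <subscription-id> <resource-group-name>
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Create a Resource Group carrying the two tags described in the article.
create_tagged_rg() {     # usage: create_tagged_rg <name> <location> <BillingUnit> <ApplicationOwner>
  az group create --name "$1" --location "$2" \
    --tags "BillingUnit=$3" "ApplicationOwner=$4" --output none
}

# Grant an Azure AD group Contributor on a single Resource Group, not the subscription.
grant_rg_contributor() { # usage: grant_rg_contributor <subscription-id> <rg-name> <group-object-id>
  az role assignment create --assignee-object-id "$3" --assignee-principal-type Group \
    --role Contributor --scope "$(rg_scope "$1" "$2")" --output none
}

provision() {
  local location="${LOCATION:-eastus}"   # placeholder default region
  # Shared infrastructure (VNet, VPN/ExpressRoute, domain controllers) owned by core IT.
  create_tagged_rg "rg-shared-network" "$location" "CoreIT" "CoreIT"
  # Application-level segmentation: everything for the 'payroll' app in one group.
  create_tagged_rg "rg-app-payroll" "$location" "Finance" "PayrollDevTeam"
  grant_rg_contributor "$SUBSCRIPTION_ID" "rg-app-payroll" "$APP_TEAM_GROUP_ID"
  # Verify the assignment exists at the Resource Group scope and nowhere broader.
  az role assignment list --resource-group "rg-app-payroll" --assignee "$APP_TEAM_GROUP_ID" \
    --query "[].{role:roleDefinitionName,scope:scope}" --output table
}

# Only provision when the placeholders are set, so the file can also be sourced.
if [ -n "${SUBSCRIPTION_ID:-}" ] && [ -n "${APP_TEAM_GROUP_ID:-}" ]; then
  provision
fi
```

Run with `SUBSCRIPTION_ID=... APP_TEAM_GROUP_ID=... ./rg-setup.sh`; the final `az role assignment list` should show the Contributor role with a scope ending in `/resourceGroups/rg-app-payroll`.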
For more information about Azure Resource Groups, see the official documentation.