
Azure Subscriptions

A subscription is the fundamental unit of management in Azure. It defines boundaries for resource organization, governance, and cost control. Subscriptions should be designed with scalability, clarity, and governance in mind.

Key Principles

  • Business Alignment: Assign subscriptions to business units, product lines, or major workloads.
  • Environment Segregation: Use separate subscriptions to isolate environments across the SDLC (e.g., dev, test, staging, production).
  • Self-Service Enablement: Provide a streamlined, automated process for creating subscriptions to reduce administrative overhead and accelerate delivery.
  • Governance Integration: Ensure every subscription is part of a well-defined management group hierarchy for consistent policy enforcement and cost visibility.

Design Considerations

  • Scalability: Subscriptions should scale with organizational growth and workload demand.
  • Modularity: Subscriptions must be easy to create, modify, and retire as requirements evolve.
  • Repeatability: Use Infrastructure as Code (IaC) to provision subscriptions consistently and enforce standards.
  • Cost & Compliance: Apply tagging, budgets, and Azure Policy to track spending and enforce compliance from day one.

Best Practices

  • Define clear ownership and accountability for each subscription.
  • Apply RBAC at the subscription level to enforce least-privilege access.
  • Use Azure Policy and Blueprints to standardize security, compliance, and operational baselines.
  • Continuously monitor subscription usage and optimize for cost and performance.

Platform Landing Zone Subscriptions

Security Subscription

A dedicated subscription under the Security Management Group, designed to host centralized security services and policies that apply across the entire Azure environment.

Core Components

| Service | Purpose |
|---|---|
| Microsoft Sentinel | SIEM/SOAR platform for log ingestion, analytics, incident response |
| Defender for Cloud | Posture management, threat detection, vulnerability scanning |
| Log Analytics Workspace | Central workspace for Sentinel and Defender logs |
| Key Vault (Security) | Secrets for security automation, SOC integrations, SIEM connectors |
| Security Automation | Playbooks, alerts, and response workflows (via Logic Apps or Sentinel) |

Example Azure Policies Applied

| Policy Area | Policy Example |
|---|---|
| Encryption Enforcement | Require encryption at rest and in transit for all supported resources |
| Threat Protection | Enable Defender for Cloud plans across VMs, SQL, Storage, App Services |
| Secure Score Monitoring | Require secure score tracking and alerting |
| Vulnerability Assessment | Enforce vulnerability scans on VMs and databases |
| JIT Access | Require Just-In-Time access for admin VMs |
| Security Contact Info | Require security contact email and phone on all subscriptions |
| Audit Logging | Enforce diagnostic settings to central Log Analytics workspace |
| Policy Compliance Alerts | Alert on non-compliant resources across all landing zones |

Integrates with

| Integration Target | Connected Services |
|---|---|
| Sentinel | Platform logs (Firewall, DNS, vWAN), Identity logs (Entra ID, PIM), App logs (SQL, Web) |
| Defender for Cloud | Microsoft Defender XDR, Compliance dashboards, remediation workflows |
| Security Automation | Logic Apps, ticketing systems, SIEM connectors |

Management Subscription

A dedicated subscription under the Management Management Group, designed to host centralized monitoring, automation, and governance services that support platform and application workloads.

Core Components

| Service | Purpose |
|---|---|
| Log Analytics Workspace | Central workspace for diagnostics, monitoring, and policy compliance logs |
| Azure Monitor | Unified metrics, alerts, dashboards, and insights across all subscriptions |
| Automation Account | Update management, change tracking, inventory, and runbooks |
| Resource Graph Explorer | Query and visualize resource compliance and inventory |
| Cost Management + Budgets | Centralized budget alerts, cost tracking, and chargeback tagging |
| Change Tracking + Inventory | Track VM changes, installed software, and configuration drift |
| Update Management | Patch compliance and scheduling for VMs |
| Azure Backup Center | Centralized backup orchestration, policy enforcement, and reporting |
| Recovery Services Vaults | Store backups for VMs, SQL, SAP, and file shares across all landing zones |

Example Azure Policies Applied

| Policy Area | Policy Example |
|---|---|
| Tag Enforcement | Require tags: Owner, Environment, CostCenter, AppName |
| Diagnostic Settings | Enforce diagnostic settings to send logs to central Log Analytics |
| Allowed Locations/SKUs | Restrict resource creation to approved regions and VM SKUs |
| Resource Type Restrictions | Deny unsupported or risky resource types (e.g., public IPs, unmanaged disks) |
| Budget Alerts | Require budget configuration and cost alerts per subscription |
| Automation Coverage | Enforce update management and change tracking on all VMs |
| Policy Compliance Alerts | Alert on non-compliant resources across platform and app landing zones |

Integrates with

| Integration Target | Connected Services |
|---|---|
| Log Analytics Workspace | Sentinel, Defender for Cloud, App diagnostics, NSG flow logs, Firewall logs |
| Azure Monitor | Metrics and alerts from platform and app subscriptions |
| Automation Account | Update management, inventory, change tracking across VMs |
| Cost Management | Budget alerts, chargeback tagging, FinOps dashboards |

Identity Subscription

Core Components

| Service | Purpose |
|---|---|
| AD DS (IaaS) | Domain Controllers for hybrid identity or legacy workloads |
| Key Vault (Identity) | Secrets for sync credentials, federation certs, and identity automation |
| Jump Hosts / Bastion | Secure access to identity VMs |
| Diagnostic Settings | Logs from identity services to central Log Analytics |

Example Azure Policies Applied

| Policy Area | Policy Example |
|---|---|
| Public IP Control | Deny public IPs on identity VMs and Bastion hosts |
| Private Endpoint Enforcement | Require private endpoints for Key Vault and Azure AD DS |
| Backup Policy | Enforce backup on AD DS VMs and Azure AD DS |
| Tagging Requirements | Require tags: Owner, Environment, IdentityRole |
| JIT Access | Require Just-In-Time access for PAW and jump hosts |
| Diagnostic Settings | Enforce logging to central Log Analytics workspace |
| Key Vault Protection | Require purge protection and soft delete on identity-related Key Vaults |
| RBAC & PIM | Require PIM for all identity-related roles |

Integrates with

| Integration Target | Connected Services |
|---|---|
| Microsoft Entra ID | Sync via Entra Connect; governs access across all subscriptions |
| Security Subscription | Logs from identity services feed into Sentinel and Defender for Cloud |
| Management Subscription | Diagnostic settings and automation for identity VMs and services |
| Connectivity Subscription | Private DNS zones for AD DS, Azure AD DS, and Key Vault resolution |

Network Subscription

Core Components

| Service | Purpose |
|---|---|
| Virtual WAN (vWAN) | Central hub for spoke connectivity, routing, and inspection |
| ExpressRoute Gateway | Private connectivity to on-premises via MPLS or dedicated circuit |
| VPN Gateway | Site-to-site and point-to-site VPN connectivity |
| Azure Firewall | Centralized traffic inspection and egress control |
| Route Server | Dynamic routing between NVA and BGP peers |
| Private DNS Zones | Centralized DNS resolution for private endpoints |
| DNS Resolver | Enables cross-zone DNS resolution across spokes |
| DDoS Protection Plan | Tenant-wide protection against volumetric attacks |

Example Azure Policies Applied

| Policy Area | Policy Example |
|---|---|
| NSG Enforcement | Require NSGs on all subnets |
| Route Table Enforcement | Require route tables with default route to vWAN hub |
| Firewall Usage | Enforce traffic inspection via Azure Firewall or NVA |
| Private DNS Enforcement | Require DNS resolution via Private DNS Zones and DNS Resolver |
| Public IP Control | Deny public IPs on shared infra unless explicitly justified |
| Diagnostic Settings | Enforce logging to central Log Analytics workspace |
| Tagging Requirements | Require tags: Owner, Environment, NetworkZone |
| DDoS Protection | Enforce DDoS plan attachment to hub VNets |

Integrates with

| Integration Target | Connected Services |
|---|---|
| Platform Subscriptions | Identity, Management, Security — all route through vWAN hub |
| Application Subscriptions | Spoke VNets connect to hub for routing, inspection, and DNS resolution |
| On-Premises | ExpressRoute and VPN Gateways connect to AD DS, apps, and users |
| Security Subscription | Firewall logs and NSG flow logs feed into Sentinel and Defender for Cloud |
| Management Subscription | Diagnostic settings and monitoring for all network components |

Application Landing Zone Subscriptions

Corp Workload

A dedicated subscription under the Corp Workloads Management Group, designed to host internal-facing application resources for a specific business unit (e.g., BU-A), with secure connectivity to platform services and centralized governance.

Core Components

| Service | Purpose |
|---|---|
| Virtual Network (Spoke) | Isolated VNet peered to vWAN hub for secure routing |
| Application Resources | VMs, App Services, AKS, SQL, Storage — internal-facing workloads |
| Network Security Groups (NSGs) | Subnet-level traffic control and segmentation |
| Private Endpoints | Secure access to PaaS services (Storage, SQL, Key Vault, etc.) |
| Key Vault (App) | Secrets and certificates for application workloads |
| Managed Identities | Secure identity for apps and automation |
| Diagnostic Settings | Logs sent to central Log Analytics workspace |
| Backup Configuration | Backup policies for VMs, SQL, and critical stateful resources |

Example Azure Policies Applied

| Policy Area | Policy Example |
|---|---|
| Public IP Control | Deny public IPs on all resources |
| Private Endpoint Enforcement | Require private endpoints for all supported PaaS services |
| NSG Enforcement | Require NSGs on all subnets |
| Route Table Enforcement | Require route tables with default route to vWAN hub |
| Tagging Requirements | Require tags: Owner, Environment, CostCenter, AppName |
| Backup Policy | Enforce backup on VMs, SQL, and critical resources |
| Diagnostic Settings | Enforce logging to central Log Analytics workspace |
| RBAC & PIM | Require PIM for Owner/Contributor roles |
| Resource Locks | Require locks on critical resources |
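The "Public IP Control" and "Tagging Requirements" rows above (and the equivalent rows in the Management and Identity tables) are enforced in Azure as `policyRule` documents with a `deny` effect. The following is an added example, not code from this page or from Azure: a small evaluator that applies two constructed rules written in Azure Policy's JSON shape to constructed resource requests, so you can see which requests the landing zone would reject. The rule bodies, resource bodies and tag values are assumptions for illustration.

```python
"""Evaluate two Azure Policy 'deny' rules against resource requests (added example)."""

# Constructed policy rules that mirror the "Require tags" and "Deny public IPs"
# rows of the tables above; 'field' names use Azure Policy alias syntax.
REQUIRE_TAGS_RULE = {
    "if": {"anyOf": [{"field": f"tags['{t}']", "exists": "false"}
                     for t in ("Owner", "Environment", "CostCenter", "AppName")]},
    "then": {"effect": "deny"},
}
DENY_PUBLIC_IP_RULE = {
    "if": {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
    "then": {"effect": "deny"},
}

def _field(resource: dict, name: str):
    """Resolve a field such as 'type', 'location' or tags['Owner'] on a resource body."""
    if name.startswith("tags['") and name.endswith("']"):
        return resource.get("tags", {}).get(name[6:-2])
    return resource.get(name)

def matches(cond: dict, resource: dict) -> bool:
    """Return True when the policy 'if' condition applies to the resource."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    value = _field(resource, cond["field"])
    if "exists" in cond:  # Azure accepts the bool or the strings "true"/"false"
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:  # string comparison is case-insensitive in Azure Policy
        return isinstance(value, str) and value.lower() == cond["equals"].lower()
    if "in" in cond:  # used by e.g. the "Allowed Locations/SKUs" policy row
        return value in cond["in"]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(rules: list, resource: dict) -> list:
    """Effects that fire for the request; an empty list means it is allowed."""
    return [r["then"]["effect"] for r in rules if matches(r["if"], resource)]

# Constructed requests: a compliant VM, a VM missing AppName, and a public IP.
VM_OK = {"type": "Microsoft.Compute/virtualMachines", "tags": {
    "Owner": "bu-a", "Environment": "prod", "CostCenter": "1234", "AppName": "erp"}}
VM_MISSING_TAG = {"type": "Microsoft.Compute/virtualMachines", "tags": {
    "Owner": "bu-a", "Environment": "prod", "CostCenter": "1234"}}
PUBLIC_IP = {"type": "microsoft.network/publicipaddresses", "tags": VM_OK["tags"]}

if __name__ == "__main__":
    for name, res in [("VM_OK", VM_OK), ("VM_MISSING_TAG", VM_MISSING_TAG), ("PUBLIC_IP", PUBLIC_IP)]:
        print(name, evaluate([REQUIRE_TAGS_RULE, DENY_PUBLIC_IP_RULE], res) or "allowed")
```

The real service evaluates a policy assignment's rules against every create or update request in scope; this evaluator only reproduces the `if`/`then` semantics used by the two rows, with `deny` meaning the request is rejected before the resource exists.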

Integrates with

| Integration Target | Connected Services |
|---|---|
| Connectivity Subscription | VNet peered to vWAN hub; routes through Azure Firewall and DNS Resolver |
| Management Subscription | Diagnostic settings, update management, change tracking |
| Security Subscription | Defender for Cloud plans, vulnerability scans, Sentinel alerts |
| Identity Subscription | Managed identities, Key Vault access, Entra ID integration |

Internet-Facing

A dedicated subscription under the Internet-Facing Workloads Management Group, designed to host public-facing application components (e.g., web front ends, APIs, reverse proxies) with secure ingress, inspection, and routing to internal services.

Core Components

| Service | Purpose |
|---|---|
| Virtual Network (Spoke) | Isolated VNet peered to vWAN hub for secure routing |
| Public-Facing App Components | Web Apps, App Gateway, Front Door, CDN, AKS Ingress |
| Network Security Groups (NSGs) | Subnet-level traffic control and segmentation |
| Public IPs (Scoped) | Assigned to ingress points only (App Gateway, Front Door) |
| Azure Firewall / WAF | Traffic inspection and protection before reaching internal services |
| Private Endpoints (Optional) | Backend services (e.g., SQL, Storage) accessed securely from front ends |
| Key Vault (App) | Secrets and certificates for public-facing workloads |
| Managed Identities | Secure identity for apps and automation |
| Diagnostic Settings | Logs sent to central Log Analytics workspace |
| Backup Configuration | Backup policies for stateful components (e.g., SQL, VMs) |

Example Azure Policies Applied

| Policy Area | Policy Example |
|---|---|
| Public IP Control | Allow scoped public IPs only for approved SKUs (App Gateway, Front Door) |
| WAF/Firewall Enforcement | Require Azure Firewall or WAF for all public ingress |
| NSG Enforcement | Require NSGs on all subnets |
| Route Table Enforcement | Require route tables with default route to vWAN hub |
| Tagging Requirements | Require tags: Owner, Environment, CostCenter, ExposureType |
| Backup Policy | Enforce backup on stateful public-facing resources |
| Diagnostic Settings | Enforce logging to central Log Analytics workspace |
| RBAC & PIM | Require PIM for Owner/Contributor roles |
| Resource Locks | Require locks on critical resources |

Integrates with

| Integration Target | Connected Services |
|---|---|
| Connectivity Subscription | VNet peered to vWAN hub; ingress traffic inspected via Firewall/WAF |
| Corp Workload Subscriptions | Backend services accessed via private endpoints or internal routing |
| Management Subscription | Diagnostic settings, update management, change tracking |
| Security Subscription | Defender for Cloud plans, Sentinel alerts, vulnerability scans |
| Identity Subscription | Managed identities, Key Vault access, Entra ID integration |