Azure Subscriptions¶
A subscription is the fundamental unit of management in Azure. It defines boundaries for resource organization, governance, and cost control. Subscriptions should be designed with scalability, clarity, and governance in mind.
Key Principles¶
- Business Alignment: Assign subscriptions to business units, product lines, or major workloads.
- Environment Segregation: Use separate subscriptions to isolate environments across the SDLC (e.g., dev, test, staging, production).
- Self-Service Enablement: Provide a streamlined, automated process for creating subscriptions to reduce administrative overhead and accelerate delivery.
- Governance Integration: Ensure every subscription is part of a well-defined management group hierarchy for consistent policy enforcement and cost visibility.
Design Considerations¶
- Scalability: Subscriptions should scale with organizational growth and workload demand.
- Modularity: Subscriptions must be easy to create, modify, and retire as requirements evolve.
- Repeatability: Use Infrastructure as Code (IaC) to provision subscriptions consistently and enforce standards.
- Cost & Compliance: Apply tagging, budgets, and Azure Policy to track spending and enforce compliance from day one.
Best Practices¶
- Define clear ownership and accountability for each subscription.
- Apply RBAC at the subscription level to enforce least-privilege access.
- Use Azure Policy and Blueprints to standardize security, compliance, and operational baselines.
- Continuously monitor subscription usage and optimize for cost and performance.
Platform Landing Zone Subscriptions¶
Security Subscription¶
A dedicated subscription under the Security Management Group, designed to host centralized security services and policies that apply across the entire Azure environment.
Core Components
| Service | Purpose |
|---|---|
| Microsoft Sentinel | SIEM/SOAR platform for log ingestion, analytics, incident response |
| Defender for Cloud | Posture management, threat detection, vulnerability scanning |
| Log Analytics Workspace | Central workspace for Sentinel and Defender logs |
| Key Vault (Security) | Secrets for security automation, SOC integrations, SIEM connectors |
| Security Automation | Playbooks, alerts, and response workflows (via Logic Apps or Sentinel) |
Example Azure Policies Applied
| Policy Area | Policy Example |
|---|---|
| Encryption Enforcement | Require encryption at rest and in transit for all supported resources |
| Threat Protection | Enable Defender for Cloud plans across VMs, SQL, Storage, App Services |
| Secure Score Monitoring | Require secure score tracking and alerting |
| Vulnerability Assessment | Enforce vulnerability scans on VMs and databases |
| JIT Access | Require Just-In-Time access for admin VMs |
| Security Contact Info | Require security contact email and phone on all subscriptions |
| Audit Logging | Enforce diagnostic settings to central Log Analytics workspace |
| Policy Compliance Alerts | Alert on non-compliant resources across all landing zones |
Integrates with
| Integration Target | Connected Services |
|---|---|
| Sentinel | Platform logs (Firewall, DNS, vWAN), Identity logs (Entra ID, PIM), App logs (SQL, Web) |
| Defender for Cloud | Microsoft Defender XDR, Compliance dashboards, remediation workflows |
| Security Automation | Logic Apps, ticketing systems, SIEM connectors |
Management Subscription¶
A dedicated subscription under the Management Management Group, designed to host centralized monitoring, automation, and governance services that support platform and application workloads.
Core Components
| Service | Purpose |
|---|---|
| Log Analytics Workspace | Central workspace for diagnostics, monitoring, and policy compliance logs |
| Azure Monitor | Unified metrics, alerts, dashboards, and insights across all subscriptions |
| Automation Account | Update management, change tracking, inventory, and runbooks |
| Resource Graph Explorer | Query and visualize resource compliance and inventory |
| Cost Management + Budgets | Centralized budget alerts, cost tracking, and chargeback tagging |
| Change Tracking + Inventory | Track VM changes, installed software, and configuration drift |
| Update Management | Patch compliance and scheduling for VMs |
| Azure Backup Center | Centralized backup orchestration, policy enforcement, and reporting |
| Recovery Services Vaults | Store backups for VMs, SQL, SAP, and file shares across all landing zones |
Example Azure Policies Applied
| Policy Area | Policy Example |
|---|---|
| Tag Enforcement | Require tags: Owner, Environment, CostCenter, AppName |
| Diagnostic Settings | Enforce diagnostic settings to send logs to central Log Analytics |
| Allowed Locations/SKUs | Restrict resource creation to approved regions and VM SKUs |
| Resource Type Restrictions | Deny unsupported or risky resource types (e.g., public IPs, unmanaged disks) |
| Budget Alerts | Require budget configuration and cost alerts per subscription |
| Automation Coverage | Enforce update management and change tracking on all VMs |
| Policy Compliance Alerts | Alert on non-compliant resources across platform and app landing zones |
Integrates with
| Integration Target | Connected Services |
|---|---|
| Log Analytics Workspace | Sentinel, Defender for Cloud, App diagnostics, NSG flow logs, Firewall logs |
| Azure Monitor | Metrics and alerts from platform and app subscriptions |
| Automation Account | Update management, inventory, change tracking across VMs |
| Cost Management | Budget alerts, chargeback tagging, FinOps dashboards |
Identity Subscription¶
Core Components
| Service | Purpose |
|---|---|
| AD DS (IaaS) | Domain Controllers for hybrid identity or legacy workloads |
| Key Vault (Identity) | Secrets for sync credentials, federation certs, and identity automation |
| Jump Hosts / Bastion | Secure access to identity VMs |
| Diagnostic Settings | Logs from identity services to central Log Analytics |
Example Azure Policies Applied
| Policy Area | Policy Example |
|---|---|
| Public IP Control | Deny public IPs on identity VMs and Bastion hosts |
| Private Endpoint Enforcement | Require private endpoints for Key Vault and Azure AD DS |
| Backup Policy | Enforce backup on AD DS VMs and Azure AD DS |
| Tagging Requirements | Require tags: Owner, Environment, IdentityRole |
| JIT Access | Require Just-In-Time access for PAW and jump hosts |
| Diagnostic Settings | Enforce logging to central Log Analytics workspace |
| Key Vault Protection | Require purge protection and soft delete on identity-related Key Vaults |
| RBAC & PIM | Require PIM for all identity-related roles |
Integrates with
| Integration Target | Connected Services |
|---|---|
| Microsoft Entra ID | Sync via Entra Connect; governs access across all subscriptions |
| Security Subscription | Logs from identity services feed into Sentinel and Defender for Cloud |
| Management Subscription | Diagnostic settings and automation for identity VMs and services |
| Connectivity Subscription | Private DNS zones for AD DS, Azure AD DS, and Key Vault resolution |
Network Subscription¶
Core Components
| Service | Purpose |
|---|---|
| Virtual WAN (vWAN) | Central hub for spoke connectivity, routing, and inspection |
| ExpressRoute Gateway | Private connectivity to on-premises via MPLS or dedicated circuit |
| VPN Gateway | Site-to-site and point-to-site VPN connectivity |
| Azure Firewall | Centralized traffic inspection and egress control |
| Route Server | Dynamic routing between NVA and BGP peers |
| Private DNS Zones | Centralized DNS resolution for private endpoints |
| DNS Resolver | Enables cross-zone DNS resolution across spokes |
| DDoS Protection Plan | Tenant-wide protection against volumetric attacks |
Example Azure Policies Applied
| Policy Area | Policy Example |
|---|---|
| NSG Enforcement | Require NSGs on all subnets |
| Route Table Enforcement | Require route tables with default route to vWAN hub |
| Firewall Usage | Enforce traffic inspection via Azure Firewall or NVA |
| Private DNS Enforcement | Require DNS resolution via Private DNS Zones and DNS Resolver |
| Public IP Control | Deny public IPs on shared infra unless explicitly justified |
| Diagnostic Settings | Enforce logging to central Log Analytics workspace |
| Tagging Requirements | Require tags: Owner, Environment, NetworkZone |
| DDoS Protection | Enforce DDoS plan attachment to hub VNets |
Integrates with
| Integration Target | Connected Services |
|---|---|
| Platform Subscriptions | Identity, Management, Security — all route through vWAN hub |
| Application Subscriptions | Spoke VNets connect to hub for routing, inspection, and DNS resolution |
| On-Premises | ExpressRoute and VPN Gateways connect to AD DS, apps, and users |
| Security Subscription | Firewall logs and NSG flow logs feed into Sentinel and Defender for Cloud |
| Management Subscription | Diagnostic settings and monitoring for all network components |
Application Landing Zone Subscriptions¶
Corp Workload¶
A dedicated subscription under the Corp Workloads Management Group, designed to host internal-facing application resources for a specific business unit (e.g., BU-A), with secure connectivity to platform services and centralized governance.
Core Components
| Service | Purpose |
|---|---|
| Virtual Network (Spoke) | Isolated VNet peered to vWAN hub for secure routing |
| Application Resources | VMs, App Services, AKS, SQL, Storage — internal-facing workloads |
| Network Security Groups (NSGs) | Subnet-level traffic control and segmentation |
| Private Endpoints | Secure access to PaaS services (Storage, SQL, Key Vault, etc.) |
| Key Vault (App) | Secrets and certificates for application workloads |
| Managed Identities | Secure identity for apps and automation |
| Diagnostic Settings | Logs sent to central Log Analytics workspace |
| Backup Configuration | Backup policies for VMs, SQL, and critical stateful resources |
Example Azure Policies Applied
| Policy Area | Policy Example |
|---|---|
| Public IP Control | Deny public IPs on all resources |
| Private Endpoint Enforcement | Require private endpoints for all supported PaaS services |
| NSG Enforcement | Require NSGs on all subnets |
| Route Table Enforcement | Require route tables with default route to vWAN hub |
| Tagging Requirements | Require tags: Owner, Environment, CostCenter, AppName |
| Backup Policy | Enforce backup on VMs, SQL, and critical resources |
| Diagnostic Settings | Enforce logging to central Log Analytics workspace |
| RBAC & PIM | Require PIM for Owner/Contributor roles |
| Resource Locks | Require locks on critical resources |
Integrates with
| Integration Target | Connected Services |
|---|---|
| Connectivity Subscription | VNet peered to vWAN hub; routes through Azure Firewall and DNS Resolver |
| Management Subscription | Diagnostic settings, update management, change tracking |
| Security Subscription | Defender for Cloud plans, vulnerability scans, Sentinel alerts |
| Identity Subscription | Managed identities, Key Vault access, Entra ID integration |
Internet-Facing¶
A dedicated subscription under the Internet-Facing Workloads Management Group, designed to host public-facing application components (e.g., web front ends, APIs, reverse proxies) with secure ingress, inspection, and routing to internal services.
Core Components
| Service | Purpose |
|---|---|
| Virtual Network (Spoke) | Isolated VNet peered to vWAN hub for secure routing |
| Public-Facing App Components | Web Apps, App Gateway, Front Door, CDN, AKS Ingress |
| Network Security Groups (NSGs) | Subnet-level traffic control and segmentation |
| Public IPs (Scoped) | Assigned to ingress points only (App Gateway, Front Door) |
| Azure Firewall / WAF | Traffic inspection and protection before reaching internal services |
| Private Endpoints (Optional) | Backend services (e.g., SQL, Storage) accessed securely from front ends |
| Key Vault (App) | Secrets and certificates for public-facing workloads |
| Managed Identities | Secure identity for apps and automation |
| Diagnostic Settings | Logs sent to central Log Analytics workspace |
| Backup Configuration | Backup policies for stateful components (e.g., SQL, VMs) |
Example Azure Policies Applied
| Policy Area | Policy Example |
|---|---|
| Public IP Control | Allow scoped public IPs only for approved SKUs (App Gateway, Front Door) |
| WAF/Firewall Enforcement | Require Azure Firewall or WAF for all public ingress |
| NSG Enforcement | Require NSGs on all subnets |
| Route Table Enforcement | Require route tables with default route to vWAN hub |
| Tagging Requirements | Require tags: Owner, Environment, CostCenter, ExposureType |
| Backup Policy | Enforce backup on stateful public-facing resources |
| Diagnostic Settings | Enforce logging to central Log Analytics workspace |
| RBAC & PIM | Require PIM for Owner/Contributor roles |
| Resource Locks | Require locks on critical resources |
Integrates with
| Integration Target | Connected Services |
|---|---|
| Connectivity Subscription | VNet peered to vWAN hub; ingress traffic inspected via Firewall/WAF |
| Corp Workload Subscriptions | Backend services accessed via private endpoints or internal routing |
| Management Subscription | Diagnostic settings, update management, change tracking |
| Security Subscription | Defender for Cloud plans, Sentinel alerts, vulnerability scans |
| Identity Subscription | Managed identities, Key Vault access, Entra ID integration |