Can we merge multiple azure subscriptions into a single one?
Also is it a good idea to have a Standard subscription for the practice purpose?
Related
As an MSP, we manage multiple customer subscriptions through Azure Lighthouse.
Historically we've used a single Automation Account per subscription to contain solutions such as runbooks related to the Start/Stop v1 solution, Automation-based Update Management, Inventory, and Change Tracking. This Automation Account is also linked to a single Log Analytics workspace per subscription.
We've since deployed Start/Stop v2, which uses LogicApps and Azure Functions. We now have a requirement to, as part of stopping and starting some VMs, stop and start some services on the machines itself. I plan on doing this through (PowerShell) Azure Automation Runbooks, which would only stop a VM if the runbook has successfully stopped a service on it.
My question relates to whether a single monolithic Automation Account is the way to go, or whether there are any considerations to be taken if we were to implement multiple Automation Accounts.
(I've noticed Best practice to deploy Azure Automation Account Runbooks, but that's over a year ago. Things might have changed in the mean time)
The best practice related question which you have mentioned still holds good i.e., 2 major attributes to consider are pricing and logical resource allocation. One other attribute to keep in mind while deciding whether to go with single or multiple automation accounts is the limits i.e., if you go with single automation account then does the traffic in your environment or the activities that your automation account does reach the limits mentioned here? If yes, then go for multiple automation accounts approach.
If one has multiple environments(dev/qa/prod) in different subscriptions, there might be some restrictions with Azure DevOPs pipelines. I think currently Azure DevOps cannot span multiple subscription.
Considering this, will it be a good design to say have multiple synapse workspaces(one for each environment - dev/qa/prod) for each project in the same subscription but different resource groups?
There is always more than one way to do things but I do not think one subscription is always the right answer. It brings a bit of risk that someone could accidentally 'deploy to prod', and although this could happen in any situation, having only one subscription makes this more likely. The environments should of course be properly ring-fenced with permissions, resource groups, resource locks, clearly defined release pipelines with gateways etc which will help reduce that risk.
Multiple subscriptions, or at least a dedicated prod subscription housing a single prod environment and a non-prod subscription housing dev, test, QA (and other environments) is another option. This should reduce the risk of a single subscription but introduces additional complexity.
One way to think about it then, and what is best for your organisation is to think about a grid or matrix, with axes for Risk, DevOps maturity and Complexity versus number of Azure subscriptions you have. Ask a series of questions to help decide your position on this chart. A simple example and some sample questions:
Regarding "easy life", DevOps engineers and architects do not think like this and you shouldn't either.
You should have a single Subscription and within that subscription you can have multiple resource groups like Dev/Prod/QA. Deploy and manage your resources for different environment under a corresponding resource group for easy and hustle free experience.
Check the below diagram for your reference.
For better understanding, refer Microsoft official document.
I see that in Azure Devops the billing account is set per organization. So, I can do a cost analysis per organization. Is it possible to do the same thing on a project level with labels and etc? I have checked but I couldn't find any labeling for the projects.
I want to see what is the exact cost of each project based on users, pipelines, parallel jobs costs.
I could not find any billing per project as your question states.
As an alternative or workaround ( I'm not saying this is an ideal solution) you could separate your projects in organizations in order to be able to bill them separately.
Just in case here is the link about billing per organization and here is the link for Billing overview for Azure DevOps in case it may give you some more insights.
Is it possible to do the same thing on a project level with labels and etc?
For this issue , I am afraid this is currently not possible in azure devops . Until now, billing only exists in organization level.
You could add your request for this feature on our UserVoice site , which is our main forum for product suggestions.After suggest raised, you can vote and add your comments for this feedback. The product team would provide the updates if they view it. Thank you for helping us build a better Azure DevOps.
In addition, for detailed information about billing, you can refer to this document.
I'm looking into transitioning all our company systems to MS Azure from our current on-premises setup. We have multiple affiliates operating using their versions of the same system (i.e. a custom built application that is fundamentally the same but is tailor fit to specific business cases/industries.
Is it possible for our mother company to register for MS Azure, and the affiliates exist as separate organizations on that plan? or is each organization required to have its own Azure subscription?
Many Thanks,
Jevb
I saw many different implementations of Azure for companies. Mostly based on per-separate-subscription model, sometimes I saw working with 1 subscription and then splitting teams to Resource Groups, I think it is all up to the company, budgets and goals.
I would recommend to read first these, maybe this will give you some hints how to start and migrate :)
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/reference/azure-scaffold
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/decision-guides/subscriptions/
https://learn.microsoft.com/en-us/azure/governance/management-groups/overview
You can have one tenant for your whole company, and individual subscriptions for each business case. The way that Azure does billing it is nice to split your industries into separate subscriptions until you have a solid tagging strategy in place.
I would highly suggest looking into management groups within Azure as you start to implement policy and RBAC for your individual subscriptions so that you can adhere to security best practices and avoid repeating yourself.
https://learn.microsoft.com/en-us/microsoft-365/enterprise/subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings?view=o365-worldwide
https://learn.microsoft.com/en-us/azure/governance/management-groups/overview
We have Azure environment with 3 different subscription and around 5 project resources are deployed in this environment.
Each project team has rights to create resources under specific Resource Group (RG) within Azure.
Now from Azure Admin perspective, i would like to know Who, When
This is basic requirements for any organization to track their cost, resource information. When i looked in Azure, this information is not available directly at resource level.
Few posts are mentioning to use Tagging for this or use logs (2 years back, really?)? Is it? I am surprised.
Can i use Application Insight for this? or only available for App Service kind of services?
Please help me to get this information in efficient way
Your only option is to implement some sort of logging (like poll Azure Subscription events) and save it somewhere. You can use Azure Monitor to achieve that rather easily. But by itself Azure doesnt offer anything like that out of the box.
you can use tagging, but with obvious challenges. logs only go 3 months back.