Should I create a resource group or subscription? - azure

We are a software company, so we set up solutions for other companies. I guess we are not unique in this regard :) so I would like to know if we should create a new subscription each time or just a resource group.
Requirements:
We should be able to bill each customer/project separately
They should be able to take control of their resources easily and move to another company
Managing them should not be a headache
What we have tried
We've tried adding a subscription for each customer. This way, we could just change the admin profile and they could completely move away from us.
The billing is also OK, since we receive a different email for each subscription, but managing them is becoming a real headache.
What I guess could work
From what I read, I guess we could work with resource groups instead of subscriptions and handle the billing part with tags (haven't tried it yet; can we?) but then I'm afraid of not being able to move it to another subscription when they've asked us.
Is it even possible? How easy is that? Does it involve contacting support?
Has anyone tried it?

I would advise against billing using resource groups and tags. The reports are a real mess and 100% unusable. Also, it's a lot of extra work for nothing (seriously, do you care if you have 1 subscription or 10?) and adds no real benefit.
Also, you can move resources across subscriptions of different tenants. Best way of handling this is doing a subscription move. That way you don't have to do anything else. They just link your subscription to another tenant and you are good.
I'm talking from a perspective of administering dozens of subscriptions, and believe me, if you move away from subscriptions to resource groups (as a billing\security boundary) you will get completely devastated by the increased complexity of what you are doing.

In my experience working with organisations that provide similar hosting services to customers, I'd say resource groups are the way to go to avoid too much segregation. It's easier for you to keep control of the resources as well as keeping the cost low if you decide to use shared compute resources such as Application Gateway, DDoS protection, etc.
Bear in mind that depending on what level of permission you're giving to your clients, they might have access to information from other clients, so it's important to come up with a good security and governance plan for the Azure environment and strictly limit what they can access.
Moving things from one subscription to another is easy as long as you're using resources within the supported move list. Check the list below:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-move-resources
You don't have to open a ticket with Microsoft to move these resources and the move can be easily done through the portal interface as long as you select all the resources and their dependencies and you have access to both subscriptions. If your client decides to move their stuff to their own Azure subscription, they will have to give you permission on that. If the resource you're trying to move is not in the supported list, not even Microsoft can move that.
From a billing perspective, I'd say separating by RG and using tags is the way to go as that can be easily filtered in your exported Azure consumption usage report.
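Added example (not part of the original answers): the tag-based cost split discussed in this thread, run in Python over a constructed usage export. The column names `ResourceGroup`, `Tags` and `Cost` and the `customer` tag key are assumptions; spend that carries no customer tag, such as a shared Application Gateway, is kept separate per resource group instead of being silently dropped.

```python
import csv
import io
import json
from collections import defaultdict
from decimal import Decimal

# Constructed sample. The column names (ResourceGroup, Tags, Cost) and the
# "customer" tag key are assumptions; match them to your own export's header.
SAMPLE_CSV = '''ResourceGroup,MeterCategory,Tags,Cost
rg-contoso,Virtual Machines,"{""customer"": ""contoso""}",41.20
rg-contoso,Storage,"""customer"": ""contoso"",""env"": ""prod""",3.05
rg-fabrikam,SQL Database,"{""customer"": ""fabrikam""}",18.75
rg-shared,Application Gateway,,27.00
rg-fabrikam,Bandwidth,"{""env"": ""prod""}",1.10
'''


def customer_of(row, tag_key="customer"):
    """Return the customer tag value, or None when the row cannot be attributed."""
    raw = (row.get("Tags") or "").strip()
    if not raw:
        return None
    if not raw.startswith("{"):
        raw = "{" + raw + "}"  # tolerate a tag cell written without braces
    try:
        tags = json.loads(raw)
    except json.JSONDecodeError:
        return None
    # Tag names are matched case-insensitively here.
    return {k.lower(): v for k, v in tags.items()}.get(tag_key)


def split_costs(csv_text):
    """Sum cost per customer tag; keep unattributed spend per resource group."""
    billed = defaultdict(Decimal)
    unattributed = defaultdict(Decimal)
    for row in csv.DictReader(io.StringIO(csv_text)):
        cost = Decimal(row["Cost"])
        customer = customer_of(row)
        if customer:
            billed[customer] += cost
        else:
            unattributed[row["ResourceGroup"]] += cost
    return dict(billed), dict(unattributed)


if __name__ == "__main__":
    billed, unattributed = split_costs(SAMPLE_CSV)
    print("billed:", billed, "| needs review:", unattributed)
```

Any amount that lands in the second dictionary has to be allocated by hand or fixed by tagging the resource before invoices go out.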

Related

Azure Synapse Environment setup considerations

If one has multiple environments (dev/qa/prod) in different subscriptions, there might be some restrictions with Azure DevOps pipelines. I think currently Azure DevOps cannot span multiple subscriptions.
Considering this, will it be a good design to, say, have multiple Synapse workspaces (one for each environment - dev/qa/prod) for each project in the same subscription but different resource groups?
There is always more than one way to do things but I do not think one subscription is always the right answer. It brings a bit of risk that someone could accidentally 'deploy to prod', and although this could happen in any situation, having only one subscription makes this more likely. The environments should of course be properly ring-fenced with permissions, resource groups, resource locks, clearly defined release pipelines with gateways etc which will help reduce that risk.
Multiple subscriptions, or at least a dedicated prod subscription housing a single prod environment and a non-prod subscription housing dev, test, QA (and other environments) is another option. This should reduce the risk of a single subscription but introduces additional complexity.
One way to think about it then, and what is best for your organisation is to think about a grid or matrix, with axes for Risk, DevOps maturity and Complexity versus number of Azure subscriptions you have. Ask a series of questions to help decide your position on this chart. A simple example and some sample questions:
Regarding "easy life", DevOps engineers and architects do not think like this and you shouldn't either.
You should have a single subscription and within that subscription you can have multiple resource groups like Dev/Prod/QA. Deploy and manage your resources for different environments under a corresponding resource group for an easy and hassle-free experience.
Check the below diagram for your reference.
For better understanding, refer to the Microsoft official document.

Regarding isolating resources created by two users in a subscription in Azure

I have one AD associated with one subscription and I need to create two users and need to isolate the resources created by them. Is this really possible? Since I am new to Azure, I am not much aware of this. It would be great if someone could lend a hand.
I need to create two users and need to isolate the resources created by them. Is this really possible?
Yes. To isolate them from a management and administration point-of-view, create two resource groups, and add each user to the appropriate role on one resource group.
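Added example, not from the original post: a Python check that the isolation described above actually holds, flagging role assignments that let a user reach beyond their own resource group (the same cross-client access risk raised in the first thread on this page). The input is a constructed sample shaped like the output of `az role assignment list --all -o json`; the user names, resource group names and the `EXPECTED` mapping are assumptions.

```python
import json

# Constructed sample shaped like `az role assignment list --all -o json` output
# (only the fields used here). Subscription ID and names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = json.dumps([
    {"principalName": "alice@example.com", "roleDefinitionName": "Contributor",
     "scope": f"{SUB}/resourceGroups/rg-alice"},
    {"principalName": "bob@example.com", "roleDefinitionName": "Contributor",
     "scope": f"{SUB}/resourceGroups/rg-bob"},
    {"principalName": "bob@example.com", "roleDefinitionName": "Reader",
     "scope": SUB},
    {"principalName": "alice@example.com", "roleDefinitionName": "Reader",
     "scope": f"{SUB}/resourceGroups/RG-Bob/providers/Microsoft.Storage/storageAccounts/stbob"},
])

# Assumed mapping: the one resource group each user should be confined to.
EXPECTED = {"alice@example.com": "rg-alice", "bob@example.com": "rg-bob"}


def resource_group_of(scope):
    """Return the lower-cased resource group in an ARM scope, or None if broader."""
    parts = scope.lower().strip("/").split("/")
    if "resourcegroups" in parts[:-1]:
        return parts[parts.index("resourcegroups") + 1]
    return None


def audit(assignments_json, expected):
    """List assignments that let a user reach outside their own resource group."""
    findings = []
    for a in json.loads(assignments_json):
        user = a.get("principalName", "")
        if user not in expected:
            continue  # operators and service principals are out of scope here
        rg = resource_group_of(a["scope"])
        if rg is None:
            reason = "scope broader than a resource group"
        elif rg != expected[user].lower():
            reason = f"assigned in another resource group ({rg})"
        else:
            continue
        findings.append((user, a["roleDefinitionName"], reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, EXPECTED):
        print(*finding, sep=" | ")
```

Even a Reader assignment at subscription scope shows up as a finding, because it exposes the other user's resources and configuration for reading.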

Moving resources from disabled to new subscription in Azure

I've got all my stuff under a subscription that got disabled (changed the employer). I registered a new one (pay-as-you-go on my own credit card). Attempting to move the deactivated sites to the new one failed and the portal says:
Resources cannot be moved from disabled subscriptions.
I've followed the link provided and googled around finding that "...source and destination subscriptions must be active...". That's not very helpful in my case as I have no means to make the admins managing the old subscription reactivate it, not even for a short while.
Do I have to scratch everything and re-publish the application? It won't let me do that on the same URL (and reconfiguring the SQL server/DB might cause additional issues). Google gave me nada and I wonder if there's a way to simply move the stuff somehow in the portal.
I can't wait for the reply from MS support because the site manages a register for people with some mental disabilities and not being able to access the material is a huge blow on their daily peace.
Oh, I'm running the site pro-bono (out of my own pocket for the unfortunate souls) so a solution that's pricey might be a show-stopper.
This happened to me. Go to the subscription and reactivate it by converting it to a pay-as-you-go subscription. Then you can download and move resources. If you don't need the subscription after that, you can delete it.

Transfer SQL Azure servers, Storage Accounts away from CSP subscription

We have a CSP subscription through a partner, and the whole experience is rubbish. Costing / billing APIs not available, can't use our Office 365 Azure AD, can't use SendGrid, can't see the cost of resources in the portal, loads of features missing. It's rubbish.
We're moving away and want to transfer a substantial number of SQL Azure servers (with many pools and databases) and Storage Accounts (with lots of items) to another, new PAYG subscription, which uses our O365 Azure AD.
#AzureSupport on Twitter pointed me to - https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-move-resources
But this says, "The source and destination subscriptions must exist within the same Azure Active Directory tenant."
It suggests two ways forward:
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
But... The "Change Directory" option is not present for CSP accounts (lo and behold! another missing feature)
https://learn.microsoft.com/en-us/azure/billing/billing-subscription-transfer
But.. Heading to https://account.windowsazure.com/Subscriptions as instructed gives me a 500 error, with "We are sorry, but we could not complete that operation.".
Also.. Of course, the CSP (Ingram) do not offer any of these kinds of options on their sub management portal.
#AzureSupport then recommended I post here.
Can anyone advise / help please? Would be very much appreciated, thank you.
You are currently blocked, as there is not a good workflow to migrate from CSP to Pay-as-you-go; as the below User Voice entry suggests, others are looking for the same. Please upvote and comment on this.
Change subscription from CSP to pay-as-you-go
As for getting switched back to PAYG, I suggest exporting your data and importing into new services that have been set up under your desired account set-up. If you need the instance names, these will need to be deleted before the data can be imported into the newly created service with the existing instance names, in cases where instance names can be reused after deletion of the particular service.
There is currently no supported means to migrate a subscription away from CSP once migrated, from my investigation.
Use Azure Data Migration Service to migrate from source to target. This though, will not allow you to keep the same instance names, as both the source and target will need to exist at the same time.

How can I transfer the cost of a resource to one of my BizSpark team members?

We have three developers in my startup and we are members of Microsoft BizSpark.
I am the only back-end developer so I create and control all the resources in our Azure portal.
Even though I made the other members owners of our resources (settings->users) I am still the only one losing credits. I always reach the limit and they always have 150$ left.
Is it possible to transfer the cost of a resource to another member or do I have to create it again from their accounts?
Thank you in advance for any response!
I've been using BizSpark also, and there is no way to transfer elements between accounts. Depending on the objects you are planning to move, for some of them you will have to create a backup and restore them in the new account.
Basically, you have to create them again. It's a pain, but if you order your components you can get the most out of the 5 accounts with 150 USD.
