AZ-104 Governance - Azure Resource Hierarchy

Cloudville

Managing cloud resources effectively is the goal of every organization and individual using the cloud. However, without a structured approach, managing access control, governance, and resource organization can become challenging. Azure addresses this with a hierarchical resource model that lets users manage, secure, and organize resources efficiently.

Before we learn about the Azure resource hierarchy, let us start with a simple definition of hierarchy. Simply put, a hierarchy is a structured arrangement where elements are ranked or organized in levels, with higher levels influencing those below them. This concept is fundamental to how Azure structures its resources, ensuring efficient management and governance across different scopes.

How Azure Organizes and Manages Resources

The hierarchy has four levels. From lowest to highest, they are resources, resource groups, subscriptions, and management groups.

  • Management Groups: Management groups help you manage access, policies, and compliance across multiple subscriptions. Any conditions applied to a management group automatically get inherited by all subscriptions within it, ensuring consistent governance.

  • Subscriptions: Subscriptions act as a logical boundary that links user accounts to the resources they create. Each subscription comes with limits or quotas on resource usage. Organizations use subscriptions to manage costs, resources, and workloads for different teams, projects, or environments (e.g., Dev, Test, Prod).

  • Resource Groups: A resource group is a logical container where you deploy and manage Azure resources like virtual machines, web apps, databases, and storage accounts. It helps in organizing related resources and applying access control and policies at a group level.

  • Resources: Resources are the individual services deployed in Azure, such as virtual machines, storage accounts, and SQL databases. Every resource must belong to a resource group, inheriting its policies and access settings.

💡 A management group tree can have a maximum depth of six levels, excluding the root level and the subscription level. In other words, you cannot nest management groups more than six times within a hierarchy.

Scopes in Governance

Azure’s resource hierarchy serves as the basis for applying governance tools such as policies, role assignments, tags, and other compliance controls. Each level in the hierarchy (Management Groups, Subscriptions, Resource Groups, and Resources) acts as a scope where governance settings can be enforced. A key principle in Azure governance is inheritance: when a policy or role is assigned at a higher scope, it automatically cascades down to lower levels in the hierarchy.

For example, if you apply a policy or role assignment at the subscription level, all resource groups and resources within that subscription will inherit those settings automatically.
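The inheritance rule above can be checked mechanically when reviewing who can reach a resource. The following is an added example, not code from the original article: it walks a resource ID up through its resource group, subscription, and management groups and lists every role assignment that applies, flagging the inherited ones. The subscription ID, principals, role assignments, and the management group parent map are constructed sample data, and only the four levels described on this page are modeled.

```python
# Added example: resolve which role assignments reach a resource via scope inheritance.
# All IDs, principals and the management group mapping below are constructed sample data.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Parent links above the subscription level (constructed). A resource ID does not
# encode its management groups, so this mapping has to be supplied separately.
PARENT = {
    SUB.lower(): MG_PREFIX.lower() + "mg-prod",
    MG_PREFIX.lower() + "mg-prod": MG_PREFIX.lower() + "mg-root",
}

ASSIGNMENTS = [  # (principal, role, scope), constructed
    ("alice", "Owner", MG_PREFIX + "mg-root"),
    ("bob", "Contributor", SUB),
    ("carol", "Reader", SUB + "/resourceGroups/rg-app"),
    ("dave", "Contributor", SUB + "/resourceGroups/rg-data"),
]

def scope_chain(resource_id):
    """Return every scope that contains resource_id, lowest to highest."""
    rid = resource_id.rstrip("/").lower()  # Azure resource IDs are case-insensitive
    parts = rid.strip("/").split("/")
    chain = [rid]
    if parts[0] == "subscriptions" and len(parts) >= 2:
        sub = "/" + "/".join(parts[:2])
        if len(parts) >= 4 and parts[2] == "resourcegroups":
            rg = "/" + "/".join(parts[:4])
            if rg != rid:
                chain.append(rg)
        if sub != rid:
            chain.append(sub)
    # Continue upward through management groups using the parent map.
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

def effective_assignments(resource_id):
    """List (principal, role, assigned_at, inherited) for assignments that apply."""
    chain = scope_chain(resource_id)
    hits = []
    for principal, role, scope in ASSIGNMENTS:
        s = scope.rstrip("/").lower()
        if s in chain:
            hits.append((principal, role, scope, s != chain[0]))
    return hits
```

Run against a virtual machine in `rg-app`, the result shows that the Owner assignment made at the top management group reaches the VM even though nothing was assigned on the VM itself, which is why assignments at high scopes deserve the closest review.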

Design Considerations

When configuring your environment and setting up resource hierarchies, it's essential to consider:

  • Organizational Structure: Your hierarchy should mirror your organization's structure. For instance, if you have different departments or teams, you might want separate resource groups or subscriptions for each.

  • Security and Compliance: Use the hierarchy to implement security policies and compliance standards. Higher-level configurations (like those at the management group or subscription level) will be inherited down the hierarchy.

  • Resource Limits: Azure imposes certain limits at the subscription level, like the maximum number of virtual machines or storage accounts. Organize your resources considering these limits.

  • Lifecycle Management: Group resources that share the same lifecycle in a single resource group. This makes it easier to manage, update, or delete them collectively.

Conclusion

Understanding the Azure resource hierarchy goes beyond just knowing how resources are structured; it is about optimizing management, enforcing security, and ensuring governance at scale. A well-structured hierarchy simplifies the application of RBAC roles, policies, budgets, and locks, as these controls can be assigned at the right scope and automatically cascade down. By mastering this hierarchy, you can easily maintain compliance and govern your cloud infrastructure properly.
