Hey everyone! I'm diving into the Azure landing zone and I want to set up multiple subscriptions for each of my environments: dev, qa, and prod. I know that the online and corp management groups can hold multiple subscriptions based on the different environments, but can I create separate subscriptions for each environment to fully isolate them? I'm also a bit confused about when to use the online versus the corp group. For instance, if I have an application running on an AKS cluster that I manage from on-prem through a site-to-site VPN, but it's publicly accessible via an app gateway, where should that setup fall? Any insights would be appreciated!
3 Answers
If your company allows workloads to be public-facing and doesn’t require peering with on-prem, then definitely consider separating online and corp. In my case, we have a policy that prohibits internet-accessible workloads unless absolutely necessary, so we don’t have a clear distinction between corp and online—they're treated the same because Azure policies apply equally. We do have a lab management group where many resources can be internet-facing, though.
It's totally fine to have separate subscriptions for dev, qa, and prod if you want to keep permissions and costs distinct for each environment. Just be careful with your structure because it can get complicated fast. If you're after true isolation, you might consider multiple identity subscriptions as well, especially if you're connecting on-prem. My take is that online management groups should house anything that customers can access over the internet, while corp is where you manage what requires direct connectivity back to the hub. It's really about how you want to set permissions and ensure compliance. It’s not uncommon for different organizations to have varied uses for these groups, so think about what fits your needs best!
For us, we use connectivity subscriptions as hubs where all egress traffic goes through Azure firewalls. Since firewall configurations can change often, we need to test those changes in dev and qa before moving to production, which is why we require segregation. But if you're utilizing an AKS in online subscriptions, management access through jump hosts might be tricky if those aren't directly connected!
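The placement rule described above (online for internet-reachable workloads, corp for anything that needs connectivity back to the hub) together with the asker's one-subscription-per-environment goal can be checked as a small design lint. This is an added example, not code from any poster; management-group names, subscription names and workload flags are constructed, and the hybrid case (public endpoint plus hub connectivity) is only flagged for an explicit decision because the thread does not settle it.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of a proposed landing-zone layout (example data, not a real tenant).
@dataclass
class Workload:
    name: str
    environment: str              # "dev", "qa" or "prod"
    internet_facing: bool         # reachable via a public endpoint (e.g. app gateway)
    needs_hub_connectivity: bool  # must route back to the hub / on-prem (S2S VPN, ExpressRoute)

@dataclass
class Subscription:
    name: str
    management_group: str         # "corp" or "online"
    workloads: List[Workload] = field(default_factory=list)

def expected_group(w: Workload) -> Optional[str]:
    """Placement rule from the thread; returns None when the rule alone cannot decide."""
    if w.needs_hub_connectivity and not w.internet_facing:
        return "corp"
    if w.internet_facing and not w.needs_hub_connectivity:
        return "online"
    return None  # hybrid (both) or neither: needs an explicit architecture decision

def lint(subs: List[Subscription]) -> List[str]:
    """Return human-readable findings; an empty list means the layout passes."""
    findings = []
    for s in subs:
        for w in s.workloads:
            exp = expected_group(w)
            if exp is None:
                findings.append(f"{w.name} ({w.environment}): internet-facing and hub-connected; "
                                f"decide corp vs online explicitly")
            elif exp != s.management_group:
                findings.append(f"{w.name} ({w.environment}): in {s.management_group!r} "
                                f"but rule says {exp!r}")
    # Environment isolation: a single subscription must not mix dev/qa/prod workloads.
    for s in subs:
        envs = {w.environment for w in s.workloads}
        if len(envs) > 1:
            findings.append(f"{s.name}: mixes environments {sorted(envs)}")
    return findings

SAMPLE = [  # constructed layout; the AKS case mirrors the scenario in the question
    Subscription("sub-corp-prod", "corp", [Workload("erp-api", "prod", False, True)]),
    Subscription("sub-online-prod", "online", [Workload("web-frontend", "prod", True, False),
                                               Workload("aks-portal", "prod", True, True)]),
    Subscription("sub-corp-nonprod", "corp", [Workload("erp-api", "dev", False, True),
                                              Workload("erp-api", "qa", False, True)]),
]

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Running it against the constructed layout reports the hybrid AKS workload and the subscription that mixes dev and qa, which are exactly the two design questions raised in this thread.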
I actually manage multiple isolated environments (prod, dev, qa, dr) using a single connectivity subscription. It simplifies code development and maintenance since I have just three networks in each region within that one subscription, differentiated by resource groups. I have a production network, a non-prod network for dev or qa, and a DR network. Each of these has its own NVA and management, which makes everything flow better in Terraform, and honestly, it works like a charm!

I see your point! But what if you need a workload to be both internet-accessible and have access to on-prem for management via connectivity subscriptions? For example, say you have an Azure-hosted VM with public websites, but it also needs to be managed through a VPN—what’s the best practice there?