I'm in the process of planning a migration of many of our on-premises servers to Azure. A key part of this transition is figuring out the best way to organize our virtual machines (VMs). With an on-premise Active Directory (AD) setup, it's straightforward to group VMs using Organizational Units (OUs) for applying Group Policy Objects (GPOs). However, I'm unsure how to approach grouping VMs in Azure. Each VM typically comes with several resources, like virtual NICs, OS disks, and Network Security Groups. From a high-level perspective, it makes sense to have separate subscriptions for different environments (Test, Staging, Production), but I'm torn on whether to create one Resource Group (RG) per VM, especially since we currently have over 250 servers, with an estimate of at least 100 that we plan to migrate. I'm eager for advice or ideas from anyone who has worked on similar implementations, especially regarding organization strategies and any insights from their transition experiences.
5 Answers
We also use tags and Resource Groups with descriptions for better clarity. For instance, we might have something like 'rg-customer-sap-location-prod' for a group handling SAP applications. This way, it’s easier to identify what each resource group is for based on its name.
Organizing resources in Azure is a bit different from AD OUs, but it doesn’t mean you need a whole new strategy. Think critically about how you'll manage costs and user access as you design your hierarchy. Ultimately, tags can solve many organizational issues by helping you categorize resources beyond just RGs.
Using tags can really help in organizing your resources. For instance, we apply tags like cost code, infrastructure as code (IaC), the base VM name, owner's email, and service name. We consider the VM name as the parent name, which is then used across all associated resources like NICs and storage accounts. Grouping all related VMs, NICs, etc., under one Resource Group based on their service is a solid approach. This keeps everything organized and easier to manage!
Honestly, putting one VM in a separate Resource Group each can lead to chaos. It's better to think about how VMs are shared based on workloads or management teams. For instance, infrastructure teams usually manage the VMs, but it's beneficial to let app teams take ownership, streamlining management. There’s no definitive way to organize—it often requires a bit of trial and error and may involve some spreadsheet work to visualize group overlaps. Tags are definitely essential in this scenario!
Do you have any examples of a tagging structure that works for you? I'm thinking of proposing a standard at my workplace because we don't currently have one.
Just a heads-up: organizing Azure VMs isn’t solely connected to how you manage your on-premise AD. You can manage your Azure resources based on your RBAC needs, cost management, and lifecycle requirements. Keep in mind, resources can't be shared across different subscriptions, which can complicate network design if not planned!
That's a neat method! We have a similar setup with DOPE: Department, Owner, Project, and Environment as our common tags.