This chapter covers how to manage the resources and services available in Azure that support governance objectives, as well as costs. We will cover resource groups, resource locks, subscriptions, costs, and management groups, all of which play a crucial role in maintaining governance within the Azure platform. You will build confidence in this chapter to do just that and understand how to apply what you have learned to your organization.
In this chapter, we are going to cover the following main topics:
- Managing resource groups
- Configuring resource locks
- Managing subscriptions
- Managing costs
- Configuring management groups
Technical requirements
To follow along with the hands-on material, you will need the following:
- Access to an Azure subscription with global administrator and billing administrator privileges. If you do not have access to one, you can enroll for a free account at https://azure.microsoft.com/en-us/free/.
- PowerShell 5.1 or later installed on a PC from which labs can be practiced. Note that many examples can only be followed from a PC.
- Installation of the Az module. This can be performed by running the following command in an administrative PowerShell session:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
Now, let’s understand how to manage resource groups.
Managing resource groups
Resource groups are logical containers for grouping multiple resources together. Resources can be virtual machines (VMs), databases, virtual networks, web apps, and so forth. A resource group should group all resources that share a similar or same life cycle—for instance, all items that are deployed, updated, or deleted with some form of commonality such as belonging to the same application, service, type, department, or location; in other words, they behave or are viewed as a single entity. Resource groups create a mechanism for logical grouping that enables the order and organization of resources created in Azure.
Some important points to note when defining resource groups are outlined here:
- A resource can only belong in a single resource group at any time.
- Resources can be added and removed from a resource group at any time.
- Resource group metadata (the data describing the resource group and resources) is stored in the region where the resource group is created.
- Resources in a resource group are not bound by the location defined for the resource group and can be deployed into different regions.
- If the resource group’s region is temporarily unavailable, then resources in the group cannot be updated since the metadata is unavailable. However, resources deployed in other regions will continue to function as expected, with the caveat that they cannot be updated or managed.
- Access control actions can be associated with resource groups through role-based access control (RBAC) roles, Azure Policy, or resource locks.
- Consider a resource group organization strategy when creating resource groups, to identify ownership, billing, location, resource type, department, applications, and access.
Resources can also be moved to a different resource group and subscription; however, there are limitations to this. The following Uniform Resource Locator (URL) will assist in considering items before moving: https://docs.microsoft.com/en-us/ azure/azure-resource-manager/management/move-resource-group-and-subscription#checklist-before-moving-resources. Not all resources support migrations, and the following up-to-date link will provide supported operations
by resource type: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources.
Leave a Reply