Before we start creating resources, I want you to know a few of the key concepts in Microsoft Azure. This post will give you a fair idea of how Azure works behind the scenes.
If you are new and want to create a free account, please refer to this page. You will come across a lot of new keywords as you learn, but I am calling out a few that will help you start learning at high speed. We are not going deep here; the idea is to give a short description of each.
- Tenant
- Management Groups
- Subscriptions
- Resource Groups
- Resources
In Azure, access control works as a hierarchy, from top to bottom (parent to child). The image below will give you a fair idea of what I am talking about.
[Image 1: Azure scope hierarchy diagram; source: Google]
Tenant:
A tenant is a single instance of Azure AD. It is the key piece of the Azure cloud that provides and manages users, groups, and permissions. Every authentication flow goes through the Azure AD tenant, no matter how you access or manage Azure resources: the Azure portal, the CLI, or PowerShell. An Azure AD tenant can be associated with multiple subscriptions, but a subscription can be associated with only a single Azure AD tenant.
Management Groups:
Azure management groups give a company a way to control and manage access, compliance, and policies for all the subscriptions in the tenant. They sit on top of subscriptions: a management group can contain many subscriptions, but a subscription belongs to exactly one management group. Management groups can be nested up to six levels deep, starting from the root management group. As I mentioned above, policies work in the hierarchy model, so when you apply a new policy on the root management group it propagates all the way down to every subscription. Even if you have other policies at the subscription level, the root policy always wins: a restriction applied at a higher scope cannot be overridden by a policy lower down. Take an example: you have a policy on your Dev/Test subscription which allows you to create resources in the EastUS region, but the admin decides to apply a new policy on the root management group that blocks creating new resources in EastUS. You then lose that access, even though you have it at the subscription level, because the root management group policy has the higher priority.
[Image 2: management group hierarchy; source: Google]
Subscriptions:
A subscription is the next logical container after management groups. Subscriptions help us organize all the resources (VMs, storage accounts, databases, web apps, etc.) under a single bill. A subscription is always associated with one tenant, but we can move it to a different tenant if we need to. We can also grant a user from outside the tenant access to the subscription. At the subscription level we can take advantage of RBAC (Role-Based Access Control), which restricts access based on the person's role in Azure. That means if we grant a specific role to a specific person on the subscription, that role applies to all the resources within the subscription.
Resource Groups:
An Azure resource group is the next level in the hierarchy. It is a container that stores the metadata for a logical group of resources, which means it holds all the information about the resources (VMs, disks, NICs, virtual networks, etc.) inside it. It also lets us apply RBAC at the group level, and it helps with administration and cost management. For example, if we have a new project and store all of its resources in one resource group, administration (granting and denying roles) and cost management (budget, quota, and usage) become easy. And if we want to remove all the resources related to that project, we can simply delete the resource group.
Resources:
Now we are at the last level in the hierarchy: resources. A resource is anything we provision from Azure: VMs, storage accounts, IP addresses, network interfaces, and so on. Whatever you deploy in Azure is a resource, whether it is a serverless application, a container, or a VM. In Azure everything is an individual entity (thanks to Azure Resource Manager, which I will discuss in a different post). For example, you create a new VM and think of it as one resource; that is a mistake. To create a VM we need a disk, a network interface, an IP address, and so on, depending on our requirements. Azure treats each one as a separate resource, and we pay for each of them.
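To make the hierarchy concrete, here is a small Python model I am adding to this post (it is not Azure's own evaluation engine, and it is not code from Microsoft). It strings together the points made above: a deny effect assigned at the root management group blocks an EastUS deployment even though the Dev/Test subscription allows that region, an RBAC role granted at subscription scope applies to every resource group and resource underneath it (while a role granted on one resource group does not reach up to the subscription), and one "VM" in a resource group is really several resources that go away together when the group is deleted. The management group, subscription, resource group and resource IDs are constructed sample values in the real ARM ID format; the `parent_of`, `ancestry`, `deployment_allowed`, `effective_roles` and `resources_in_group` helpers are mine, and the model deliberately ignores policy exemptions, deny assignments, role definitions and nested child resources.

```python
"""Toy model of the Azure scope hierarchy described in this post:
management group -> subscription -> resource group -> resource.
Two inheritance rules are shown: Azure Policy deny effects flow down from a
management group to everything beneath it, and an RBAC role assignment at a
scope applies to every child scope.  This is a simplified illustration, not
Azure's engine: it ignores policy exemptions, deny assignments, role
definitions and nested child resources.  All IDs are constructed sample values."""
from dataclasses import dataclass

# Constructed sample hierarchy using the real ARM ID formats.
ROOT_MG = "/providers/Microsoft.Management/managementGroups/root"
DEVTEST_MG = "/providers/Microsoft.Management/managementGroups/devtest"
DEVTEST_SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
PROJECT_RG = DEVTEST_SUB + "/resourceGroups/project-a"

# What we think of as "one VM" is three separately billed resources in one group.
PROJECT_RESOURCES = [
    PROJECT_RG + "/providers/Microsoft.Compute/virtualMachines/web01",
    PROJECT_RG + "/providers/Microsoft.Compute/disks/web01-osdisk",
    PROJECT_RG + "/providers/Microsoft.Network/networkInterfaces/web01-nic",
]

# Management-group membership is stored explicitly: a management group's ID is
# not a prefix of the subscription ID.  Below the subscription, IDs nest.
PARENT = {DEVTEST_MG: ROOT_MG, DEVTEST_SUB: DEVTEST_MG}


def parent_of(scope):
    """Return the parent scope, or None for the root management group."""
    if scope in PARENT:
        return PARENT[scope]
    if "/resourceGroups/" in scope and "/providers/" in scope:
        return scope.split("/providers/", 1)[0]       # resource -> resource group
    if "/resourceGroups/" in scope:
        return scope.split("/resourceGroups/", 1)[0]  # resource group -> subscription
    return None                                       # root management group


def ancestry(scope):
    """The scope itself followed by every ancestor up to the root management group."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = parent_of(scope)
    return chain


@dataclass(frozen=True)
class LocationPolicy:
    scope: str                        # where the policy is assigned
    allowed: frozenset = frozenset()  # "allowed locations": anything else is denied
    denied: frozenset = frozenset()   # "not allowed locations"


# Constructed scenario from the post: the Dev/Test subscription allows EastUS,
# then an admin blocks EastUS at the root management group.
POLICIES = [
    LocationPolicy(DEVTEST_SUB, allowed=frozenset({"eastus", "westus"})),
    LocationPolicy(ROOT_MG, denied=frozenset({"eastus"})),
]


def deployment_allowed(target_scope, location, policies):
    """Evaluate every policy assigned at the target scope or one of its ancestors.
    Effects are cumulative: a single deny anywhere up the chain blocks the
    deployment, so a deny at the root cannot be overridden by an allow lower down."""
    chain = set(ancestry(target_scope))
    for p in policies:
        if p.scope not in chain:
            continue
        if p.allowed and location not in p.allowed:
            return False, f"denied by allowed-locations policy at {p.scope}"
        if location in p.denied:
            return False, f"denied by not-allowed-locations policy at {p.scope}"
    return True, "allowed"


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str


# Constructed assignments: alice is Contributor on the whole subscription,
# bob is Reader on one resource group only.
ASSIGNMENTS = [
    RoleAssignment("alice", "Contributor", DEVTEST_SUB),
    RoleAssignment("bob", "Reader", PROJECT_RG),
]


def effective_roles(principal, target_scope, assignments):
    """Roles a principal holds at a scope: assignments at that scope or any
    ancestor apply; assignments made on a child scope do not."""
    chain = set(ancestry(target_scope))
    return sorted({a.role for a in assignments
                   if a.principal == principal and a.scope in chain})


def resources_in_group(resource_group, resources):
    """Resources that are removed together when the resource group is deleted."""
    return [r for r in resources if r.startswith(resource_group + "/providers/")]


if __name__ == "__main__":
    vm = PROJECT_RESOURCES[0]
    print(" -> ".join(ancestry(vm)))
    print(deployment_allowed(PROJECT_RG, "eastus", POLICIES))      # blocked at root
    print(deployment_allowed(PROJECT_RG, "westus", POLICIES))      # allowed
    print(effective_roles("alice", vm, ASSIGNMENTS))               # ['Contributor']
    print(effective_roles("bob", DEVTEST_SUB, ASSIGNMENTS))        # []
    print(len(resources_in_group(PROJECT_RG, PROJECT_RESOURCES)))  # 3
```

Run it with `python3` and follow the printed ancestry chain from the VM up to the root management group; that chain is exactly the set of scopes whose policies and role assignments are consulted for the VM, which is why a root-level restriction reaches every resource in the tenant while a resource-group-level role stops at that group.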
That’s all for now. Thanks for reading.
Keep learning