azuresubscription

Is it recommended to have one subscription for every application in your organisation?


For a large corporate, we have designed an Azure subscription hierarchy: Subscriptions for Prod and Non-Prod, each with:

  - 1 VNET per subscription.
  - Resource groups (RGs) for Tiers (Web, App, DB).
  - RGs have their own Subnets and NSGs.

The problem is, there are many applications. That means for example, all Production Database servers (for different applications) reside in the same Subnet in the same RG (and by default can talk to each other).

To prevent unrelated apps from talking, it has been suggested to create 1 subscription per application. That would result in increased complexity and duplication of resources, due to having thousands of subscriptions, VNETs and IP ranges. Is this recommended? Are there better ways to manage that?

Thanks in advance!


Solution

  • The way you should think of designing your Azure scaffold is as below:

    1. The number of subscriptions should always be a function of the number of independent solutions and environments (read as standard dev, test, and prod) expected in the application lifecycle.
    2. All related data, and hence their respective applications, should ideally reside in one subscription, and hence you should think in terms of multiple resource groups.
    3. Hosting solutions in a VNET is a choice to implement the design by security and always complements when you end up with solutions which may lead to joining colo DCs with Azure, either using VPN (S2S or P2S) or even Azure ExpressRoute.
    4. In your case, where you mention more than 1000 applications, given the above ideas in mind, you should start rationalizing how you want to allocate subscriptions and hence respective resource groups. Note that here is where Azure Management Groups prove very useful to oversee and administer such complex solutions.
    5. Building logic for NSGs and WAFs to control ingress/egress should be enforced to control traffic and application exploitation.

    Great if you can now improve your question (or add follow-ups) and ask for specific details to proceed to the next stage.
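The NSG-based alternative to one subscription per application (point 5 of the answer), as an added Bicep example that is not part of the question or the answer: each application gets its own application security groups (ASGs) per tier, the NSG on the shared DB subnet allows SQL traffic only from an app's own app tier to its own DB tier, and an explicit deny overrides the default AllowVnetInBound rule so unrelated apps in the same subnet can no longer talk. The application names, resource names, port 1433 and the API version are assumptions; the NSG still has to be associated with the shared DB subnet and each NIC joined to its application's ASG.

```bicep
// Assumed placeholder names: two applications sharing one production DB subnet.
param location string = resourceGroup().location
var apps = ['appA', 'appB']

// One ASG per application and tier; NICs join an ASG, so rules follow the
// workload rather than individual IPs inside the shared subnet.
resource asgApp 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = [for app in apps: {
  name: 'asg-${app}-app'
  location: location
}]

resource asgDb 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = [for app in apps: {
  name: 'asg-${app}-db'
  location: location
}]

// Allow only an app's own app tier to reach its own DB tier on SQL (1433, assumed).
var allowOwnTier = [for (app, i) in apps: {
  name: 'allow-${app}-app-to-${app}-db-sql'
  properties: {
    priority: 100 + i
    direction: 'Inbound'
    access: 'Allow'
    protocol: 'Tcp'
    sourcePortRange: '*'
    destinationPortRange: '1433'
    sourceApplicationSecurityGroups: [{ id: asgApp[i].id }]
    destinationApplicationSecurityGroups: [{ id: asgDb[i].id }]
  }
}]

// Lower priority number than the default AllowVnetInBound (65000), so any
// VNet traffic not matched above, including DB-to-DB within the subnet, is denied.
var denyVnet = {
  name: 'deny-intra-vnet-inbound'
  properties: {
    priority: 4000
    direction: 'Inbound'
    access: 'Deny'
    protocol: '*'
    sourcePortRange: '*'
    destinationPortRange: '*'
    sourceAddressPrefix: 'VirtualNetwork'
    destinationAddressPrefix: 'VirtualNetwork'
  }
}

resource nsgDb 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-prod-db'
  location: location
  properties: { securityRules: concat(allowOwnTier, [denyVnet]) }
}
```

Adding a third application is a one-line change to `apps`, which is the scaling property the per-subscription design lacks; NSG flow logs on `nsg-prod-db` then show any denied cross-application attempts.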