When you create a virtual machine in Microsoft Azure, you are required to assign it to an Azure Resource Group. This grouping structure may seem like just another bit of administrivia, but savvy users will utilize this structure for better governance and cost management for their infrastructure.
What are Azure Resources Groups?
Azure Resources Groups are logical collections of virtual machines, storage accounts, virtual networks, web apps, databases, and/or database servers. Typically, users will group related resources for an application, divided into groups for production and non-production — but you can subdivide further as needed.
They are part of the Azure resource group management model, which provides four levels, or “scopes” of management to help you organize your resources.
- Management groups: These groups are containers that help you manage access, policy, and compliance for multiple subscriptions. All subscriptions in a management group automatically inherit the conditions applied to the management group. These are often used for grouping subscriptions by internal department or geographical region.
- Subscriptions: A subscription associates user accounts and the resources that were created by those user accounts. Each subscription has limits or quotas on the amount of resources you can create and use. Organizations can use subscriptions to manage costs and the resources that are created by users, teams, or projects. A subscription is essentially a billing unit.
- Resource groups: A resource group is a logical container into which Azure resources like web apps, databases, and storage accounts are deployed and managed.
- Resources: Resources are instances of services that you create, like virtual machines, storage, or SQL databases.
One important factor to keep in mind when managing these scopes is that there is a difference between azure subscription vs management group. A management group cannot include an Azure Resource. It can only include other management groups or subscriptions. Azure Management Groups provide a level of organization above Azure Subscriptions. Also, there is no structure for a “nested” resource group in Azure – to “nest” groups for permissions, you will need to use a combination of permissions at the different levels listed above.
Be sure also to differentiate the concept of an Azure resource group from an “Azure availability set”. An availability set in Azure is a logical grouping of VMs to inform Azure how your application is built in order to protect the availability of your application.
Group structures like Azure’s exist at the other big public clouds — AWS, for example, offers optional Resource Groups, and Google Cloud “projects” define a level of grouping that falls someplace between Azure subscriptions and Azure Resource Groups.
The Azure Resource Manager
You will manage resource groups through the “Azure Resource Manager”, which is the management layer for your resources. Benefits of the Azure Resource Manager include the ability to manage your infrastructure through declarative templates rather than through scripts; tagging management; deployment templates; dependency mapping; simplified role-based access control; and clarified cost management.
You can organize your resource groups for securing, managing, and tracking the costs related to your workflows.
Ways to Create an Azure Resource Group
There are several ways to create an Azure Resource Group, or in other words, several ways to actually manage using the Azure Resource Manager. They are:
- The Azure Portal
- Azure PowerShell scripts
- The Azure CLI
- An ARM template
Azure Resource Group Best Practices
When organizing your resource groups, it is essential to understand that all the resources in a group should have the same life-cycle when including them. For instance, if an application requires different resources that need to be updated together, such as having a SQL database, a web app or a mobile app, then it makes sense to group these resources in the same resource group. However, for dev/test, staging, or production, it is important to use different resource groups as the resources in these groups have different lifecycles.
Other things to consider when building your Azure list of resource groups:
- Resources can be added to or deleted from an Azure Resource Group. However, each of your resources should belong to an Azure Resource Group, so if you remove the resources from one Resource Group, you should add it to another one.
- Keep in mind, not all resources can be moved to different resource groups.
- Azure resource group regions: the resources you include in a resource group can be located in different Azure regions, and may be in different regions than the group itself. The group needs a location to specify where the metadata will be stored, which is necessary for some compliance policies. (Read more on pricing in different Azure regions.)
- Grant access with resource groups: you should use resource groups to control access to your resources – more on this below.
- When a resource group is deleted, all resources in the group are deleted
- Group limits: you can deploy up to 800 instances of a resource type in each resource group – with some exceptions.
How to Use Azure Resource Groups Effectively for Governance
Azure resource groups are a handy tool for role-based access control (RBAC). Typically, you will want to grant user access at the resource group level – groups make this simpler to manage and provide greater visibility.
Azure resource group permissions help you follow the principle of least privilege. Users, processes, applications, and devices can be provided with the minimum permissions needed at the resource group level, rather than at the management group or subscription levels. For example, a policy relating to encryption key management can be applied at the management group level, while a start/stop scheduling policy might be applied at the resource group level.
Effective use of tagging allows you to identify resources for technical, automation, billing, and security purposes. Tags can extend beyond resource groups, which allows you to use tags to associate groups and resources that belong to the same project, application, or service. Be sure to apply tagging best practices, such as requiring a standard set of tags to be applied before a resource is deployed, to ensure you’re optimizing your resources.
Azure Resources Groups Simplify Cost Management
Azure Resource Groups also provide a ready-made structure for cost allocation — resource groups make it simpler to identify costs at a project level than just relying on Azure subscriptions. You can use cost allocation tags to manage the costs of the resources within the group together. Additionally, you can use groups to manage resource scheduling and, when they’re no longer needed, termination. Make sure you don’t skip that step – keep waste in check.
You can do this manually, or through your cost optimization platform such as ParkMyCloud. Continuous cost control comes from actual action – which is what ParkMyCloud provides you through a simple UI (with full RBAC), smart recommendations with one-click remediation, and an automatic policy engine that can schedule your resources by default based on your tagging or naming conventions. For almost all Azure users, this means automatic assignment to teams, so you can provide governed user access to ParkMyCloud. It also means you can set on/off schedules at the group level, to turn your non-production groups off when they’re not needed to help you reduce cloud waste and maximize the value of your cloud. Start a trial today to see the automation in action.
A version of this article was published in April 2020. It has been updated and expanded for 2021.