Resources, Resource Groups, and Subscriptions
Every Azure service you create is a resource. Resources live in resource groups. Resource groups live in subscriptions. Understanding this hierarchy is essential for organising and managing your Azure environment.
Azureβs organisational hierarchy
Think of it like a filing cabinet.
Resources = individual documents (a VM, a database, a storage account).
Resource groups = folders that hold related documents. You might have a βWebsiteβ folder and a βDatabaseβ folder.
Subscriptions = drawers in the cabinet. Each drawer has its own billing β so the βProductionβ drawer bills separately from the βDevelopmentβ drawer.
Management groups = the entire cabinet itself. If you have multiple cabinets (subscriptions), management groups let you apply rules to all of them at once.
The hierarchy visualised
Management Groups
βββ Subscriptions
βββ Resource Groups
βββ ResourcesSummit Constructionβs hierarchy:
Root Management Group
βββ IT Management Group
β βββ Production Subscription ($2,000/month)
β β βββ RG: project-portal-prod
β β β βββ VM: portal-vm-01
β β β βββ SQL Database: portal-db
β β β βββ Storage: portal-files
β β βββ RG: monitoring-prod
β β βββ Log Analytics Workspace
β βββ Development Subscription ($400/month)
β βββ RG: project-portal-dev
β βββ VM: portal-vm-dev
β βββ SQL Database: portal-db-dev
βββ Finance Management Group
βββ Finance Subscription ($300/month)
βββ RG: accounting-app
βββ App Service: accounting-web
βββ SQL Database: accounting-dbResources β the building blocks
A resource is any Azure service you create:
- A virtual machine
- A storage account
- A SQL database
- A virtual network
- An App Service web app
Key rules:
- Every resource belongs to exactly one resource group
- Resources can be in different regions from their resource group
- Resources can communicate across resource groups and subscriptions
Resource groups β logical containers
A resource group is a container that holds related Azure resources. Think of it as a project folder.
Key rules about resource groups:
| Rule | Detail |
|---|---|
| Every resource needs one | A resource cannot exist outside a resource group |
| One group only | A resource can only be in one resource group at a time |
| Groups canβt be nested | You canβt put a resource group inside another resource group |
| Deleting a group deletes everything | Delete the resource group β all resources inside are deleted |
| Permissions inherit | Apply permissions to the group β all resources inside inherit them |
| Resources can be in different regions | A resource group in βAustralia Eastβ can contain resources in βUS Eastβ |
Peak Roastersβ resource groups
Peak Roasters organises their Azure resources by application:
| Resource Group | Resources Inside | Purpose |
|---|---|---|
rg-website | App Service, SQL Database, Storage | Online ordering website |
rg-email | (managed by Microsoft 365) | Business email |
rg-backups | Storage account, Recovery vault | Data backups |
Exam tip: Resource group location
A resource group has a location (region), but this is only where the groupβs metadata is stored. The resources inside can be in any region.
Example: Resource group in βAustralia Eastβ can contain a VM in βUS Westβ and a database in βUK South.β
Why does the group location matter? For compliance β some organisations need metadata stored in specific geographies.
Subscriptions β billing boundaries
A subscription provides:
- Billing boundary β each subscription gets its own invoice
- Access control boundary β you can set different permissions per subscription
- Resource limits β each subscription has quotas (e.g., max VMs per region)
Why multiple subscriptions?
| Reason | Example |
|---|---|
| Separate billing | Production vs development have different budgets |
| Access control | Developers can access dev subscription but not production |
| Compliance | Regulated workloads in a separate subscription with stricter policies |
| Resource limits | Approaching quota limits in one subscription |
Harbour Health uses three subscriptions:
- Production β patient-facing apps, strict access controls
- Development β dev/test environments, more relaxed permissions
- Sandbox β experimentation, auto-delete after 30 days
Management groups β governance at scale
When an organisation has many subscriptions, management groups help manage them:
- Apply Azure Policy to a management group β it applies to ALL subscriptions underneath
- Assign RBAC roles at the management group level β inherited by all subscriptions
- Nest management groups up to 6 levels deep (not counting the root)
Key facts:
- Every Microsoft Entra ID tenant has a single root management group
- All subscriptions belong to the root management group by default
- You can create sub-groups to organise subscriptions by department, environment, or region
Management group hierarchy limits
- 10,000 management groups per directory
- 6 levels of depth (excluding root)
- Each management group or subscription can have only one parent
- Each management group can have many children
This tree structure means policies and access controls flow DOWN from parent to child β a powerful governance mechanism for large organisations.
π¬ Video walkthrough
Flashcards
Knowledge Check
Peak Roasters wants to ensure that when they're done with their test environment, all test resources are cleaned up with a single action. What should they use?
Harbour Health wants production and development environments to have separate billing. What is the BEST way to achieve this?
What is the correct hierarchy from TOP to BOTTOM in Azure's organisational structure?
Next up: Azure Virtual Machines β the most common IaaS service, including Scale Sets, availability sets, and Azure Virtual Desktop.