Azure Resource Groups and Subscriptions
Every resource created in Azure — whether a virtual machine, a database, or a storage account — must be organized and billed under a structured hierarchy. Azure uses a four-level management hierarchy to handle this: Management Groups, Subscriptions, Resource Groups, and Resources. This topic focuses on subscriptions and resource groups, which are the two most commonly used levels in day-to-day Azure work.
The Azure Management Hierarchy
Azure Management Hierarchy │ ├── Root Management Group │ ├── Management Group (e.g., "Finance Department") │ │ ├── Subscription A (e.g., "Finance Production") │ │ │ ├── Resource Group: FinanceApp-RG │ │ │ │ ├── Virtual Machine │ │ │ │ ├── SQL Database │ │ │ │ └── Storage Account │ │ │ └── Resource Group: FinanceNetwork-RG │ │ │ └── Virtual Network │ │ └── Subscription B (e.g., "Finance Development") │ └── Management Group (e.g., "HR Department")
What is an Azure Subscription?
An Azure subscription is a logical container that links Azure usage to a billing account. Every resource created in Azure belongs to exactly one subscription. The subscription controls who gets billed, how much can be spent, and which policies apply.
Subscription Uses
- Billing boundary: Each subscription generates its own invoice. Different teams or departments can have separate subscriptions so their costs are tracked independently.
- Access boundary: Permissions granted at the subscription level apply to all resources within it. A developer given access to a subscription can see and manage everything inside it.
- Policy boundary: Rules (like "no resources outside India region") can be applied at the subscription level.
Types of Azure Subscriptions
| Subscription Type | Best For |
|---|---|
| Free Trial | Learning and testing — $200 credit for 30 days |
| Pay-As-You-Go | Individuals and small businesses — pay monthly for what is used |
| Enterprise Agreement (EA) | Large organizations — commit to spending and get discounted rates |
| Cloud Solution Provider (CSP) | Businesses purchasing Azure through a Microsoft partner |
| Visual Studio / Dev/Test | Developers with Visual Studio subscriptions — discounted pricing |
Subscription Limits
Each subscription has default limits (also called quotas) on how many resources can be created. For example, a default subscription allows up to 980 resource groups, 250 storage accounts per region, and a certain number of virtual machine cores. These limits can be increased by requesting a quota increase through the Azure portal.
What is a Resource Group?
A resource group is a logical container inside a subscription that holds related Azure resources. Think of it as a folder for organizing resources that belong to the same project, application, or environment.
Key Facts About Resource Groups
- Every Azure resource must belong to exactly one resource group.
- A resource group can contain resources from different Azure regions.
- The resource group itself has a location, but that location is only for storing its metadata — resources inside can be anywhere.
- Deleting a resource group deletes all resources inside it. This is a quick way to clean up an entire project.
- Resources can be moved from one resource group to another.
Why Use Resource Groups?
| Benefit | Description |
|---|---|
| Organized Management | All resources for one application live together, making them easy to find and manage |
| Lifecycle Control | Deploy, update, and delete all resources of an application in one action |
| Cost Tracking | View cost reports filtered by resource group to see what each application or project costs |
| Access Control | Grant team members access to a specific resource group without exposing the entire subscription |
| Tagging | Add tags (key-value labels) to a resource group for billing, compliance, and reporting |
Resource Group Naming Best Practice
A clear naming convention for resource groups saves time and avoids confusion in large environments. A commonly used pattern is:
[ApplicationName]-[Environment]-[Region]-rg Examples: ecommerce-prod-eastus-rg (Production resources for an e-commerce app in East US) hrportal-dev-centralindia-rg (Development resources for HR portal in Central India) analytics-staging-westeurope-rg
What is a Management Group?
Management groups sit above subscriptions in the hierarchy. They allow applying governance policies and access controls across multiple subscriptions at once.
Example: A company has 10 subscriptions — one per business unit. A management group called "Company-Root" sits above all of them. A policy applied to the management group (such as "all virtual machines must use approved OS images") automatically applies to all 10 subscriptions.
Practical Example – Organizing a Three-Tier Web Application
An e-commerce company runs a web application with three layers: frontend (web servers), backend (API servers), and database. Here is a clean way to organize the Azure resources:
Subscription: EcommerceApp-Production
│
├── Resource Group: ecom-frontend-rg
│ ├── Virtual Machine Scale Set (Web Servers)
│ ├── Load Balancer
│ └── Public IP Address
│
├── Resource Group: ecom-backend-rg
│ ├── App Service (API)
│ └── Azure Cache for Redis
│
├── Resource Group: ecom-database-rg
│ ├── Azure SQL Database
│ └── Azure Cosmos DB
│
└── Resource Group: ecom-network-rg
├── Virtual Network
├── Network Security Groups
└── Azure DNS Zone
Tags – Adding Metadata to Resources
Tags are key-value pairs that can be attached to resources and resource groups. They serve as labels for organizing, searching, and reporting on resources.
Common Tags and Their Uses
| Tag Key | Example Value | Purpose |
|---|---|---|
| Environment | Production, Development, Staging | Filter resources by environment |
| Owner | team-infra, john.doe@company.com | Track who is responsible |
| CostCenter | CC-1042, Marketing | Internal billing and chargeback |
| Project | EcommerceRelaunch, HRPortal | Group costs by project |
| ExpiryDate | 2024-12-31 | Automatically clean up test resources |
Key Takeaways
- Azure uses a four-level hierarchy: Management Groups → Subscriptions → Resource Groups → Resources.
- A subscription is a billing and access boundary. Each subscription produces its own invoice.
- A resource group is a logical folder for organizing related resources within a subscription.
- Deleting a resource group removes all resources inside it — useful for cleanup after testing.
- Management groups allow governance policies to apply across multiple subscriptions simultaneously.
- Tags are key-value labels that help with cost tracking, access management, and resource organization.