Thought experiment
In this thought experiment, apply what you have learned. You can find answers to these
questions in the next section.
You are responsible for creating and tracking resources in Azure for two business units within your organization: HR and Marketing. Your organization has an Enterprise Agreement (EA). Each business unit needs to deploy its own resources. Your Finance department needs to be able to understand the consumption of resources for each business unit for chargeback
purposes. Finance would also like to be able to receive a notification when a defined monetary
threshold is reached for each business unit.
The resources that each business unit will deploy are from a known set of resources and users should be prevented from creating unapproved resources. There will be resources within a subscription that are not billed back directly to the business units, but will be billed to IT. These resources must be differentiated for Finance.
- How will you ensure that users can only create approved resources in Azure?
- How will you grant access to create resources and restrict each business unit’s users from impacting the other business units?
- How will Finance access billing data for Azure and how will they be able to tell where each cost is coming from?
- How will Finance be notified when each business unit is nearing their spending
threshold?
Thought experiment answers
This section contains the solution to the thought experiment for the chapter.
For each business unit, HR and Marketing, a separate subscription can be created. A subscription is both a management boundary and a billing boundary, so this separates the resources of each business unit and gives Finance segregated, as well as aggregated, cost reporting and monitoring through the EA portal.
- To ensure users can only create approved resources, Azure Policy definitions with a deny effect should be created and assigned to each subscription (or to a management group above the subscriptions). The policy denies the creation of any resource type that is not on the approved list at deployment time, and compliance of existing resources can be monitored through Azure Policy as well.
- Each business unit will be placed into its own subscription. Within a subscription, resource groups will be created, and users will be granted appropriate rights at the resource group level. As RBAC is inherited by child resources, with the appropriate rights granted, users will be able to create and manage resources as needed without affecting others in the subscription. This will be layered with Azure Policy to ensure that only allowed resources can be created. This can be extended further by creating Azure Resource Manager templates, which can be used by business unit users to deploy their resources with well-known configurations.
Alternatively, you can also use management groups to segregate the business units. RBAC assignments made at a management group are inherited by the subscriptions beneath it and by their child resources.
- Users in the Finance department can be granted access to the EA portal and/or Azure Cost Management by configuring access at the required scopes. To make sure that they can tell where each resource cost is coming from, tags should be applied to all resources using a taxonomy defined by Finance. For example, “BusinessUnit” can be a tag with the allowed values “HR,” “Marketing,” and “IT.” That taxonomy should be governed through Azure Policy to ensure that all resources are tagged with required and valid tags. Note that tags applied to a resource group are not inherited by the resources inside it, so the policy must be enforced at the resource level, not only on resource groups.
- To manage thresholds, Department spending quotas can be configured in the EA portal. In addition, Budgets can be created in Cost Management. Budgets in Cost Management provide more flexibility: a budget can be scoped to a subscription or resource group, filtered by tag, and given multiple notification thresholds, each with a different set of recipients. This would allow a single budget to send notifications to both business unit owners and Finance.
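The following subscription-level Azure Resource Manager template ties the four answers together: a custom Azure Policy definition that denies any resource type outside an approved list, a second definition that denies resources missing the “BusinessUnit” tag or carrying a value outside the Finance taxonomy, assignments of both policies to the subscription, and a Cost Management budget filtered to the business unit's tag value with separate notification thresholds for the business unit owner and for Finance. This is an added example, not code from the book; the policy names, the list of approved resource types, the parameter names and the budget amount are illustrative assumptions.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "businessUnit": { "type": "string", "allowedValues": [ "HR", "Marketing" ] },
    "buOwnerEmail": { "type": "string" },
    "financeEmail": { "type": "string" },
    "monthlyBudgetAmount": { "type": "int", "defaultValue": 10000 },
    "budgetStartDate": { "type": "string", "metadata": { "description": "First day of a month, e.g. 2024-01-01" } }
  },
  "variables": {
    "approvedTypes": [
      "Microsoft.Compute/virtualMachines",
      "Microsoft.Storage/storageAccounts",
      "Microsoft.Network/virtualNetworks",
      "Microsoft.Network/networkInterfaces",
      "Microsoft.Web/sites"
    ],
    "typePolicyName": "allowed-resource-types",
    "tagPolicyName": "require-businessunit-tag",
    "typePolicyId": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', variables('typePolicyName'))]",
    "tagPolicyId": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', variables('tagPolicyName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2021-06-01",
      "name": "[variables('typePolicyName')]",
      "properties": {
        "policyType": "Custom",
        "mode": "Indexed",
        "displayName": "Allow only approved resource types",
        "policyRule": {
          "if": { "not": { "field": "type", "in": "[variables('approvedTypes')]" } },
          "then": { "effect": "deny" }
        }
      }
    },
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2021-06-01",
      "name": "[variables('tagPolicyName')]",
      "properties": {
        "policyType": "Custom",
        "mode": "Indexed",
        "displayName": "Require BusinessUnit tag with an approved value",
        "policyRule": {
          "if": {
            "anyOf": [
              { "field": "tags['BusinessUnit']", "exists": "false" },
              { "field": "tags['BusinessUnit']", "notIn": [ "HR", "Marketing", "IT" ] }
            ]
          },
          "then": { "effect": "deny" }
        }
      }
    },
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2021-06-01",
      "name": "[concat(variables('typePolicyName'), '-assignment')]",
      "dependsOn": [ "[variables('typePolicyId')]" ],
      "properties": { "displayName": "Approved resource types only", "policyDefinitionId": "[variables('typePolicyId')]" }
    },
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2021-06-01",
      "name": "[concat(variables('tagPolicyName'), '-assignment')]",
      "dependsOn": [ "[variables('tagPolicyId')]" ],
      "properties": { "displayName": "BusinessUnit tag required", "policyDefinitionId": "[variables('tagPolicyId')]" }
    },
    {
      "type": "Microsoft.Consumption/budgets",
      "apiVersion": "2021-10-01",
      "name": "[concat(parameters('businessUnit'), '-monthly-budget')]",
      "properties": {
        "category": "Cost",
        "amount": "[parameters('monthlyBudgetAmount')]",
        "timeGrain": "Monthly",
        "timePeriod": { "startDate": "[parameters('budgetStartDate')]" },
        "filter": {
          "tags": { "name": "BusinessUnit", "operator": "In", "values": [ "[parameters('businessUnit')]" ] }
        },
        "notifications": {
          "OwnerAt80Percent": {
            "enabled": true, "operator": "GreaterThanOrEqualTo", "threshold": 80, "thresholdType": "Actual",
            "contactEmails": [ "[parameters('buOwnerEmail')]" ]
          },
          "FinanceAt100Percent": {
            "enabled": true, "operator": "GreaterThanOrEqualTo", "threshold": 100, "thresholdType": "Actual",
            "contactEmails": [ "[parameters('buOwnerEmail')]", "[parameters('financeEmail')]" ]
          }
        }
      }
    }
  ]
}
```

Deploy it once into each business unit's subscription, for example with `az deployment sub create --location <region> --template-file <file> --parameters businessUnit=HR ...`. Both policies use the deny effect, so a non-compliant deployment fails at the Resource Manager layer before any resource is created, regardless of the RBAC rights the caller holds. The budget filter on the “BusinessUnit” tag is what keeps IT-tagged resources in the same subscription out of the business unit's threshold; a second budget filtered on the value “IT” would track those separately. Mode “Indexed” restricts both policies to resource types that support tags and location; if resource groups themselves must also be governed, change the mode to “All” and add “Microsoft.Resources/subscriptions/resourceGroups” to the approved list.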