π³ Designing Subscription Strategy
Where Ownership, Cost, and Control Actually Live
If Management Groups define governanceβ¦
Subscriptions define accountability
π₯ Why Subscription Design is Critical
Most real problems in cloud donβt come from:
- networking
- compute
- storage
They come from:
- unclear ownership
- cost visibility issues
- access chaos
- deployment conflicts
π All of this ties back to subscription design
β Common Mistakes
1. One Subscription for Everything
Subscription-1
βββ All apps
βββ All environments
βββ All teams
π Result:
- no cost clarity
- no isolation
- access conflicts
- blast radius is huge
2. One Subscription per App (blindly)
App1-Sub
App2-Sub
App3-Sub
π Sounds cleanβ¦ but:
- too many subscriptions
- operational overhead
- difficult governance
- duplicated configs
3. Environment-based only
Prod-Sub
Dev-Sub
QA-Sub
π Problem:
- multiple apps mixed
- ownership unclear
- cost allocation messy
β What Subscriptions Should Represent
A subscription is a boundary for:
- Ownership
- Cost (billing unit)
- Access control
- Lifecycle management
- Quotas and limits
π§ Key Design Dimensions
You must balance these:
1. Ownership
- Who owns the workload?
- Which team is accountable?
2. Cost Visibility
- Can you track cost per:
- app?
- business unit?
- environment?
3. Isolation
- Blast radius
- Security boundaries
- Compliance needs
4. Scale
- 10 apps vs 1000 apps
- future growth
5. Operations
- CI/CD pipelines
- access management
- monitoring
π¦ Recommended Enterprise Pattern
Platform Subscriptions
- Platform-Identity
- Platform-Connectivity
- Platform-Management
π Owned by central cloud/platform team
Landing Zone Subscriptions (Workloads)
Instead of 1 rigid rule, use pattern-based approach
Pattern 1 β App + Environment (most common)
App1-Prod
App1-NonProd
App2-Prod
App2-NonProd
π Good for:
- clear ownership
- cost tracking
- isolation
Pattern 2 β Shared Non-Prod
App1-Prod
Shared-NonProd
π Useful when:
- many small apps
- cost sensitivity
- early stage
Pattern 3 β Regulated Workloads
PCI-App1-Prod
PCI-App1-NonProd
π Required when:
- strict compliance
- audit isolation
- policy enforcement
Sandbox Subscription
Sandbox-Sub
π Purpose:
- experimentation
- controlled freedom
- strict budgets
βοΈ Key Trade-offs
| Approach | Pros | Cons |
|---|---|---|
| Few subscriptions | Easy management | Poor isolation |
| Many subscriptions | Strong isolation | Operational overhead |
π‘ Golden Rule
Design subscriptions around ownership and cost β not just structure
π Relationship with Management Groups
| Level | Purpose |
|---|---|
| MG | Governance / Policy |
| Subscription | Ownership / Cost / Access |
π§ Architect Thinking
You donβt ask:
βHow many subscriptions should I create?β
You ask:
βWhere do I need separate ownership, cost visibility, and isolation?β
π¨ Subtle but Important Insight
Most failures happen when:
- MG design is good β
- Subscription design is weak β
π Result:
- governance exists
- but accountability is broken
What Comes Next
Now we have:
- MG structure β
- Subscription strategy β
Next comes the most complex part:
π Network Architecture (Hub-Spoke, vWAN, Segmentation, Connectivity)
| β¬ Back to Series Home | β¬ Back to: Management Group Design β‘ | Next: Network Design β‘ |