- Anythings you create in an Azure subscription
- E.g. virtual machines, Application Gateways, and CosmosDB instances
- 💡 Good to have consistent naming convention e.g.:
cloudarchitecture-prod-infrastructure-rg
- what it's used for (
cloudarchitecture
) - environment (
prod
) - the types of resources contained within (
infrastructure
) - type of resource it is itself (
rg
= resource group)
- what it's used for (
- Provides fine-grained access management through role-based access control (RBAC)
- 📝 You can move some resources that supports move to a new resource group or subscription if they support move operation.
- Helps you better search, filter, and organize these resources
- Name/value pairs of text data that you can apply to resources and resource groups
- E.g.
- department (like finance, marketing, and more)
- environment (prod, test, dev)
- cost center
- life cycle and automation (like shutdown and startup of virtual machines)
- 💡📝 Good way to group your billing data
- E.g. VMs on production that belongs to a cost center A.
- 💡 Help with monitoring
- You can set-up alerts based on tags e.g. if a resource fails notification goes to the finance department.
- 💡 Help with automation
- E.g.
shutdown:6PM
andstartup:7AM
tag TO automate the shutdown and startup of virtual machines in development environments during off-hours to save costs.
- E.g.
- 💡 Help with automation Governance through Policies
- E.g. ensure that all resources have the Department tag associated with them and block creation if it doesn't exist.
- ❗ Limitations:
- A resource can have up to 50 tags.
- 📝 Tags aren't inherited from parent resources.
- 📝 Not all resource types support tags
- 📝 Blocks modification (Read-only) or deletion (Delete) of the resource.
- For more granular control of what can be deployed e.g. see Azure policies
- Read-only allows only HTTP GET requests.
- ❗Can lead to unexpected results e.g. listing all objects in a storage account requires POST request is denied.
- 📝 You must remove the lock in order to perform forbidden activity.
- Apply regardless of RBAC permissions.
- 📝 Protects against accidental deletion.
- 💡Use to protect key resources that could have a large impact if they were removed or modified.
- E.g. ExpressRoute circuits, and virtual networks, critical databases, and domain controllers. Evaluate
- Also an Azure resource so it can have locks, tags, RBAC permissions etc.
- It's free!
- Logical container for resources deployed on Azure.
- Tied to a region & subscription itself.
- 📝 But can contain resources from different regions
- ❗If region the RG goes down, the management of the RG would not work.
- 📝 But can contain resources from different regions
- Helps you organize resources
- You can place resources of e.g. similar usage, type, or location in same group.
- 📝 If you delete a resource group, all resources contained within are also deleted.
- Authorization
- Scope for applying role-based access control (RBAC) permissions.
- Permissions are inherited in all resources that the group has.
- ❗ All resources must be in a resource group and a resource can only be a member of a single resource group.
- Before any resource can be provisioned, you need a resource group
- ❗ Some services has specific limitations or requirements to move from one resource group to another
- ❗ Can't be nested.
- Can see history of the deployments to a resource group
- By type (virtual networks, virtual machines, cosmos dbs)
- By environment (prod, qa, dev)
- By department (marketing, finance, human resources)
- Combining strategies e.g. environment and department:
- By authorization
- By who needs to administer them.
- See RBAC
- E.g. databases in database administration group to give access to database administrators.
- By life cycle
- Allows you to e.g. delete after experimentation.
- By billing
- A way to filter and sort the data to better understand where costs are allocated.