Subscription Strategy

How to organize workloads into subscriptions for governance, isolation, and scale.

What is a Subscription?

A subscription is Azure's fundamental unit of:

Billing - Costs are aggregated per subscription
Access Control - RBAC boundary
Resource Quotas - Limits apply per subscription
Blast Radius - Isolation boundary for failures

Subscription Design Patterns

Pattern 1: Application-Centric (Recommended)

One subscription per application per environment:

Landing Zones
├── Corp
│   ├── SAP-Prod-Sub
│   ├── SAP-Dev-Sub
│   ├── HR-Prod-Sub
│   ├── HR-Dev-Sub
│   ├── Finance-Prod-Sub
│   └── Finance-Dev-Sub
└── Online
    ├── Ecommerce-Prod-Sub
    ├── Ecommerce-Dev-Sub
    ├── Marketing-Prod-Sub
    └── Marketing-Dev-Sub

Benefits:

Clear blast radius per application
Simple cost allocation
Team autonomy
Independent scaling

Pattern 2: Environment-Centric

Subscriptions grouped by environment:

Landing Zones
├── Production
│   ├── Prod-Apps-Sub
│   └── Prod-Data-Sub
├── Non-Production
│   ├── Dev-Sub
│   ├── Test-Sub
│   └── UAT-Sub
└── Sandbox
    └── Sandbox-Sub

Benefits:

Fewer subscriptions to manage
Centralized environment policies

Drawbacks:

Shared blast radius
Complex RBAC
Cost allocation harder

Pattern 3: Workload-Based

Subscriptions by workload type:

Landing Zones
├── Compute
│   ├── VMs-Prod-Sub
│   └── AKS-Prod-Sub
├── Data
│   ├── SQL-Prod-Sub
│   └── Analytics-Sub
└── Integration
    ├── API-Prod-Sub
    └── Messaging-Sub

Best for: Shared services or infrastructure teams

Comparison Matrix

Pattern	Blast Radius	Cost Visibility	RBAC Complexity	Subscription Count
Application-Centric	✅ Isolated	✅ Clear	✅ Simple	⚠️ High
Environment-Centric	❌ Shared	⚠️ Mixed	⚠️ Complex	✅ Low
Workload-Based	⚠️ Medium	⚠️ Medium	⚠️ Medium	⚠️ Medium

Subscription Vending Model

What is Subscription Vending?

Automated provisioning of subscriptions with:

Pre-configured networking (spoke VNet)
Assigned to correct management group
Baseline policies applied
Default RBAC configured
Connected to hub network

Vending Input Parameters

{
  "subscriptionName": "sub-finance-prod-001",
  "managementGroup": "alz-landingzones-corp-prod",
  "billingScope": "/providers/Microsoft.Billing/billingAccounts/xxx/enrollmentAccounts/yyy",
  "workloadType": "corp",
  "environment": "prod",
  "owner": {
    "objectId": "aaa-bbb-ccc",
    "email": "finance-team@contoso.com"
  },
  "networking": {
    "addressSpace": "10.1.0.0/16",
    "connectToHub": true
  },
  "tags": {
    "CostCenter": "CC-12345",
    "Application": "Finance",
    "Owner": "finance-team@contoso.com"
  }
}

Sample: Subscription Vending with Bicep

targetScope = 'managementGroup'

@description('Subscription display name')
param subscriptionName string

@description('Management group to place subscription')
param managementGroupId string

@description('Billing scope for subscription creation')
param billingScope string

@description('Tags to apply')
param tags object

// Create subscription
resource subscription 'Microsoft.Subscription/aliases@2021-10-01' = {
  name: subscriptionName
  properties: {
    displayName: subscriptionName
    billingScope: billingScope
    workload: 'Production'
    additionalProperties: {
      managementGroupId: managementGroupId
      tags: tags
    }
  }
}

// Output for subsequent modules
output subscriptionId string = subscription.properties.subscriptionId

Subscription Limits to Consider

Resource	Limit per Subscription
Resource Groups	980
Deployments (per RG)	800
Role Assignments	4,000
Policy Assignments	500
Tags per Resource	50
VNets	1,000
ExpressRoute Circuits	10
Public IP Addresses	1,000 (default)
Storage Accounts	250 (default)

When to create new subscription:

Approaching quota limits
Different billing/cost center
Different compliance requirements
Team autonomy needed
Blast radius isolation

Subscription Naming Convention

Format

sub-{workload}-{environment}-{instance}

Examples:
sub-sap-prod-001
sub-ecommerce-dev-001
sub-platform-connectivity-001
sub-platform-management-001

Naming Components

Component	Description	Examples
`sub`	Resource type prefix	sub
`{workload}`	Application/service name	sap, ecommerce, hr
`{environment}`	Lifecycle stage	prod, dev, test, sandbox
`{instance}`	Instance number	001, 002

Cost Management Strategy

Cost Allocation Tags

Every subscription should have:

{
  "CostCenter": "CC-12345",
  "Department": "Finance",
  "Environment": "Production",
  "Application": "SAP",
  "Owner": "finance-lead@contoso.com",
  "Project": "SAP-Migration-2024"
}

Budget Alerts

resource budget 'Microsoft.Consumption/budgets@2023-05-01' = {
  name: 'monthly-budget'
  properties: {
    category: 'Cost'
    amount: 10000
    timeGrain: 'Monthly'
    timePeriod: {
      startDate: '2024-01-01'
    }
    notifications: {
      '80-percent': {
        enabled: true
        threshold: 80
        operator: 'GreaterThanOrEqualTo'
        contactEmails: ['finance-team@contoso.com']
        thresholdType: 'Actual'
      }
      '100-percent': {
        enabled: true
        threshold: 100
        operator: 'GreaterThanOrEqualTo'
        contactEmails: ['finance-team@contoso.com', 'cfo@contoso.com']
        thresholdType: 'Actual'
      }
    }
  }
}

Cost Views by Tag

Subscription Lifecycle

States

Decommissioning Process

Move to Decommissioned MG - Apply deny-all policy
Notify owners - 30-day warning
Resource inventory - Document what exists
Delete resources - Remove all resource groups
Cancel subscription - After 30-day grace period

// Policy: Deny all resource creation in Decommissioned MG
resource denyAllPolicy 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-all-resources'
  properties: {
    displayName: 'Deny all resource creation'
    policyType: 'Custom'
    mode: 'All'
    policyRule: {
      if: {
        field: 'type'
        exists: true
      }
      then: {
        effect: 'Deny'
      }
    }
  }
}

Multi-Subscription Architectures

Pattern: Microservices Platform

Pattern: Data Platform

Decision Framework

When to Create a New Subscription

Quick Reference Card

Concept	Description
Subscription	Billing, RBAC, quota boundary
Application-Centric	One sub per app per env (recommended)
Subscription Vending	Automated provisioning with guardrails
Blast Radius	Failure isolation boundary
Cost Tags	CostCenter, Owner, Environment
Decommissioned MG	Holding area before deletion

What Interviewers Look For

✅ Good answers:

Explain subscription as blast radius boundary
Describe application-centric pattern
Mention quota limits as scaling factor
Discuss automated vending

❌ Red flags:

One subscription for everything
Manual subscription provisioning
No cost allocation strategy
Ignoring quota limits

Next Steps

Continue to Resource Organization to learn about naming conventions, tagging, and resource group strategies.

What is a Subscription?​

Subscription Design Patterns​

Pattern 1: Application-Centric (Recommended)​

Pattern 2: Environment-Centric​

Pattern 3: Workload-Based​

Comparison Matrix​

Subscription Vending Model​

What is Subscription Vending?​

Vending Input Parameters​

Sample: Subscription Vending with Bicep​

Subscription Limits to Consider​

Subscription Naming Convention​

Format​

Naming Components​

Cost Management Strategy​

Cost Allocation Tags​

Budget Alerts​

Cost Views by Tag​

Subscription Lifecycle​

States​

Decommissioning Process​

Multi-Subscription Architectures​

Pattern: Microservices Platform​

Pattern: Data Platform​

Decision Framework​

When to Create a New Subscription​

Quick Reference Card​

What Interviewers Look For​

Next Steps​