At this point I want to introduce the graphic here called Matryoshka doll, also known as Russian nesting doll or Russian doll, refers to a set of wooden dolls of decreasing size placed one inside the other.
For an enterprise customer with Microsoft Azure EA, the model is pretty much like ‘Matryoshka’ doll wherein at the top most level you have ‘Microsoft Azure Enrollment’ which can have one or more ‘Accounts’. Each account can have one or more ‘subscriptions’ and each subscription can have one or more ‘resource groups’. A resource group becomes an interesting isolation layer considering RBAC. RBAC is ‘Role Based Access Control’. When you apply RBAC at the resource group level, you are essentially saying that there can be an owner, reader, network contributor- only people in this role can perform network level activities, VM contributor- only people in this role can deal with VMs and so on. There are around 20 roles for various components of Azure like storage, Azure SQL DB etc. So, the question that arises now is in which case should I use multiple subscriptions and in which case should I just have one subscription and have 1-n resource groups (top limit for number of resource groups in a subscription is 1000). What really is the guidance? The answer to this question is this- If network or other shared services like ‘Active Directory’ or DNS are not applicable then you can have as many subscriptions and work off of that. If sharing those services across projects is an important.
This considered, it’s best to have one subscription on a relatively bigger network address space and carve out subnets for various projects based on that and have relevant ‘network security groups’ (NSGs). You can share the network, AD, DNS, Databases across all the projects by configuring relevant NSG rules.
In this case you still can achieve isolation for various projects within a subscription by using ‘resource groups’ and still share common shared services, which could be in a dedicated subnet and resource group of its own. If you really require a chargeback model for customers, and you use PaaS services like HDInsight, Azure Machine Learning or any of the other PaaS services where the tagging or ‘resource group’ feature is not yet available, you will still have to use multiple subscriptions, at least for now till tagging is enabled for those PaaS services.
If the scope of your project is IaaS (network and VMs), then planning one subscription and multiple resource groups should be easiest way to achieve isolation and chargeback. With RBAC roles you get an excellent mechanism to control fine grained access within a project (project mapped to resource group) to multiple actors. It’s important to understand these aspects before taking the plunge to randomly just create multiple subscriptions or having everything in one subscription.