Azure Subscription Design Best Practices Guide (AZ 305)

5 min readJun 3, 2025

Day 1/60 of AZ 305

Core Principles

Azure subscription design is crucial for governance, security, cost management, and operational efficiency. The subscription acts as a boundary for billing, access control, and resource management.

Key Best Practices with Real-World Examples

1. Subscription per Environment Strategy

Principle: Separate environments using different subscriptions to provide clear boundaries and prevent accidental changes.

Real-World Example: A retail company “ShopCorp” uses:

Production Subscription: ShopCorp-Prod-001

Contains a live e-commerce website, customer databases
Strict access controls (only senior engineers and the operations team)
High-tier SLAs and backup policies

Development Subscription: ShopCorp-Dev-001

Contains development resources, test databases
Broader access for the development team
Lower-cost SKUs and relaxed policies

Staging Subscription: ShopCorp-Staging-001

Mirror of production for final testing
Production-like configuration, but separate billing

Benefits: Cost isolation, security separation, independent scaling, and clear accountability.

2. Business Unit Separation

Principle: Create separate subscriptions for different business units or departments with distinct requirements.

Real-World Example: A multinational corporation “TechGlobal” organizes by business unit:

TechGlobal-Finance-Prod: Financial systems, compliance-heavy workloads
TechGlobal-Marketing-Prod: CRM systems, analytics platforms
TechGlobal-HR-Prod: HRIS, payroll systems with strict privacy requirements
TechGlobal-Engineering-Prod: Development tools, CI/CD pipelines

Benefits: Independent billing, unit-specific governance, tailored compliance policies.

3. Geographic/Regional Strategy

Principle: Separate subscriptions by geographic regions for data sovereignty, latency optimisation, or regulatory compliance.

Real-World Example: A global SaaS company, “DataFlow”, uses regional subscriptions:

DataFlow-US-East-Prod: Serves North American customers
DataFlow-EU-West-Prod: Serves European customers (GDPR compliance)
DataFlow-APAC-Southeast-Prod: Serves Asia-Pacific customers
DataFlow-Shared-Global: Global services like DNS, CDN management

Benefits: Data residency compliance, reduced latency, regional cost optimisation.

4. Workload-Based Separation

Principle: Isolate different types of workloads that have varying requirements, SLAs, or lifecycle patterns.

Real-World Example: A healthcare provider, “MedTech Solutions”:

MedTech-PatientPortal-Prod: Patient-facing applications (high availability)
MedTech-Analytics-Prod: Data analytics and machine learning workloads
MedTech-Archive-Prod: Long-term data storage and compliance systems
MedTech-Integration-Prod: Third-party integrations and APIs

Benefits: Workload-specific optimisation, independent scaling, targeted security policies.

5. Naming Convention Standards

Principle: Implement consistent, descriptive naming conventions across all subscriptions.

Real-World Example: Standard format: {Company}-{BusinessUnit/Purpose}-{Environment}-{Region?}-{Number}

Examples:

Contoso-Finance-Prod-EastUS-001
Contoso-DevOps-Shared-Global-001
Contoso-Marketing-Dev-WestEU-001
Contoso-Compliance-Prod-CentralUS-001

Benefits: Easy identification, automated governance, simplified management.

6. Subscription Quotas and Limits Management

Principle: Understand and plan for Azure subscription limits to avoid hitting resource constraints.

Real-World Example: An ISV, “CloudApp Inc,” hit the 980 VNet limit in their main subscription:

Problem: Single subscription approach led to:

980+ VNets (approaching 1000 limit)
15,000+ VMs (approaching 25,000 limit)
Complex resource management

Solution: Redesigned architecture:

CloudApp-Compute-Prod-001: Primary compute resources
CloudApp-Compute-Prod-002: Additional compute when limits are approached
CloudApp-Network-Prod-001: Dedicated networking resources
CloudApp-Storage-Prod-001: Dedicated storage accounts

7. Hub-and-Spoke Network Architecture

Principle: Use a connectivity subscription for shared networking resources with spoke subscriptions for workloads.

Real-World Example: “Global Manufacturing Corp” network design:

Hub Subscription: GMC-Connectivity-Prod-001

Central hub VNet with Azure Firewall
VPN Gateway for on-premises connectivity
Shared services like DNS, monitoring

Spoke Subscriptions:

GMC-ERP-Prod-001: ERP system with spoke VNet
GMC-CRM-Prod-001CRM system with spoke VNet
GMC-Analytics-Prod-001Analytics platform with spoke VNet

All spokes peer to the hub for centralised security and connectivity.

8. Cost Management Strategy

Principle: Structure subscriptions to enable granular cost tracking and optimisation.

Real-World Example: “StartupTech” cost optimisation approach:

Before: Single subscription — difficult to track costs per product. After: Multiple subscriptions:

StartupTech-ProductA-Prod-001$15,000/month - profitable
StartupTech-ProductB-Prod-001$8,000/month - break-even
StartupTech-ProductC-Prod-001$12,000/month - needs optimisation
StartupTech-Shared-Prod-001$3,000/month - shared services

This enabled product-level P&L analysis and targeted cost optimisation.

9. Security and Compliance Boundaries

Principle: Use subscriptions to create security boundaries for different compliance requirements.

Real-World Example: “SecureBank” compliance-driven design:

SecureBank-PCI-Prod-001: Payment processing (PCI DSS compliance)

Isolated network, enhanced monitoring
Limited access, additional encryption

SecureBank-General-Prod-001: General banking applications

Standard compliance requirements
Regular security controls

SecureBank-Analytics-Prod-001: Customer analytics (anonymised data)

Relaxed controls for development agility
No sensitive customer data

10. Subscription Lifecycle Management

Principle: Plan for subscription creation, management, and eventual decommissioning.

Real-World Example: “AgileDevCorp” project-based subscription lifecycle:

Creation Process:

Project “Phoenix” gets a subscription AgileDevCorp-Phoenix-Dev-001
Automated governance policies applied
Budget limits and alerts are configured
The development team granted access

Lifecycle Management:

Active Development: Full resource allocation
Maintenance Mode: Reduced resource allocation
End-of-Life: Data backup, resource cleanup, subscription cancellation

Decommissioning Process:

Data retention policy execution
Resource inventory and cleanup
Cost analysis and lessons learned
Subscription marked for deletion

Implementation Roadmap

Phase 1: Assessment (Weeks 1–2)

Audit current subscription usage
Identify business requirements and constraints
Map existing resources and dependencies

Phase 2: Design (Weeks 3–4)

Create subscription taxonomy
Define naming conventions
Plan network architecture
Design governance framework

Phase 3: Implementation (Weeks 5–12)

Create new subscriptions following best practices
Implement Azure Policy and RBAC
Set up cost management and monitoring
Migrate resources as needed

Phase 4: Optimisation (Ongoing)

Monitor usage patterns and costs
Adjust subscription boundaries as needed
Implement automation and governance improvements
Regular reviews and updates

Common Anti-Patterns to Avoid

Single Subscription for Everything: Creates management complexity and security risks
Too Many Subscriptions: Increases administrative overhead unnecessarily
Inconsistent Naming: Makes management and automation difficult
Ignoring Limits: Leads to unexpected constraints and downtime
Poor Network Planning: Results in complex connectivity and security challenges

Monitoring and Governance

Key Metrics to Track

Cost per subscription: Monthly spend analysis
Resource utilisation: Identify optimisation opportunities
Security compliance: Policy adherence monitoring
Performance metrics: SLA achievement tracking

Automation Opportunities

Subscription provisioning workflows
Policy enforcement automation
Cost anomaly detection
Resource lifecycle management

This subscription design strategy provides a foundation for scalable, secure, and cost-effective Azure operations while maintaining flexibility for future growth and changes.