Azure Landing Zones Part 3 - Managing the Core of Your Azure Environment
Special thanks to Marie Frederikke Johannsen for her invaluable assistance with this blog post. Her expertise, insights, and thoughtful contributions have been instrumental in shaping its content. Thank you for your generous support and guidance!
Welcome back to the Azure Landing Zones series! You’ve got your Connectivity Subscription up and running—your cloud superhighway is blazing with activity. But what’s a highway without a traffic control center? That’s where the Management Subscription comes in!
The Management Subscription is your operations control tower, the brain behind the brawn of your Azure environment. It’s where you’ll centralize logging, monitoring, and management tools to keep everything running smoothly, all integrated into your private hub-and-spoke network. By the end of this post, you’ll have a Management Subscription that’s fully connected to your hub network and ready to manage like a pro.
In the Cloud Adoption Framework’s Enterprise-Scale Architecture, the Management Subscription is one of the foundational building blocks. It houses the services that monitor and manage your entire Azure estate. By isolating these functions, it ensures that operational efficiency doesn’t compromise your application workloads or other critical functions.
Ready to take charge? Let’s go!
What Is a Management Subscription?
The Management Subscription is a dedicated Azure subscription that brings all your monitoring, security, and operational resources under one roof. Think of it as the command center for your Azure environment, where you track performance, enforce policies, and monitor costs.
Key Goals:
- Unified Monitoring: Collect and analyze logs from all subscriptions in one place.
- Operational Excellence: Use tools like Azure Monitor and Log Analytics to detect issues before they become problems.
- Security Powerhouse: Strengthen your defenses with Microsoft Defender for Cloud.
- Cost Control: Track spending and optimize resource usage across your environment.
What Are We Building Today?
In this post, we’ll deploy the following resources as part of the Management Subscription:
- A Spoke Virtual Network (VNet): Connected to the hub network via two-way peering, with a dedicated subnet for private endpoints.
- Log Analytics Workspace: For centralized logging and telemetry.
- Azure Monitor: Diagnostic settings that send the subscription's Activity Log into the workspace.
- Microsoft Defender for Cloud: Standard-tier plans for security and compliance monitoring.
- Automation Account: To streamline routine administrative tasks.
- Private Link Endpoints: So that agent, query and automation traffic stays on the private network instead of reaching the public Azure endpoints.
Centralized vs. Distributed Workspaces
Before we get our hands dirty, a quick word on centralized vs. distributed workspaces.
When setting up Log Analytics Workspaces, you have two options: centralized or distributed. Both have their perks, but which is right for you?
Centralized Workspaces
All logs and telemetry flow into a single Log Analytics Workspace, typically located in your Management Subscription.
Why Go Centralized?
- One Dashboard to Rule Them All: Get a unified view of all logs across your subscriptions.
- Simplicity Wins: Managing one workspace is easier than juggling multiple.
- Cross-Subscription Magic: Run advanced queries across your entire environment.
Heads-Up:
- Data Egress Costs: Logs from resources in other regions may incur cross-region transfer fees, and data-residency rules may forbid moving them at all.
- Scaling Challenges: Massive environments might push a single workspace to its ingestion limits.
- Blast Radius: Anyone with Reader on the workspace can query every table in it. Use resource-context access or table-level RBAC so workload teams only see their own logs.
Best For:
- Small to medium-sized organizations.
- Teams focused on centralized governance and simplicity.
Distributed Workspaces
Each subscription or region gets its own Log Analytics Workspace for localized telemetry.
Why Go Distributed?
- Stay Local: Logs stay in the same region as the resources, cutting egress costs and satisfying data-residency requirements.
- Horizontal Scale: Each workspace handles only a slice of your environment.
- Team Autonomy: Business units can manage their own workspaces.
Heads-Up:
- Fragmented Insights: Cross-environment queries need workspace() unions and Reader rights on every workspace involved.
- Admin Overhead: Managing multiple workspaces can get messy.
Pro Tip: Start with a centralized workspace in the Management Subscription for simplicity, then evolve to a hybrid model as your needs grow.
Step 1: Planning Your Management Subscription
Before jumping into deployment, let’s get the plan in place:
- Region: Choose a region that meets your organization’s performance and compliance requirements.
- Retention Policies: Decide how long to retain logs (e.g., 30, 90, or 365 days).
- Automation Goals: Identify repetitive tasks (e.g., VM patching, resource cleanup) that can be automated.
- Policy Scope: Define which subscriptions will report to the Management Subscription.
Step 2: Deploying Your Management Subscription Resources
We’ll use Bicep to deploy the foundational components of the Management Subscription, including:
- A Log Analytics Workspace for centralized logging, reachable over Private Link.
- Azure Monitor diagnostic settings that forward the subscription's Activity Log to the workspace.
- Microsoft Defender for Cloud plans for advanced security monitoring.
- An Automation Account to simplify administrative tasks.
Bicep Templates
The deployment is split across three files that sit in the same folder: the main template (management-spoke-subscription.bicep, the name used in Step 3) plus two small modules named here as hub-peering.bicep and management-subscription-settings.bicep. The split is forced by scoping: a resource-group-scoped deployment cannot create a child resource in another resource group (the hub side of the peering lives under the hub VNet in ConnectivityRG), and Defender for Cloud plans and Activity Log export are subscription-level resources, not resource-group ones.
management-spoke-subscription.bicep:
// Deployed into the Management Subscription's resource group (ManagementRG).
targetScope = 'resourceGroup'
param location string = 'swedencentral' // canonical name for Sweden Central
param managementVNetName string = 'ManagementVNet'
param managementVNetAddressSpace string = '10.1.0.0/16'
param privateEndpointSubnetPrefix string = '10.1.1.0/24'
param hubVNetName string = 'HubVNet'
param hubResourceGroupName string = 'ConnectivityRG'
// The hub was built in the Connectivity Subscription; pass its ID when it differs from this one.
param hubSubscriptionId string = subscription().subscriptionId
// useRemoteGateways/allowGatewayTransit make the peering fail unless the hub
// already has a VPN or ExpressRoute gateway, so they are opt-in.
param hubHasGateway bool = false
param logAnalyticsWorkspaceName string = 'ManagementLogs'
param logRetentionInDays int = 90
// Set to 'Disabled' once the private DNS zones resolve the endpoint; until then agents that
// still resolve the public address would be dropped.
@allowed([
  'Enabled'
  'Disabled'
])
param workspacePublicIngestion string = 'Enabled'
param automationAccountName string = 'AutomationAccount'
param defenderPlanEnabled bool = true
// The hub VNet from Part 2: referenced, not created
resource hubVNet 'Microsoft.Network/virtualNetworks@2023-11-01' existing = {
  name: hubVNetName
  scope: resourceGroup(hubSubscriptionId, hubResourceGroupName)
}
// Management VNet with a dedicated subnet for the private endpoints
// (without a subnet, the subnets[0] references further down have nothing to point at)
resource managementVNet 'Microsoft.Network/virtualNetworks@2023-11-01' = {
  name: managementVNetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        managementVNetAddressSpace
      ]
    }
    subnets: [
      {
        name: 'PrivateEndpointSubnet'
        properties: {
          addressPrefix: privateEndpointSubnetPrefix
        }
      }
    ]
  }
}
// Hub-to-Management peering: the hub side is a child of the hub VNet, so it is deployed
// through a module scoped to the hub's resource group. The identity running the
// deployment needs Network Contributor on that VNet.
module hubToManagementPeering 'hub-peering.bicep' = {
  name: 'hubToManagementPeering'
  scope: resourceGroup(hubSubscriptionId, hubResourceGroupName)
  params: {
    hubVNetName: hubVNetName
    peeringName: 'HubToManagement'
    remoteVNetId: managementVNet.id
    allowGatewayTransit: hubHasGateway
  }
}
// Management-to-Hub peering (spoke side). Created after the hub side so that
// useRemoteGateways is accepted when a gateway exists.
resource managementToHubPeering 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-11-01' = {
  name: 'ManagementToHub'
  parent: managementVNet
  properties: {
    remoteVirtualNetwork: {
      id: hubVNet.id
    }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true // traffic routed through the hub firewall must be accepted
    useRemoteGateways: hubHasGateway
  }
  dependsOn: [
    hubToManagementPeering
  ]
}
// Log Analytics Workspace. Query stays open so the portal keeps working from outside the
// VNet; flip it to 'Disabled' once your operators reach the workspace over the private link.
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: logAnalyticsWorkspaceName
  location: location
  properties: {
    sku: {
      name: 'PerGB2018'
    }
    retentionInDays: logRetentionInDays
    publicNetworkAccessForIngestion: workspacePublicIngestion
    publicNetworkAccessForQuery: 'Enabled'
  }
}
// Automation Account with a system-assigned identity for runbooks (no stored credentials).
// Public data-plane access is off; hybrid workers use the private endpoint below.
resource automationAccount 'Microsoft.Automation/automationAccounts@2023-11-01' = {
  name: automationAccountName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    sku: {
      name: 'Free'
    }
    publicNetworkAccess: false
  }
}
// Subscription-level settings: Defender for Cloud plans and Activity Log export.
// Both cover THIS subscription only; the policies in Part 4 roll them out to the rest.
module subscriptionSettings 'management-subscription-settings.bicep' = {
  name: 'managementSubscriptionSettings'
  scope: subscription()
  params: {
    logAnalyticsWorkspaceId: logAnalyticsWorkspace.id
    defenderPlanEnabled: defenderPlanEnabled
  }
}
// Log Analytics has no private endpoint of its own. The workspace is attached to an
// Azure Monitor Private Link Scope (AMPLS) and the endpoint targets the scope.
resource privateLinkScope 'Microsoft.Insights/privateLinkScopes@2021-07-01-preview' = {
  name: 'ManagementPrivateLinkScope'
  location: 'global'
  properties: {
    accessModeSettings: {
      ingestionAccessMode: 'PrivateOnly' // agents on this link can only send to scoped workspaces
      queryAccessMode: 'Open' // but may still query workspaces outside the scope
    }
  }
}
resource scopedWorkspace 'Microsoft.Insights/privateLinkScopes/scopedResources@2021-07-01-preview' = {
  parent: privateLinkScope
  name: '${logAnalyticsWorkspaceName}-link'
  properties: {
    linkedResourceId: logAnalyticsWorkspace.id
  }
}
// Private endpoints. They only redirect traffic if the matching private DNS zones
// (privatelink.monitor.azure.com, privatelink.oms/ods.opinsights.azure.com,
// privatelink.agentsvc.azure-automation.net, privatelink.blob.core.windows.net and
// privatelink.azure-automation.net) exist and are linked to this VNet; in a landing
// zone those zones live in the Connectivity Subscription.
resource privateEndpointLogAnalytics 'Microsoft.Network/privateEndpoints@2023-11-01' = {
  name: 'LogAnalyticsPrivateEndpoint'
  location: location
  properties: {
    subnet: {
      id: managementVNet.properties.subnets[0].id
    }
    privateLinkServiceConnections: [
      {
        name: 'LogAnalyticsConnection'
        properties: {
          privateLinkServiceId: privateLinkScope.id
          groupIds: [
            'azuremonitor'
          ]
        }
      }
    ]
  }
  dependsOn: [
    scopedWorkspace
  ]
}
// Hybrid worker / DSC sub-resource of the Automation Account. Webhooks are a separate
// sub-resource ('Webhook') and need their own endpoint if you use them.
resource privateEndpointAutomation 'Microsoft.Network/privateEndpoints@2023-11-01' = {
  name: 'AutomationPrivateEndpoint'
  location: location
  properties: {
    subnet: {
      id: managementVNet.properties.subnets[0].id
    }
    privateLinkServiceConnections: [
      {
        name: 'AutomationConnection'
        properties: {
          privateLinkServiceId: automationAccount.id
          groupIds: [
            'DSCAndHybridWorker'
          ]
        }
      }
    ]
  }
}
output logAnalyticsWorkspaceId string = logAnalyticsWorkspace.id
output privateEndpointSubnetId string = managementVNet.properties.subnets[0].id
hub-peering.bicep (deployed into the hub's resource group by the main template):
targetScope = 'resourceGroup'
param hubVNetName string
param peeringName string
param remoteVNetId string
param allowGatewayTransit bool
resource hubVNet 'Microsoft.Network/virtualNetworks@2023-11-01' existing = {
  name: hubVNetName
}
resource hubToSpokePeering 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-11-01' = {
  name: peeringName
  parent: hubVNet
  properties: {
    remoteVirtualNetwork: {
      id: remoteVNetId
    }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    allowGatewayTransit: allowGatewayTransit
  }
}
management-subscription-settings.bicep (deployed at subscription scope by the main template):
targetScope = 'subscription'
param logAnalyticsWorkspaceId string
param defenderPlanEnabled bool
// Defender for Cloud plans are per subscription AND per resource type; 'Default' is not
// a plan name. Extend the list with the plans you actually want to pay for.
var defenderPlans = [
  'VirtualMachines'
  'KeyVaults'
  'Arm'
]
resource defenderPlan 'Microsoft.Security/pricings@2023-01-01' = [for plan in defenderPlans: if (defenderPlanEnabled) {
  name: plan
  properties: {
    pricingTier: 'Standard'
  }
}]
// Activity Log export to the central workspace. The Activity Log is an extension resource
// of the subscription (hence this scope) and has no metrics, so there is no 'AllMetrics' entry.
resource activityLogDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'ManagementSubscriptionDiagnostics'
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [
      {
        category: 'Administrative'
        enabled: true
      }
      {
        category: 'Security'
        enabled: true
      }
      {
        category: 'ResourceHealth'
        enabled: true
      }
      {
        category: 'Policy'
        enabled: true
      }
    ]
  }
}
Step 3: Deploy the Template
The identity running the deployment needs Contributor on ManagementRG, Network Contributor on the hub VNet in the Connectivity Subscription (for the hub side of the peering) and Owner or Security Admin on the subscription (for the Defender for Cloud plans). Keep the template and any module files it references in the same folder.
- Create a Resource Group:
az group create --name ManagementRG --location swedencentral
- Preview the Deployment (what-if surfaces scope, permission and address-overlap errors before anything is created):
az deployment group what-if --resource-group ManagementRG --template-file ./management-spoke-subscription.bicep --parameters location=swedencentral managementVNetName=ManagementVNet managementVNetAddressSpace=10.1.0.0/16 hubVNetName=HubVNet hubResourceGroupName=ConnectivityRG logAnalyticsWorkspaceName=ManagementLogs automationAccountName=AutomationAccount defenderPlanEnabled=true
- Deploy the Template:
az deployment group create --resource-group ManagementRG --template-file ./management-spoke-subscription.bicep --parameters location=swedencentral managementVNetName=ManagementVNet managementVNetAddressSpace=10.1.0.0/16 hubVNetName=HubVNet hubResourceGroupName=ConnectivityRG logAnalyticsWorkspaceName=ManagementLogs automationAccountName=AutomationAccount defenderPlanEnabled=true
Step 4: Verifying Your Deployment
- Check Virtual Networks and Peering:
- Navigate to the Virtual Networks section in the Azure Portal.
- Verify the two-way peering between HubVNet and ManagementVNet: both sides must show a peering status of Connected. Initiated means only one side exists; a peering that refused to deploy usually means the two address spaces overlap.
- Test Connectivity:
- Deploy a test VM in the Management VNet and confirm access to hub resources.
- From the same VM, resolve the workspace and Automation endpoints (nslookup) and confirm they answer with addresses from the private endpoint subnet. A public IP means the private DNS zones are not linked to this VNet and the traffic is still leaving over the internet.
- Verify Private Links:
- Check the private endpoints in the Private Link Center of the Azure Portal; each connection must show Approved.
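The portal checks above can be scripted. The script below is an added example, not code from the original post: it runs the Azure CLI commands behind each verification step, evaluates their JSON output with pure functions, and finishes with the cross-workspace Heartbeat query that the Centralized vs. Distributed section alludes to, so one run tells you whether both peerings are Connected, the private endpoints are Approved, the workspace is locked down, and every workspace is still receiving agent data. Resource names mirror the template's defaults; the linked workload workspace names, the endpoint sub-resources and the sample peering output are assumptions constructed for the example.

```python
"""Post-deployment checks for the Management Subscription spoke (added example, not code from
the original post). Runs the Azure CLI commands behind the verification steps and evaluates their
JSON output; the evaluation functions are pure and can be tried on the constructed sample at the
bottom without a subscription. Resource names mirror the template's defaults; the rest is assumed."""
import json
import subprocess
from typing import Any, Optional

MANAGEMENT_RG, MANAGEMENT_VNET, WORKSPACE = "ManagementRG", "ManagementVNet", "ManagementLogs"
HUB_RG, HUB_VNET = "ConnectivityRG", "HubVNet"
HUB_SUBSCRIPTION: Optional[str] = None  # Connectivity Subscription ID when the hub is not in this one
LINKED_WORKSPACES = ["WorkloadLogs-EU", "WorkloadLogs-US"]  # assumed names of workload workspaces
# endpoint name -> sub-resources (groupIds) it must expose (assumed to match the template)
REQUIRED_ENDPOINTS = {"LogAnalyticsPrivateEndpoint": {"azuremonitor"}, "AutomationPrivateEndpoint": {"DSCAndHybridWorker"}}

def az_json(*args: str, subscription: Optional[str] = None) -> Any:
    """Run `az ... -o json` and parse the result."""
    cmd = ["az", *args, "-o", "json"] + (["--subscription", subscription] if subscription else [])
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)

def check_peerings(peerings: list, expected_remote_vnet: str) -> list:
    """`az network vnet peering list`: the peering to the expected VNet must exist, be Connected
    (both sides created, address spaces not overlapping) and accept forwarded traffic."""
    suffix = f"/virtualnetworks/{expected_remote_vnet.lower()}"
    matching = [p for p in peerings if p["remoteVirtualNetwork"]["id"].lower().endswith(suffix)]
    if not matching:
        return [f"no peering towards {expected_remote_vnet}"]
    findings = []
    for p in matching:
        if p.get("peeringState") != "Connected":
            findings.append(f"{p['name']}: peeringState is {p.get('peeringState')}, other side missing or mismatched")
        if not p.get("allowVirtualNetworkAccess"):
            findings.append(f"{p['name']}: allowVirtualNetworkAccess is off")
        if not p.get("allowForwardedTraffic"):
            findings.append(f"{p['name']}: allowForwardedTraffic is off, traffic via the hub firewall will be dropped")
    return findings

def check_private_endpoints(endpoints: list, required: dict) -> list:
    """`az network private-endpoint list`: each required endpoint exists, is Approved and exposes
    the expected sub-resources."""
    findings, by_name = [], {e["name"]: e for e in endpoints}
    for name, group_ids in required.items():
        ep = by_name.get(name)
        if ep is None:
            findings.append(f"{name}: private endpoint missing")
            continue
        for conn in ep.get("privateLinkServiceConnections", []):
            status = conn.get("privateLinkServiceConnectionState", {}).get("status")
            if status != "Approved":
                findings.append(f"{name}: connection {conn['name']} is {status}")
            missing = group_ids - set(conn.get("groupIds", []))
            if missing:
                findings.append(f"{name}: sub-resources not exposed: {sorted(missing)}")
    return findings

def check_workspace(ws: dict, min_retention: int = 90) -> list:
    """`az monitor log-analytics workspace show`: retention and network exposure."""
    findings = []
    if ws.get("retentionInDays", 0) < min_retention:
        findings.append(f"retention is {ws.get('retentionInDays')} days, below {min_retention}")
    if ws.get("publicNetworkAccessForIngestion") != "Disabled":
        findings.append("public ingestion is still enabled, so agents can bypass the private link")
    return findings

def heartbeat_query(linked_workspaces: list) -> str:
    """KQL spanning the central workspace and the linked ones via workspace(): this is what a
    cross-subscription query costs once workspaces are distributed. isfuzzy=true keeps the union
    alive when one workspace is missing or the query identity lacks Reader on it."""
    parts = ['(Heartbeat | extend Source = "central")'] + [
        f'(workspace("{w}").Heartbeat | extend Source = "{w}")' for w in linked_workspaces]
    return ("union isfuzzy=true " + ", ".join(parts)
            + " | where TimeGenerated > ago(1h) | summarize LastSeen = max(TimeGenerated) by Source")

def check_heartbeats(rows: list, expected_sources: list) -> list:
    """Rows from the query above: every source must have heartbeats from the last hour, otherwise
    its agents, private link or DNS are broken (or the query identity cannot read it)."""
    seen = {r["Source"] for r in rows}
    return [f"{s}: no heartbeat in the last hour" for s in expected_sources if s not in seen]

def run_checks() -> list:
    """Query Azure and return all findings; an empty list means the deployment checks out."""
    findings = check_peerings(az_json("network", "vnet", "peering", "list", "-g", MANAGEMENT_RG,
                                      "--vnet-name", MANAGEMENT_VNET), HUB_VNET)
    findings += check_peerings(az_json("network", "vnet", "peering", "list", "-g", HUB_RG, "--vnet-name",
                                       HUB_VNET, subscription=HUB_SUBSCRIPTION), MANAGEMENT_VNET)
    findings += check_private_endpoints(az_json("network", "private-endpoint", "list", "-g", MANAGEMENT_RG),
                                        REQUIRED_ENDPOINTS)
    ws = az_json("monitor", "log-analytics", "workspace", "show", "-g", MANAGEMENT_RG, "-n", WORKSPACE)
    findings += check_workspace(ws)
    rows = az_json("monitor", "log-analytics", "query", "-w", ws["customerId"],
                   "--analytics-query", heartbeat_query(LINKED_WORKSPACES))
    return findings + check_heartbeats(rows, ["central"] + LINKED_WORKSPACES)

# Constructed sample (not captured from a real tenant): a spoke-side peering whose hub side was
# never created, so it is stuck in "Initiated".
SAMPLE_PEERINGS = [{"name": "ManagementToHub", "peeringState": "Initiated", "allowVirtualNetworkAccess": True,
                    "allowForwardedTraffic": False, "remoteVirtualNetwork": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ConnectivityRG/providers/Microsoft.Network/virtualNetworks/HubVNet"}}]

if __name__ == "__main__":
    for finding in run_checks():
        print("FAIL:", finding)
```

Run it after `az login` from a workstation that can reach both subscriptions; an empty result is the green light. The heartbeat check doubles as a private-link smoke test: once public ingestion is disabled, a workspace that stops receiving Heartbeat rows is almost always a DNS zone that is not linked to the spoke VNet rather than a dead agent.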
What’s Next?
Your Management Subscription is now live—your operations control tower is ready for action! Use it to monitor performance, secure resources, and optimize costs. Next up in the series: Governance in Azure Landing Zones, where we’ll tackle policies, compliance, and management group hierarchies.