Reputation: 7025
I am about to set up a new project that will be hosted in Azure (first time I use it). I am going to have three types of environments:
From a network level I would like that:
Productivity server (TeamCity) has access to Prelive & Live servers (to deploy)
Live servers are partially accessible to devs (no RDP but access to HTTP). I want to isolate access to Live environment management (only devops/admin).
What is the best way to achieve this?
Option 1 - Using different subscriptions in Azure? One for PRELIVE, one for Productivity and one for LIVE. Would servers be able to access each other? Would it be possible to have a trust between different subscriptions and Azure AD to avoid duplication of users?
Option 2 - Each environment (Dev, Systest, performance, live) in its own subscription?
Option 3 - Using same subscription and Role-based Access Control? Is there any way to isolate LIVE from Prelive at network level?
Option 4 - Any other option?
Upvotes: 1
Views: 2200
Reputation: 12228
There is certainly nothing that couldn't all be done from a single subscription, but having multiple subscriptions can help from an organisational / billing / administration point of view.
If you deploy two VMs in two separate virtual networks, then they have network separation by default. You can then create Security Group rules to allow access using standard TCP/IP network restrictions (subnets, ports etc.).
If you deploy two VMs into the same virtual network, by default they have open network access to each other, but if you deploy them into separate subnets, you can configure subnet-level Security Groups to control access.
If you have a team working on your deployments, and you only want Dev team to access Dev boxes, you can configure RBAC on your servers and resource groups to allow that.
A resource group is a collection of resources (VMs, VNets, Web Apps etc.) that are logically connected, though the above still applies: servers in the same resource group don't have network access to each other by virtue of that fact.
If it is your first time using Azure, the best advice is to set aside a couple of weeks to build stuff, and learn the best way it can work for you and what you require.
At that point, tear it all down and build it properly using what you have learnt.
Upvotes: 2
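The subnet-level Security Group approach from the answer, worked through as an added example (not code from the original post or from Azure): a small Python model of NSG priority evaluation for an inbound rule set on the Live subnet. The address plan, rule names and deploy ports (WinRM 5985/5986, Web Deploy 8172) are all assumptions; it also shows why the built-in AllowVnetInBound default has to be explicitly overridden when environments share one VNet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: one subnet per environment inside a single VNet (assumption).
VNET = "10.0.0.0/16"
SUBNET = {"productivity": "10.0.1.0/24", "dev": "10.0.2.0/24",
          "prelive": "10.0.3.0/24", "live": "10.0.4.0/24", "admin": "10.0.5.0/24"}

@dataclass
class Rule:
    name: str
    priority: int          # lower number wins; custom rules use 100-4096
    access: str            # "Allow" or "Deny"
    source: str            # CIDR, or "*" for any source
    dest_ports: frozenset  # TCP destination ports, or {"*"} for any port

# Hypothetical inbound NSG for the Live subnet, built from the question's requirements:
# TeamCity may deploy, devs get HTTP/HTTPS only, RDP only from an admin subnet.
LIVE_INBOUND = [
    Rule("allow-teamcity-deploy", 100, "Allow", SUBNET["productivity"], frozenset({5985, 5986, 8172})),
    Rule("allow-devs-http", 200, "Allow", SUBNET["dev"], frozenset({80, 443})),
    Rule("allow-admin-rdp", 300, "Allow", SUBNET["admin"], frozenset({3389})),
    # Without this rule, the default AllowVnetInBound (65000) lets every VNet subnet reach every port.
    Rule("deny-vnet-inbound", 4000, "Deny", VNET, frozenset({"*"})),
]

# Azure's built-in default inbound rules, approximated (VirtualNetwork tag modelled as the VNet CIDR).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", VNET, frozenset({"*"})),
    Rule("DenyAllInBound", 65500, "Deny", "*", frozenset({"*"})),
]

def evaluate(rules, src_ip, dst_port):
    """Return (allowed, matching_rule_name): first match in ascending priority order wins."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        src_match = rule.source == "*" or ip_address(src_ip) in ip_network(rule.source)
        port_match = "*" in rule.dest_ports or dst_port in rule.dest_ports
        if src_match and port_match:
            return rule.access == "Allow", rule.name
    return False, "implicit-deny"  # unreachable while DenyAllInBound is present

def without_override():
    """The same rule set minus the explicit VNet deny, to show what the default rule lets through."""
    return [r for r in LIVE_INBOUND if r.name != "deny-vnet-inbound"]

if __name__ == "__main__":
    for src, port in [("10.0.1.10", 5985), ("10.0.2.10", 443), ("10.0.2.10", 3389), ("10.0.2.10", 5985)]:
        print(src, port, "hardened:", evaluate(LIVE_INBOUND, src, port),
              "no override:", evaluate(without_override(), src, port))
```

The "no override" column is the check worth running before trusting a shared-VNet design: with only allow rules in place, a dev subnet can still reach RDP on Live through AllowVnetInBound.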