What is the recommended approach for multi-region platform landing zone subscriptions?

Question

When deploying to multiple regions, there is conflicting information on whether to use new platform landing zone subscriptions (identity, management, connectivity) or the existing subscription. What is the recommended approach? Should I use the existing subscription or create a new subscription for each region?

One article recommends using the existing subscription: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/regions#traditional-hub-and-spoke-architecture

Another article recommends using a different subscription for each region: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/cloud-scale-analytics/eslz-network-considerations-cross-region

Answer 1

Definitely - Depends! There's no right or wrong answer here, I have done both for customers, and both work well.

I personally prefer to keep the same Management Group structure - i.e., Identity, etc., but separate by Subscription (i.e., Stamps) - for the different regions; my reasoning is mainly to:

• Keep permissions separate
• Avoid any accidental changes to resources in another region that may be a passive/DR region,
• Allow more granular policy control at the Subscription level if need be
• Avoid ANY potential risk of running into subscription quotas
• And filter out resources in the Azure Portal easily by just unselecting a subscription from being viewed.
• Refer: Mission-critical baseline architecture in an Azure landing zone