Best practice for Hub and Spoke with multiple subscriptions

Jörg Lang 120 Reputation points
2023-09-26T23:25:48.86+00:00

Hi there,

we want to use Hub and Spoke with ExpressRoute and multiple subscriptions and we are observing an issue that, for example, the Route Table association to a subnet isn’t working if both are not within the same subscription.

Therefore we are looking for some best practice information to have a better understanding about the efficient distribution of the resources to the different subscriptions without losing a clear separation of costs between each spoke and the hub.

So main goals are

  • separation of each spoke and the hub per subscription for better cost separation and additional permission level
  • separation of duty (permissions) as
    • IT should be responsible for Hub and all Network related topics
    • DevOps Team should be responsible for any other Spoke infrastructure

Many thanks for your thoughts on that,

regards

joerg


Accepted answer
    KapilAnanth-MSFT 44,561 Reputation points Microsoft Employee
    2023-09-27T05:05:43.2866667+00:00

    @Jörg Lang

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you have a multi-subscription model and would like to know the best practice for fine-grained access management to Azure resources.

    You must consider using Azure RBAC

    Refer : How Azure RBAC works

    Some resources in Azure do not support cross-subscription association.

    Route table/NSGs are such resources.

    • You must create individual resources in each subscription if you would like to use the resource.
    • You can use an ARM template to create resources with the same properties across subscriptions.
    • What are ARM templates?

    Wrt permissions,

    • You can assign permissions to individual users or groups.
    • Azure includes several built-in roles that you can use, or you can also create your own Azure custom roles.
    • For example,
      • "IT" team can be given "Network Contributor" Role at the subscription or Resource Group level or the VNET Level
      • "DevOps" can be given "Owner" or "Contributor" Role at the Resource Group level or the VNET Level

    Hope this helps.

    Please let us know if we can be of any further assistance here.

    Thanks,

    Kapil
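An added example (not code from the answer above or from Microsoft) of what the answer describes: the route table is created in the spoke's own subscription and associated with a spoke subnet there, and the IT network team's Network Contributor role is scoped to the VNet only. Written in Bicep, which compiles to an ARM template; the VNet/subnet names, prefixes, hub NVA IP and group object ID are placeholders, and the role GUID is the documented built-in Network Contributor definition.

```bicep
// Added example (not code from the original answer): route table created in the spoke's own
// subscription, associated with a spoke subnet, plus a VNet-scoped Network Contributor grant. Names/IDs are placeholders.
targetScope = 'resourceGroup'
param vnetName string = 'vnet-spoke-01'       // existing spoke VNet (placeholder)
param subnetName string = 'snet-workload'     // existing subnet (placeholder)
param subnetPrefix string = '10.1.1.0/24'     // must match the subnet's current prefix
param hubFirewallIp string = '10.0.1.4'       // hub NVA private IP (placeholder)
param itNetworkGroupId string                 // Entra ID group object ID (placeholder)
var networkContributor = '4d97b98b-1d4f-4787-a291-c67834d212e7'  // built-in Network Contributor role GUID
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: vnetName
}
// The route table must live in the same subscription as the subnet it serves.
resource rt 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-${subnetName}'
  location: resourceGroup().location
  properties: {
    disableBgpRoutePropagation: false   // keep ExpressRoute-learned on-prem routes
    routes: [
      {
        name: 'default-via-hub-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: hubFirewallIp
        }
      }
    ]
  }
}
// Re-declaring the subnet with routeTable set is how Bicep expresses the association.
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = {
  parent: vnet
  name: subnetName
  properties: {
    addressPrefix: subnetPrefix
    routeTable: { id: rt.id }
  }
}
// IT network team gets Network Contributor on this VNet only, not the whole resource group.
resource itRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(vnet.id, itNetworkGroupId, networkContributor)
  scope: vnet
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', networkContributor)
    principalId: itNetworkGroupId
    principalType: 'Group'
  }
}
```

Deploy it once per spoke with `az deployment group create` after selecting that spoke's subscription, so each route table stays in the subscription that owns the subnet. The DevOps team's Contributor grant on the resource group is a second roleAssignments resource of the same shape without the `scope: vnet` line.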

