Landing
Zone with Multiple Subscriptions
Pros
- Clear Separation of Concerns
- Shared Services, Prod, Non-Prod,
Sandbox subscriptions → clean boundaries.
- Blast radius is reduced → one
bad deployment won’t affect everything.
- Governance at Scale
- Apply policies by subscription
(strict for Prod, relaxed for Dev).
- Easier to enforce compliance
consistently.
- Scalability & Future Proofing
- Subscription limits are spread
across environments.
- Ready for global growth and
multi-region setups.
- Cost Transparency
- Budgets & alerts per
subscription.
- Easier chargeback/showback for
business units/apps.
- Security Posture
- Centralized Hub in Shared
Services.
- Prod traffic never mixes with
Dev; fewer lateral movement risks.
- Operational Simplicity in Long
Run
- Centralized LA workspace + DCRs
in Shared Services.
- Single Bastion, Firewall,
Private DNS hub → easier operations.
- Audit & Compliance
- Industry best practice.
- Easier to pass regulatory audits
with Prod isolat
Landing Zone with Multiple Subscriptions
Cons
- Higher Initial Effort
- Some resources (RSVs, Managed
Disks, Arc) cannot be “moved” → must redeploy or re-onboard.
- Requires re-addressing VNets if
overlaps exist.
- Cultural Change for Teams
· App owners used to one subscription
need training on new structure.
· RBAC roles will need redefined at
subscription level
Single
Subscription Restructure
Pros
- Lower Initial Effort
- No need to move non-movable
services (e.g., RSV, ASR, Managed Disks).
- Easier to keep existing resource
IDs → avoids re-pointing dependencies.
- Minimal Disruption
- Less chance of downtime during
transition.
- App teams continue working with
familiar subscription boundaries.
- Faster Implementation
- Can re-organize into Resource
Groups, consolidate NSGs, workspaces, and Bastions without subscription
moves.
Single
Subscription Restructure
Cons
- Scalability Limits
- Risk of hitting subscription
quotas (VNets, vCores, Public IPs).
- Harder to scale globally or
across regions later.
- Governance Pain
- Policies (e.g., “Prod must use
ZRS storage”) cannot be applied selectively.
- More exceptions and overrides →
governance drift.
- Poor Blast Radius Control
- Security incident, policy
misstep, or noisy workload can impact all environments.
- Cost Management Limitations
- Cost alerts, budgets, and RBAC
only work at subscription scope.
- Difficult to do
chargeback/showback by environment or business unit.
- Networking Complexity Remains
- With many VNets and multiple
peerings, you still face mesh chaos.
- Central Hub exists, but within
same subscription → less flexibility to isolate Prod/Non-Prod.
- Compliance Risk
- Auditors may flag mixed Prod/Dev
workloads.
- Some regulatory frameworks require
Prod separation.
- Future Migration Debt
- If you need subscriptions later,
moving resources again is harder (e.g., RSV, Backup Vaults, Managed
Disks, Arc servers must be re-onboarded).
|
Dimension |
Single Subscription (Restructure Only) |
Multi-Subscription Landing Zone (Recommended) |
|
Initial Effort |
Low – easier to keep resources in place; no moves for RSV,
disks, Arc |
Higher – some resources must be redeployed; requires
migration planning |
|
Disruption Risk |
Minimal – most resources stay as-is |
Moderate – dependencies may need reconfiguration (API
Conn, RSV, App→Storage) |
|
Scalability |
Limited – at risk of hitting subscription quotas (VNets,
vCores, IPs) |
High – scale across multiple subscriptions; avoids hitting
limits |
|
Blast Radius / Isolation |
None – Prod, Non-Prod, Dev mixed together |
Strong – Prod, Non-Prod, Shared Services isolated by
subscription |
|
Governance & Policies |
Hard – same policies apply to all, exceptions increase
drift |
Granular – strict policies for Prod, relaxed for Dev/Test |
|
Cost Management |
Weak – budgets/alerts only at subscription scope; hard to
do chargeback |
Strong – budgets per subscription; easy
chargeback/showback |
|
Networking |
Complex |
Simplified – Hub in Shared Services; clear Spokes per
env/app |
|
Security Posture |
Higher risk |
Strong |
|
Monitoring & Operations |
Fragmented |
Unified – consolidate |
|
Reliability & DR |
Inconsistent |
Consistent – standard backup/DR patterns per subscription |
|
Compliance & Audit |
Risky – auditors may flag mixed Prod/Dev workloads |
Audit-friendly – Prod isolated; aligns with CAF/WAF best
practices |
|
Future Flexibility |
Low – will eventually require painful split later |
High – future-proof; easier to add new
apps/regions/workloads |
|
Business Impact |
Short-term cost saving, but technical debt grows; harder
to scale securely |
Long-term resilience, compliance, and operational
excellence; industry best practice |
