Single Subscription Deployment Overview
DOCUMENT CATEGORY: Runbook
SCOPE: Single subscription landing zone deployment
PURPOSE: Deploy single management group, subscription, and resource group
MASTER REFERENCE: Azure Landing Zones — Start Small and Expand
Status: Active
The Single Subscription Deployment model streamlines Azure governance by using a single management group, a single subscription, and a single resource group for all cluster resources. This is the fastest path to a working Azure Local deployment and aligns with the Azure Landing Zone "start small and expand" approach.
Choose Single Subscription Deployment when:
- Deploying a single Azure Local cluster
- Setting up a proof of concept (PoC) or lab environment
- Your environment has limited scale requirements
- You want the fastest path to deployment and can expand governance later
Architecture Overview
The example below uses Infinite azurelocal Corp (IIC). Replace names with values from your variables.yml.
Tenant Root Group
└── cmp-iic-root                        # azure.management_groups.tenant_root.name
    └── cmp-landing-zones-iic           # azure.management_groups.landing_zone.name
        └── iic-lz-azurelocal-001       # azure.subscriptions.<env>.name
            └── rg-c01-azl-eus-01       # azure_resources.resource_group_name
All cluster resources — Arc registration, Key Vault, storage accounts, cloud witness, and the cluster itself — reside in that single resource group. No multi-RG split is needed for this deployment model.
Key Characteristics
| Aspect | Implementation |
|---|---|
| Management Groups | Organization Root MG + Landing Zone MG (from variables.yml) |
| Subscriptions | Single subscription for all resources |
| Resource Groups | Single RG for all cluster resources |
| Policy Scope | Subscription-level policies |
| RBAC Scope | Resource group-level access control |
| Cost Tracking | Tag-based cost allocation |
Prerequisites
Before starting this deployment path:
- Entra ID tenant established and accessible
- Billing access — EA enrollment account owner, MCA billing profile owner, or Azure Portal access to create subscriptions
- variables.yml configured with tenant, subscription, and resource group values
- Authenticated Azure session — see Authentication
- Permissions — Owner or User Access Administrator at tenant root scope (see Elevate Access)
Deployment Steps
| Task | Description | Estimated Time |
|---|---|---|
| Task 01 | Configure Management Group | 15 minutes |
| Task 02 | Create Subscription | 30 minutes |
| Task 03 | Create Resource Groups | 15 minutes |
Total Estimated Time: ~1 hour
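The three tasks above, sketched as Azure CLI calls in a script that prints its plan by default and executes only when `DRY_RUN=0`. This is an added example, not the runbook's own task scripts: the names are the IIC example values from this page, while the all-zero subscription ID is a placeholder, the `eastus` location is an assumption, and Task 02 is represented by associating an existing subscription rather than creating one.

```shell
#!/usr/bin/env bash
# Added example: Tasks 01-03 as Azure CLI calls, dry-run by default.
# Defaults are the IIC names from this page; override them from variables.yml.
ROOT_MG="${ROOT_MG:-cmp-iic-root}"          # azure.management_groups.tenant_root.name
LZ_MG="${LZ_MG:-cmp-landing-zones-iic}"     # azure.management_groups.landing_zone.name
RG_NAME="${RG_NAME:-rg-c01-azl-eus-01}"     # azure_resources.resource_group_name
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
LOCATION="${LOCATION:-eastus}"              # assumption: region is not stated on the page
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print the plan, 0 = execute it

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Conservative pre-flight check (stricter than Azure's own naming rules):
# 1-90 characters from letters, digits, '.', '_' and '-'.
validate_names() {
  for name in "$ROOT_MG" "$LZ_MG" "$RG_NAME"; do
    case "$name" in
      ''|*[!A-Za-z0-9._-]*) echo "invalid name: '$name'" >&2; return 1 ;;
    esac
    [ "${#name}" -le 90 ] || { echo "name too long: '$name'" >&2; return 1; }
  done
}

deploy_landing_zone() {
  validate_names || return 1
  # Task 01: organization root MG, then the landing zone MG beneath it.
  run az account management-group create --name "$ROOT_MG" \
      --display-name "$ROOT_MG" || return 1
  run az account management-group create --name "$LZ_MG" \
      --display-name "$LZ_MG" --parent "$ROOT_MG" || return 1
  # Task 02 (assumption: the subscription already exists): place it under the landing zone MG.
  run az account management-group subscription add --name "$LZ_MG" \
      --subscription "$SUBSCRIPTION_ID" || return 1
  # Task 03: the single resource group that holds every cluster resource.
  run az group create --name "$RG_NAME" --location "$LOCATION" \
      --subscription "$SUBSCRIPTION_ID" || return 1
}

deploy_landing_zone
```

Review the printed plan against the hierarchy in Architecture Overview before rerunning with `DRY_RUN=0` and a real subscription ID.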
Comparison with Full CAF/WAF Deployment
| Feature | Single Subscription | Full CAF/WAF |
|---|---|---|
| Management Groups | 2 (root + landing zone) | 10+ |
| Subscriptions | 1 | 6+ |
| Resource Groups | 1 per cluster | Multiple per function |
| Setup Complexity | Low | High |
| Governance Flexibility | Limited | Maximum |
| Cost Tracking | Tag-based | Subscription-based |
| Best For | Single cluster, PoC | Multi-cluster, production at scale |
Considerations
- No subscription-level isolation — all resources share billing and quota limits
- Limited policy granularity — policies apply to the entire subscription
- Shared resource quotas — all workloads compete for subscription limits
- Migration path — you can expand to the Full CAF/WAF model later by adding management groups, creating additional subscriptions, and moving resources. See Start small and expand.
Deliverables
At the end of this phase, you will have:
- Organization root management group created (azure.management_groups.tenant_root.name)
- Landing zone management group created (azure.management_groups.landing_zone.name)
- Subscription created and associated with the landing zone management group
- Single resource group created (azure_resources.resource_group_name)
Next Steps
Start with Task 01: Configure Management Group
Version Control
- Created: 2026-01-15 by Hybrid Cloud Solutions
- Last Updated: 2026-03-19 by Hybrid Cloud Solutions
- Version: 3.0.0