Moving Azure Resources between Subscriptions
I recently had to move my Azure resources from one subscription to another within the same Azure Active Directory tenant because the offer linked to my source subscription had expired.
In this article I will share a few quick notes on moving your Azure resources between subscriptions within the same Azure Active Directory tenant. I will shed light on some of the common reasons for having multiple Azure subscriptions and for moving resources between them. I will also highlight some of the caveats I personally faced in my case.
Multiple Azure Subscriptions
First, let’s look into the reasons why we could have multiple Azure subscriptions in the first place.
In personal accounts, you might have more than one subscription where each one is tied to a specific offer. For instance, you could provision less expensive workloads using the typical pay-as-you-go subscription. Meanwhile, you might also have another Azure subscription that is linked to a Visual Studio subscription which comes with free monthly credits to provision more expensive workloads.
On the organization level, there could be several reasons for having multiple Azure subscriptions. Some organizations allocate a dedicated subscription to each of their departments; this segregation is usually aligned with their organizational structure.
This structure is materialized in Azure as Management Groups. This is important because it provides fine-grained control and governance over each department's resources.
Another common reason for having multiple subscriptions in organizations is to overcome the Azure subscription hard limits imposed on some of the Azure resource types that are expected to be provisioned.
Why move Azure Resources?
Generally, you might need to move your Azure resources from one subscription to another for cost savings, that is, in order to benefit from a specific offer in the target subscription.
In organizations, resources might need to be moved to consolidate them into fewer subscriptions or to spread them across additional ones. The main reason for this could be an unfit subscription structure, where resources need to be merged into fewer subscriptions, shared among different departments, or even split into new subscriptions to accommodate the organic changes in the IT landscape of an organization.
Moving Azure Resources to a new Subscription
There are different ways to move resources between subscriptions. Here, I am showing how to do it from the Azure portal. Go to the source Resource Group, select the resources that you want to move, and click [move to another subscription].
In the first step, you will select the target subscription and Resource Group. In the next step, a validation process will start to check for any obstacles that might prevent moving any of the selected resources. If anything prevents a resource from being moved, you will get a detailed error message for that resource along with a possible fix, if there is one. At this stage, if you wish to exclude a resource, you can remove it from the list and proceed to the final review step.
Moving Azure Resources Caveats
Before the Move
- Not all resource types can be moved to another subscription. You will get a clear message during the validation process step indicating which of the Azure resources do not support the move. In my case, it was Azure Front Door. I had to exclude it from the list in Step 2 to proceed with moving the other resources. Consequently, I had to re-deploy it myself to the target subscription and delete it from the source subscription.
- Managed Service Identity must be disabled. Resources that are assigned a managed identity cannot be moved. You will need to disable the managed identity for these resources before the move and enable it again after they are moved. You will also need to re-configure any resource that relies on the resource’s managed identity.
- The Source and Target Subscriptions must be active. You will not be able to move resources between disabled subscriptions. In my case, my source subscription was disabled because of an expired offer. I had to open a support ticket to temporarily enable it in order to be able to move my resources to the new subscription.
- The source and target Resource Groups will be locked during the move. Keep in mind that you will not be able to add, remove, or update resources in the resource groups involved in the move. However, the resources themselves will remain active.
After the Move
- The resource IDs change after moving a resource. It is important to remember to update your ARM templates, or any other scripts that rely on these resource IDs and replace them with the new resource IDs that are assigned to them after the move. You will also need to re-create any role assignment.
- The public IP address changes after moving a resource. Public IP addresses could change for some resources. For instance, the API Management Gateway IP address will change after being moved to another subscription. This means that you need to take care of changing the endpoint IP in all the APIM client applications. Further, if you are using custom domains, you will need to change the A-Record in your DNS server to point to the new Gateway IP address. Using a CNAME-record would have been a better option as it points to the domain name instead of the IP.
- Test the solution after moving the resources. There are numerous resource types in Azure and if your solution is complex enough, it will be hard to anticipate all the needed actions after the move. As a result, it is extremely important to test such solutions after moving all their resources. This will allow you to find and fix any unexpected issues related to the move.
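
The managed identity caveat and the resource ID / role assignment caveat above can be turned into a pre-move checklist. The following is an added example, not code from the original post: the sample data is constructed in the shape of `az resource list` and `az role assignment list` JSON output, and the function names are hypothetical.

```python
import re

# Constructed sample data shaped like `az resource list` and
# `az role assignment list --all` JSON output (all IDs are made up).
SRC_SUB = "00000000-0000-0000-0000-000000000001"
DST_SUB = "00000000-0000-0000-0000-000000000002"
SRC_RG, DST_RG = "rg-source", "rg-target"
BASE = f"/subscriptions/{SRC_SUB}/resourceGroups/{SRC_RG}/providers"
RESOURCES = [
    {"id": f"{BASE}/Microsoft.Web/sites/app1", "identity": {"type": "SystemAssigned"}},
    {"id": f"{BASE}/Microsoft.Storage/storageAccounts/stor1", "identity": None},
]
ROLE_ASSIGNMENTS = [
    {"scope": f"{BASE}/Microsoft.Storage/storageAccounts/stor1",
     "principalId": "11111111-1111-1111-1111-111111111111",
     "roleDefinitionName": "Storage Blob Data Reader"},
    {"scope": f"/subscriptions/{SRC_SUB}",  # subscription-level, not tied to a moved resource
     "principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Reader"},
]

_ID_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+(/providers/.+)$", re.I)

def new_resource_id(old_id, dst_sub, dst_rg):
    """Rewrite the subscription and resource group segments of a resource ID."""
    m = _ID_RE.match(old_id)
    if not m:
        raise ValueError(f"not a resource-group-scoped ID: {old_id}")
    return f"/subscriptions/{dst_sub}/resourceGroups/{dst_rg}{m.group(1)}"

def move_plan(resources, assignments, dst_sub, dst_rg):
    """Return the identity and role assignment follow-up work for a planned move."""
    moved = {r["id"].lower(): new_resource_id(r["id"], dst_sub, dst_rg) for r in resources}
    has_identity = [r["id"] for r in resources
                    if (r.get("identity") or {}).get("type", "None") != "None"]
    recreate = []
    for a in assignments:
        scope = a["scope"].lower()  # resource IDs compare case-insensitively
        # Match the resource itself or a child scope under it.
        for old, new in moved.items():
            if scope == old or scope.startswith(old + "/"):
                recreate.append({**a, "scope": new + a["scope"][len(old):]})
    return {"id_map": moved, "disable_identity_first": has_identity,
            "recreate_role_assignments": recreate}

if __name__ == "__main__":
    import json
    print(json.dumps(move_plan(RESOURCES, ROLE_ASSIGNMENTS, DST_SUB, DST_RG), indent=2))
```

Saving the plan before the move gives you a record of which principals held which roles, so access can be re-granted deliberately afterwards instead of being reconstructed from memory.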
Final Thoughts
It is crucial to carefully plan the Azure subscription structure in your organization, taking into consideration the organization structure, expected resource use, and the subscription hard limits.