What Is Subscription boundary in Cloud Computing?
On This Page
Quick Definition
A subscription boundary is like a fence around your cloud resources. Everything inside that fence belongs to one payment account and follows the same rules. It separates your work projects from your personal projects or different departments. Crossing this boundary usually requires special permissions or separate billing.
Commonly Confused With
A resource group is a logical container within a subscription. It helps organize resources like virtual machines and databases. A subscription boundary is a higher-level container that includes multiple resource groups. Resource groups do not have separate billing or independent RBAC administration; they are nested within the subscription.
If you have a subscription for your company, you might create a resource group for 'Web Apps' and another for 'Databases'. Both are inside the same subscription boundary.
A management group is a container for subscriptions. It is used to apply policies and RBAC across multiple subscriptions. A subscription boundary is the individual subscription itself. Management groups sit above subscriptions, while subscriptions sit above resource groups.
You have a management group called 'Corporate' with two subscriptions: 'IT' and 'Marketing'. The management group boundary is for governance across subscriptions, but each subscription maintains its own billing and resource isolation.
A tenant is an instance of Azure Active Directory that provides identity services. A subscription is associated with one tenant, but a tenant can have multiple subscriptions. The tenant boundary is about identity and authentication, while the subscription boundary is about resource management and billing.
One company has one Azure AD tenant with three subscriptions. The tenant allows users to sign in, and each subscription has its own resources and billing.
Must Know for Exams
Subscription boundaries appear frequently in cloud certification exams such as Microsoft Azure Administrator (AZ-104), AWS Solutions Architect Associate (SAA-C03), and Google Cloud Associate Cloud Engineer. In Azure, exam objectives explicitly cover management groups, subscriptions, and resource groups. You need to understand that a subscription is a billing and management boundary, not a security boundary per se, but it is used to enforce security through RBAC.
Exam questions often ask you to recommend the best subscription structure for a given scenario. For example, a question might describe a company with multiple departments that need separate billing and isolated environments. The correct answer will involve creating multiple subscriptions under a management group.
Another common question type is about moving resources between subscriptions. You may be asked what prerequisites are needed, such as ensuring the destination subscription is registered for the resource provider. Policy application at the subscription scope is another exam objective.
Questions might present a scenario where a policy should apply to all resources in a subscription and ask at which scope to assign it. The answer is subscription level. Cost management questions also rely on subscription boundaries.
You might be asked how to generate a report of costs per department; the answer involves organizing subscriptions per department and using cost analysis. Exam questions may test your knowledge of default limits and quotas at the subscription level. For instance, the default number of virtual machines per Azure subscription is a common fact.
Understanding these boundaries helps you answer architecture and troubleshooting questions correctly. They are a core concept, not a niche detail.
Simple Meaning
Imagine you have a big toy box at home, but you share it with your brother and sister. To keep things organized, you each have your own smaller box inside the big one. Your small box is your subscription boundary.
You can put your toys in it, decide who gets to play with them, and you are responsible for keeping it tidy. Your brother cannot take your toys without asking, and you cannot take his. In the cloud, each subscription is like one of those personal boxes.
It has its own billing, its own set of users, and its own rules about who can do what. Resources like virtual machines, databases, and storage accounts live inside a single subscription. They cannot leave it unless you explicitly move them.
The subscription boundary also defines where your costs are tracked. If you have a test subscription and a production subscription, the bills are separate. This helps companies manage budgets and keep different environments isolated.
The boundary also helps with security. If someone gains access to one subscription, they do not automatically have access to another. You need separate permissions for each. So, a subscription boundary is not a physical wall, but a logical one that keeps cloud resources organized, secure, and billed correctly.
Full Technical Definition
In cloud computing, a subscription boundary is a management and billing container that establishes a trust relationship with an Azure Active Directory (Azure AD) tenant (or equivalent identity provider in other clouds). Subscriptions are the primary unit for organizing cloud resources, applying policies, and tracking usage. Each subscription has a unique identifier, such as a subscription ID in Azure or an account ID in AWS.
The boundary defines the scope for Azure Resource Manager (ARM) or AWS CloudFormation deployments, meaning all resources created within the subscription are logically grouped under that ID. Access control is managed through Role-Based Access Control (RBAC), where roles assigned at the subscription level cascade down to all resource groups and resources within that subscription. Policies, such as Azure Policy or AWS Service Control Policies, can be applied at the subscription boundary to enforce compliance rules like allowed regions, resource types, or tagging requirements.
The subscription boundary also determines billing aggregation. Each subscription generates a separate invoice, or can be grouped under a billing account or management group for consolidated reporting. Resource quotas and limits, such as the maximum number of virtual machines per subscription, are enforced at this boundary.
Moving resources across subscription boundaries requires careful orchestration, often involving Azure Resource Move or AWS Resource Access Manager, and can impact networking, dependencies, and RBAC assignments. Understanding subscription boundaries is critical for designing a multi-subscription architecture, implementing resource isolation, and managing cost centers. In exam scenarios, you will need to know how to assign RBAC roles at the subscription scope, apply policies, and recognize the implications of moving resources between subscriptions.
Real-Life Example
Think of a large apartment building with separate apartments. Each apartment is a subscription boundary. The building itself is the cloud provider. Each apartment has its own door, its own lock, and its own rent (billing).
The tenant (the subscription owner) can arrange their furniture, install appliances, and decide who gets a key. They pay for their own electricity and water. If a neighbor wants to borrow a tool, they have to knock on the door and ask.
They cannot just walk in. Similarly, if someone has access to one apartment (subscription), they do not automatically have access to another. The building manager (cloud provider) does not meddle with what is inside each apartment, but they enforce building rules like no loud noise after 10 PM (policies).
If a tenant wants to move to a bigger apartment, that is like moving resources to another subscription. It involves paperwork, possibly a new lease, and the move has to be coordinated so nothing breaks. The subscription boundary keeps each tenant's environment separate, secure, and independently billed.
It is the same idea in the cloud: each subscription is a self-contained unit that isolates resources, permissions, and costs from other subscriptions.
Why This Term Matters
Subscription boundaries matter because they are the foundation of cloud resource organization, security, and cost management. In a real IT environment, you will rarely have a single subscription for everything. Enterprises use multiple subscriptions to separate development, testing, and production environments.
This prevents accidental changes or security breaches from spreading. For example, if a developer accidentally deletes a resource in the test subscription, it does not affect the live application. The boundary also enables different billing.
Each department can have its own subscription, so the finance team can track exactly how much each department spends. This is crucial for chargeback models. Without subscription boundaries, all resources would be in one big pool, making it impossible to isolate failures, control access granularly, or manage costs per team.
Compliance requirements often dictate that sensitive data must be stored in a separate subscription with stricter policies. The subscription boundary makes that possible. As an IT professional, you need to understand how to design a subscription strategy, assign appropriate roles at the correct scope, and avoid accidentally granting permissions across boundaries.
In audits, you will be asked to prove that resources are properly isolated, and subscription boundaries are the primary mechanism to achieve that. They are not just abstract concepts but practical tools that every cloud administrator works with daily.
How It Appears in Exam Questions
Subscription boundary questions appear in scenario-based, configuration, and troubleshooting formats. Scenario questions often describe a company structure and ask you to design a subscription architecture. For example, a company has five business units, each needing separate billing and independent admin control.
You would recommend five subscriptions under a management group. Configuration questions might ask where to assign an RBAC role so a user can manage all resources in a subscription. The answer is at the subscription scope.
They might also ask which Azure Policy assignment scope ensures a policy applies to all resources in a subscription but not to resources in other subscriptions. The correct scope is the subscription. Troubleshooting questions often involve permission issues.
For instance, a user cannot see resources in another subscription, and you need to explain that permissions are scoped to each subscription boundary. Another common pattern is about moving resources. A question might state that a storage account cannot be moved to another subscription, and you must identify the reason, such as the destination subscription not having the required resource provider registered.
There are also questions about billing boundaries. A question might ask how to separate costs for development and production environments. The answer is to use separate subscriptions.
Exam questions can also test understanding of management groups as containers for subscriptions. You might be asked what is the difference between a management group and a subscription. The key point is that management groups are for organizing subscriptions and applying governance at scale, while subscriptions are the boundary for billing and resource management.
Some questions present a multi-tenant scenario where an organization has two subscriptions in different Azure AD tenants. They ask about cross-tenant access and you need to explain that subscription boundaries also imply tenant boundaries. In AWS, similar questions appear about accounts and Organizations.
The pattern is consistent: recognize that a subscription (or account) separates resources, permissions, billing, and policies.
Practise Subscription boundary Questions
Test your understanding with exam-style practice questions.
Example Scenario
Your company has a small IT team and a marketing team. Both need cloud resources. You create two subscriptions: Subscription-IT and Subscription-Marketing. Subscribe to the Azure free account?
In this scenario, you want to keep their resources separate. You give the IT team Contributor access at the Subscription-IT scope. They can create any resource inside that subscription.
They accidentally delete a virtual machine? That is fine, it only affects their subscription. The marketing team has their own Contributor access to Subscription-Marketing. They cannot see or change anything in Subscription-IT.
Now, the finance team asks for separate billing. Each subscription generates its own invoice. The IT manager sees exactly what IT spends, and the marketing manager sees their own costs.
Later, a new intern joins the IT team. You assign them the Reader role at the Subscription-IT scope. They can see all resources but cannot make changes. This works because the role assignment is scoped to the subscription boundary.
If you had assigned Reader at the management group level instead, the intern would see both subscriptions, which you do not want. The scenario shows how subscription boundaries enforce isolation and granular control. If the marketing team needs to share a storage account with IT, you cannot just give them access across boundaries without explicit permission.
You would need to set up cross-subscription RBAC or use a shared resource group. In an exam, a similar scenario would ask you to propose a subscription structure for two teams with separate billing and full administrative isolation. The correct answer is two separate subscriptions, each with its own RBAC assignments.
Common Mistakes
Thinking a subscription is a security boundary like a firewall
A subscription boundary does not block network traffic. Resources in different subscriptions can communicate over the network if configured correctly. The boundary only controls management access and billing.
Understand that subscription boundaries are for administration and cost, not network security. Use network security groups or virtual network peering for traffic control.
Assigning a role at the resource group level and assuming it applies to all subscriptions
A role assigned at a resource group scope only applies to that resource group, not to other resource groups in the same subscription, and certainly not to other subscriptions.
To grant permissions across an entire subscription, assign the role at the subscription scope, not at a resource group scope.
Believing you can move resources between subscriptions without any preparation
Moving resources between subscriptions requires that both subscriptions exist, the destination subscription is registered for the resource provider, and the resource does not have dependencies that prevent the move.
Always check resource provider registration and plan the move carefully. Use Azure Resource Move or AWS Resource Access Manager, and test in a non-production environment.
Assuming all subscriptions within an organization are in the same Azure AD tenant
Subscriptions can exist in different tenants, but each subscription must be associated with exactly one tenant. Cross-tenant access requires guest accounts or special configurations.
Verify the tenant of each subscription. If you need cross-tenant access, use Azure AD B2B collaboration or manage tenants properly.
Confusing subscription boundaries with resource group boundaries
Resource groups are containers within a subscription, not a boundary. They are for organizing resources, not for billing or separate administration. RBAC at resource group scope does not cross subscription boundaries.
Remember that a subscription is the highest-level billing and management container. Resource groups are nested inside a subscription.
Exam Trap — Don't Get Fooled
{"trap":"In an exam question, you are asked to grant a user permission to manage all resources in a subscription. The options include assigning the Owner role at the resource group level, at the subscription level, or at the management group level. Many learners choose the management group level because it covers multiple subscriptions, but the question specifically asks for one subscription."
,"why_learners_choose_it":"They think that a broader scope (management group) will automatically grant permissions to all subscriptions under it, and they want to be safe. But the question says 'all resources in a subscription', not multiple subscriptions.","how_to_avoid_it":"Read the scope carefully.
If the requirement is for a single subscription, assign the role at the subscription scope. A management group scope covers all subscriptions within that group, which is more than needed and may cause unintended access."
Step-by-Step Breakdown
Identify the need for a boundary
Determine why you need a separate subscription. Common reasons include separate billing, isolation of environments (dev/test/prod), compliance requirements, or different administrative teams. This step sets the purpose.
Create the subscription
In the cloud portal, navigate to Subscriptions and create a new subscription. You will need to associate it with a billing account and an Azure AD tenant. Each subscription gets a unique ID and name.
Set up RBAC at the subscription scope
Assign roles like Owner, Contributor, or Reader at the subscription scope. These permissions will cascade down to all resource groups and resources within that subscription. This is how you control who can manage everything inside the boundary.
Apply policies at the subscription scope
Use Azure Policy (or equivalent) to enforce rules like allowed regions, mandatory tags, or resource types. Assign the policy at the subscription scope so it applies to every resource within that boundary.
Configure billing and cost management
Set up budget alerts and cost analysis per subscription. Each subscription generates its own invoice, so you can track spending separately. Optionally, group subscriptions under management groups for aggregated reporting.
Monitor and move resources when needed
If a resource needs to be moved to another subscription, plan the move carefully. Ensure the destination subscription is registered for the required resource provider. Use the Move feature in the portal, and verify dependencies like virtual networks.
Audit and review access regularly
Periodically review who has access at the subscription scope. Remove unused accounts and ensure permissions follow the principle of least privilege. Use Azure AD Privileged Identity Management for just-in-time access.
Practical Mini-Lesson
Subscription boundaries are not just theoretical concepts; they are the backbone of cloud governance. As a cloud administrator, you will spend a significant amount of time designing and managing subscription structures. The first practical decision is how many subscriptions to create.
A common best practice is to use a separate subscription for each environment: one for development, one for testing, and one for production. This isolates failures and prevents accidental changes from affecting production. Each subscription has its own billing, so you can track costs per environment.
Another practical aspect is applying Azure Policy at the subscription scope. For example, you can create a policy that restricts virtual machine sizes to only cost-effective options. This policy applies to all resource groups in that subscription automatically.
If a developer creates a resource group and tries to deploy a large VM, the policy will block it. This is much more efficient than applying the same policy to each resource group individually. RBAC at the subscription scope is equally practical.
Instead of giving a team Contributor access on each resource group, assign it once at the subscription level. This saves time and reduces the risk of missing a resource group. However, be careful: if you assign Owner at the subscription scope, that user can create new resource groups and assign roles to others.
Always follow the principle of least privilege. Another practical scenario is moving resources between subscriptions. This is not uncommon when a team reorganizes. You need to know that not all resources can be moved.
For instance, Azure App Service plans can be moved, but some classic resources cannot. Always check the documentation. The move operation also requires that the destination subscription be registered for the resource provider.
If it is not, the move will fail. Professionals often script these checks using Azure PowerShell or CLI. Understand that subscription boundaries are not network boundaries. If you need to isolate network traffic, use virtual networks and subnets.
Subscription boundaries only separate management and billing. A common mistake is assuming that two subscriptions are completely isolated by default. They are not. You can peer virtual networks across subscriptions, allowing traffic to flow.
Security groups within each subscription control what traffic is allowed. In practice, you will design a hub-and-spoke network topology where a central firewall controls traffic between subscriptions. So, while subscription boundaries are essential, they are only one piece of the overall security and governance strategy.
Memory Tip
Think of a subscription as a locked apartment: it has its own door (RBAC), its own rent (billing), and its own rules (policies). You need a key to enter, and you cannot take furniture to another apartment without moving permission.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
220-1102CompTIA A+ Core 2 →AZ-900AZ-900 →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
Frequently Asked Questions
Can I move a virtual machine from one subscription to another without downtime?
Generally, moving a running virtual machine between subscriptions causes downtime because the VM must be stopped and moved. Use Azure Resource Move or deallocate the VM first. Plan accordingly.
How many subscriptions can I have in a single Azure AD tenant?
There is no hard limit, but by default you can create up to 50 subscriptions per tenant. You can request an increase from Azure support if needed.
Do subscription boundaries apply to AWS?
Yes, in AWS the equivalent is an AWS account. Each account has its own billing, resources, and IAM policies. AWS Organizations can group multiple accounts for consolidated billing and policy management.
Can I share a storage account across two subscriptions?
Yes, you can share a storage account by setting appropriate access permissions. The storage account resides in one subscription, but you can grant users from another subscription access via RBAC, provided they have the correct permissions.
What happens if I delete a subscription?
All resources within the subscription are deleted and cannot be recovered. Billing stops after the subscription is cancelled. Always ensure you have backups before deleting.
What is the difference between a subscription and a resource group?
A subscription is a billing and management boundary that contains many resource groups. A resource group is a logical container within a subscription used to organize related resources. You cannot directly bill per resource group.
Summary
Subscription boundaries are a fundamental concept in cloud computing that define the scope of resource management, access control, billing, and policy enforcement. They act as logical containers that separate environments, departments, or projects, ensuring that resources, permissions, and costs are isolated and manageable. In practical IT work, understanding how to create, configure, and work with subscription boundaries is essential for designing secure and cost-effective cloud architectures.
You need to know how to assign RBAC roles at the subscription scope, apply policies, and move resources between subscriptions. Common mistakes include confusing subscription boundaries with network security, assigning roles at the wrong scope, or assuming all subscriptions are in the same tenant. Exam traps often involve choosing the wrong scope for role assignments or misunderstanding the purpose of management groups versus subscriptions.
For your certifications, focus on scenarios where separate subscriptions are required for billing isolation, environment separation, or compliance. Remember that subscription boundaries are not a substitute for network security groups. They are a management and administrative tool that complements other security measures.
Mastering this concept will help you answer architecture, troubleshooting, and design questions across Azure, AWS, and Google Cloud exams. Keep in mind the apartment analogy: each subscription is a locked unit with its own rent, rules, and key holders.