When creating resource groups, consider the following factors in your resource group design:
- A resource can be a member of only one resource group.
- A resource group cannot be nested in another resource group.
- You can move a resource from one resource group to another.
- A resource group can be used to scope access control.
- A resource group can be used to scope policy.
- A resource in a resource group can interact with resources in another resource group.
- A resource group is created in a location, also known as an Azure region. The location of a resource group specifies where the metadata for the resource group is stored. If you have compliance or geography constraints, this is an important consideration.
- Microsoft recommends that all resources in a resource group share the same lifecycle.
- It is not mandatory to have all Azure resources belong to a resource group.
- Creating a resource group through the Azure portal can be an easier task. You just need region or location details along with a valid resource group name (see Figure 1-42).
FIGURE 1-42 Create A Resource Group blade
Move resources across resource groups
Some resources in Azure can be moved between resource groups and even across subscriptions, but support for move operations varies based on the service. A reference of services that can be moved can be found at https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources. In Figure 1-43, the VM in Resource Group 2 can be moved into Resource Group 1, and it can also be moved across subscriptions into the resource group in Subscription 2.
FIGURE 1-43 Moving resources diagram
During a move operation, your resources will be locked. Both write and delete operations to the Azure resource will be blocked, but the underlying service will continue to function. For example, if you move a web app in Azure App Service, the app will continue to serve web requests to visitors. It can take up to four hours for a move operation to complete. If the move operation fails within the four-hour window, Resource Manager will reattempt the move operation.
To move resources between subscriptions, both subscriptions must be associated with the same Entra tenant. If the subscriptions do not belong to the same tenant, you can update the target subscription to use the source Entra tenant by transferring ownership of the subscription to another account. Note that this operation can have unexpected effects because the Entra tenant associated with a subscription is used for RBAC to any currently deployed Azure services.
When moving resources between subscriptions, the resource provider of the source resource must also be registered in the target subscription. A resource provider is the underlying service that allows a resource type to function and operate in your subscription. To see the list of resource providers, navigate to your subscription. On the subscription, select the Resource Providers blade. This is not a concern when moving resources within the same subscription because the resource provider will already be registered.
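The two cross-subscription prerequisites described above (same tenant, resource provider registered in the target) can be checked before a move is attempted. The following is an added example, not code from the book: the function name `preflight_move` is hypothetical, the inputs are assumed to be JSON shaped like the output of `az account show` and `az provider list`, and all IDs are constructed sample values.

```python
import re

# ARM resource ID: /subscriptions/<sub>/resourceGroups/<rg>/providers/<namespace>/<type>/<name>
_RID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<ns>[^/]+)/.+$", re.IGNORECASE)

def preflight_move(source_acct, target_acct, target_providers, resource_ids):
    """Return blocking findings for a cross-subscription move; [] means both checks pass."""
    findings = []
    # Check 1: both subscriptions must be associated with the same tenant.
    if source_acct["tenantId"].lower() != target_acct["tenantId"].lower():
        findings.append("tenant mismatch: source %s, target %s"
                        % (source_acct["tenantId"], target_acct["tenantId"]))
    # Check 2: each resource's provider must be registered in the target subscription.
    registered = {p["namespace"].lower() for p in target_providers
                  if p.get("registrationState") == "Registered"}
    for rid in resource_ids:
        m = _RID.match(rid)
        if not m:
            findings.append("unparseable resource id: " + rid)
            continue
        if m["sub"].lower() != source_acct["id"].lower():
            findings.append("not in source subscription: " + rid)
        if m["ns"].lower() not in registered:
            findings.append("provider %s not registered in target" % m["ns"])
    return list(dict.fromkeys(findings))  # de-duplicate, keep order

# Constructed sample data (not real subscriptions or tenants).
SRC = {"id": "11111111-1111-1111-1111-111111111111",
       "tenantId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}
TGT_SAME = {"id": "22222222-2222-2222-2222-222222222222",
            "tenantId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}
TGT_OTHER = {"id": "33333333-3333-3333-3333-333333333333",
             "tenantId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"}
PROVIDERS = [  # registration state as seen in the target subscription
    {"namespace": "Microsoft.Compute", "registrationState": "Registered"},
    {"namespace": "Microsoft.Web", "registrationState": "NotRegistered"},
]
_BASE = "/subscriptions/" + SRC["id"] + "/resourceGroups/rg2/providers/"
IDS = [_BASE + "Microsoft.Compute/virtualMachines/vm1",
       _BASE + "Microsoft.Web/sites/webapp1"]

if __name__ == "__main__":
    for finding in preflight_move(SRC, TGT_SAME, PROVIDERS, IDS):
        print("BLOCKED:", finding)
```

A tenant mismatch finding deserves extra review before any remediation, because changing the tenant associated with a subscription affects RBAC for services already deployed there.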