Code: C02-P1 | Author: Saransundar N | Applies To: AWS | Azure | Google Cloud
Understanding how cloud accounts are used and how they are structured (their hierarchy) is essential for any cloud professional. This knowledge helps you manage cloud spending, keep track of provisioned resources, and control access effectively. In this series, we will discuss the topic in multiple parts, in sequence. Here we go!
Part-1: Cloud Account overview – AWS Account | Azure Subscription | Google Cloud project
Part-2: Single Vs Multiple Cloud Accounts; Top 10 needs for multiple cloud accounts
Part-3: Cloud Account structure and Hierarchy – AWS | Azure | Google Cloud
Part-4: Importance of the AWS root user | Azure account admin | Google Billing account owner
Note: This post covers the key points of a single cloud account only and is written mainly to cover the basics. Some new terms will be introduced in Part 3, where we look at the actual structure.
What is a cloud account:
Cloud Account is the top-level boundary for hosting your services in Cloud.
- A cloud account is a container for your cloud resources.
- You create and manage your cloud resources inside a cloud account.
- It provides the administrative capabilities for access and billing.
- To create a cloud account, all you need is an email address, a mobile number, and a credit card.
- You need to subscribe and agree to the terms and conditions set by the cloud provider.
- Access to resources is controlled with Identity and Access Management (IAM) users and roles.
What should you do before planning to create a cloud account?
Decide on the owner of the account, who is solely responsible for maintaining it, including billing management, payment-method decisions, the support plan, etc.
Purpose of cloud account:
- Billing relationship: All costs incurred are bound to a cloud account. You always need to track the cost consumed by each resource. In this way you pay the cloud provider, such as AWS or Google Cloud, only for the services you use (pay-as-you-go).
- Service quotas and limits: You can create any service offered by the cloud provider, such as virtual machines, database services, or storage services, but there is always a limit set per cloud account. One is the default limit and the other is the hard limit.
- Access control and boundary:
At the cloud account level there are two major concerns. One is the account owner or account admin, who is solely responsible for billing management. The other is the resource owner, who grants access to specific resources with create, modify, or full permissions.
With this high-level understanding, let’s look at the cloud account across the top cloud providers. All resources can be grouped under one umbrella, which is named…
AWS Account:
- In AWS, we call a cloud account an AWS account.
- The account owner is the root user of the account.
- The AWS account ID is a random, unique 12-digit number assigned by AWS; Ex: 123456789012
- To sign up, you need an e-mail address and an AWS account name.
- A root user is mapped to exactly one AWS account, never more than one.
- Quotas and usage limits are bound to the AWS account.
AWS Account Name: This is the alias, or friendly identifier, used instead of the AWS account ID. It lets users sign in through a URL without remembering the account ID. For example:
https://Your_Account_ID.signin.aws.amazon.com/console/
https://Your_Account_Alias.signin.aws.amazon.com/console/
Note: When you create the AWS account, AWS also creates the root user. The root user is the most powerful identity in the account and should not be used for day-to-day transactions. It is reserved for changing account-level settings, modifying the support plan, and closing the AWS account.
There are two types of users who can access resources in AWS: the root user and IAM users.
IAM stands for Identity and Access Management. To use cloud resources, the root user should create the first IAM user and grant it administrator permissions. Either the root user or an IAM administrator can then create additional IAM users. All AWS users must have security credentials.
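Because the root user is meant only for account-level tasks, root activity in CloudTrail is worth alerting on. The following is an added example (not code from the original post) that scans records in CloudTrail's log-file shape and grades each root-user event; the sample records, the `ROOT_ONLY_EVENTS` allow-list, and the IAM user name are constructed assumptions.

```python
"""Find root-user activity in CloudTrail records.

Added example, not from the original post. SAMPLE_EVENTS are constructed
records in CloudTrail's JSON shape (only the fields used here are filled in);
123456789012 is the post's example account ID, not a real account.
"""
import json

ROOT_ARN = "arn:aws:iam::123456789012:root"
SAMPLE_EVENTS = {"Records": [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": ROOT_ARN},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": ROOT_ARN},
     "requestParameters": {"userName": "admin-bootstrap"}},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventName": "CloseAccount", "eventSource": "account.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": ROOT_ARN}},
]}

# Account-level tasks the post reserves for the root user. Assumption: this
# allow-list is only a starting point; extend it with the event names your
# account legitimately performs as root (e.g. the first IAM admin creation).
ROOT_ONLY_EVENTS = {"CloseAccount"}

def is_root(event):
    ident = event.get("userIdentity", {})
    return ident.get("type") == "Root" or ident.get("arn", "").endswith(":root")

def classify_root_event(event):
    """Return (severity, reason) for an event already known to be root activity."""
    name = event.get("eventName", "")
    if name == "ConsoleLogin":
        mfa = event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        return ("medium", "root console login") if mfa else ("high", "root console login without MFA")
    if name in ROOT_ONLY_EVENTS:
        return ("info", f"root performed account-level task {name}")
    return ("medium", f"root used outside account-level tasks: {name} ({event.get('eventSource', '?')})")

def find_root_activity(trail):
    """trail: dict in CloudTrail log-file shape ({"Records": [...]}) or the same as a JSON string."""
    if isinstance(trail, str):
        trail = json.loads(trail)
    return [(ev["eventName"], *classify_root_event(ev)) for ev in trail.get("Records", []) if is_root(ev)]

if __name__ == "__main__":
    for name, sev, why in find_root_activity(SAMPLE_EVENTS):
        print(f"[{sev.upper():6}] {name}: {why}")
```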
Azure Subscription:
- In Azure, we call a cloud account an Azure subscription.
- The account owner or creator is the account admin for the subscription.
- The subscription ID is a randomly assigned GUID; Ex: b42775c8-99a0-40ac-b237-cebf45aa4b3e
- To sign up, you need an e-mail address, a mobile number, and payment information.
- Unlike AWS, one account admin can manage billing for multiple Azure subscriptions.
- Multiple owners can exist at the subscription level, and they have full access to manage all services.
- Classic administrator roles still exist; refer to the table below for the detailed differences.
- All user accounts are associated with either a Microsoft account or an organizational account (Azure AD).
- Quotas and usage limits are bound to the Azure subscription.
“An Azure account (cost management & billing) represents a billing relationship & Azure subscriptions help you organize access to Azure resources.”
Every subscription must be linked to an Azure Active Directory tenant. In the figure below, the subscription is linked to the directory called bairavcloud.com. From the other part of the figure you can note the following:
- Any subscription needs to be linked to one Azure AD tenant
- Multiple subscriptions can be linked to the same Azure AD tenant
- Multiple Azure AD directories cannot be mapped to a single subscription
Note: An Azure subscription comes under one of multiple offers, and the offer is chosen based on business needs. This is unlike AWS or Google Cloud. A few of the offers are Pay-As-You-Go, Azure Pass, etc. The list of offers and their offer IDs is given in the table below.
| OFFER NAME | OFFER NUMBER |
| --- | --- |
| Azure Plan | 0017G |
| Microsoft Azure EA Sponsorship | 0136P |
| Pay-As-You-Go | 0003P |
| Free Trial | 0044P |
| Visual Studio Professional subscribers | 0059P |
| Visual Studio Test Professional subscribers | 0060P |
| MSDN Platforms subscribers | 0062P |
| Visual Studio Enterprise subscribers | 0063P |
| Visual Studio Enterprise (BizSpark) subscribers | 0064P |
| Visual Studio Enterprise (MPN) subscribers | 0029P |
| Pay-As-You-Go Dev/Test | 0023P |
| Enterprise Dev/Test | 0148P |
| Action Pack | 0025P |
| Microsoft Azure Sponsored Offer | 0036P |
| Azure Pass | 0243P |
| Azure in Open Licensing | 0111p |
| Azure for Students | 0170p |
| Microsoft Azure for Students Starter | 0144P |
| Azure in CSP | 0145P |
| Microsoft Azure Dev Tools for Teaching | |
Azure additionally has an entity called a “resource group” that organizes resources such as VMs, storage, and virtual networking devices. An Azure resource is always associated with exactly one resource group, so every resource you create must be placed in one. This is unlike AWS, where resource groups are optional. There are other key aspects of the Azure resource hierarchy, which will be covered later.
There are four key roles at the Azure subscription level: the Account Admin; the Owner, who has full control over Azure services; and two classic roles, the Service Administrator and the Co-administrator. The key differences are given below.
| Account Admin | Owner role | Service Administrator | Co-administrator |
| --- | --- | --- | --- |
| Access to the Azure account center and manages billing for all subscriptions in an Azure account; acts as billing owner | Full access to manage all Azure services and to create RBAC (role-based access control) assignments | Classic administrator; only needed if you are still using Azure classic deployments | Classic administrator; only needed if you are still using Azure classic deployments |
| Acts as the default service admin for newly added subscriptions; can change the service admin if needed | The Owner role can be assigned to grant full access to Azure services | Equivalent to a user assigned the Owner role at the subscription scope | Equivalent to a user assigned the Owner role at the subscription scope |
| Only one account admin per Azure account | Multiple owners can exist per subscription | Only one service admin per subscription | Can be multiple co-admins (200 per subscription) |
| Creates new subscriptions; cancels subscriptions^ | Can cancel the subscription | Can cancel the subscription and assign users the co-admin role | No actions at the subscription billing level; cannot cancel the subscription |
| Must always exist | A minimum of one owner must be added | Can be removed (exists by default) | Optional; can be added or removed |
^ The subscription can also be cancelled by the Service Administrator or by a subscription-level Owner.
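The tenant-link and role rules above (a GUID subscription ID, exactly one Azure AD tenant per subscription, at least one Owner) can be checked against an inventory export. This is an added example, not code from the original post; the records are constructed samples shaped like `az account list` and `az role assignment list` output, the tenant IDs and user names are made up, and the two subscription GUIDs are the post's own sample values.

```python
"""Sanity-check Azure subscriptions against the rules described above.

Added example, not from the original post. Input records are constructed
samples shaped like `az account list` / `az role assignment list` JSON;
only the fields used here are filled in.
"""
import re
from collections import defaultdict

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
TENANT_A = "11111111-1111-1111-1111-111111111111"  # constructed tenant IDs
TENANT_B = "22222222-2222-2222-2222-222222222222"

# Constructed: prod is healthy; dev appears under two tenants and has no
# subscription-scope Owner; sandbox has a malformed ID and no Owner at all.
SUBSCRIPTIONS = [
    {"id": "b42775c8-99a0-40ac-b237-cebf45aa4b3e", "name": "prod", "tenantId": TENANT_A, "state": "Enabled"},
    {"id": "f2007bbf-f902-4b47-9336-cf7c6b89b378", "name": "dev", "tenantId": TENANT_A, "state": "Enabled"},
    {"id": "not-a-guid", "name": "sandbox", "tenantId": TENANT_A, "state": "Enabled"},
    {"id": "f2007bbf-f902-4b47-9336-cf7c6b89b378", "name": "dev", "tenantId": TENANT_B, "state": "Enabled"},
]
ROLE_ASSIGNMENTS = [
    {"principalName": "alice@bairavcloud.com", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/b42775c8-99a0-40ac-b237-cebf45aa4b3e"},
    {"principalName": "bob@bairavcloud.com", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/f2007bbf-f902-4b47-9336-cf7c6b89b378"},
    # Owner at resource-group scope only: does not count as a subscription Owner.
    {"principalName": "carol@bairavcloud.com", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/f2007bbf-f902-4b47-9336-cf7c6b89b378/resourceGroups/rg1"},
]

def subscription_owners(sub_id, assignments):
    """Principals holding Owner exactly at the subscription scope (case-insensitive match)."""
    scope = f"/subscriptions/{sub_id}".lower()
    return sorted(a["principalName"] for a in assignments
                  if a["roleDefinitionName"] == "Owner" and a["scope"].lower() == scope)

def check_subscriptions(subs, assignments):
    """Return (subscription_id, problem) pairs; an empty list means all rules hold."""
    findings = []
    tenants = defaultdict(set)
    for s in subs:
        tenants[s["id"]].add(s["tenantId"])
    for sub_id, tids in tenants.items():
        if not GUID_RE.match(sub_id):
            findings.append((sub_id, "subscription ID is not a GUID"))
        if len(tids) > 1:
            findings.append((sub_id, "subscription listed under more than one tenant"))
        if not subscription_owners(sub_id, assignments):
            findings.append((sub_id, "no Owner at subscription scope"))
    return findings

if __name__ == "__main__":
    for sub_id, problem in check_subscriptions(SUBSCRIPTIONS, ROLE_ASSIGNMENTS):
        print(f"{sub_id}: {problem}")
```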
I hope this clarifies the Azure subscription ID, offers, roles, and the link with Azure AD. Let’s move on to Google Cloud.
Google Cloud Project overview:
- In Google Cloud, we call a cloud account a Google Cloud project.
- A billing account is needed to create one or more Google Cloud projects.
- The account owner or creator is the billing account administrator for Google services.
- To sign up, you need an e-mail address and payment information.
- Multiple owners can exist at the project level, and they have full access to manage all services.
- Quotas and usage limits are bound to the Google Cloud project.
Structure of Billing Account:
A Google Cloud project must be linked to a billing account. The project acts as the resource boundary: it is the logical unit in which cloud resources are deployed. One billing account can have multiple projects. By default, up to 30 projects can be linked to a billing account; the limit can be increased by contacting Google support with a justification. Refer to the figure below, which shows 2 projects linked to the billing account ID xxx3432.
Google Cloud builds its resource hierarchy on the “Organization” resource. It represents an organization (for example, a company) and, when present, is the root node of the overall hierarchy. The organization resource is the hierarchical ancestor of folder and project resources. We will discuss this in detail in the next post.
Each Google Cloud project has the following:
- Project name: provided by you; human-readable and can be changed at any time (not unique).
- Project ID: provided by you or generated by Google Cloud (globally unique). It can only be set while you are creating the project and cannot be modified afterwards.
- Project number: generated by Google Cloud; an automatically assigned unique identifier for your project, highlighted in the figure below.
- The project ID is used in the names of many other Google Cloud resources, so any reference to the project or to related resources exposes the project ID and resource name.
As we have seen so far, every cloud provider needs boundaries for billing and for containing resources. The owner or user is linked to the cloud account in order to make payments or access resources. The table below compares the providers.
| Features | AWS | Azure | Google Cloud |
| --- | --- | --- | --- |
| Cloud account name | AWS Account | Azure Subscription | Google Cloud Project |
| Billing relationship (billed at) | AWS account level | Subscription level | Billing account level (not at project level) |
| Resource container and boundary | AWS account | Resource groups under a subscription | Google Cloud project |
| Account owner (billing owner and account creator) | Root user (only one owner) | Account admin (only one owner for billing) | Billing account admin |
| Account owner (resources) | The root user* creates the first IAM user as an admin | Multiple owners can be added + Service Administrator (classic) | The creator becomes the Owner; multiple owners can be added |
| User accounts | IAM users | Azure AD / guest users | IAM users |
| Account ID format | 12-digit all-numeric ID (auto-generated) | GUID based on offers** (auto-generated) | Project ID (you can provide it, but it must be unique); project number (unique, auto-generated) |
| Sample account ID | 123456789012 | f2007bbf-f902-4b47-9336-cf7c6b89b378 | Project ID: bairavcloud-2022; Number: 1434353535334 |
| Account alias name (can be modified at any time) | AWS account name | Subscription name | Project name |
| Account closure | Only the root user can do it | Owner of the subscription, or the account admin with service admin permissions | Billing account admin can do it |
I hope this simplifies the details we have covered so far. In the next part of this series, we will look at single versus multiple cloud accounts and the top 10 needs for multiple cloud accounts.
Good read and nice post. Thanks for helping us understand more about the cloud account alone.
Awesome Post
Thanks for the post