While preparing for the AZ-104: Microsoft Azure Administrator exam, many candidates wrestle with understanding how Azure resources can be moved between subscriptions. In the enterprise world, this decision often hinges on resource dependencies, service constraints, and compliance requirements. Let’s drill into a simulated migration scenario focused on subscription boundary resource migration and governance implications.
The Scenario
Tyrion Manufacturing operates a mature Azure environment. They currently have a subscription called TYRION-PROD-01 containing a mix of infrastructure-as-a-service (IaaS) VMs, managed disks, virtual networks, storage accounts, and a key Recovery Services vault.
The organization has decided to segment workloads by business units and created a new subscription called TYRION-PROD-02. Their Cloud Operations team needs to determine which resources can be seamlessly migrated between these subscriptions to align with enterprise governance and maintain compliance.
Key Requirements
Identify which resources from the TYRION-PROD-01 subscription can be moved to the new TYRION-PROD-02 subscription without violating platform constraints, ensuring minimal downtime and preserving resource integrity.
The Options
- A) VM1, StorageAccount1, VNet1, and VM1ManagedDisk only
- B) VM1 and VM1ManagedDisk only
- C) VM1, StorageAccount1, VNet1, VM1ManagedDisk, and RecoveryVault1
- D) RecoveryVault1 only
Correct Answer
B) VM1 and VM1ManagedDisk only
The Architect’s Analysis
Correct Answer
Option B: VM1 and VM1ManagedDisk only.
Step-by-Step Winning Logic
Azure resource move operations between subscriptions support IaaS VMs and managed disks seamlessly when dependencies are maintained. However:
- Virtual Networks (VNets) cannot be moved because they represent a foundational, regional networking resource tightly coupled with underlying physical infrastructure and IP addressing spaces. Moving them risks breaking connectivity dependencies.
- Storage Accounts can be moved only under certain conditions, predominantly if they contain no dependent active resources like VMs, or if data residency policies allow. Often, storage accounts with attached managed disks complicate the move.
- Recovery Services Vaults (RVAULTs) cannot be moved across subscriptions; they must remain in their original subscription because they maintain metadata of backup data tied to the tenant’s compliance and recovery policies.
This understanding aligns tightly with the Microsoft Cloud Adoption Framework (CAF) governance discipline enforcing compliance and operational excellence.
From a Well-Architected Framework (WAF) perspective:
- Reliability: Ensures backup services (Recovery Vault) remain consistent and unaffected.
- Operational Excellence: Minimizes risk by restricting moves of complex network resources.
- Security & Compliance: Ensures resources with compliance-bound configurations (Vaults) stay put.
- Cost Optimization: Avoids costly downtime by allowing VM and disk moves, supporting cost-efficient subscription reorganization without full redeployment.
The Traps (Distractor Analysis)
- Why not Option A? Including VNet1 is impractical since VNets are not movable due to platform restrictions.
- Why not Option C? Recovery Vaults are subscription-scoped and cannot be moved, and moving VNets is also disallowed.
- Why not Option D? Recovery Vaults alone cannot be moved and have complex dependency structures.
The Architect Blueprint
Diagram: Resource Migration Flow from TYRION-PROD-01 to TYRION-PROD-02
Diagram Note: Only VMs and their managed disks can be moved to the new subscription, preserving dependencies while network and backup vault resources remain in place to uphold governance.
The Decision Matrix
| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A | High | Medium | Includes critical network components | VNets cannot be moved, breaks connectivity |
| B | Low | Low | Seamless move of VMs and disks, minimal disruption | Does not separate network resources |
| C | Very High | Medium-High | Complete move including backups and network | Vaults and VNets not movable, complex failures |
| D | Medium | Low | Isolates data protection component | Vaults can’t be relocated - no workload move benefit |
Real-World Practitioner Insight
Exam Rule
Always remember: Virtual Networks and Recovery Services Vaults are subscription-scoped and cannot be migrated between subscriptions. Azure VM and disk moves are supported if dependencies are maintained.
Real World
In enterprise migrations, network segmentation is better handled by redeploying VNets in the target subscription with peering rather than moving VNets. Backup infrastructure remains tightly controlled and is often shared or manually re-registered in separate subscriptions following governance reviews.
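Before committing to a move set in a live tenant, each of the four options can be dry-run with Azure Resource Manager's validateMoveResources action, which tests a move without performing it. The script below is an added example, not part of the original page. The subscription IDs and the resource group names rg-source and rg-target are placeholders, and it assumes all five resources sit in one source resource group and that az exits non-zero when validation fails.

```sh
#!/bin/sh
# Added example: dry-run the answer options with ARM's validateMoveResources action.
# Subscription IDs and resource group names are placeholders; the page gives none.
SRC_SUB="${SRC_SUB:-00000000-0000-0000-0000-000000000001}"  # stands in for TYRION-PROD-01
DST_SUB="${DST_SUB:-00000000-0000-0000-0000-000000000002}"  # stands in for TYRION-PROD-02
SRC_RG="${SRC_RG:-rg-source}"                               # hypothetical
DST_RG="${DST_RG:-rg-target}"                               # hypothetical

# Full ARM ID of a resource in the source group. $1 = provider/type, $2 = name.
resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/%s/%s' \
    "$SRC_SUB" "$SRC_RG" "$1" "$2"
}

# JSON request body for validateMoveResources, built from the IDs passed as arguments.
move_body() (
  ids=""
  for id in "$@"; do ids="${ids:+$ids,}\"$id\""; done
  printf '{"resources":[%s],"targetResourceGroup":"/subscriptions/%s/resourceGroups/%s"}' \
    "$ids" "$DST_SUB" "$DST_RG"
)

# Ask Azure Resource Manager to validate the move; nothing is moved.
validate_move() {
  az resource invoke-action --action validateMoveResources \
    --ids "/subscriptions/$SRC_SUB/resourceGroups/$SRC_RG" \
    --request-body "$(move_body "$@")"
}

# Validate one labelled set and report the outcome. $1 = label, rest = resource IDs.
check() {
  label=$1; shift
  if validate_move "$@" >/dev/null; then echo "$label: validation passed"
  else echo "$label: blocked, see the az error above"; fi
}

VM=$(resource_id Microsoft.Compute/virtualMachines VM1)
DISK=$(resource_id Microsoft.Compute/disks VM1ManagedDisk)
SA=$(resource_id Microsoft.Storage/storageAccounts StorageAccount1)
VNET=$(resource_id Microsoft.Network/virtualNetworks VNet1)
VAULT=$(resource_id Microsoft.RecoveryServices/vaults RecoveryVault1)

if [ "${1:-}" = "--run" ]; then      # needs az login and rights on both subscriptions
  check "Option A" "$VM" "$SA" "$VNET" "$DISK"
  check "Option B" "$VM" "$DISK"
  check "Option C" "$VM" "$SA" "$VNET" "$DISK" "$VAULT"
  check "Option D" "$VAULT"
else                                  # default: only show the request for option B
  move_body "$VM" "$DISK"; echo
fi
```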