An Azure subscription is a container for your resources. Using multiple subscriptions gives you built-in security boundaries and separation of charges. Each Azure subscription is associated with a single Driver Worktag, and all charges incurred by that subscription will be posted (via DIT One Bill) to that Driver Worktag.
Common reasons departments or researchers use multiple Azure subscriptions include separating production workloads from dev/test, separating permissions, or using different funding sources (Driver Worktags).
Submit an IT support request that contains the following information.
Visit the Azure portal and log in with your Directory ID and passphrase. For more information, see Azure Portal Overview documentation.
UMD maintains a Unified Support contract with Azure which is available to all member Azure subscriptions. Administrators can use the Help + support portion of the Azure portal to open cases directly with Azure support. More information on the features and response times of Unified Support can be found at the following pages.
Azure maintains a shared responsibility model, whereby Azure is responsible for the security of the cloud itself, while the customer is responsible for the security of the resources in the cloud. In simple terms, this means that Azure is responsible for ensuring that the Azure Virtual Machines service itself does not get hacked, but you are responsible for ensuring that your virtual machine instances are not hacked.
Azure will not protect you from weak passwords, misconfigured firewalls, failure to apply patches in a timely manner, etc. For more information, see Shared Responsibility Model.
We provide 2 options for networking in Azure: Cloud Native and Campus Connectivity. Each model has its advantages and disadvantages. Please note that it is not possible to switch between these 2 models without deleting and re-creating your subscription and all resources, so careful planning and consideration is required. The Other option is reserved for specific use-cases. DIT staff are available to assist in making this decision if required.
The Cloud Native model provides no private access between your Virtual Network (VNet) and the campus network; all connectivity traverses the public internet. You may use whatever private addressing scheme you want for your VNet, and public connectivity will be via Azure-provided IP addresses. There is no security inspection/protection between your resources and the internet.
This model has the advantages of scale and reliability: you are not dependent on the UMD campus network, and you can allocate as large or as small a VNet as Azure will allow. You can also set up the VNets without the assistance of DIT. Its disadvantages are that there is no private connectivity to campus (such as to access on-campus databases) and that DIT provides no security protections.
The Campus Connectivity model provides direct access between your virtual network (VNet) and the campus network via a redundant 5GB ExpressRoute network. Your VNet will use UMD-allocated private address space. Firewalls both on-prem and in Azure can be configured to allow access in either direction. We can also provide a limited number of public IP addresses, which can be used for services that must be internet accessible (public web servers, for example).
All traffic in and out of your VNet is protected and inspected.
This model provides several advantages, such as direct access to campus resources and additional security protections, including the ability to use the Campus VPN for role-based access. Its disadvantages are a limit on the number of internet-facing resources (public IP addresses are a very limited resource) and restrictions on IAM permission assignments. It also requires the networking (VNet, subnets, route tables, etc.) to be configured by DIT.
We have a UMD Microsoft Azure Billing Process article covering all things Azure billing.
Complete and submit the following form to initiate the transfer of your external Azure subscription into our organization.
Some considerations to keep in mind when importing an existing account are:
We are unable to set up the Campus Connectivity networking option in an existing account.
Generally the subscription transfer process involves the following steps: