# Azure Architecture

In Azure, each service (e.g., VM, SQL server, App Service, etc.) is called a resource. The architecture that handles these resources is split into four levels:

<figure><img src="https://3234535347-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkU93ONAZiHsNgO6Mhocr%2Fuploads%2FEuXCIuyv1ygpHjnq4h1N%2Fimage.png?alt=media&#x26;token=0c8446e3-bfe6-47be-9846-015b9346e839" alt=""><figcaption></figcaption></figure>

#### Management Groups

* Management groups are used to manage multiple subscriptions
* There can be a single top-level management group (root) for each directory in Azure
* All subscriptions inherit the roles and conditions applied to the management group

#### Subscriptions

* An Azure subscription is a logical unit of Azure services that links to an Azure account
* An Entra ID Directory may have multiple subscriptions, but each subscription can only trust a single directory
* An Azure role applied at the subscription level applies to all the resources within the subscription

#### Resource Groups

* A resource group acts as a container for resources
* A resource group has its own Identity and Access Management settings for providing role-based access
* An Azure role applied to the resource group is applied to all the resources within the group

#### Resources

* A resource is a deployable item in Azure, such as a VM, App Service, Storage Account, etc.
* All resources must be inside a resource group and can only belong to a single resource group
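
Because roles are inherited down all four levels, reviewing who can reach a resource means checking every scope above it. The following is an added example, not part of the original page: it walks a resource ID up through its resource group, subscription and management groups and lists every role assignment that applies. The subscription ID, management group names, principals and assignments are constructed sample data.

```python
# Added example. All IDs, names and assignments are constructed sample data.
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
MG = "/providers/Microsoft.Management/managementGroups/"

# Constructed hierarchy: subscription -> management group -> parent (None = root).
SUB_PARENT = {SUB.lower(): "mg-prod"}
MG_PARENT = {"mg-prod": "mg-root", "mg-root": None}

# Constructed role assignments: (principal, role, scope the role was assigned at).
ASSIGNMENTS = [
    ("alice", "Owner", MG + "mg-root"),
    ("bob", "Contributor", SUB),
    ("carol", "Reader", SUB + "/resourceGroups/rg-web"),
    ("dave", "Contributor", SUB + "/resourceGroups/rg-db"),
    ("erin", "Reader", SUB + "/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm1"),
]


def scope_chain(resource_id):
    """Return every scope from the given one up to the root management group."""
    parts = resource_id.strip("/").split("/")
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        raise ValueError("expected a scope under /subscriptions/<id>")
    chain = []
    if len(parts) > 4:  # the resource itself
        chain.append("/" + "/".join(parts))
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        chain.append("/" + "/".join(parts[:4]))  # its resource group
    sub = "/" + "/".join(parts[:2])
    chain.append(sub)  # its subscription
    mg = SUB_PARENT.get(sub.lower())
    while mg is not None:  # walk up the management groups
        chain.append(MG + mg)
        mg = MG_PARENT.get(mg)
    return chain


def effective_assignments(resource_id):
    """Return (principal, role, assigned_at) for every assignment that applies."""
    chain = {s.lower() for s in scope_chain(resource_id)}  # IDs are case-insensitive
    return [a for a in ASSIGNMENTS if a[2].lower() in chain]


if __name__ == "__main__":
    vm = SUB + "/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm1"
    for principal, role, scope in effective_assignments(vm):
        print(f"{principal:6} {role:12} assigned at {scope}")
```

For the sample VM, only one of the four matching assignments is made on the resource itself; the other three reach it from the resource group, the subscription and the root management group.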
