Adopting an Alibaba Cloud multi-account strategy can provide many benefits without a lot of extra effort. Alibaba Cloud makes it quite easy to create new accounts on a whim and can simplify things with consolidated billing. Let’s take a look at why you might want to split your monolithic Alibaba Cloud account into micro-accounts. Before getting started, let’s get familiar with a few terms:
The basis of a well-architected multi-account Alibaba Cloud environment is Resource Management, an Alibaba Cloud service that enables you to centrally manage and govern multiple accounts.
An entity that you create to consolidate your Alibaba Cloud accounts so that you can administer them as a single unit. You can use the Alibaba Cloud Resource Management console to centrally view and manage all of your accounts within your organization. A resource organization has one master account along with zero or more member accounts. You can organize the accounts in a hierarchical, tree-like structure with a root at the top and folders nested under the root. Each member account can be directly in the root or placed in one of the folders in the hierarchy. A resource organization has the functionality that is determined by the feature set that you enable.
The parent container for all the accounts for your resource organization. If you apply a control policy to the root, it applies to all folders and member accounts in the resource organization.
Currently, you can have only one root. Resource Management automatically creates it for you when you create a resource directory.
A container for accounts within a root. A folder also can contain other folders, enabling you to create a hierarchy that resembles an upside-down tree, with a root at the top and branches of folders that reach down, ending in accounts that are the leaves of the tree. When you attach a control policy to one of the nodes in the hierarchy, it flows down and affects all the branches (folders) and leaves (member accounts) beneath it. A folder can have exactly one parent, and each member account can be a member of exactly one folder.
A standard Alibaba Cloud account that contains your Alibaba Cloud resources. You can attach a control policy to a member account to apply controls to only that one account.
There are two types of accounts in a resource organization: a single account that is designated as the master account, and member accounts.
- The master account is the account that creates the resource organization. From the organization’s master account, you can do the following:
- Create accounts in the organization
- Invite other existing accounts to the organization
- Remove accounts from the organization
- Manage invitations
- Apply policies to entities (roots, folders, or accounts) within the organization
The master account has the responsibilities of a payer account and is responsible for paying all charges that are accrued by the member accounts. You can’t change a resource directory’s master account.
- The rest of the accounts that belong to a resource directory are called member accounts. An account can be a member of only one resource directory at a time.
Control policies are a type of resource organization policy that you can use to manage permissions in your resource organization. Control policies offer central control over the maximum available permissions for all accounts in your organization. Additionally, control policies help you to ensure your member accounts stay within your organization’s access control guidelines.
Resource Group allows you to sort resources owned by your Alibaba Cloud account into groups. This simplifies the resource and permission management within your Alibaba Cloud account.
Tags are used to identify cloud resources. The tags allow you to categorize, search for, and aggregate resources that have the same characteristics from different dimensions.
Reasons to Adopt a Multi-Account Strategy
Now that we already know what Alibaba Cloud Resource Management is and how it works, let’s talk now about the reasons to adopt a multi-account strategy:
1. Centralized management of accounts and resources
You can allocate Alibaba Cloud accounts to different teams, projects, or products within your company ensuring that each of them can rapidly innovate while allowing for their own security requirements
2. Security and governance
Segmenting into multiple accounts helps to isolate workloads or applications that have specific security requirements, or need to meet strict guidelines for compliance. Additionally, having a “production” account separate from a “development” account lets you give broader access to your developers and operations teams based on which account they need access to.
3. Cost allocation and billing
Using multiple Alibaba Cloud accounts simplifies how you allocate your Alibaba Cloud cost by helping identify which product or service line is responsible for an Alibaba Cloud charge.
4. Adapt to business processes
You can easily organize multiple Alibaba Cloud accounts in a manner that best reflects the diverse needs of your company’s business processes that have different operational, regulatory, and budgetary requirements.
Ultimately, a multi-account Alibaba Cloud environment enables you to use the cloud to move faster and build differentiated products and services, all while ensuring you do so in secure, scalable and resilient manner.
About Roopu Cloud
If you have any questions or concerns about Alibaba Cloud, you can contact us. We are experts in building and implementing cloud solutions in the Alibaba Cloud platform as well as in other Chinese cloud platforms. Let us help you!