IBM Cloud Docs
Organizing IBM Cloud accounts and resources

Organizing IBM Cloud accounts and resources

After you complete your IBM Cloud account setup, consider the best practices for organizing your accounts and resources. The choices you make have a significant impact as you set up access management in later steps, as well as how well your organization can scale over time.

Each deployment of one of the reference architectures is single tenant, meaning the deployment is intended to be used by a single consumer. We recommend creating a new account for each deployment. If you have multiple consumers, then you need multiple accounts. Multiple individual accounts might quickly become unwieldy, so we recommend that you use an enterprise account.

Within an account, all resources managed by IBM Cloud Identity and Access Management (IAM) are placed into resource groups for access control and billing purposes.

For more information, see:

Organization for a single deployment within an account

VPC reference architecture

For the VPC reference architecture, it is recommended that you use two resource groups for each deployment:

  • Management - Holds all of the resources that are needed by your management VPC
  • Workload - Holds all of the resources that are needed by your workload VPC

This creates a clean separation between the layers. The following diagram shows such a layout.

Account with two resource groups for management and workload VPCs
Figure 1. Account with two resource groups for management and workload VPCs

While not shown in the diagram, it is also permissable to take isolation a step further and place your management VPC in one account and your workload VPC in another account.

Satellite reference architecture

For the Satellite reference architecture, you can put all of your IBM Cloud resources that are related to a single Satellite deployment into one resource group.

Account with one resource group for Satellite-related resources
Figure 2. Account with one resource group for Satellite-related resources

Organization for multiple deployments

It is required that you have separate test and production deployments of the reference architecture, and that those deployments are managed by separate accounts. This means you need at least two accounts, each with a dedicated resource group.

VPC reference architecture

The following diagram shows a depiction of this organization for the VPC reference architecture.

Multiple accounts for VPC reference architecture with two resource groups
Figure 3. Multiple accounts for VPC reference architecture with two resource groups

Satellite reference architecture

The following diagram shows a depiction of this organization for the Satellite reference architecture.

Multiple accounts for Satellite reference architecture
Figure 4. Multiple accounts for Satellite reference architecture

Scaling the number of deployments within an account

If for some reason you do not want to use an enterprise account and you have a limited number of consumers, then you might also consider a variation where you maintain separate resource groups for each deployment within an account.

VPC reference architecture

For the VPC reference architecture, this variation is shown in the following diagram. In this case, we still have a test and production account, but we create two new resource groups for each deployment.

Using two accounts with multiple resource groups for VPC reference architecture
Figure 5. Using two accounts with multiple resource groups for VPC reference architecture

While this reduces the number of accounts you need, it can also become problematic because each account is subject to quotas and service limits for VPC.

Satellite reference architecture

For the Satellite reference architecture, we still have a test and production account. We then create one new resource group for each deployment as shown in the following diagram.

Using two accounts with multiple resource groups for Satellite reference architecture
Figure 6. Using two accounts with multiple resource groups for Satellite reference architecture

Managing scalability with an enterprise

Rationale for using an enterprise

Unless you have a limited number of deployments and accounts, it is highly recommended that you use an enterprise. Large enterprises that allow an account structure, cross account networking, resource deployment, and billing to develop organically run the risk of encountering governance, scaling, security, and accounting issues. See Enterprise account architecture for recommendations on how to address these concerns across accounts so that a robust, compliant, and scalable solution can be achieved.

Organizing your enterprise

Within an enterprise, you can create multiple accounts and account groups. With this structure, you can easily manage many accounts and many deployments.

VPC reference architecture

The following diagram shows a single enterprise with one account group that contains separate accounts for each deployment of the VPC reference architecture.

Enterprise account organization with VPC reference architecture
Figure 7. Enterprise account organization with VPC reference architecture

When using enterprise accounts, it is recommended that you use one enterprise account for production and another enterprise account for development. See Planning your enterprise account structure for more information.

Satellite reference architecture

The following diagram shows an enterprise with one account group that contains separate accounts for each deployment of the Satellite reference architecture.

Enterprise account organization with Satellite reference architecture
Figure 8. Enterprise account organization

Next steps