Implementing a Sandbox Environment in Microsoft Azure
When working with Microsoft Azure, you may want an environment for learning, whether for an individual or a team.
This article aims to highlight some reference implementation considerations for implementing a Sandbox environment within the Microsoft Azure platform.
Overview
Cloud Sandboxes are contained, isolated environments that allow the evaluation of new Cloud services and features (without impacting production environments).
This follows from a previous article about Sandbox Design considerations but focuses on the implementation elements. This article aims to give you some ideas on how you can achieve Sandbox vending and is opinionated based on my experience. However, it's purely intended to show one (of many) possible ways. Just make sure you understand the business requirements and what you need to achieve.
One design area of the Ready phase of the Cloud Adoption Framework is the design and implementation of the Azure Landing Zone, so it would be remiss of me not to bring up Subscription vending.
"Subscription vending provides a platform mechanism for programmatically issuing subscriptions to application teams that need to deploy workloads."
Subscription Vending is the foundation of what we will discuss today: Sandbox vending.
I will base this article on Unmanaged Sandboxes (Subscription-scoped Sandboxes); however, much of the same information can be used across all Sandbox types.
Scenario
The scenario we will run through today is vending an Unmanaged (i.e., subscription-scoped) Sandbox per user or team, which is one way of implementing it.
To work through this scenario, we will use the following Disciplines of Cloud Adoption to separate the elements.
Discipline | Description |
---|---|
Cost Management | Cost is a primary concern for cloud users. Develop policies for cost control for all cloud platforms. |
Security Baseline | Policies and enforcement apply those requirements across network, data, and asset configurations. |
Resource Consistency | Resources can be configured consistently to manage risks related to onboarding, drift, discoverability, and recovery. |
Identity Baseline | Identity Baseline discipline focuses on ensuring that identity is consistently applied across cloud adoption efforts. |
Deployment Acceleration | Centralization, standardization, and consistency in approaches to deployment and configuration improve governance practices. |
Cost Management
FinOps
When working with a Sandbox environment, you need to be aware of the costs associated with it, and FinOps principles are key here.
Tags help you show back or charge back costs and assign resource owners.
Recommended Tags for a Sandbox environment could be:
- "costCenter": "sandbox"
- "costModel": "show-back"
- "environment": "sandbox"
- "resourceowner": "your_name"
- "project": "sandbox_project"
Although the Sandbox environment is for learning, you still need to be aware of its associated costs and keep these as lean as possible.
You can also implement Cost Management and Governance workbooks that allow Sandbox users access to interactive dashboards to help them understand their costs and usage.
- Governance workbook - Monitor the governance posture of your Azure environment. Leverage recommendations to address compliance issues.
- Cost optimization workbook - Give your engineers a single pane of glass for cost optimization with this handy Azure Monitor workbook.
Budgets
Implement Budgets for each Sandbox, assigned to the Sandbox owner.
Monthly resource spending should be forecast initially and amended as the footprint changes.
Budget alerts are set up to highlight unplanned spending, not to prevent it (i.e., they are alerting thresholds, not limits).
Each Sandbox environment could start with a consistent Budget, adjusted only by exception if required. Budgets are intended to drive Sandbox owners to keep their costs under control by having the information on hand.
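As an added example (not code from the original article), the following Bicep template, deployed at subscription scope, applies the recommended tags to a Sandbox subscription, assigns a custom Azure Policy that audits or denies resources created without the costCenter, environment and resourceowner tags, and creates a monthly budget whose actual-spend and forecast thresholds alert the Sandbox owner. The parameter names, the starting budget amount, the 80 % and 100 % thresholds and the Audit/Deny switch are my assumptions; the tag keys and values are the ones listed above.

```bicep
// Added example: cost-management baseline for one subscription-scoped sandbox.
// Deploy with: az deployment sub create --location <region> --template-file sandbox-cost.bicep \
//   --parameters sandboxOwner=<name> sandboxOwnerEmail=<email>
targetScope = 'subscription'

@description('Person accountable for the sandbox; written to the resourceowner tag.')
param sandboxOwner string

@description('Mailbox that receives budget alerts.')
param sandboxOwnerEmail string

@description('Monthly budget in the billing currency. Assumed starting value; change by exception.')
param monthlyBudgetAmount int = 200

@description('Budgets must start on the first day of a month; defaults to the current month.')
param budgetStartDate string = utcNow('yyyy-MM-01')

@description('Use Audit first to see drift without blocking deployments, then switch to Deny.')
@allowed([ 'Audit', 'Deny' ])
param missingTagEffect string = 'Deny'

// Tag keys every resource in the sandbox must carry (subset of the recommended tags).
var requiredTagKeys = [ 'costCenter', 'environment', 'resourceowner' ]

// Subscription-level tags so cost reports can be grouped and the owner is discoverable.
resource subscriptionTags 'Microsoft.Resources/tags@2022-09-01' = {
  name: 'default'
  properties: {
    tags: {
      costCenter: 'sandbox'
      costModel: 'show-back'
      environment: 'sandbox'
      resourceowner: sandboxOwner
      project: 'sandbox_project'
    }
  }
}

// Custom policy: any taggable resource missing one of the required keys is audited or denied.
resource requireTagsDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'sandbox-require-tags'
  properties: {
    policyType: 'Custom'
    mode: 'Indexed' // evaluate only resource types that support tags and location
    displayName: 'Sandbox: require cost-allocation tags'
    policyRule: {
      if: {
        anyOf: [for key in requiredTagKeys: {
          field: 'tags[\'${key}\']'
          exists: 'false'
        }]
      }
      then: {
        effect: missingTagEffect
      }
    }
  }
}

resource requireTagsAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'sandbox-require-tags'
  properties: {
    displayName: 'Sandbox: require cost-allocation tags'
    policyDefinitionId: requireTagsDefinition.id
    enforcementMode: 'Default'
  }
}

// Budget with alerting thresholds, not spending limits: an actual-spend alert at 80 %
// and a forecast alert when the month is predicted to exceed 100 % of the amount.
resource sandboxBudget 'Microsoft.Consumption/budgets@2021-10-01' = {
  name: 'sandbox-monthly-budget'
  properties: {
    category: 'Cost'
    amount: monthlyBudgetAmount
    timeGrain: 'Monthly'
    timePeriod: {
      startDate: budgetStartDate
    }
    notifications: {
      actualAbove80Percent: {
        enabled: true
        operator: 'GreaterThan'
        threshold: 80
        thresholdType: 'Actual'
        contactEmails: [ sandboxOwnerEmail ]
      }
      forecastAbove100Percent: {
        enabled: true
        operator: 'GreaterThan'
        threshold: 100
        thresholdType: 'Forecasted'
        contactEmails: [ sandboxOwnerEmail ]
      }
    }
  }
}
```

The policy is assigned with `enforcementMode: 'Default'`; deploying it first with `missingTagEffect=Audit` shows which existing resources would fail before you switch to `Deny`, which keeps the learning experience from being interrupted by a surprise deployment block. The budget's forecast notification is what gives the owner early warning, since the actual-spend alert only fires after the money has been spent.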
Security Baseline
Security is a key concern for any environment, and the Sandbox environment is no different; however, there are some tradeoffs. The key to a successful Sandbox environment is that it's an environment for learning, so the security controls you adopt will be lighter than in production. However, some stopgaps should still be implemented.
Defender for Cloud
Defender for Cloud is a cloud-native application protection platform (CNAPP) that consists of security measures and practices designed to protect cloud-based applications from various cyber threats and vulnerabilities.
Defender for Cloud should be enabled on all Sandboxes to help protect against threats and increase visibility. It is a great learning tool.
As people learn how to use Azure technologies, they may not necessarily know how to secure them or how their services might be adapted for a more secure environment. Defender for Cloud helps increase the knowledge around resources in alignment with current security best practices.
"While the security team is responsible for improving the security posture, team members might not actually implement security recommendations. Using governance rules driven by the security team helps you to drive accountability and an SLA around the remediation process."
Governance rules are key.
For example, using Tags, you could assign resource owners to resources and help drive accountability, alerts, and remediation. Defender for Cloud can be a great learning tool by informing your Sandbox users of potential security issues.
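As an added example (not the article's own code), this Bicep template, deployed at subscription scope, enables Defender for Cloud plans on a Sandbox subscription, routes alert emails to the Sandbox owner, and creates a governance rule that assigns recommendations to the person named in the resourceowner tag with a remediation timeframe, which is the tag-driven accountability described above. The choice of plans, the 14-day timeframe and the notification settings are my assumptions, and the assessment-key list is a placeholder to fill in from the Defender for Cloud recommendations reference.

```bicep
// Added example: Defender for Cloud baseline for a sandbox subscription.
// Deploy with: az deployment sub create --location <region> --template-file sandbox-defender.bicep \
//   --parameters securityContactEmail=<email>
targetScope = 'subscription'

@description('Mailbox that receives Defender for Cloud alert notifications.')
param securityContactEmail string

@description('How long the tagged owner has to remediate a recommendation (d.hh:mm:ss). Assumed value.')
param remediationTimeframe string = '14.00:00:00'

// Plans to enable (assumed selection). CloudPosture is the CSPM plan that produces the
// recommendations a governance rule acts on; the other two cover what learners deploy most.
var defenderPlans = [
  { name: 'CloudPosture', subPlan: '' }
  { name: 'VirtualMachines', subPlan: 'P1' }
  { name: 'StorageAccounts', subPlan: 'DefenderForStorageV2' }
]

// Pricings are enabled one at a time to avoid concurrent writes to the same provider.
@batchSize(1)
resource defenderPlan 'Microsoft.Security/pricings@2023-01-01' = [for plan in defenderPlans: {
  name: plan.name
  properties: union({ pricingTier: 'Standard' }, empty(plan.subPlan) ? {} : { subPlan: plan.subPlan })
}]

// Send Medium-and-above alerts to the sandbox owner and to anyone holding Owner on the subscription.
resource securityContact 'Microsoft.Security/securityContacts@2020-01-01-preview' = {
  name: 'default'
  properties: {
    emails: securityContactEmail
    alertNotifications: {
      state: 'On'
      minimalSeverity: 'Medium'
    }
    notificationsByRole: {
      state: 'On'
      roles: [ 'Owner' ]
    }
  }
}

// Governance rule: the owner is read from the resourceowner tag on each affected resource,
// is emailed about open recommendations, and has remediationTimeframe to fix them.
resource ownerGovernanceRule 'Microsoft.Security/governanceRules@2022-01-01-preview' = {
  name: guid(subscription().id, 'sandbox-owner-sla')
  properties: {
    displayName: 'Sandbox: assign recommendations to the resourceowner tag'
    description: 'Routes selected recommendations to the owner named in the resourceowner tag and tracks a remediation timeframe.'
    ruleType: 'Integrated'
    sourceResourceType: 'Assessments'
    rulePriority: 100
    isDisabled: false
    isGracePeriod: true // the recommendation is not counted as overdue until the timeframe lapses
    remediationTimeframe: remediationTimeframe
    conditionSets: [
      {
        conditions: [
          {
            property: '$.AssessmentKey'
            operator: 'In'
            // PLACEHOLDER: JSON-encoded list of recommendation (assessment) keys this rule covers.
            value: '["<ASSESSMENT-KEY-PLACEHOLDER>"]'
          }
        ]
      }
    ]
    ownerSource: {
      type: 'ItemTag'
      value: 'resourceowner'
    }
    governanceEmailNotification: {
      disableManagerEmailNotification: true
      disableOwnerEmailNotification: false
    }
  }
}
```

Because the rule resolves its owner from the resourceowner tag, it only works if that tag is actually present on resources, which is why the tag policy in the Cost Management section and this rule belong together: the policy guarantees the tag, and the rule turns it into an email and a due date for the person who created the resource.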
You should also consider abuse scenarios, such as the Sandbox environment being used as a route to exfiltrate data, so make sure you look at Purview and data sensitivity classification.