Home

Awesome

Azure - Considerations for Dev/Test "Sandboxes"

<br/> <br/> <p align="center"> <img src="./images/header.png"> </p>

<br/><br/>

Overview

This guide is intended to provide considerations when designing an Azure sandbox solution for your organizations Microsoft Azure focused cloud development teams. It will guide you through a thought process which is intended to help map out the reguirements in a logical way and also to provide some ideas of how to meet the various scenarios and needs of both the cloud development teams and Center IT Teams.

<br/>

Note: This is not a formal Microsoft recommendation but rather an opinion based upon experiances I've had when trying to solve these challenges with customers I've worked with and those of my fellow Cloud Solution Architects.

<br/>

What is a sandbox and why do organizations need them?

So what is a sandbox? No, it's not only a pit fall of sand for the kids to play in, it's also a reference to a "play area" for developers to play in, or more importantly - learn, build, test and innovate - in this case, on the Microsoft Azure cloud.

According to Wikipedia...

As everyone should know by now, developers and Production environments do not mix. No disrespect to developers (which are awesome by the way), but it's imperative that access and changes to Production systems is kept under tight control. It is also imperative that an organisation can innovate and grow at the pace it needs to within well defined, well managed guardrails. The intent of sandbox environments is to provide a safe enviroment that meets developers needs when it comes to learning, testing and innovation while protecting an organizations data and services.

<br/>

Sandbox Profiles

Like a lot of situations, there is not a 'one-size-fits-all' solution when it comes to cloud development sandboxes. On the one hand we have cloud developers that want to learn, build, test and innovate quickly. Then on the other hand, an organization needs to ensure that any development activity does not increase the risk of data exfiltration, exposes any security vulnerabilities, or put their organization at risk.

There is a need to balance flexibility and security. Acknowledging that there is not a 'one-size-fits-all' solution, we can see that not one, but multiple sandbox scenarios are required to meet both ends of the spectrum, and also fill the gap in between.

These are some guiding principles that I've seen work well:

Like many things in life, you can't keep everyone happy all the time, and finding the right balance can be tricky. There is however an approach that can go a long way to satisfying most requirements, and that is to consider, at minimum, the following three types of sandbox types:

  1. Highly Managed Sandbox - From a developer’s perspective, things are mostly managed for them within the sandbox.
  2. Lightly Managed Sandbox - From a developer’s perspective, this is the middle ground where management is a responsibly shared between developers and Central IT Teams.
  3. Isolated Sandboxes (Dedicated) - From a developer’s perspective, things are mostly managed by them within the sandbox.
<p align="left"> <img src="./images/overview.png"> </p>

Note: For a side-by-side table view of the various sandbox types, download this comparison summary PDF.

<br/>
<br/> <p align="left"> <img src="./images/sandbox-icon.png"> </p>

Highly Managed Sandbox:

From a developer’s perspective, things are mostly managed for them within this type of sandbox environment. A 'Highly Managed Sandbox' is designed mostly to provide self-service capabilities to developers including virtual machine provisioning, and curated solutions that are managed on their behalf.

This type of sandbox is intended for individual developers and/or development teams that require relatively simple and quick stand-up time typically through the use of some form of self-service capability, and would prefer someone else to cover most of the management overhead on their behalf.

Because this type of sandbox is more tightly controlled and is highly managed by a Centeral IT Team, it is more likely acceptable that there could be some form of networking connectivity back into Production and/or other restrictive environments.

<br/>

Note: Although self-service services can be very benefitual to developers and help them get moving quickly, organizations need to be aware of the time and effort involved as it can be a long journey to build up a catalog of services and reusable IaC (Infrastructure-as-Code) resources.

<br/> <p align="center"> <img src="./images/scale-high.png"> </p> <br/>

Example of Self-Service services:

<br/>

Highly Managed Sandbox Properties:

<br/>

Images for Highly Managed Sandbox:

<p align="center"> <a href="./images/dtl-overview-big.png"><img src="./images/dtl-overview-small.png"></a> </p>

<br/><br/>

<p align="center"> <a href="./images/dtl-networking-big.png"><img src="./images/dtl-networking-small.png"></a> </p>

<br/><br/>

<p align="center"> <a href="./images/ma-overview-big.png"><img src="./images/ma-overview-small.png"></a> </p>

<br/><br/>

<p align="center"> <a href="./images/custom-overview-big.png"><img src="./images/custom-overview-small.png"></a> </p> <br/>
<br/> <p align="left"> <img src="./images/sandbox-icon.png"> </p>

Lightly Managed Sandbox:

From a developer’s perspective, this is the middle ground where management is a responsibly shared between developers and Central IT Teams. This type of sandbox is designed mostly to provide a more flexible, managed sandbox environment compared to the ‘Highly Managed’ scenario.

This type of sandbox is intended for individual developers and/or development teams that require relatively simple and quick stand-up time but require a little more flexibility than that provided by the ‘Highly Managed’ sandbox.

One of the main differences between this type of sandbox compared to the 'Highly Managed' type is that developers can operate outside of typically more restrictive Self-Service services and can have a bit more freedom within the context of Resource Groups.

<br/> <br/> <p align="center"> <img src="./images/scale-light.png"> </p> <br/> <br/>

Example of tooling:

<br/>

Lightly Managed Sandbox Properties:

<br/>

Images for Lightly Managed Sandbox:<p align="center"> <a href="./images/light-overview-big.png"><img src="./images/light-overview-small.png"></a>

</p> <br/>
<br/> <p align="left"> <img src="./images/sandbox-icon.png"> </p>

Isolated Sandboxes - Dedicated:

From a developer’s / project teams perspective, things are mostly managed by them within this type of sandbox environment. An 'Isolated Sandbox' is designed mostly to provide dedicated, isolated environments which provide the highest degree of customisation and self-management that is largely the responsibility of the individual sandbox subscription owners/project teams.

This type of sandbox is intended for larger product / application development teams that require a much higher level of control without the resrictions that are typically present in more highly managed environments, and would prefer to cover most of the management overhead themselves.

Because this type of sandbox has less controls enforced and is not managed by a Centeral IT Team, it should be prevented from most forms of networking connectivity (or other integration) with other environments including Production and other restrictied enviromnets without exception.

<br/>

Note: In scenarios where workloads require integration into Production or other restrcited environmnets, it would typically be better to consider the ‘Lightly Managed’ sandbox type.

<br/> <p align="center"> <img src="./images/scale-isolated.png"> </p> <br/>

Example Tooling:

<br/>

Isolated Sandbox Properties:

<br/>

Images for Isolated Sandbox:

<p align="center"> <a href="./images/isolated-overview-big.png"><img src="./images/isolated-overview-small.png"></a> </p> <br/>
<br/>

Reference Links

<br/><br/>

<!-- Local --> <!-- External -->