Why your Azure tenant needs sandbox subscriptions
September 22, 2023
Nathan Lasnoski

Hello, fellow cloud enthusiasts! Today I’m going to talk about a very important topic: sandbox landing zones in the Cloud Adoption Framework. If you’re not familiar with the Cloud Adoption Framework, it’s a set of best practices and guidance from Microsoft to help you plan and implement your cloud journey. Sandbox landing zones are isolated environments where you can test and experiment with Azure resources without affecting your production, development, or user acceptance testing (UAT) environments. They’re like playgrounds for cloud architects, engineers, and developers who want to try new things, learn new skills, or conduct proofs of concept (POCs) before deploying them to the real world.

Sounds awesome, right? But how do you create and manage sandbox landing zones? And what are some of the best practices to follow? Don’t worry, I’ve got you covered. In this blog post, I’ll explain everything you need to know about sandbox landing zones in the Cloud Adoption Framework. Let’s get started!

What are sandbox landing zones?

Sandbox landing zones are Azure subscriptions that are placed in a dedicated management group called the sandbox management group. This management group is part of the enterprise-scale architecture (now usually called the Azure landing zone architecture) that the Cloud Adoption Framework recommends for organizing your Azure resources. You can learn more about the enterprise-scale architecture here: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/implementation

The sandbox management group inherits policies from the management groups above it in the hierarchy: the tenant root group and the intermediate root management group for your organization (commonly named after the company, for example “Contoso”). In the reference architecture the sandbox management group is a sibling of the platform and landing zones management groups, not a child of them, so platform-specific assignments do not flow down into sandboxes and sandbox-specific denies never leak into production.
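To make the inheritance chain and the sandbox-specific denies (described in the next section) concrete, here is an added Python example. It is my illustration, not code from this post or from the Azure landing zone reference implementation: it models a small management group tree, assigns an allowed-locations rule at the intermediate root and two sandbox guardrails at the sandbox management group, then evaluates constructed deployment requests the way Azure Policy walks the scope chain. The subscription IDs, management group names, assignment names and policy aliases are all assumptions made for the example; the real definitions are linked in the policies section below.

```python
"""Offline evaluator for the 'policyRule' documents Azure Policy uses.

Added example for this post, not code from the article or from the Azure landing
zone (ALZ) reference implementation. The rules are modelled on the ALZ sandbox
guardrails (deny cross-subscription VNet peering; deny ExpressRoute/VPN/vWAN)
plus an inherited allowed-locations rule. Alias strings, scope and assignment
names and every sample resource are constructed; check them against the
published definitions before reusing them.
"""
# Constructed subscription IDs, in the '/subscriptions/<guid>' form that
# subscription().id returns inside a policy rule.
SANDBOX_SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
PROD_SUB = "/subscriptions/22222222-2222-2222-2222-222222222222"

ALLOWED_LOCATIONS = {  # assumed at the intermediate root MG, so inherited by every child
    "if": {"field": "location", "notIn": ["eastus", "westeurope"]},
    "then": {"effect": "Deny"},
}
DENY_CROSS_SUB_PEERING = {  # sandbox MG: the remote VNet must be in this subscription
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"},
        {"field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
         "notContains": "[subscription().id]"},
    ]},
    "then": {"effect": "Deny"},
}
DENY_HYBRID_NETWORKING = {  # sandbox MG: no ER circuits, Virtual WANs or VPN/ER gateways
    "if": {"anyOf": [
        {"field": "type", "in": ["Microsoft.Network/expressRouteCircuits", "Microsoft.Network/virtualWans"]},
        {"allOf": [
            {"field": "type", "equals": "Microsoft.Network/virtualNetworkGateways"},
            {"field": "Microsoft.Network/virtualNetworkGateways/gatewayType", "in": ["Vpn", "ExpressRoute"]},
        ]},
    ]},
    "then": {"effect": "Deny"},
}
# Management-group tree, child -> parent. Sandbox is a sibling of Platform and
# Landing Zones under the intermediate root, not a child of Platform.
PARENT = {"Sandbox": "Contoso", "Platform": "Contoso", "Landing Zones": "Contoso",
          "Contoso": "Tenant Root Group", "Tenant Root Group": None}
ASSIGNMENTS = {
    "Contoso": {"Allowed-Locations": ALLOWED_LOCATIONS},
    "Sandbox": {"Deny-VNET-Peer-Cross-Sub": DENY_CROSS_SUB_PEERING,
                "Deny-HybridNetworking": DENY_HYBRID_NETWORKING},
}


def scope_chain(mg):
    """Yield a management group and each ancestor: the path assignments inherit along."""
    while mg is not None:
        yield mg
        mg = PARENT[mg]


def field_value(resource, field):
    """Resolve 'type'/'location' directly, or an alias '<type>/<prop>.<sub>' from
    resource['properties']; an alias for another resource type resolves to None."""
    if field in ("type", "location"):
        return resource.get(field)
    prefix = resource["type"] + "/"
    if not field.startswith(prefix):
        return None
    node = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node


def matches(cond, resource, ctx):
    """Evaluate an allOf / anyOf / not tree down to single field conditions."""
    if "allOf" in cond:
        return all(matches(c, resource, ctx) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, ctx) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, ctx)
    actual = field_value(resource, cond["field"])
    if actual is None:  # simplification: a missing alias never matches, so rules gate on type first
        return False
    op, expected = next((k, v) for k, v in cond.items() if k != "field")
    expand = lambda v: ctx["subscription_id"] if v == "[subscription().id]" else v
    expected = [expand(e) for e in expected] if isinstance(expected, list) else expand(expected)
    ops = {"equals": lambda: actual == expected, "notEquals": lambda: actual != expected,
           "in": lambda: actual in expected, "notIn": lambda: actual not in expected,
           "contains": lambda: expected in actual, "notContains": lambda: expected not in actual}
    return ops[op]()


def denied_by(resource, mg, subscription_id):
    """Sorted names of Deny assignments, at this scope or any ancestor, that match."""
    ctx = {"subscription_id": subscription_id}
    return sorted(name for scope in scope_chain(mg)
                  for name, rule in ASSIGNMENTS.get(scope, {}).items()
                  if rule["then"]["effect"] == "Deny" and matches(rule["if"], resource, ctx))


def peering(remote_sub):
    """Constructed peering request whose remote VNet lives in `remote_sub`."""
    return {"type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
            "properties": {"remoteVirtualNetwork": {
                "id": remote_sub + "/resourceGroups/net-rg/providers/Microsoft.Network/virtualNetworks/hub"}}}


if __name__ == "__main__":
    print(denied_by(peering(SANDBOX_SUB), "Sandbox", SANDBOX_SUB))  # []
    print(denied_by(peering(PROD_SUB), "Sandbox", SANDBOX_SUB))     # ['Deny-VNET-Peer-Cross-Sub']
```

Three things to take from running it. A peering whose remote network is in the same subscription passes, while one pointing at the hub in another subscription is denied by the sandbox assignment alone. A VPN gateway in a region the intermediate root forbids is denied twice, once by the inherited allowed-locations rule and once by the sandbox hybrid-networking rule, whereas the same request under the Landing Zones sibling only hits the inherited rule, which is exactly the sibling-not-child relationship described above. And a Private Endpoint passes every rule here, which is the caveat to keep in mind: these guardrails stop network bridges, not every path to another subscription’s data.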
These policies define the governance and compliance rules for your Azure environment, such as which regions, resource types, and naming conventions are allowed or denied.

However, the sandbox management group also has its own policies that are specific to sandboxes. These policies are designed to ensure that sandboxes are isolated from other environments, have limited access and permissions, and have cost controls and expiration dates. For example, some of the policies that are applied to sandboxes are:

- Deny virtual network peering cross subscription: prevents a sandbox virtual network from peering with a virtual network in another subscription. Peering is the main route by which a sandbox could reach the hub or a production network, so it is denied outright.
- Deny ExpressRoute/VPN/Virtual WAN creation: prevents sandboxes from creating ExpressRoute circuits, VPN gateways, or Virtual WAN hubs that could link them to other networks or to on-premises systems.
- Deny public IP address creation: prevents sandboxes from exposing resources directly to the internet.
- Enforce tag and its value: requires every sandbox to carry a tag called “sandbox” with a value of “true”. This helps identify and track sandbox resources in cost reports, inventories, and incident triage.
- Enforce budget: ensures each sandbox has a budget that raises an alert when the limit is reached or exceeded. Azure Policy cannot cap spend by itself, so this is typically a DeployIfNotExists policy that creates a Cost Management budget with alert thresholds and an action group that notifies the owner.
- Enforce expiration date: ensures each sandbox carries an expiration date (usually as a tag) that triggers an action when it is reached, such as deleting the sandbox resources or moving the subscription to a decommissioned management group.

The first two are assigned at the sandbox management group in the enterprise-scale reference implementation; the public IP deny is assigned to corporate landing zones there, and the tag, budget, and expiration controls are custom guardrails that organizations commonly layer on top. Note what the denies do not cover: they block network-level bridges, but they do not by themselves stop a sandbox from reaching resources in other subscriptions over their public endpoints or through Private Endpoints, so identity and data-plane controls still matter. You can find more information about the policies that are included in the enterprise-scale reference implementations here: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/policies

Why do you need sandbox landing zones?

Sandbox landing zones are useful for several reasons. Here are some of the benefits of using them:

They provide a safe and controlled environment for learning and experimenting with Azure resources.
You can test different scenarios, configurations, and features without worrying about breaking anything or affecting other environments.

They enable faster and easier innovation and prototyping. You can quickly spin up and tear down sandboxes as needed, with a lightweight request process instead of the full approval and provisioning workflow used for production landing zones. You can also use sandboxes to validate new Azure services or resources before formally approving them for your organization.

They reduce costs and risks. By using sandboxes, you keep experiments out of production subscriptions, where half-finished resources would otherwise accumulate cost and configuration drift. Isolating sandboxes also limits the blast radius of a mistake or a compromised experiment: a misconfigured sandbox cannot peer into the hub or reach on-premises systems. The isolation is network-level, not identity-level, though. A sandbox subscription still lives in the same Microsoft Entra tenant, so service principals, role assignments, and secrets created there deserve the same care as anywhere else.

What are some best practices for sandbox landing zones?

Here are some best practices that you should follow when using sandbox landing zones:

Use a naming convention for your sandboxes. This helps you identify and organize your sandboxes easily. For example, you can use a prefix like “sandbox-” followed by a descriptive name for your sandbox, such as “sandbox-webapp-poc” or “sandbox-vm-test”.

Use tags for your sandboxes. This helps you track and manage your sandboxes effectively. For example, you can use tags like “owner”, “project”, “purpose”, and “status” to provide more information about your sandboxes, and to make sure every sandbox has a named person to contact when its budget alert fires or its expiration date arrives.

Use budgets for your sandboxes. This helps you control and optimize your costs. For example, you can set a budget limit for each sandbox, configure alerts when a percentage of the limit is reached, and configure an automated action when it is exceeded.

Use expiration dates for your sandboxes. This helps you avoid wasting resources and money on sandboxes that are no longer needed or used. For example, you can set an expiration date for each sandbox and configure actions like deleting the sandbox resources or moving the subscription to a decommissioned management group when the date is reached.

Use feedback loops for your sandboxes. This helps you improve and learn from your experiments.
For example, you can document your findings and outcomes from your sandboxes and share them with your team or organization. You can also use tools like GitHub or Azure DevOps to collaborate and iterate on your sandboxes, and to promote anything that graduates from a sandbox into your infrastructure-as-code repository rather than recreating it by hand in production.

Conclusion

Sandbox landing zones are a great way to learn and experiment with Azure resources in a safe and controlled environment. They enable faster and easier innovation and prototyping, while reducing costs and risks. By following the Cloud Adoption Framework guidance and best practices, you can create and manage sandbox landing zones effectively and efficiently.

I hope you enjoyed this blog post and learned something new about sandbox landing zones in the Cloud Adoption Framework.

Happy clouding!