Sandbox environments provide an efficient and cost-effective means of testing new features, assessing security configurations, isolating code executions, and troubleshooting technical issues. Through shared testing instances, they can also be powerful tools for collaboration, all without impacting your production environment.
By leveraging Azure Virtual Machines alongside multiple storage options, Azure Sandbox allows you to experiment with application development, application testing, training and onboarding, and even proof of concept demonstrations alongside Azure capabilities, features, and services. However, you must first define both your use case and your security policies.
This piece provides an overview of how to create, configure, and launch Azure Sandbox for testing and training, along with recommended best practices.
Why Create an Azure Sandbox?
By creating a sandbox environment in Azure, you gain all the benefits of a full IT lab at a fraction of the cost. This allows you to accelerate both software development and sales enablement without the considerable expense that normally entails. More importantly, you can do this without disrupting or exposing your production environment.
How to Create a Sandbox Environment in Azure
First Steps
When you create your Microsoft Azure account, you’ll start as a free user with the option of a trial period and $200 in credit. If you intend to leverage Azure for anything other than personal use, this is not recommended. In order to create an Azure Sandbox, you’ll need a subscription.
You’ll also need the following:
- An Azure Active Directory tenant for identity and access management (IAM). This can be an existing AAD tenant, though you can alternatively create a new Azure AD tenant either manually or via the directory creation experience.
- An Owner Azure RBAC role assigned to the account with an Azure subscription and a Contributor role for end users. Make sure you verify that both roles have the permissions they require.
- A clear idea of your required resources, services, and Azure components.
Configuring Your Azure Cloud Environment
Before you can start creating sandboxes, you must first set up Azure Cloud. Start by creating a resource group (or several, if you have more than one use case for Azure Sandbox). Next, you’ll want to determine how you provision your resources.
You have several options:
- Manual provisioning.
- Azure Resource Manager (ARM) templates.
- Powershell scripts.
- Azure CLI commands.
With your resources created and provisioned, create a virtual network through the Azure portal, then create one or more subnets. Finally, create a Network Security Group with inbound and outbound access rules and assign it to your subnets. These rules should be based on a zero trust network access (ZTNA) framework.
Securing Azure Sandbox
Although your Azure Sandbox is separate from your production environment, sandbox accounts can still be incredibly valuable to threat actors. Not only can they potentially gain access to sensitive resources, they may be able to probe a simulation of your network for vulnerabilities. To keep both your sandbox and your Active Directory deployment safe, you should employ the following security measures:
- Use Azure Active Directory for Identity and Access Management. This will allow you to blend security with convenience through single sign on, multi factor authentication, role-based access control, seamless application management and identity governance.
- Enable Azure Security Center, and use it alongside Azure Monitor and Azure Analytics to keep track of all sandbox activity.
- If accidental modification or deletion of resources and resource groups is a concern, enforce resource locks.
- Use Azure Policy to define and enforce rules related to corporate and regulatory compliance. Potential controls could include:
- Require specific service configurations.
- Resource tagging.
- Automatic deletion of unused resources or instances.
- Role-based access controls.
- Standardized application deployments.
- Restrict public Internet access to certain resources.
- Apply further isolation to your sandbox environment via Azure Virtual Networks.
- Deploy an endpoint protection solution such as Windows Defender.
- Assign user roles and permissions based on the principles of Least Privilege.
How to Open Azure Sandbox
Once Azure Cloud is configured, you can create an Azure Sandbox environment with the following steps:
- Sign in to the Azure Portal, and click on Create a Resource on the dashboard.
- Select the “Sandbox” option, then click Create.
- Select your subscription, resource group, and Virtual network.
- Choose which products and services you want to include in your sandbox.
- Name your sandbox and select your region.
- Click on “Review + Create” followed by Create.
Best Practices for Azure Sandbox
Control Your Environments
In order to keep your production environment fully separate from your development and testing environment, it may be worthwhile to create a separate Azure subscription exclusively for Azure Sandbox. This also provides you with more control over your sandbox environments, as you can apply whatever policies you require without worrying about their impact on production.
Embrace Automation
You can further streamline your Azure Sandbox deployments by automating resource and configuration management through a tool like Azure DevOps. Automation can also help reduce unnecessary spend by cleaning unused or underutilized resources, preventing unauthorized access, and applying updates.
Limit Instances and Resources
Azure comes with a number of built-in tools for quota management that you can use to limit resource usage for both individual sandbox instances and resource groups. It is recommended that you leverage these capabilities. Otherwise, you may be hit with unexpected costs.
Similarly, you should also limit the regions in which users can create resources, both to reduce latency and to reduce the likelihood of forgotten instances.
Manage Your Versioning with Source Control Tools
Azure DevOps, one of the many utilities packaged with the Azure Cloud, includes built-in source control tools to help your team keep track of changes in both testing and production. You can also use a repository such as Git.
Using Azure Sandbox for Testing and Development
Create an Azure DevTest Lab
One of the most powerful services available through Azure is the capacity to create a sandboxed Azure DevTest Lab .
This virtual IT lab that can be used for everything from testing and training to development. The service allows users to quickly create and share both infrastructure-as-a-service virtual machines and platform-as-a-service environments. These instances can be created via preconfigured bases, Azure Resource Manager templates, or custom artifacts.
The process for creating a DevTest lab is very similar to creating an Azure Sandbox — log into the Azure Portal, click on Create a Resource, search for and select DevTest Labs, and enter in all requisite information.
Next Steps: Discover an Easier Way to Explore Azure Sandboxing
Azure Sandbox is an incredibly versatile service, made all the more valuable by the Azure Cloud’s extensive toolkit. But that versatility can be a double-edged sword. An improperly-configured cloud or sandbox can do more harm than good, driving up costs and exposing sensitive assets to bad actors.
That’s where CloudShare comes in. Our nimble, on-demand sandbox environments are the perfect complement for Azure Cloud, and we ensure that no matter how complex your requirements and use case are, spinning up a new instance requires only a few clicks. Our specialized virtual IT labs offer simplified setup wizards, VM import, and a huge library of licensed templates while also integrating readily with the most popular development tools.
Ready to get started with your next Azure sandbox? Learn more about sandboxing with CloudShare and how it can save time, reduce costs, and support collaborative software development in your organization.
