Governing Cloud Sprawl
Junk drawers are great for kitchens. I get to throw whatever tools I'll eventually need into a single drawer and forget they exist until I critically need one. Once I remember the hex wrench is in the junk drawer and go to look for it, I can't find it in the disorganized mess. Ultimately, I end up buying a new hex wrench of the wrong size, trying a screwdriver unsuccessfully, and eventually reaching for super glue, only to find the wrench I was looking for immediately after I've damaged the screw. Oh well! My shiny new hex wrench goes in the junk drawer, and I'll repeat the process later. Fortunately, I keep a smart group of people around me who suggest things like magnetic bars in my garage to store small tools on, and specific jars for screws, nails, washers, nuts, and bolts.
Azure Junk Drawers Are a Recipe for Disaster
Okay, let us be honest: junk drawers are NOT a fantastic idea for kitchens. They are even worse for the cloud. Imagine mixing development, QA, and production resources in a single bucket. Sorting through that junk drawer to find the resource you need, right when you need it, can lead to production outages at critical times. Maintaining permissions when everyone is in your Azure junk drawer is hard as well, and often means granting access resource by resource, usually more than is needed, which leads to mistakes. Discarded VMs from decommissioned projects, spending money for no gain for months or potentially years in the back of the Azure junk drawer, can cost hundreds of dollars per month; over years, that cost overrun eats into revenue that could have funded continued innovation.
Avoid the Crisis of Trying to Find Something During a Crisis
Early in my career as a developer, an aging part of our software platform suffered a SQL injection attack. I had the pleasure of watching a trusted and experienced team check databases for what had been accessed, scan machines for vulnerabilities, contact clients to describe the problem, restore databases to a state prior to the attack, and resume full operation within hours. We were not specifically targeted; many other organizations were hit by the same attack, and days later we saw that other organizations were struggling to restore operational integrity. This was all on-premises, and we had a strong understanding of our platform assets, what was susceptible to attack, and how to rectify it. If we had not had strong governance around considerations such as naming, we would have had a much harder time resolving the issue. An effective governance strategy in Azure has many facets, and addressing a compromised resource may involve tearing down a resource group and all its resources entirely and rebuilding within minutes. When everything is in the same drawer, potentially a drawer labeled "DEV," tearing down that drawer can represent days of recreation. When the drawer says "PROD," this could mean lost revenue for days or weeks. When the drawer says "CHAOS," your business is at risk.
Azure Governance Easy Buttons
- Compartmentalize resources with management groups and subscriptions
- Create a tagging policy to test that required tags exist, such as an environment tag
- Create a tagging policy that appends additional tags to resources
Governance features built into Azure itself are first-class citizens. Using management groups to represent our organizational structure, we can limit access to subscriptions: developers would not have access to production subscriptions. Products should align to a subscription. Any deployment to Azure can be tested for a matching tag before it is allowed into the subscription (one policy with a deny effect), and another policy appends the team and scope tags automatically if the deployment does not already carry them (a policy append effect). Now we can be certain that we can find all resources when we need them, and that they are in the right environment. During a cost audit we know which team created a resource, so we can talk to that team about justifying the cost. During a threat modeling exercise, we can be certain all the resources are identified. If you already have a mess in Azure, leveraging governance is the first step to sorting out your junk drawers.
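The two tagging policies described above, as an added example that is not part of the original post or of any Microsoft sample: the first definition denies any taggable resource whose environment tag is missing or outside an allowed set, the second appends a team tag when a deployment omits it. The management group id, subscription id, tag names and allowed values are assumptions (placeholders) to be replaced for your tenant; the rule and parameter files are written by the script itself so they can be inspected before anything is deployed.

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Two Azure Policy definitions
# implementing the "easy buttons": deny on a missing/invalid environment tag,
# append an owning-team tag. MG_ID and SUB_ID are assumed placeholders.
set -eu

MG_ID="${MG_ID:-mg-platform-placeholder}"     # assumed management group id
SUB_ID="${SUB_ID:-00000000-0000-0000-0000-000000000000}"  # assumed subscription id
OUT_DIR="${OUT_DIR:-./policies}"

# Write the policyRule and parameter files for both policies into $1.
write_policy_files() {
  dir="$1"
  mkdir -p "$dir"

  # Policy 1: deny when the tag is absent OR its value is not in allowedValues.
  # Evaluated at deployment time, so the resource is never created.
  cat > "$dir/require-env-tag.rules.json" <<'EOF'
{
  "if": {
    "anyOf": [
      { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" },
      { "field": "[concat('tags[', parameters('tagName'), ']')]", "notIn": "[parameters('allowedValues')]" }
    ]
  },
  "then": { "effect": "deny" }
}
EOF
  cat > "$dir/require-env-tag.params.json" <<'EOF'
{
  "tagName": { "type": "String", "metadata": { "displayName": "Tag name" } },
  "allowedValues": { "type": "Array", "metadata": { "displayName": "Allowed tag values" } }
}
EOF

  # Policy 2: append a tag with a fixed value when the deployment omits it.
  cat > "$dir/append-tag.rules.json" <<'EOF'
{
  "if": { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" },
  "then": {
    "effect": "append",
    "details": [
      { "field": "[concat('tags[', parameters('tagName'), ']')]", "value": "[parameters('tagValue')]" }
    ]
  }
}
EOF
  cat > "$dir/append-tag.params.json" <<'EOF'
{
  "tagName":  { "type": "String", "metadata": { "displayName": "Tag name" } },
  "tagValue": { "type": "String", "metadata": { "displayName": "Tag value" } }
}
EOF
}

# Define both policies at the management group (inherited by every subscription
# under it), deny the environment tag MG-wide, and append the team tag per
# subscription so each product subscription carries its own team value.
deploy_policies() {
  dir="$1"; mg="$2"; sub="$3"
  mg_scope="/providers/Microsoft.Management/managementGroups/$mg"

  az policy definition create --name require-env-tag --mode Indexed \
    --management-group "$mg" --display-name "Require an environment tag" \
    --rules "$dir/require-env-tag.rules.json" --params "$dir/require-env-tag.params.json"
  az policy assignment create --name require-env-tag --scope "$mg_scope" \
    --policy "$(az policy definition show --name require-env-tag --management-group "$mg" --query id -o tsv)" \
    --params '{ "tagName": { "value": "environment" }, "allowedValues": { "value": ["dev", "qa", "prod"] } }'

  az policy definition create --name append-team-tag --mode Indexed \
    --management-group "$mg" --display-name "Append the owning team tag" \
    --rules "$dir/append-tag.rules.json" --params "$dir/append-tag.params.json"
  az policy assignment create --name append-team-tag --scope "/subscriptions/$sub" \
    --policy "$(az policy definition show --name append-team-tag --management-group "$mg" --query id -o tsv)" \
    --params '{ "tagName": { "value": "team" }, "tagValue": { "value": "platform-engineering" } }'
}

write_policy_files "$OUT_DIR"
# Deployment changes the tenant, so it runs only when asked for explicitly:
#   MG_ID=<mg-id> SUB_ID=<sub-id> sh governance-policies.sh deploy
if [ "${1:-}" = "deploy" ]; then
  deploy_policies "$OUT_DIR" "$MG_ID" "$SUB_ID"
fi
```

Running the script with no arguments only writes the four JSON files under `./policies`, which is the right moment to review the rules and check them against a test deployment. Two points worth knowing before assigning them: the deny policy blocks only new or updated resources, so existing untagged resources in the drawer stay untagged until a compliance scan lists them; and Microsoft documents the Modify effect as the preferred replacement for Append on tags, because Modify can also remediate resources that already exist.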
Avoiding Junk Drawers Entirely
From a governance and cloud maturity perspective we can also leverage Azure Blueprints where our infrastructure is also codified and governed within our organization. Blueprints can be iterated on a lot like source code. The easiest junk drawers to sort out are the ones that never existed in the first place!
How are you managing your resources in Azure? Ask yourself some simple questions:
- Do you know where your Azure resources are being created?
- Are your resource creation standards consistent?
- Are your resource creation standards enforceable?
- Can you decommission projects with confidence?
- Can you recreate resources in Azure with confidence?
If you don't know the answers to these questions, you have some degree of Azure junk drawer. If you want to learn more about cloud governance, download our Azure Governance Playbook today!