What is Cloud Sprawl & How Do I Avoid It?

Posted by Phil DeVeau - January 15, 2021

An effective governance strategy in Azure has many facets and addressing a compromised resource may involve tearing down a resource group and all its resources entirely and rebuilding within minutes.


Governing Cloud Sprawl

Junk drawers are great for kitchens.  I get to throw whatever tools I’ll eventually need into a single drawer and forget they exist until I critically need to find one. Once I remember the hex wrench is in the junk drawer and go to look for it, I can’t find it in the disorganized mess of the drawer.  Ultimately, I end up buying a new hex wrench of the wrong size, trying to use a screwdriver unsuccessfully, and eventually super glue; only to immediately find the wrench I was looking for after I’ve damaged the screw.  Oh well!  My new shiny hex wrench goes in the junk drawer, and I’ll repeat the process again later.  Fortunately, I maintain a smart group of people around me who suggest things like magnetic bars in my garage I can store small tools on, and specific jars for screws, nails, washers, nuts, and bolts. 

Azure Junk Drawers Are a Recipe for Disaster 

Okay, let’s be honest: junk drawers are NOT a fantastic idea for kitchens.  They are even worse for the cloud.  Imagine mixing development, QA, and prod resources all in a single bucket.  Sorting through that junk drawer to find the resource you are looking for right when you need it can lead to production outages at critical times.  Maintaining permissions when everyone is in your Azure junk drawer is hard as well, and often requires granting excessive access at the individual resource level, which leads to mistakes.  Discarded VMs from decommissioned projects, sitting in the back of our Azure junk drawer and spending money for no gain for months or potentially years, can cost us hundreds of dollars per month; over years that cost overrun eats into revenue that could have funded continued innovation. 

Avoid the Crisis of Trying to Find Something During a Crisis 

Early in my career as a developer, an aging part of our software platform suffered a SQL injection attack.  I had the pleasure of watching a trusted and experienced team check databases for what had been accessed, scan machines for vulnerabilities, contact clients to describe the problem, restore databases to a state prior to the injection attack, and resume full operation within hours.  We were not specifically targeted; many other organizations were hit by the same attack, and days later we saw that other organizations were still struggling to restore operational integrity.  This was all on-premises, and we had a strong understanding of our platform assets, what would be susceptible to attack, and how to rectify it.  If we had not had strong governance around considerations such as naming, we would have had a much harder time resolving the issue.  An effective governance strategy in Azure has many facets, and addressing a compromised resource may involve tearing down a resource group and all its resources entirely and rebuilding within minutes.  When everything is in the same drawer, potentially a drawer labeled “DEV,” tearing down an entire resource group can represent days of recreation.  When that drawer says “PROD,” this could mean lost revenue for days or weeks.  When the drawer says “CHAOS,” your business is at risk. 

Azure Governance Easy Buttons 

  1. Compartmentalize resources with management groups and subscriptions 
  2. Create a tagging policy to test that required tags exist, such as an environment tag 
  3. Create a tagging policy that appends additional tags to resources 

Governance aspects built into Azure itself are first-class citizens.  Using management groups to represent our organizational structure, we can limit access to subscriptions, so developers wouldn’t have access to production subscriptions.  Products should align to a subscription. Any deployment to Azure can then be tested for a matching tag before it is allowed into the subscription (one policy with a deny effect), while another policy automatically adds the team and scope tags if they are missing from the deployment (a policy append effect).  Now we can be certain that we can find all resources when we need them, and be certain that they are in the right environment.  During a cost audit we know which team created the resource, so we can talk to that team about justifying the cost.  During a threat modeling exercise, we can be certain all the resources are identified.  If you already have a mess in Azure, leveraging governance is the first step to sorting out our junk drawers. 
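The two policies described above, written out as Azure Policy definitions. This is an added example, not code from the original post or from the author’s organization; the tag names (`environment`, `team`), the allowed environment values (`dev`, `qa`, `prod`) and the `teamName` parameter are assumptions chosen to match the drawers the post talks about. The first definition denies any deployment whose `environment` tag is missing or not one of the allowed values; the second appends a `team` tag, taken from the assignment parameter, when the deployment did not supply one. Each array element is one policy definition document.

```json
[
  {
    "properties": {
      "displayName": "Deny resources without a valid environment tag",
      "description": "Assumed example: a deployment must declare environment=dev, qa or prod to enter this subscription.",
      "policyType": "Custom",
      "mode": "Indexed",
      "parameters": {},
      "policyRule": {
        "if": {
          "anyOf": [
            { "field": "tags['environment']", "exists": "false" },
            { "field": "tags['environment']", "notIn": [ "dev", "qa", "prod" ] }
          ]
        },
        "then": { "effect": "deny" }
      }
    }
  },
  {
    "properties": {
      "displayName": "Append the owning team tag when it is missing",
      "description": "Assumed example: the team name is set per assignment, e.g. one assignment per subscription.",
      "policyType": "Custom",
      "mode": "Indexed",
      "parameters": {
        "teamName": {
          "type": "String",
          "metadata": {
            "displayName": "Team name",
            "description": "Value written into the team tag when the deployment omits it."
          }
        }
      },
      "policyRule": {
        "if": {
          "field": "tags['team']",
          "exists": "false"
        },
        "then": {
          "effect": "append",
          "details": [
            { "field": "tags['team']", "value": "[parameters('teamName')]" }
          ]
        }
      }
    }
  }
]
```

`mode: Indexed` restricts both policies to resource types that support tags and location, which avoids false denials on types that cannot carry tags. Assign the deny definition at the management group that holds the production subscriptions so that every subscription beneath it inherits the check, and assign the append definition once per subscription with that subscription’s `teamName`. Note that `append` only fills in a tag that is absent and cannot correct an existing wrong value; the `modify` effect (with a managed identity on the assignment) is the choice when existing resources also need remediation.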

Avoiding Junk Drawers Entirely 

From a governance and cloud maturity perspective, we can also leverage Azure Blueprints, where our infrastructure is codified and governed within our organization.  Blueprints can be iterated on a lot like source code.  The easiest junk drawers to sort out are the ones that never existed in the first place! 

How are you managing your resources in Azure?  Ask yourself some simple questions:

  • Do you know where your Azure resources are being created?
  • Are your resource creation standards consistent?
  • Are your resource creation standards enforceable?
  • Can you decommission projects with confidence?
  • Can you recreate resources in Azure with confidence? 

If you don’t know the answers to these questions, you have some degree of Azure junk drawer. If you want to learn more about cloud governance, download our Azure Governance Playbook today!
