Reasons for isolating production from non-production workloads
Segregating production from non-production workloads in a cloud environment can provide several benefits, including:
- Security: Isolating production from non-production workloads reduces the risk of unauthorized access to production systems. Dev/test systems are typically less hardened, more widely accessible and more often seeded with test credentials, so a compromise there should not become a path into production.
- Compliance: Some industries have strict regulatory requirements that mandate the separation of production and non-production environments.
- Performance: Production workloads often have different performance requirements than non-production workloads, so separating them can ensure that production workloads have the resources they need to run smoothly.
- Cost: Segregating production and non-production workloads lets organizations manage costs more effectively, for example by sizing non-production environments smaller, shutting them down outside working hours, and reporting production spend separately.
- Licensing optimization: Cloud providers such as Azure provide a multi-subscription structure (the Azure Landing Zone architecture) in which different licensing models can be applied per subscription; for example, Dev/Test offers can be applied to non-production subscriptions.
- Recoverability: In case of an incident, it is easier to recover the production environment separately from the non-production one.
- Testing: By isolating non-production environments, organizations can test new features and updates in an isolated environment before deploying them to production, which can reduce the risk of introducing bugs or compatibility issues.
Techniques to segregate production from dev/test and UAT
There are several ways to segregate production from non-production workloads in the cloud, including:
- Subscriptions (AWS accounts): Placing production and non-production workloads in separate subscriptions or accounts gives each its own billing, policies and access controls. This is the strongest boundary on the list, because identity, network and policy scopes all end at the subscription edge.
- Virtual Private Clouds (VPCs) / virtual networks: VPCs can be used to create isolated networks within a cloud environment. Production and non-production workloads can be placed in separate VPCs that are not peered, or are peered only through inspected routes, so that only authorized resources have a network path to production systems.
- Network Security Groups (NSGs): NSGs filter traffic at subnet or NIC level using priority-ordered allow/deny rules. For example, an explicit Deny from non-production address ranges into production subnets, placed at a higher priority (lower number) than any broad Allow, prevents a later permissive rule from opening a path by accident.
- Security Groups: AWS security groups are stateful and allow-only; they can limit access to production systems by only allowing traffic from authorized IP ranges or from other named security groups.
- Identity and Access Management (IAM): IAM can be used to control access to production systems by creating roles and policies that only allow authorized users or systems access to production resources. Use distinct roles per environment and avoid giving a single principal standing access to both production and non-production.
- Resource tagging: Tagging resources with labels (e.g. 'production', 'non-production') and using those tags to filter resources and apply policies is a good way to keep track of and manage resources. Tags are metadata, not a security boundary on their own: enforce them with policy (Azure Policy, AWS tag policies or SCPs) and deny creation of resources that lack the required tag.
- Resource groups: Grouping resources by function, such as production and non-production, makes it easier to manage, monitor and scale them.
- Service segmentation: Use service-specific segmentation solutions, such as Kubernetes namespaces, Azure Dev Spaces (since retired) or separate AWS App Runner services, to segment resources. Note that a Kubernetes namespace is only a boundary when combined with RBAC and NetworkPolicy; by default, pods in different namespaces can reach each other.
It’s important to note that these methods can be used together to provide multiple layers of security and control, and the best approach will depend on the specific requirements of an organization.
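The tag, subscription and NSG controls above can be checked mechanically. The following Python audit is an added example, not code from the original page or from any cloud provider: it runs over a constructed inventory (hypothetical subscription names sub-prod and sub-dev, made-up address ranges, resource ids and rule names) and flags untagged resources, production-tagged resources living in a non-production subscription, and Allow rules that admit non-production traffic into production or vice versa. It models Azure NSG priority order, so an Allow that is fully shadowed by a higher-priority Deny is not reported.

```python
"""Audit a constructed cloud inventory for production / non-production
segregation gaps.  All names, ranges and rules below are made up."""
import ipaddress
from dataclasses import dataclass

# Constructed address plan: one production range, two non-production ranges (dev, UAT).
PROD_NETS = [ipaddress.ip_network("10.10.0.0/16")]
NONPROD_NETS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("10.30.0.0/16")]
PROD_SUBSCRIPTIONS = {"sub-prod"}  # hypothetical subscription name
REQUIRED_TAG, ALLOWED_VALUES = "environment", {"production", "non-production"}


@dataclass
class Rule:
    """One NSG-style rule; a lower priority number wins, as in Azure NSGs."""
    name: str
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    priority: int
    source: str       # CIDR or "*"
    destination: str  # CIDR or "*"
    port: str         # port number or "*"


def _net(cidr):
    return None if cidr == "*" else ipaddress.ip_network(cidr, strict=False)


def _overlaps(cidr, nets):
    """True if the rule prefix (or wildcard) touches any network in nets."""
    net = _net(cidr)
    return True if net is None else any(net.overlaps(n) for n in nets)


def _covers(outer, inner):
    """True if prefix/wildcard `outer` fully contains prefix/wildcard `inner`."""
    if outer == "*":
        return True
    if inner == "*":
        return False
    return _net(inner).subnet_of(_net(outer))


def _shadowed_by_deny(rule, rules):
    """A Deny with better priority that fully covers the flow makes the Allow inert."""
    return any(
        r.access == "Deny" and r.direction == rule.direction and r.priority < rule.priority
        and _covers(r.source, rule.source) and _covers(r.destination, rule.destination)
        and r.port in ("*", rule.port)
        for r in rules
    )


def cross_env_allows(rules):
    """Names of effective Allow rules permitting traffic between prod and non-prod ranges."""
    findings = []
    for r in sorted(rules, key=lambda x: x.priority):
        if r.access != "Allow":
            continue
        crosses = (_overlaps(r.source, NONPROD_NETS) and _overlaps(r.destination, PROD_NETS)) or (
            _overlaps(r.source, PROD_NETS) and _overlaps(r.destination, NONPROD_NETS))
        if crosses and not _shadowed_by_deny(r, rules):
            findings.append(r.name)
    return findings


def tag_violations(resources):
    """Ids of resources missing the environment tag or carrying an unknown value."""
    return [r["id"] for r in resources
            if r.get("tags", {}).get(REQUIRED_TAG) not in ALLOWED_VALUES]


def misplaced_resources(resources):
    """Ids whose environment tag disagrees with the subscription they live in."""
    out = []
    for r in resources:
        env = r.get("tags", {}).get(REQUIRED_TAG)
        in_prod = r["subscription"] in PROD_SUBSCRIPTIONS
        if (env == "production") != in_prod and env in ALLOWED_VALUES:
            out.append(r["id"])
    return out


# Constructed sample inventory.
RESOURCES = [
    {"id": "vm-web-01", "subscription": "sub-prod", "tags": {"environment": "production"}},
    {"id": "vm-build-01", "subscription": "sub-dev", "tags": {"environment": "non-production"}},
    {"id": "sql-reporting", "subscription": "sub-dev", "tags": {"environment": "production"}},
    {"id": "vm-legacy", "subscription": "sub-prod", "tags": {}},
]
RULES = [
    Rule("deny-dev-to-prod", "Inbound", "Deny", 100, "10.20.0.0/16", "10.10.0.0/16", "*"),
    Rule("allow-uat-to-prod-api", "Inbound", "Allow", 150, "10.30.0.0/16", "10.10.0.0/16", "443"),
    Rule("allow-build-agent-to-prod-db", "Inbound", "Allow", 200, "10.20.5.0/24", "10.10.3.0/24", "1433"),
    Rule("allow-prod-internal", "Inbound", "Allow", 300, "10.10.0.0/16", "10.10.0.0/16", "*"),
    Rule("allow-any-ssh", "Inbound", "Allow", 400, "*", "10.10.0.0/16", "22"),
]

if __name__ == "__main__":
    print("untagged or mis-tagged:", tag_violations(RESOURCES))
    print("in the wrong subscription:", misplaced_resources(RESOURCES))
    print("cross-environment allows:", cross_env_allows(RULES))
```

Run as-is, the script reports vm-legacy (no tag), sql-reporting (production-tagged but in sub-dev), and the two Allow rules that still reach production from a non-production or wildcard source; allow-build-agent-to-prod-db is silent because deny-dev-to-prod at priority 100 fully covers it. In a real environment the inventory and rules would come from the provider's API or exported policy state, and the checks would run in CI or on a schedule.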