Sandbox Landing Zone
A sandbox landing zone is a pre-configured environment that is specifically designed for learning and experimentation with Azure. Sandboxes are strictly treated as ephemeral environments that must be torn down after an experiment has concluded.
⚠️ It is forbidden to use sandbox landing zones with data classified as "internal" or higher confidentiality level.
This landing zone places a few restrictions on Azure Services that are not deemed suitable for experimentation.
This landing zone integrates below the online management group in the organization hierarchy.
The resource hierarchy of this landing zone looks like this:
`sandbox` management group for sandbox landing zone
└── *application team subscriptions*
Active Policies
Service and Location Restrictions
| Policy | Effect | Description | Rationale |
|---|---|---|---|
| Enforce ALZ Sandbox Guardrails | Deny | This initiative will help enforce and govern subscriptions that are placed within the Sandbox Management Group. See https://aka.ms/alz/policies for more information. | Forbids use of certain Azure Services that are unsuitable for experimentation environments because they incur high cost and/or allow establishing non-zero-trust connectivity via VNet peering to other services. The following resource types are forbidden:<br>`microsoft.network/expressroutecircuits`<br>`microsoft.network/expressroutegateways`<br>`microsoft.network/expressrouteports`<br>`microsoft.network/virtualwans`<br>`microsoft.network/virtualhubs`<br>`microsoft.network/vpngateways`<br>`microsoft.network/p2svpngateways`<br>`microsoft.network/vpnsites`<br>`microsoft.network/virtualnetworkgateways` |
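The following is an added, illustrative Azure Policy definition showing how a deny rule over the resource types in the table above is expressed; it is not the `Enforce ALZ Sandbox Guardrails` initiative itself (that initiative is published at https://aka.ms/alz/policies), and the display name, parameter names and description text are assumptions chosen for this example. The `in` comparison on the `type` field is case-insensitive, so the lowercase resource type names from the table match deployments regardless of casing.

```json
{
  "properties": {
    "displayName": "Deny hybrid connectivity resource types in sandbox subscriptions (illustrative example)",
    "description": "Illustrative example, not the ALZ initiative: denies the connectivity resource types that are forbidden in sandbox landing zones.",
    "mode": "All",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Deny",
        "metadata": {
          "displayName": "Effect",
          "description": "Deny blocks the deployment at request time; Audit only records a non-compliance result for review."
        }
      },
      "listOfResourceTypesNotAllowed": {
        "type": "Array",
        "defaultValue": [
          "microsoft.network/expressroutecircuits",
          "microsoft.network/expressroutegateways",
          "microsoft.network/expressrouteports",
          "microsoft.network/virtualwans",
          "microsoft.network/virtualhubs",
          "microsoft.network/vpngateways",
          "microsoft.network/p2svpngateways",
          "microsoft.network/vpnsites",
          "microsoft.network/virtualnetworkgateways"
        ],
        "metadata": {
          "displayName": "Forbidden resource types",
          "description": "Resource types that incur high cost or allow non-zero-trust connectivity out of the sandbox."
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": "[parameters('listOfResourceTypesNotAllowed')]"
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assigning a definition like this at the `sandbox` management group scope (`/providers/Microsoft.Management/managementGroups/sandbox`) makes every application team subscription beneath it inherit the rule, so a subscription cannot opt out by being created later. Keeping the effect parameterized lets a platform team roll it out as `Audit` first to see which existing resources would be affected, then switch to `Deny`.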
Compliance Statements
- Playground / Sandbox Environments: It's a best practice for development, testing, and learning purposes, providing a safe and secure area to explore Azure services and features. This allows users to gain hands-on experience without the risk of impacting critical systems.
- Service and Location Restrictions: Forbids use of certain Azure Services that are unsuitable for experimentation environments because they incur high cost and/or allow establishing non-zero-trust connectivity via VNet peering to other services.