Enhancing the architecture of Microsoft Dev Box

In the rapidly evolving world of software development, efficiency and flexibility are paramount. Microsoft Dev Box stands out as a robust solution designed to streamline development environments, particularly in an enterprise setting. This platform not only simplifies the setup and management of virtual machines but also offers flexibility for developers. In this post, I have gathered some considerations for you, enhancing the architecture of Microsoft Dev Box.

Introduction

Microsoft provides a foundational reference architecture for Microsoft Dev Box, aimed at supporting developers with efficient, scalable, and isolated environments for coding within Azure. While this architecture lays solid groundwork, my analysis suggests that integrating additional components can significantly enhance the deployment of Dev Box for enterprise use. In this article, I will discuss these supplementary components that can further secure and streamline the architecture, ensuring a more robust setup that aligns seamlessly with advanced enterprise needs and compliance requirements.

Too long, didn’t read (TLDR): There is a lot of information in this post. I understand that you might give up at some point. At the end of each section, you’ll find a ‘Recommendations’ that sums it all up for you.

Scope

In this post we solely focus on:

  • Access Management with access packages using Identity Governance.
  • Network configuration such as network connections, subnetting and network security.
  • Security and Compliance, exploring additional RBAC roles and Conditional Access.

What is not discussed:

  • Implementation and configuration of Microsoft Intune.
  • Virtual Machines images for Dev Box.
  • Cost Management and optimizations.

Overview of the architecture

Below, we will dissect each element depicted in the architecture, elaborating on roles, components, and the inter-connectivity between them. This detailed analysis aims to provide a clearer understanding of how Microsoft Dev Box can be optimized for enterprise use, ensuring both robust access management and secure network configurations. By examining each component in detail, we can better appreciate the intricacies that contribute to a successful adoption and implementation of Microsoft Dev Box.

Overview of the Microsoft Dev Box architecture for enterprises.

1. Understanding Microsoft Dev Box

Microsoft Dev Box is a cloud-based development environment service provided by Microsoft, designed to streamline and enhance the efficiency of software development, particularly within enterprise landscapes. It facilitates the management and provisioning of preconfigured, ready-to-code development environments that support a variety of operating systems and integrated development settings. This allows developers to swiftly set up and dive into coding without worrying about the underlying infrastructure.

Additionally, because these environments are containerized and maintained in the cloud, it promotes consistent work settings and reduces the “it works on my machine” problem, thus accelerating the development process and reducing setup time.

Overview of what Microsoft Dev Box is.

2. Access Management

Users of Dev Box login to a Developer Portal where they self-service manage their own instances and configurations. It’s one of the key features that offers flexibility to the end users. In my opinion, we must continue this effort providing self-service authorization and access for users using Dev Box. To achieve this, we use access packages within Identity Governance.

Overview of access infrastructure for Microsoft Dev Box
  1. The user logs in to the My Access portal.
  2. Within the portal, the user requests the access package that adds the user to an Entra ID group.
  3. Now that the user is a member of this group, the Dev Box User role is automatically assigned based on group membership on the Dev Box project.
  4. The user now has the authorization to create new Dev Box instances within the Dev Box project.

Note: Before you continue, please understand what a project within Dev Box is.

2.1 Access packages

Access packages can be used to assign multiple resources to a user. From the portal, users request an access package and will, after approval, be granted access to one or more resources. In our example, we would like to delegate permissions for the Dev Box project. We achieve this, by using an Entra ID group. Members of this group will receive the appropriate role in the Dev Box project to create and manage Dev Box instances.

Request access to the package in the My Access portal
My Access Portal to request access to a Dev Box project

2.2 Role-based Access Control (RBAC)

By using the built-in DevCenter Dev Box User role, you can assign permissions to Entra ID users or groups. You assign the role at the project level in Microsoft Dev Box. Users with this permission can now view the project and create and manage Dev Box instances. When we assign this role to an Entra ID group, new members in this group automatically receive the role.

New role assignment for Dev Box users within a project using the Azure portal
Assign the Dev Box User role to the Entra ID group for this project

2.3 Access Management recommendations

  • Create an Entra ID group for users for each Dev Box project.
  • Use access packages to enable self-service authorization and access to Dev Box projects.
  • Assign RBAC roles to Entra ID groups who are used with access packages.

3. Network Configuration

Dev Box instances use the Microsoft backbone by default. This means that instances are able to communicate directly with the internet without any interference of a firewall. We definitely need more grip on network connectivity, so let’s explore the infrastructure.

The architecture above represents an example of how I would configure networking for Microsoft Dev Box. Lets discuss some areas within it:

  1. Deploy a new network connection for each Dev Box project. There are a few reasons to configure a connection per project:
    • You select a subnet for each connection. This allows us to segment Dev Box instances from different teams.
    • When for some reason the connection should be disabled, other Dev Box projects are not affected.
    • Managing network filtering gets easier. It allows to configure specific rules for specific projects/teams.
  2. Within the centrally managed network, each Dev Box project gets its own subnet and NSG. Once again, there is better control of individual network rules.
  3. Connect the virtual network to your secured virtual hub or deploy an Azure Firewall instance for advanced network filtering.

3.1 Network Connection

Microsoft allows us define one or more network connections within a Dev Center. By configuring these types of connections, we directly integrate with an existing virtual network. As a result, all traffic routes over the virtual network instead of the Microsoft backbone.

Example of creating a new network connection in the Azure portal
Example of creating a new network connection

3.2 Virtual Network

The connections should lead to a centrally managed Virtual Network. When using the landing zone architecture, preferably deploy this network in your Connectivity subscription. The benefit of this setup is that it allows for better management and overview of the connectivity from and to Dev Box instances. Also, since you could consider Microsoft Dev Box as a shared service, the infrastructure should be managed by the Cloud Center of Excellence (CCoE) team.

Be sure to include some sort of network filtering by peering it to your secured virtual hub of deploy an Azure Firewall instance.

3.3 Subnetting

Allocate a subnet for each Dev Box project combined with a Network Security Group (NSG). This ensures that connectivity is segmented on a per-project basis. Consider to create a baseline for the NSG to filter network traffic before it even hits a firewall in the network. For example, consider to prevent cross-project network interference and/or deny high risk network protocols by default.

Example of a connected Dev Box instance in the virtual network on the Azure portal
The Dev Box instance shows as a connected device in the subnet

3.4 Network recommendations

  • Configure network connections per Dev Box project (in its own subnet).
  • When using the Azure landing zone architecture, consider deploying the virtual network in the Connectivity landing zone. It centralizes operations and prevents a widespread of network connections.
  • Create a subnet for each Dev Box project. Subnets provide the lowest level of network segmentation on the Azure platform and prevents cross-project traffic.
  • Create Network Security Groups (NSG) for each subnet, and preferably route all traffic over the Azure Firewall for enhanced network filtering.
  • When using Azure Firewall, create a rule collection for each subnet. Set a baseline to determine what type of traffic is allowed by default. Only allow additional types of traffic based on requests per Dev Box project.

4. Security and Compliance

There is some baseline configuration to consider in the architecture. Lets briefly discuss them below.

4.1 Provide admin access to a project

There is an option to delegate project administration. With these permissions, users can view network connections and view, update and delete dev box pools in the project. Consider to support this type of authorization.

4.2 Conditional Access for the Developer Portal

For the Developer Portal, configure a Conditional Access policy that requires multi-factor authentication (MFA) and restricts access based on user location or device compliance status. As a result, risks of unauthorized access are mitigated.

Example of the Conditional Access flow for the Developer Portal.
Example of the Conditional Access flow for the Developer Portal

4.3 Conditional Access within Dev Box

Regarding Dev Box instances, set up Conditional Access policies scoped specifically to prevent users from accessing any Entra ID connected applications within these instances unless they meet certain compliance criteria or are part of designated groups.

For example, you could argue that Dev Box is intended for development purposes only. Therefore, Microsoft 365 applications such as Outlook or Microsoft Office are not allowed.

  • Users: Include targeted users.
  • Target resources: Select Cloud apps, and include Office 365 when selecting the Select apps radio button.
Include the Office 365 application in the Conditional Access policy
  • Conditions: Under Filter for devices, create a new rule syntax to query Dev Box instances. All Dev Box instances identify with the model Microsoft Dev Box in Microsoft Intune.
Filter Dev Box instances based on a rule syntax
Kusto
device.model -startsWith "Microsoft Dev Box"
  • Grant: Select Block access.

Targeted users who now navigate to any Microsoft 365 application cannot access it within their Dev Box.

Access to a Microsoft 365 application blocked by Conditional Access inside a Dev Box.
Access blocked by the Conditional Access policy in Dev Box

4.4 Security and Compliance recommendations

Conclusion

In conclusion, Microsoft Dev Box offers a dynamic and effective platform for managing development environments, particularly within an enterprise setting. By properly implementing access management, network configuration, and security protocols, organizations can enhance both flexibility for developers and overall system security.

These best practices, outlined through the use of access packages, role-based access control, network segmentation, and Conditional Access policies, not only streamline the setup and use of Dev Box but also ensure that it aligns with the organization’s compliance and governance standards.

Ultimately, these strategies will empower enterprises to leverage Microsoft Dev Box in optimizing development operations while maintaining strong security and operational control. With these measures in place, organizations can look forward to reaping the benefits of a robust, secure, and highly efficient development environment.

Are you using Dev Box already?

I am curious to know if you already have experience using Dev Box. Do you have any additional recommendations or feedback? Please let me know in the comments below. I am eager to hear your thoughts and suggestions.