Cloud Architect Mattia Lepri Berluti describes the benefits of adopting a Cloud Vending Machine to bring innovation to new heights in your business.

According to Wikipedia:

The earliest known reference to a vending machine is in the work of Hero of Alexandria, an engineer and mathematician in first-century Roman Egypt. His machine accepted a coin and then dispensed holy water. In the 21st century – the middle of the Information Age – vending machines have evolved to dispense innovation.

Adopted Cloud? Now the real innovation starts!

If your journey to Cloud has already started within your business, then innovation matters more than ever. Especially now that your chosen Cloud provider(s) have opened your world to a suite of features and services – the kind you could only dream of when you relied on your on-premises platform!

The major Cloud providers are innovating at the speed of light to satisfy thousands of different customers’ requirements around the globe, from tens of different industries.

To better understand the pace of the Cloud markets:

  • GCP made 122 announcements during the 2019 Google Cloud Next event alone.
  • AWS made 1,421 new announcements in 2018 (83 during re:Invent alone).
  • Microsoft Azure made a total of 842 announcements in 2018.

Just to give you a sense of scale: if you took just two minutes to read each and every announcement from all of the providers, it would take over three days to keep yourself completely up to date!

Whatever provider you have chosen, it is important to keep up with the latest product releases. New services and features can improve your applications and help you develop your customer experiences, giving you an edge over your competitors.

At Cloudreach, we use Slack and the RSS App to keep our communities up to speed with the latest Azure, GCP and AWS news. We don’t want to miss the opportunity to tell our customers about the latest announcements they can benefit from, as soon as we can!

What is a Cloud Vending Machine?

Imagine that you want to try out a new service that has just been announced at the latest Google Next, AWS re:Invent or Microsoft Ignite. It is very likely that your organisation’s policies won’t allow you to just log in to your favourite console and play with it. What if something goes wrong?

What to do then?

…build a Cloud vending machine.

A Cloud vending machine is a risk-free, controlled, scalable environment, which allows individuals to play with the latest services and tools and understand the applications and benefits outside the restrictions of your policies.

Just log in to your Cloud Vending Machine, request a brand new GCP Project/AWS Account/Azure Subscription to be provisioned, then go have fun with it!

But how does a vending machine help an organisation to innovate? I’ll give four reasons (and I bet that your organisation will benefit from at least three of them):

  • Test new services and features as soon as they are released by your Cloud Provider(s)
  • Develop a Proof of Concept (PoC) without the limitations you would have in the organisation’s live accounts (especially if you enforce Infrastructure as Code and segregation of duties)
  • Use disposable training labs
  • Give access to technology to everyone, not just developers or engineers, to help demystify the myths of Public Cloud and promote Cloud culture within your organisation

Essentially, a Cloud Vending Machine safely empowers individuals to try new products and services. It unleashes creativity and potential without the barriers of bureaucracy, creating an environment that speeds up innovation, product development, and, ultimately, business growth.

As usual, Security matters

Sounds great, right? Just go ahead and unleash your talented employees to go forth and transform your business. It is a wonderful theory, but not quite that simple, especially where security is concerned.

Security policies and guardrails have to be managed centrally, and a comprehensive Vending Machine solution should take the following into consideration:

  • Set boundaries – it sounds contradictory to what a vending machine is trying to do, but certain restrictions do need to be in place. For example, you probably don’t want end-users to create Access and Secret Keys associated with the root user.
  • Auditing – keep track of everything! Whatever the users are allowed to do, make sure you know exactly what happened, when and where. If your company data is leaked because you allowed Mr. Jeff Opencloud to create a public-facing bucket where he put production data for a PoC, you may want to know about it!
  • Integration with other platform services – minimise the requirements to connect to your estate’s production services. If your requirements include connectivity to other accounts/services, bear in mind the limitations. For example, if you need to peer VPCs in a hub-and-spoke model, Azure supports up to 500 peering connections per VNet, GCP 25 per VPC and AWS 125 per VPC. This model doesn’t scale well for organisations that have a higher number of users.
  • Identity Provider integration – avoid defining bespoke user identities linked to each CSP Account and hook in your Identity Provider instead (be it Microsoft Azure AD, Google G Suite, Microsoft AD, etc.).

…and Money even more!

You will also need to keep an eye on costs.

Complete visibility of costs for each individual is essential. Applying cost guardrails and keeping budgets under control is straightforward: if the budget assigned to a user/team is exceeded, the account can be safely deleted.

Also, an innovation account should not last forever – each account should be considered disposable by nature, easily created and destroyed when not in use. Always put a time limit on each account’s lifetime to avoid money-burning zombie accounts.

Usage of expensive or unauthorised services can be centrally limited using preventive and reactive controls. You may not want all of your innovation users to launch a WordPress QuickStart on a $33/hour p3dn.24xlarge in AWS or an $84/hour m2-ultramem-416 in GCP.
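As an added illustration (not Cloudreach’s own configuration), the preventive controls described above – no root-user access keys, a protected audit trail and no launches of the most expensive instance types – can be expressed for AWS as a single Service Control Policy attached to the Organizations OU that holds the lab accounts. The OU placement is an assumption, the instance-type list holds only the type quoted on this page, and the equivalent GCP and Azure guardrails (Organization Policy constraints, Azure Policy) are not shown.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUserAccessKeys",
      "Effect": "Deny",
      "Action": "iam:CreateAccessKey",
      "Resource": "*",
      "Condition": {
        "StringLike": { "aws:PrincipalArn": "arn:aws:iam::*:root" }
      }
    },
    {
      "Sid": "ProtectAuditTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyExpensiveInstanceTypes",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": ["p3dn.24xlarge"]
        }
      }
    }
  ]
}
```

Because an SCP is a Deny-only boundary evaluated before the account’s own IAM policies, a lab user cannot lift these restrictions from inside the lab account; widening the first statement’s Action to "*" blocks all root-user activity rather than just key creation.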


The failure of a shared model – goodbye Sandbox

a.k.a. “I already have a sandbox environment, I don’t want to manage tens of accounts!”

Many organisations, from startups to enterprises, use a shared sandbox environment where “everyone can login and try to work” in a semi-controlled chaos that quickly leads to operational madness.

At Cloudreach we used to have one Sandbox environment for each main CSP.

This was ok-ish until we grew to 1000 employees globally during 2019.

Sandbox accounts are not ideal in this situation for several reasons:

  • It’s a shared environment – everyone sees everything. Users want to focus on their own applications and resources; they’re not interested in the other 1000 EC2 instances.
  • It’s operationally complex – you would need to rely on mandatory tags to enforce compliance and lifecycles, and it’s almost impossible to manage costs.
  • It’s not scalable – a single account has API and resource limits. We like solutions to be scalable, not constrained by design.

We decided to move from a sandbox model to a “Personal Labs” model.

What’s our definition of a Lab? A disposable, short-lived environment that doesn’t hold any company data or intellectual property.

In other words, an environment where you can actually do some real work.

We ended up developing a unique Multi-Cloud Vending Machine, integrated with our identity provider. It is both secure and cost-effective.

Leveraging our Cloud System Developers, we developed a fully automated solution which includes:

  1. An integration layer with our internal tools, to manage account requests
  2. An orchestration engine to manage the lifecycle of hundreds of accounts, interacting with each Cloud Service Provider API
  3. A unified billing dashboard giving full visibility of current and past charges

The introduction of the Vending Machine has had a definitive impact on our organisation, giving us the ability to learn, build and test solutions that we propose and implement successfully for our customers.

If your business is considering adopting multi-cloud solutions, or just wants to keep up to date with the latest technologies, I highly encourage you to explore the concept of a Cloud Vending Machine within your organisation and see how quickly you witness the benefits!


I have deliberately made no explicit references to implementation details specific to the technology involved – an innovation, laboratory or training account could be an AWS Account, an Azure Subscription or a GCP Project (or a combination of the three!)

Using a Cloud Vending Machine, your business can bring innovation to the next level and, enabled by best of breed technology, gain a significant competitive advantage over your competitors.

If you want to talk about Cloud Vending Machines, Innovation Labs or Multi-Cloud Account orchestration, please get in touch.

(Don’t ask us to do it on-premise. We don’t think it would work so well ;))