Cost Controls for Cloud Labs
- 13 Sep 2024
- 6 Minutes to read
- Print
Cost Controls for Cloud Labs
- Updated on 13 Sep 2024
- 6 Minutes to read
- Print
Article summary
Did you find this summary helpful?
Thank you for your feedback
Skillable understands the need to provide a delightful user experience, while also keeping costs to a minimum. To help achieve your goals to this end, we have a number of settings and processes in place to ensure this is fully achievable! In this article we will review a myriad of ways to ensure you’re keeping costs only as high as they absolutely need to be.
Lab Profile Settings
Skillable Studio has a number of settings that empower Lab Administrators and Lab Developers to better control the cost labs have on their business both Skillable and the cloud provider for the lab. The following settings all can impact the cost of a lab:
Setting | Location | Default Value | Cost Impact |
|---|---|---|---|
Duration | Basic Information | 1 Hour | The duration configured on a lab is the primary factor in any Skillable billing models. Ensure this reflects the appropriate amount of time a user needs in the lab. |
Prompt User to Extend Time | Basic Information | Enabled | This setting allows users to extend their time in the lab for up to 50% more than the configured duration. Skillable does not charge for this extra time, but if your lab is in a cloud platform there may be additional cloud charges during this period. |
Cloud | Contributor | The role configured on cloud user accounts does not directly impact costs, but it does impact what users are able to do in the cloud platform which can indirectly impact costs. | |
Cloud | N/A | Access Control Policies are the primary cost control mechanism for cloud labs. They allow lab developers to define which precises resources users are or are not allowed to deploy in the cloud platform. | |
Max Active Instances | Advanced | Unlimited | Max active instances allows you to limit the number of simultaneous users in the lab. While this does not directly impact the cost of the lab itself, it allows you to better control the scale at which you would like to deliver that lab, and in turn it’s overall costs. |
Allow User to Cancel Labs | Advanced | Enabled | It is generally recommended to leave this on with the exception of labs being used for tests/exams. This setting while on does not impact your costs at all, while disabled it can result in labs living longer than the student requires which can cause cloud charges to continue to accumulate. |
Allow User to Save Labs | Advanced | Enabled | For non-cloud and cloud labs alike, when a learner saves a lab - the timer against their duration is paused and they can return any time in the next 7 days to pick up where they left off. This is a wonderful user benefit, however with cloud labs it is important to note that anything deployed to the cloud platform continues to incur charges during that time. |
Auto-Save Incomplete Labs | Advanced | Enabled | When enabled in a lab with saves also enabled, this setting causes the following 3 settings to save a lab. If disabled, it will cancel the lab - terminating the instance and any resources. |
Save/Cancel Labs When Last Lab Client Heartbeat Exceeds | Advanced | 15 Minutes | This setting controls how long after the user closes a browser window a lab is saved or canceled. This only applies if the closed the window without manually using the save or cancel option, if they used the manual option it occurs immediately. A longer duration waits longer before saving/canceling the lab while a shorter one can reduce costs in cloud labs if they are cloud virtualization or have saves disabled. |
Save/Cancel Labs When Last Activity Exceeds | Advanced | 60 Minutes | This setting controls how long after a user has interacted with the lab that it is saved or canceled. |
Activity Required to Enable Auto-Save | Advanced | 5 Minutes | This setting defines how much activity a user must have in the lab before the previously outlined auto-save options will save instead of cancel the instance. The intent of this setting is that if a user has not engaged with the lab at all, Skillable will tear down all resources (possibly reducing costs) and re-deploy them in a fresh instance when the user next launches. |
Cloud User Account Roles
When a user launches a Skillable Cloud Slice lab, a user account is often provisioned and provided to the user. While these user accounts and the roles provided to them are considered secure, one should always follow the principal of least privilege. Only give a user as much access as they need to accomplish the lab. This ensures that they do not have the ability to potentially do more than they need which could result in additional charges. In Azure, this means to provide the Reader role as often as possible and assigning the Owner role as little as possible. For labs that are utilizing cloud VMs in the Skillable UI (Cloud Virtualization) and there is no need for the lab user to deploy any resources into the cloud provider, do not create a cloud user account at all.
Best Practice: Use the Principal of Least Privilege
If a lab is using Azure or AWS Virtualization only, it is recommended to not provide a user account.
If multiple role types are available (e.g. Owner, Contributor, Reader), provide the role with the least permissions that can still accomplish the lab steps.
Access Control Policies
Skillable requires any cloud lab that provides the user access beyond a Reader role to the cloud platform utilizes at least one Access Control Policy. While Access Control Policy (ACP) is a singular term Skillable uses across all cloud providers, Skillable ACPs utilize the cloud provider’s native policy frameworks (Azure Policy & AWS IAM Policies).
Read more about ACPs:
Best Practice: Use the Principal of Least Privilege
Create Access Control Policies that allow a user to create only exactly what they need to accomplish a given scenario. This prevents “runaway” cloud charges that may stem unintentionally from users exploring or intentionally from someone being abusive.
Cloud Security Reviews
Lab Profiles that use cloud orchestration are required to undergo a Cloud Security Review by Skillable cloud subject matter experts before they are available outside of Skillable Studio. Security reviews evaluate numerous components of cloud slice labs (such as Access Control Policies, Life Cycle Actions, and user permissions) to determine its risk level for unwanted use of cloud subscriptions. While some labs are exempt, labs that meet the following criteria are not:
Has a Cloud Platform selected (in the Orchestration section of the Cloud tab on Lab Profile),
andCreates a Cloud Resource Group (also on the Cloud Tab of the Lab Profile)
andProvides a user account permissions to that resource group
and
Has a non-exempt Access Control Policy (Click here to find out which policies are exempt.) Skillable Studio will automatically flag that Lab Profile for Security Review.
Best Practice: Maintain a Low Risk Level
Skillable labs running against cloud platforms will have one of 4 Risk Levels - Exempt, Low, Medium, and High. Strive to make every lab either exempt or a low risk level.
Read more about Cloud Security Reviews
Was this article helpful?