Restrict allowed virtual machine sizes for labs

In this article, you learn how to restrict the list of allowed lab virtual machine sizes for creating new labs by using an Azure policy. As a platform administrator, you can use policies to lay out guardrails for teams to manage their own resources. Azure Policy helps audit and govern resource state.

Note

This article references features available in lab plans, which replaced lab accounts.

Configure the policy

1. Sign in to the Azure portal, and then go to your subscription.

2. From the left menu, under Settings, select Policies.

3. Under Compliance, select Assign Policy.

   

4. Select the Scope which you would like to assign the policy to, and then select Select.

   Select the subscription to apply the policy to all resources. You can also select a resource group if you need the policy to apply more granularly.

   

5. Select Policy definition.

6. In Available Definitions, search for Lab Services, select Lab Services should restrict allowed virtual machine SKU sizes, and then select Add.

   

7. On the Basics tab, select Next.

8. On the Parameters tab, clear Only show parameters that need input or review to show all parameters.

   

9. In Allowed SKU names, clear the check boxes for any SKU that you don't allow for creating labs.

   By default all the available SKUs are allowed. Use the following table to determine which SKU names you want to allow.

   SKU Name	VM Size	VM Size Details
   CLASSIC_FSV2_2_4GB_128_S_SSD	Small	2vCPUs, 4 GB RAM, 128 GB, Standard SSD
   CLASSIC_FSV2_4_8GB_128_S_SSD	Medium	4vCPUs, 8 GB RAM, 128 GB, Standard SSD
   CLASSIC_FSV2_8_16GB_128_S_SSD	Large	8vCPUs, 16 GB RAM, 128 GB, Standard SSD
   CLASSIC_DSV4_4_16GB_128_P_SSD	Medium (Nested virtualization)	4 vCPUs, 16 GB RAM, 128 GB, Premium SSD
   CLASSIC_DSV4_8_32GB_128_P_SSD	Large (Nested virtualization)	8vCPUs, 32 GB RAM, 128 GB, Premium SSD
   CLASSIC_NCSV3_6_112GB_128_S_SSD	Small GPU (Compute)	6vCPUs, 112 GB RAM, 128 GB, Standard SSD
   CLASSIC_NVV4_8_28GB_128_S_SSD	Small GPU (Visualization)	8vCPUs, 28 GB RAM, 128 GB, Standard SSD
   CLASSIC_NVV3_12_112GB_128_S_SSD	Medium GPU (Visualization)	12vCPUs, 112 GB RAM, 128 GB, Standard SSD

10. In Effect, select Deny to prevent a lab from being created when a VM SKU isn't allowed.

    

11. Optionally, on the Non-compliance messages tab, enter a noncompliance message.

    

12. On the Review + Create tab, select Create to create the policy assignment.

You've created a policy assignment to allow only specific virtual machine sizes for creating labs. If a lab creator attempts to create a lab with any other SKU, the creation fails.

Note

New policy assignments can take up to 30 minutes to take effect.

Exclude resources

When applying a built-in policy, you can choose to exclude certain resources, except for lab plans. For example, if the scope of your policy assignment is a subscription, you can exclude resources in a specified resource group.

You can configure exclusions when creating a policy definition by specifying the Exclusions property on the Basics tab.

Exclude a lab plan

You can exclude a lab plan from a policy assignment by specifying the lab plan ID in the policy definition.

1. To get the lab plan ID:

   1. In the Azure portal, select your lab plan.

   2. Under Setting, select Properties, and then copy the Id.

      

2. To exclude the lab plan from the policy assignment:

   1. Assign a new policy definition.

   2. On the Parameters tab, clear Only show parameters that need input or review.

   3. For Lab Plan Id to exclude, enter the lab plan ID you copied earlier.

      

Related content

• Use Azure Policy to audit and manage Azure Lab Services?

• What is Azure policy?