Q. How can I restrict the type of VM SKUs that can be used in an Azure subscription or Resource Group?

A. In most production environments the users of Azure will not have direct access to create resources via the portal or via script. Instead the organization will define a number of JSON templates that deploy a set of standard configurations, and these are exposed to the users through a service catalog. This enables the organization to tightly control the types of resources deployed in Azure and to ensure that they meet the required configurations and governance.

It is also possible to use Azure Resource Manager policies at subscription and resource group levels to control various aspects, including allowed locations, SKUs of VMs and Storage Accounts, encryption requirements, tag requirements, Windows and Linux images and other types of resources. Because a policy is evaluated on every request that reaches Resource Manager, it applies whether the resource is created from the portal, a script or a template. Many policies can be defined via the portal through the Policies tab under Settings, while all can be defined via JSON. As an example:

  • Open the Subscriptions in the Azure portal
  • Select a subscription
  • Select the Policies tab under Settings
  • Click Add assignment
  • Select the type of Policy definition
  • Complete details

The JSON of the policy will be displayed. For example, the following policy rule denies any virtual machine whose SKU is not in the listOfAllowedSKUs parameter (the parameter must be declared in the parameters section of the policy definition and its value supplied when the policy is assigned):

{
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
            },
            {
                "not": {
                    "field": "Microsoft.Compute/virtualMachines/sku.name",
                    "in": "[parameters('listOfAllowedSKUs')]"
                }
            }
        ]
    },
    "then": {
        "effect": "Deny"
    }
}
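As an added example (this is not code from the original answer), the following PowerShell script wraps the rule above in a complete policy definition, declares the listOfAllowedSKUs parameter it references, assigns the policy to a resource group and then checks compliance. It assumes the Az PowerShell module (Az.Resources and Az.PolicyInsights) and an account signed in with Connect-AzAccount that has rights to write policy at the target scope; the definition and assignment names, the resource group rg-app-prod and the SKU list are assumed values chosen for illustration.

```powershell
# Added example, not from the original FAQ answer. Assumes the Az module is
# installed and Connect-AzAccount has been run with rights to write policy.
# The names, resource group and SKU list below are illustrative assumptions.

# 1. The policy rule from the answer, unchanged.
$policyRule = @'
{
    "if": {
        "allOf": [
            { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
            {
                "not": {
                    "field": "Microsoft.Compute/virtualMachines/sku.name",
                    "in": "[parameters('listOfAllowedSKUs')]"
                }
            }
        ]
    },
    "then": { "effect": "Deny" }
}
'@

# 2. Every parameter the rule references must be declared on the definition;
#    a definition that references an undeclared parameter is rejected.
$policyParams = @'
{
    "listOfAllowedSKUs": {
        "type": "Array",
        "metadata": {
            "displayName": "Allowed VM SKUs",
            "description": "VM sizes that may be deployed at the assigned scope."
        }
    }
}
'@

# -Policy and -Parameter accept either a file path or the JSON as a string.
$definition = New-AzPolicyDefinition -Name 'allowed-vm-skus' `
    -DisplayName 'Allowed virtual machine SKUs' `
    -Policy $policyRule -Parameter $policyParams

# 3. Assign at a resource group. To assign at the subscription instead, pass
#    "/subscriptions/<subscriptionId>" as -Scope.
$rg = Get-AzResourceGroup -Name 'rg-app-prod'
New-AzPolicyAssignment -Name 'allowed-vm-skus-rg-app-prod' `
    -Scope $rg.ResourceId -PolicyDefinition $definition `
    -PolicyParameterObject @{
        listOfAllowedSKUs = @('Standard_B2s', 'Standard_D2s_v3', 'Standard_D4s_v3')
    }

# 4. Deny only blocks new or updated resources. VMs that already exist with a
#    disallowed size are left running but reported as non-compliant, so run a
#    scan and list them rather than assuming the scope is clean.
Start-AzPolicyComplianceScan -ResourceGroupName $rg.ResourceGroupName
Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyAssignmentName, ComplianceState
```

After the assignment, any attempt to create or resize a VM in rg-app-prod to a size outside the list fails at request time with a RequestDisallowedByPolicy error, regardless of whether the request comes from the portal, PowerShell, the CLI or a template deployment. The assignment's parameter values can be changed later without touching the definition, which keeps the list of allowed sizes per scope rather than per policy.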

For more detail on resource policies, including the JSON needed to completely define one, see https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-policy.