We currently have an Azure Policy only allowing certain VM SKUs when building new VMs across our tenant. However, we have a new need for a single application team to use a SKU that's not in the existing approved list (H100 for machine learning), but we don't want this SKU allowed outside their resource groups.
As far as I can tell, the only way to do this is:

1. Create a permanent exemption on the existing policy for their resource groups, AND
2. Create a NEW policy that contains all the normally allowed SKUs and the new SKU, scoped to only their resource groups.
This feels clunky - is there a simpler way to accomplish this goal?
You can use the below Azure Policy to enforce allowed VM SKUs across your tenant, with a tag-based exception for a specific high-performance SKU (Standard_H100) used for machine learning workloads.
```json
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "not": {
            "anyOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/sku.name",
                "in": "[parameters('approvedSkus')]"
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/virtualMachines/sku.name",
                    "equals": "Standard_H100"
                  },
                  {
                    "field": "tags['allowH100']",
                    "equals": "true"
                  }
                ]
              }
            ]
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {
    "approvedSkus": {
      "type": "Array",
      "metadata": {
        "displayName": "Approved VM SKUs",
        "description": "List of globally allowed VM SKUs."
      }
    }
  }
}
```
This policy will only allow these VM SKUs and denies all other VM SKUs:

`"Standard_D2s_v3", "Standard_E4s_v4", "Standard_B2ms"`

It will allow Standard_H100, but only when the resource group has the tag named allowH100.

And it will deny Standard_H100 everywhere else unless this tag is present.
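To see how the `allOf` / `not` / `anyOf` nesting in that rule actually decides each request, here is a small evaluator, added as an example and not part of the answer above, that replays the rule's logic against a few constructed VM resources. It assumes resources are plain dicts keyed by the policy alias string, models string comparison as case-insensitive (which is how Azure Policy documents `equals` and `in`), and ignores every other effect and alias of the real engine. One detail worth checking with it: the `field` expression `tags['allowH100']` is read from the resource under evaluation, so in this model the tag must be on the VM itself; a tag carried only by the resource group is not seen by this condition unless something copies it onto the VM.

```python
# Added example (not from the answer above): a toy evaluator that applies the
# policy rule's allOf/anyOf/not/field logic to constructed VM resources.
# Assumptions: resources are plain dicts keyed by the policy alias string,
# string comparisons are case-insensitive (as Azure Policy documents for
# "equals"/"in"), and the real engine's other effects/aliases are not modelled.

APPROVED_SKUS = ["Standard_D2s_v3", "Standard_E4s_v4", "Standard_B2ms"]

SKU_FIELD = "Microsoft.Compute/virtualMachines/sku.name"

# Same structure as the answer's policyRule.
POLICY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"not": {"anyOf": [
                {"field": SKU_FIELD, "in": "[parameters('approvedSkus')]"},
                {"allOf": [
                    {"field": SKU_FIELD, "equals": "Standard_H100"},
                    {"field": "tags['allowH100']", "equals": "true"},
                ]},
            ]}},
        ]
    },
    "then": {"effect": "deny"},
}


def _resolve(value, params):
    """Substitute a "[parameters('name')]" reference with the parameter value."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def _field(resource, name):
    """Read a field from the resource under evaluation; tags['k'] reads that resource's own tags."""
    if name.startswith("tags['") and name.endswith("']"):
        return resource.get("tags", {}).get(name[len("tags['"):-len("']")])
    return resource.get(name)


def _equals(actual, expected):
    """Case-insensitive string comparison (assumed to mirror the policy engine)."""
    if isinstance(actual, str) and isinstance(expected, str):
        return actual.lower() == expected.lower()
    return actual == expected


def evaluate(cond, resource, params):
    """Recursively evaluate a policy condition tree against one resource."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    actual = _field(resource, cond["field"])
    if "equals" in cond:
        return _equals(actual, _resolve(cond["equals"], params))
    if "in" in cond:
        return any(_equals(actual, v) for v in _resolve(cond["in"], params))
    raise ValueError(f"unsupported condition: {cond}")


def decide(resource, approved=APPROVED_SKUS):
    """Return 'deny' when the if-block matches, otherwise 'allow' (rule does not apply)."""
    params = {"approvedSkus": approved}
    if evaluate(POLICY_RULE["if"], resource, params):
        return POLICY_RULE["then"]["effect"]
    return "allow"


def vm(sku, tags=None):
    """Construct a minimal VM resource dict (constructed sample data, not a real resource)."""
    return {"type": "Microsoft.Compute/virtualMachines", SKU_FIELD: sku, "tags": tags or {}}


if __name__ == "__main__":
    samples = {
        "approved sku": vm("Standard_D2s_v3"),
        "H100 with tag": vm("Standard_H100", {"allowH100": "true"}),
        "H100 without tag": vm("Standard_H100"),
        "other sku with tag": vm("Standard_NC6", {"allowH100": "true"}),
        "non-VM resource": {"type": "Microsoft.Compute/disks", "tags": {}},
    }
    for label, res in samples.items():
        print(f"{label:20s} -> {decide(res)}")
```

The "other sku with tag" case is the one to keep in mind when reviewing the rule: the tag only unlocks the SKU named in the inner `allOf`, so tagging a VM does not widen the approved list, while the `not ... anyOf` wrapper keeps the global list and the exception as two independent ways to pass.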