How can we limit which VM types users can spin up to control costs, and what's a safe way to roll out this change without breaking things? Any tips greatly appreciated!
Hello,
You can achieve this requirement by setting up a custom org policy that limits the type of VMs allowed. You can craft and apply this org policy constraint through the UI, gcloud (CLI) or the API.
Please see the following example custom org policy constraint to restrict machines to N2D VM series:
name: organizations/012345678/customConstraints/custom.restrictN2dSeries
# resource_types is a repeated field, so it is written as a list
resource_types:
- compute.googleapis.com/Instance
method_types:
- CREATE
- UPDATE
# The CEL condition is one expression; the folded scalar (>-) keeps the
# three clauses readable while the YAML parser joins them into a single line
condition: >-
  resource.machineType.startsWith("zones/") &&
  resource.machineType.contains("/machineTypes/") &&
  resource.machineType.matches(".*-n2d-.*")
action_type: ALLOW
display_name: Restrict GCE VM instances to n2d series
description: Only allow the creation and update of GCE VM instances with n2d series.
You can find more details on the Compute Engine specific documentation page here.
Also, we recommend leveraging available tools like Org Policy simulator and dry run before rolling out policy changes to prevent disruption to your organization.
Here is a demo that illustrates this workflow and how to use these tools.
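The answer above recommends testing a custom constraint in dry run before enforcing it. The following is an added example, not code from the forum post or from Google: it models a custom constraint's CEL condition as a Python predicate so the rule can be exercised offline against a sample inventory, and it distinguishes a dry-run outcome (violation recorded, request still allowed) from an enforced one (request denied). The machine-type path shape `zones/<zone>/machineTypes/<name>`, the organization id placeholder, and the sample instances are assumptions constructed for the example; the condition here checks the series prefix of the machine-type name rather than reusing the post's regex.

```python
"""Offline model of a Compute Engine custom org-policy constraint rollout.

Added example, not the post's code. It mirrors the advice to run a new
constraint in dry run first: the same evaluation is applied to existing
instances (UPDATE) and to planned ones (CREATE), so non-compliant machines
surface as violations before enforcement starts rejecting them.
"""
import re
from dataclasses import dataclass

# Assumed shape of resource.machineType as the constraint sees it:
# "zones/<zone>/machineTypes/<machine-type-name>" (an assumption, not from the page).
MACHINE_TYPE_RE = re.compile(r"^zones/[^/]+/machineTypes/([^/]+)$")


@dataclass(frozen=True)
class CustomConstraint:
    """The subset of a custom constraint needed to evaluate a request."""
    name: str
    allowed_series: frozenset      # machine series prefixes, e.g. {"n2d"}
    action_type: str = "ALLOW"     # ALLOW: condition true => request permitted

    def condition(self, machine_type: str) -> bool:
        """Python equivalent of a CEL condition that requires a well-formed
        machine-type path and a machine series from the allowed set."""
        match = MACHINE_TYPE_RE.match(machine_type)
        if not match:
            return False               # malformed path never satisfies the rule
        name = match.group(1)          # e.g. "n2d-standard-4" or "n2d-custom-4-8192"
        series = name.split("-", 1)[0]  # "n2d"
        return series in self.allowed_series

    def permits(self, machine_type: str) -> bool:
        """Apply action_type: ALLOW permits when the condition holds,
        DENY permits when it does not."""
        holds = self.condition(machine_type)
        return holds if self.action_type == "ALLOW" else not holds


def decide(constraint: CustomConstraint, machine_type: str, enforce: bool) -> str:
    """Outcome for one CREATE/UPDATE request.

    In dry run (enforce=False) a non-compliant request goes through but is
    recorded as a violation, which is what you review before flipping to
    enforcement; with enforce=True the same request is denied.
    """
    if constraint.permits(machine_type):
        return "ALLOW"
    return "DENY" if enforce else "DRY_RUN_VIOLATION"


def simulate(constraint: CustomConstraint, requests, enforce: bool = False) -> dict:
    """Evaluate a batch of (instance_name, machine_type) requests."""
    return {name: decide(constraint, mt, enforce) for name, mt in requests}


# Constructed sample inventory, not real instances.
SAMPLE_REQUESTS = [
    ("web-1",   "zones/us-central1-a/machineTypes/n2d-standard-4"),
    ("db-1",    "zones/us-central1-a/machineTypes/n2d-highmem-8"),
    ("batch-1", "zones/europe-west1-b/machineTypes/c2-standard-60"),
    ("gpu-1",   "zones/us-central1-a/machineTypes/a2-highgpu-1g"),
    ("odd-1",   "n2d-standard-4"),   # malformed path: fails the shape check
]

N2D_ONLY = CustomConstraint(
    # Placeholder organization id; substitute your own.
    name="organizations/EXAMPLE_ORG_ID/customConstraints/custom.restrictN2dSeries",
    allowed_series=frozenset({"n2d"}),
)

if __name__ == "__main__":
    print("dry run:", simulate(N2D_ONLY, SAMPLE_REQUESTS, enforce=False))
    print("enforced:", simulate(N2D_ONLY, SAMPLE_REQUESTS, enforce=True))
```

Running the dry run over the existing fleet, not only over new requests, matters because the constraint applies to UPDATE as well as CREATE: an instance that is already on a disallowed series keeps running, but any later update to it would be rejected once enforcement is on.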