
How can we limit which VM types users can spin up to control costs, and what's a safe way to roll out this change without breaking things? Any tips greatly appreciated!

Hello,

You can achieve this requirement by setting up a custom org policy that limits the type of VMs allowed. You can craft and apply this org policy constraint through the UI, gcloud (CLI) or API.

https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints

Please see the following example custom org policy constraint to restrict machines to N2D VM series: 

name: organizations/012345678/customConstraints/custom.restrictN2dSeries
resource_types:
- compute.googleapis.com/Instance
method_types:
- CREATE
- UPDATE
# machineType is evaluated as zones/ZONE/machineTypes/n2d-standard-2, so the series
# check has to look for "/machineTypes/n2d-"; a pattern such as ".*-n2d-.*" expects a
# hyphen in front of n2d and therefore never matches any n2d machine type.
condition: resource.machineType.startsWith("zones/") && resource.machineType.contains("/machineTypes/") && resource.machineType.matches(".*/machineTypes/n2d-.*")
action_type: ALLOW
display_name: Restrict GCE VM instances to n2d series
description: Only allow the creation and update of GCE VM instances with n2d series.

You can find more details on the Compute Engine specific documentation page here.

Also, we recommend leveraging available tools like Org Policy simulator and dry run before rolling out policy changes to prevent disruption to your organization.

Here is a demo that illustrates this workflow and how to use these tools.
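Added example (not code from the thread above or from Google): a small pre-flight script for the rollout described in that answer. It emulates the constraint's CEL condition locally against constructed sample machine types so you can confirm the series regex before it reaches the organization, and it emits the policy document in two stages, dryRunSpec first (violations only show up in audit logs) and spec second (violations are rejected). The CEL emulation covers only the three string functions the condition uses, and the v2 policy YAML layout (name/spec/dryRunSpec/rules/enforce) is assumed from the org-policy documentation rather than taken from the thread.

```python
"""Pre-flight for a custom org-policy constraint on Compute Engine machine types.

Added example, not code from the original thread.  Assumptions:
  * resource.machineType is the partial URL zones/ZONE/machineTypes/TYPE.
  * CEL matches() is an unanchored RE2 search (emulated with re.search).
  * Policy YAML uses the v2 fields name / spec / dryRunSpec / rules / enforce.
"""
import re

# Constructed sample machine types (not taken from any real project).
SAMPLE_MACHINE_TYPES = [
    "zones/us-central1-a/machineTypes/n2d-standard-2",
    "zones/us-central1-a/machineTypes/n2d-custom-4-8192",
    "zones/us-central1-a/machineTypes/n2-standard-2",
    "zones/europe-west1-b/machineTypes/e2-medium",
    "zones/us-east1-b/machineTypes/c2d-highcpu-4",
]


def cel_condition(machine_type: str, series_regex: str) -> bool:
    """Emulates the constraint condition:
         resource.machineType.startsWith("zones/")
         && resource.machineType.contains("/machineTypes/")
         && resource.machineType.matches(series_regex)
    """
    return (
        machine_type.startswith("zones/")
        and "/machineTypes/" in machine_type
        and re.search(series_regex, machine_type) is not None
    )


def preflight(series_regex: str, samples=SAMPLE_MACHINE_TYPES) -> dict:
    """Map each sample machine type to whether the condition would ALLOW it.
    Run this before shipping the constraint: if every n2d sample is False,
    the regex is wrong, not the fleet."""
    return {mt: cel_condition(mt, series_regex) for mt in samples}


def policy_yaml(org_id: str, constraint: str, stage: str) -> str:
    """Policy document for `gcloud org-policies set-policy`.

    stage="dry-run": only dryRunSpec is populated; violations are logged to
                     Cloud Audit Logs and nothing is blocked.
    stage="enforce": spec enforces the constraint for real.
    """
    if stage not in ("dry-run", "enforce"):
        raise ValueError("stage must be 'dry-run' or 'enforce'")
    block = "dryRunSpec" if stage == "dry-run" else "spec"
    return (
        f"name: organizations/{org_id}/policies/{constraint}\n"
        f"{block}:\n"
        f"  rules:\n"
        f"  - enforce: true\n"
    )


if __name__ == "__main__":
    # A pattern that expects "-n2d-" never matches "/machineTypes/n2d-...";
    # the second pattern anchors on the path segment and does.
    for pattern in (r".*-n2d-.*", r".*/machineTypes/n2d-.*"):
        print(pattern)
        for mt, ok in preflight(pattern).items():
            print(f"  {'ALLOW' if ok else 'DENY '} {mt}")
    print(policy_yaml("012345678", "custom.restrictN2dSeries", "dry-run"))
    print(policy_yaml("012345678", "custom.restrictN2dSeries", "enforce"))
    # Rollout order (typed by hand, not executed here):
    #   gcloud org-policies set-custom-constraint constraint.yaml
    #   gcloud org-policies set-policy dry-run-policy.yaml
    #   ... watch audit logs for dry-run violations, fix the pipelines that
    #       create non-n2d VMs, then ...
    #   gcloud org-policies set-policy enforce-policy.yaml
```

Keep the dry-run policy in place long enough to cover a full deployment cycle of every team that creates instances; an UPDATE-triggered violation from a scheduled resize shows up only when that job next runs.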