Azure cloud sandbox

The Azure cloud sandbox provides a real, open Azure environment where you can learn through hands-on practice. This article details levels of support, limits, and restrictions to Azure services in the sandbox. See Cloud sandboxes: getting started for instructions on using the sandbox.

Tip: See our AI sandboxes article for a list of supported services in the Azure AI cloud sandbox.

Global restrictions

The Azure cloud sandbox is compatible with a variety of tools and services within Azure. While we strive to offer you the most comprehensive training opportunity possible, there are some limits to what we can provide in a sandbox environment.

We enforce the following restrictions on our Azure sandbox. If you don’t have access to perform an action in the sandbox, you’ll be notified according to our Hands-on playground and labs abuse protocol.

Regions

Actions in the Azure cloud sandbox are restricted to the following:

North America	Asia	Other
Canada East Central US East US East US 2 North Central US South Central US West Central US West US 2	Central India South India West India Japan West Korea Central Korea South East Asia	Germany North Germany West Central Global

Resource groups

The Azure cloud sandbox does not include the option to create additional resource groups—whether directly or through services that automatically generate separate resource groups, such as Network Watcher.

Billing

Users cannot purchase anything, including from the Azure marketplace, or access billing or cost information.

Authorization

Cannot elevate access
Cannot create or modify role definitions or assignments

Other blocked functionality

Add-ons
Management groups
SaaS subscriptions

Supported Azure services

Reference the table below to determine whether an Azure service is supported in the sandbox and to see additional limits and restrictions.

Note: This list is subject to change. We reserve the right to add, remove, or modify support for cloud services at any time.

Service name	Level of support
AI and Machine Learning services
Autonomous Systems	Not supported
Azure Bot Service	Supported
Cognitive Services	Conditionally supported: Allowed SKUs: S, S0, and S1 Max two services created Max 1000 transactions per cognitive service Note: This includes many older Azure services that have been deprecated and re-released as sub-services.
Enterprise Knowledge Graph	Not supported
Azure Machine Learning	Conditionally supported: Allowed SKUs: Standard DS1 v2, D2 v2, D2s v2, DS2 v2, DS3 v2 Standard F2s v2 or F4s v2 Standard D2 v3 or D2s v3 Max one workspace Max one instance
Azure AI Search	Conditionally supported: Allowed SKUs: Free or basic tier Max one alias Max one data source Max 20,000 documents Max one indexer Max one index Max one search resource Max one skillset Max 500 MB storage Max one synonym map Max 500 MB vector index size
Analytics services
Azure Analysis Services	Supported
Azure Databricks	Not supported
Data Catalog	Not supported
Data Factory	Supported
Data Lake Analytics	Supported
Azure Data Lake Storage Gen2	Supported
Azure Data Share	Supported
HDInsight	Not supported
Azure Data Explorer	Supported
Power BI	Supported
Power BI Embedded	Supported
Microsoft Purview	Supported
Azure Stream Analytics	Conditionally supported: Max one job Max two units
Azure Synapse Analytics	Conditionally supported: Spark Pool limits Only one workspace Allowed nodes: Small size Max three nodes (includes creating a cluster with max set higher than three) Autoscale must be disabled
Blockchain services
Azure Blockchain	Not supported
Azure Blockchain Tokens	Not supported
Compute services
Azure Spring Apps	Not supported
Azure VMware Solution	Not supported
Batch	Supported
Classic deployment model virtual machine	Not supported
Virtual Machines	Conditionally supported: Limits Allowed SKUs: Standard A1 v2 Standard B1ms, B1s, B2ms, B2s Standard D1 v2, DS1 v2 Standard D2, DS1 Standard D2s v3, DS3 v2 Standard F2 Standard D2s_v5 Standard D2s_v4 Standard D2s_v3 Standard DS1_v3 Max 10 instances total Max 10 CPUs across all instances Max 14 GB memory in a single instances Restrictions Blocked from Hybrid Use Benefit No proximity placement groups No TPUs or GPUs
Virtual Machine Scale Sets	Conditionally supported: Max two scale sets Max three instances per scale sets
Azure DevTestLabs	Not supported
Azure Virtual Desktop	Not supported
Azure Lab Services	Not supported
SAP HANA on Azure Large Instances	Not supported
Azure Maintenance	Supported
Azure Quantum	Not supported
Azure Serial Console for Windows	Supported
Service Fabric	Supported
Azure Image Builder	Supported
Azure VMware Solution by CloudSimple	Not supported
Azure Cloud Shell	Supported
Container services
Azure Container Apps	Supported
Container instances	Conditionally supported: Max six container groups Max two containers per group Max two CPUs per container Max 2 GB memory per container
Container Registry	Conditionally supported: Limits Max one registry Restrictions No registry tasks allowed
Azure Kubernetes Service (AKS)	Conditionally supported: Limits Max three clusters Max three nodes per cluster Restrictions Cannot view or manage the secondary resource group created as part of AKS setup Note: You may see an error message when using AKS in labs and sandboxes. You can ignore the message and still use the service with this restriction.
Azure Red Hat OpenShift	Not supported
Database services
Azure Cache for Redis	Not supported
Azure Database for MariaDB	Supported
Azure Database for MySQL	Supported
Azure Database for PostgreSQL	Conditionally supported: Only the following SKUs/sizes are allowed: Standard_B1ms, Standard_B2ms, Standard_B2s, Standard_D2ds_v5, Standard_D2ds_v4, Standard_D2s_v3, Standard_D2ads_v5
Azure Cosmos DB	Conditionally supported: Throughput cannot exceed 1,000 RU/s during its run
Azure SQL Database	Conditionally supported: Limits Only Basic or Standard tiers allowed Allowed SKUs, depending on the type of SQL database/instance: Basic S0, S1, S2, S3, S4 DW100c or DW200c Restrictions No instance pools
SQL Server on Azure Virtual Machines	Supported
SQL Server enabled by Azure Arc	Not supported
Azure SQL Managed Instance	Not supported due to length of time needed to provision, update, or delete (multiple hours on average) No instance pools
Developer Tools services
Azure App Configuration	Supported
Microsoft Dev Box	Not supported
Azure Dev Spaces	Not supported
Azure Spatial Anchors	Supported
Azure Notebooks	Supported
DevOps services
Azure DevOps	Not supported
Azure Hybrid services
Azure Arc-enabled data services	Not supported
Azure Stack HCI	Not supported
Azure Arc-enabled servers	Supported
Azure Arc-enabled Kubernetes	Not supported
Azure Arc site manager	Not supported
Identity services
Note: Some of the unsupported identity services below are available in Active Directory-related labs or pre-created resources within labs, but are not available in sandbox environments.
Microsoft Entra Domain Services	Conditionally supported in AD labs only: Max five apps Max 15 groups Max 15 users
Microsoft Entra ID	Not supported
Microsoft Entra ID B2C	Not supported
Managed identities for Azure resources	Not supported
Integration services
API Management	Conditionally supported: Allowed SKUs: Developer, Basic, Standard, and Consumption
Azure Communication Services	Not supported
Event Grid	Supported
Event Hubs	Conditionally supported: Limits Allowed capacity/pricing: basic and standard Restrictions Cannot use clusters Cannot use Capture
Azure API for FHIR	Supported
Healthcare APIs	Not supported
Logic Apps	Supported
Notification Hubs	Supported
Power Platform	Not supported
Azure Relay	Supported
Service Bus	Supported
IoT services
Azure IoT Hub	Conditionally supported: Allowed SKUs: S1 or B1 Max two Hubs Can only specify one unit when creating a Hub
Device Update for IoT Hub	Not supported
Azure Digital Twins	Not supported
Azure IoT Central	Conditionally supported: Allowed SKUs: ST1
Azure Time Series Insights	Supported
Windows 10 IoT Core Services	Not supported
Azure IoT Hub Device Provisioning Service	Supported
Management services
Azure Advisor	Supported
Azure Resource Manager	Supported
Automation	Conditionally supported: Max one Automation account Max three runbooks Max five running or starting jobs
Cost Management and Billing	Not supported
Azure Blueprints	Conditionally supported: Cannot create or delete any assignments
Classic deployment model	Not supported
Azure Custom Providers	Not supported
Lifecycle Services	Not supported
Azure Policy	Supported
Azure Lighthouse	Supported
Management Groups	Not supported
Azure Site Recovery	Conditionally supported: Cannot take action with any certificates Vault immutability can be enabled, but not locked
Azure Resource Graph	Not supported
Azure Service Health	Supported
Scheduler	Not supported
Azure Managed Applications	Not supported
Media services
Media Services	Supported
Migration services
Azure Data Box	Not supported
Azure Stack Edge
Azure Database Migration Service
Azure Migrate
Monitoring services
Azure Monitor - Alerts Management	Supported
Azure Monitor - Change Analysis	Supported
Azure Monitor - Insights	Supported
Azure Monitor - Intune	Not supported
Azure Monitor - Operational Insights	Supported
Azure Monitor - Operations Management	Supported
Azure Monitor - Workload Monitor	Not supported
Network services
Content Delivery Network	Supported
Classic deployment model virtual network	Not supported
Virtual networks managed by PaaS services	Not supported
Azure Peering	Supported
Application Gateway	Supported
Azure Bastion	Supported
Azure DDoS Protection	Not supported
Azure DNS	Supported
Azure ExpressRoute	Not supported
Azure Firewall	Conditionally supported: Allowed SKUs: basic
Azure Front Door	Supported
Azure Private Link	Supported
Azure Route Server	Supported
Load Balancer	Supported
Network Watcher	Conditionally supported: Cannot access, use, or modify Network Watcher Resource Group Note: Other supported Azure resources that rely on this service will function as long as it doesn't require users to modify anything in the Network Watcher Resource Group itself.
Traffic Manager	Supported
Virtual Network	Conditionally supported: All actions for ExpressRoute Circuits and Gateways are denied
Virtual Network NAT	Supported
Virtual Network Manager	Not supported
Virtual WAN	Supported
VPN Gateway	Conditionally supported: Only the Basic, VpnGw1AZ, and VpnGw2AZ SKUs are allowed
Security services
Azure Attestation	Supported
Customer Lockbox for Microsoft Azure	Supported
Data Protection	Not supported
Azure Dedicated HSM	Supported
Microsoft Defender Advanced Threat Protection	Not supported
Key Vault	Supported
Security Center	Supported
Microsoft Sentinel	Supported
Extended Security Updates	Not supported
Storage services
Classic deployment model storage	Not supported
Elastic SAN	Not supported
Azure HPC Cache	Not supported
Azure Import/Export	Not supported
Azure NetApp Files	Supported
Object Store	Not supported
Storage	Conditionally supported: Cannot lock immutability policies Cannot create or modify legal holds No purge protection
StorSimple	Not supported
Web services
App Service	Conditionally supported: Allowed SKUs: F1, B1, B2, B3, S1, Y1 Max two server farms
App Service Certificates	Supported
Bing Maps	Not supported
Azure Functions	Supported
Azure Maps	Supported
Azure SignalRService	Supported
5G and Space services
Network Function Manager	Not supported
Azure Private 5G Core
Azure Orbital Ground Station

Hands-on playground abuse

We actively monitor the Hands-on playground for abusive, prohibited, or otherwise unacceptable behavior that goes against the educational purpose of these tools. Abuse of the Hands-on playground is enforced by our Hands-on playground and labs abuse protocol to ensure compliance with the Terms of Use (opens in new tab) you agreed to at sign-up.

To avoid workarounds, we don’t provide specifics of what we look for to identify abuse or how we identify it, but a few general examples of misuse and abuse are listed below:

Incorrect instance type
10 or more virtual machines created at a time
10 or more vCPU across all virtual machines
Attempting to use resources for crypto mining
Excessive network traffic
DDoS or port scanning external hosts

This list is not comprehensive, so if you have questions, requests, or want to check whether an activity is allowed in the sandbox, contact Support prior to starting the activity.

Learn, have fun, and please respect the playground.