Link Search Menu Expand Document

Azure Environment

Azure Environment

The user account provisioned through the Katacoda environment will have access to an isolated resource group per user, defined under O’Reilly’s global subscriptions. Note that the temporary user account is active for 60-minutes then deactivated. Please see the Azure Sandbox example (through direct link only) on and an example source.

Scenario Set-up

  1. Base imageID to configure in index.json:
     "imageid": "orm-azure"
  2. index.json should be configured to auto-execute the script.
     "intro": {
         "text": "",
         "courseData": "",
         "code": "",
  3. The script should include:
     chmod +x /opt/get-azure
     for i in {1..20}; 
         /opt/get-azure && . ~/.azureenv && break || sleep 1; 

    The environment includes Azure credentials in the file ~/.azure-resp, and there is a helper script /opt/get-azure that configures the following environment variables:

  • Username: Active Directory user’s principal name. Follows the pattern user-*<random_characters>
  • Password: Active Directory user’s password.
  • Resource: Each user has one resource group associated under a common subscription (Azure subscription 1). The resource group has the same name as the active directory user. For example, if the user is, the resource group is user-zzzpzxkshdzs. This resource group name can also be referenced using the $resource variable.

The user is assigned the role CloudLabsOwner, for their associated resource group. This role is a custom role based on the built-in Owner role but with notActions:

    "notActions": [
           ], These actions are disabled to prevent the users from manipulating internal policies and to restrict resource providers and manage costs.

Note: The resource group region is limited to the East US and West US regions.

Pre-Installed Tools

  • Azure CLI
  • jmespath
  • databricks-cli
  • Extensions:
    • ad
    • aem
    • arcdata
    • authV2
    • azure-devops
    • azure-iot
    • baremetal-infrastructure
    • communication
    • connectedk8s
    • connectedmachine
    • costmanagement
    • customlocation
    • databox
    • databricks
    • datafactory
    • desktopvirtualization
    • dev-spaces
    • express-route-cross-connection
    • front-door
    • healthcareapis
    • hpc-cache
    • image-copy-extension
    • k8s-configuration
    • k8s-extension
    • kusto
    • managementpartner
    • ml
    • monitor-control-service
    • peering
    • rdbms-connect
    • redisenterprise
    • resource-graph
    • sap-hana
    • sentinel
    • spring
    • spring-cloud
    • ssh
    • stack-hci
    • storagesync
    • support
    • timeseriesinsights
    • vm-repair
    • vmware
    • webpubsub

Resource Providers

Listed below are the resource providers currently allowed/disallowed for scenarios. If one is missing, please submit a support ticket for our evaluation. We are actively expanding our capacities.


If the resource provider is not explicitly stated in this list, it is not currently supported.

- Microsoft.ContainerRegistry
- Microsoft.ContainerService
- Microsoft.ContainerInstance
- Microsoft.Sql
- Microsoft.Storage
- Microsoft.Compute
- Microsoft.DocumentDB
- Microsoft.Web
- Microsoft.KeyVault
- Microsoft.EventHub
- Microsoft.ServiceBus
- Microsoft.Network
- Microsoft.Cdn
- Microsoft.Synapse
- Microsoft.Authorization/policyDefinitions/write
- Microsoft.Authorization/policyDefinitions/read
- Microsoft.DevTestLab
- Microsoft.OperationalInsights
- Microsoft.PolicyInsights
- Microsoft.OperationsManagement
- Microsoft.HDInsight
- Microsoft.CognitiveServices
- Microsoft.Databricks
- Microsoft.ManagedIdentity


- Microsoft.Blueprint
- Microsoft.CostManagement/exports
- Microsoft.AzureActiveDirectory
- Subscription Management

Blocked Actions

- Microsoft.ContainerService/managedClusters/users/impersonate/action
- Microsoft.ContainerService/unregister/action
- Microsoft.Sql/unregister/action
- Microsoft.Compute/unregister/action
- Microsoft.web/unregister/action
- Microsoft.KeyVault/unregister/action
- Microsoft.EventHub/unregister/action
- Microsoft.ServiceBus/unregister/action
- Microsoft.Network/unregister/action
- Microsoft.Cdn/unregister/action
- Microsoft.operationalinsights/unregister/action
- Microsoft.PolicyInsights/unregister/action

App Service Plan

Allowed Free and shared, basic, and standard service plans. Docs

  • SKU names F1, D1, B1, B2, B3, S1, S2, S3

Virtual Machines

Allowed General purpose VMs. Docs

  • Sizes: Basic_A0, Basic_A1, Basic_A2, Basic_A3, Basic_A4, Standard_A0, Standard_A1, Standard_A1_v2, Standard_A2, Standard_DS1_v2, Standard_DS2_v2.

Disallowed the use or creation of VMs or VMs scale sets that require a Windows_Server license.

Cognitive Services

- Allowed SKUs: F0, S0, S1, S2.


- Allowed standard workspaces.


- Allowed Basic, Standard tiers.


- Allowed SKUs (requestedServiceObjectiveName): Free, Basic, S0, S1, S2, S3, S4, S6, S7, S9, S12, DW100c, DW200c.

Synapse Big Data Pools

- Allowed nodesizes: small and medium.

Virtual Machine Scale Sets

Allowed General purpose VMs. Docs

  • Sizes: Basic_A0, Basic_A1, Basic_A2, Basic_A3, Basic_A4, Standard_A0, Standard_A1, Standard_A1_v2, Standard_A2, Standard_DS1_v2, Standard_DS2_v2.

Azure Kubernetes Service (AKS)

Allowed up to 5 agent pools.


Resource Groups and Providers

Don’t create/delete new resource groups. Use the provided resource group instead of the one available in the $resource environment variable.


az group create --name lesson38rg --location eastus
az group delete --name lesson38rg --no-wait --yes


az vm create --name 'MyVM' \
--image UbuntuLTS \
--location eastus \
--resource-group $resource \
--admin-username azureuser \
--public-ip-sku Basic
az monitor activity-log list --resource-group $resource
az monitor autoscale list --resource-group $resource

Don’t register the resource provider. The resource provider should be already registered, and if it is not, let us know. If it falls within the current development scope, we can register the provider.

Azure Kubernetes Service

Don’t include the enable-addons monitoring option when creating a new cluster


az aks create \
--resource-group lesson08rg \
--name lesson08AksCluster \
--node-count 3 \
--enable-addons monitoring \.


az aks create \
--resource-group lesson08rg \
--name lesson08AksCluster \
--node-count 3 \


Don’t use keyvault commands that require access to resources created at subscription level. For example:

az keyvault list-deleted
az keyvault recover --location eastus --name $keyVaultName --resource-group $resource
az keyvault purge --name $keyVaultName