Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One
Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Approved VM Size Compliance

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: MachineLearning-013

Determine if the compute instances provisioned for your Azure Machine Learning workspaces have the desired size(s) established by your organization based on the workload deployed. The desired SKU size(s) must be defined in the conformity rule settings, in the Trend Cloud One™ – Conformity account.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Cost
optimisation

Limiting the size of compute instances in your Azure Machine Learning workspaces can help you to better manage your cloud compute power, address internal compliance requirements, and prevent unexpected charges on your Azure bill.

Audit

To determine if your Azure Machine Learning compute instances have the desired size(s), perform the following operations:

Using Azure Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Approved VM Size Compliance rule settings, and identify the compute instance size(s) approved by your organization.

02 Sign in to the Microsoft Azure Portal.

03 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

04 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

05 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Machine Learning workspace for Value, then choose Apply to list the Azure Machine Learning workspaces available in the selected subscription.

06 Click on the name (link) of the Machine Learning workspace that you want to examine.

07 In the resource navigation panel, select Overview, and choose Launch studio to open the Azure Machine Learning Studio.

08 In the left navigation panel, under Manage, choose Compute, and select the Compute instances tab to list the compute instances provisioned for the selected Azure Machine Learning workspace.

09 Click on the name (link) of the compute instance that you want to examine.

10 Select the Details tab and check the size of the compute instance, listed as value for the Virtual machine size attribute. If the instance size is different than the one(s) allowed by your organization and identified in step no. 1, the selected Azure Machine Learning compute instance was not launched using the approved, compliant size.

Using Azure CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Approved VM Size Compliance rule settings, and identify the compute instance size(s) approved by your organization.

02 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

03 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

04 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

05 Run ml workspace list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure Machine Learning workspace available in the current subscription: 

az ml workspace list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

06 The command output should return the requested Azure Machine Learning workspace identifiers: 

Name                           ResourceGroup
------------------------       ------------------------------
tm-ml-project5-workspace       cloud-shell-storage-westeurope
tm-ml-production-workspace     cloud-shell-storage-westeurope

07 Run ml compute list command (Windows/macOS/Linux) with custom output filters to list the name of each compute instance provisioned for the selected Azure Machine Learning workspace: 

az ml compute list
	--resource-group cloud-shell-storage-westeurope
	--workspace-name tm-ml-project5-workspace
	--output table
	--query "[].{Name:name}"

08 The command output should return the requested compute instance identifiers (names): 

Name
----------------------
project5-ml-instance01
project5-ml-instance02
project5-ml-instance03

09 Run ml compute show command (Windows/macOS/Linux) with the name of the Azure Machine Learning compute instance that you want to examine as the identifier parameter, to describe the VM size of the selected compute instance: 

az ml compute show
	--name project5-ml-instance01
	--workspace-name tm-ml-project5-workspace
	--resource-group cloud-shell-storage-westeurope
	--query "size"

10 The command output should return the size of the specified compute instance: 

"Standard_E16s_v3"

Compare the VM size returned by the ml compute show command output with the one(s) allowed by your organization, identified in step no. 1. If the instance size is not listed in the conformity rule configuration settings, the selected Azure Machine Learning compute instance was not launched using the approved, compliant size.

Remediation / Resolution

To resize your Azure Machine Learning compute instances to the instance size(s) established by your organization, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Machine Learning workspace for Value, then choose Apply to list the Azure Machine Learning workspaces available in the selected subscription.

05 Click on the name (link) of the Machine Learning workspace that you want to access.

06 In the resource navigation panel, select Overview, and choose Launch studio to open the Azure Machine Learning Studio.

07 In the left navigation panel, under Manage, choose Compute, and select the Compute instances tab.

08 To resize your Azure Machine Learning compute instances to the instance size(s) approved by your organization, you must re-create your compute instances with the appropriate VM size. Choose New and perform the following actions to create your new, compliant compute instance:

  1. For Required settings, enter a name for the new instance in the Compute name box, select the instance type from the Virtual machine type, choose Select from all options under Virtual machine size, and select the VM size approved by your organization. Choose Next to continue the setup process.
  2. (Optional) For Scheduling, choose whether to schedule the compute to start or stop on a recurring basis. You can also configure instance auto shutdown on this step. Choose Next to continue.
  3. For Security, configure security settings such as SSH access, virtual network injection, root access, Single Sign-On (SSO), and managed identity for your new compute instance. Choose Next to continue the setup.
  4. (Optional) For Applications, choose Add application, and add custom applications you may want to use on your compute instance. You can also choose to provision the new instance with a creation and/or startup script on this step. Choose Next to continue.
  5. (Optional) For Tags, use the Name and Value text fields to create the tagging schema for your compute instance. Choose Next to continue the setup.
  6. For Review, review the instance configuration and choose Create to deploy your new, compliant compute instance.

09 (Optional) To remove the non-compliant compute instance from your Azure Machine Learning workspace, select the instance that you want to remove, select Delete, and choose again Delete in the confirmation box.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to access as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run ml workspace list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure Machine Learning workspace available in the current subscription: 

az ml workspace list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Azure Machine Learning workspace identifiers: 

Name                           ResourceGroup
------------------------       ------------------------------
tm-ml-project5-workspace       cloud-shell-storage-westeurope
tm-ml-production-workspace     cloud-shell-storage-westeurope

06 To resize your Azure Machine Learning compute instances to the instance size(s) approved by your organization, you must re-create your compute instances with the appropriate VM size (e.g., Standard_DS3_v2). Run ml compute create command (Windows/macOS/Linux) to create your new, compliant compute instance: 

az ml compute create
	--name ml-approved-instance01
	--size Standard_DS3_v2
	--type ComputeInstance
	--workspace-name tm-ml-project5-workspace
	--resource-group cloud-shell-storage-westeurope

07 The command output should return the configuration information available for the new compute instance: 

{
	"created_on": "2025-10-02T12:30:43.855643+0000",
	"enable_node_public_ip": true,
	"enable_os_patching": false,
	"enable_root_access": true,
	"enable_sso": true,
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.MachineLearningServices/workspaces/tm-ml-project5-workspace/computes/ml-approved-instance01",
	"last_operation": {
		"operation_name": "Create",
		"operation_status": "Succeeded",
		"operation_time": "2025-10-02T12:30:51.837Z",
		"operation_trigger": "User"
	},
	"location": "westeurope",
	"name": "ml-approved-instance01",
	"network_settings": {
		"private_ip_address": "10.0.0.4",
		"public_ip_address": "xxx.xxx.xxx.xxx"
	},
	"os_image_metadata": {
		"current_image_version": "25.07.12",
		"is_latest_os_image_version": true,
		"latest_image_version": "25.07.12"
	},
	"provisioning_state": "Succeeded",
	"release_quota_on_stop": false,
	"resourceGroup": "cloud-shell-storage-westeurope",
	"services": [
		{
			"display_name": "Jupyter",
			"endpoint_uri": "https://ml-approved-instance01.westeurope.instances.azureml.ms/tree/"
		},
		{
			"display_name": "Jupyter Lab",
			"endpoint_uri": "https://ml-approved-instance01.westeurope.instances.azureml.ms/lab"
		}
	],
	"size": "Standard_DS3_v2",
	"ssh_public_access_enabled": false,
	"ssh_settings": {
		"admin_username": "azureuser",
		"ssh_port": "50000"
	},
	"state": "Running",
	"type": "computeinstance"
}

08 (Optional) To remove the non-compliant compute instance from your Azure Machine Learning workspace, run ml compute delete command (Windows/macOS/Linux) to delete the specified compute instance (the command does not produce an output): 

az ml compute delete
	--name project5-ml-instance01
	--workspace-name tm-ml-project5-workspace
	--resource-group cloud-shell-storage-westeurope
	--yes

References

Publication date Oct 29, 2025

Related MachineLearning rules