Cloud lab specifications
Cloud labs provide preconfigured browser-based environments that will provision real, temporary cloud platform user accounts, lasting 60 minutes.
They’re intended to be used for educational purposes only. We monitor for suspicious or malicious behavior, including any misuse of a lab beyond its stated educational purpose or activities.
AWS cloud labs & sandbox
Dive into a real, safe environment to get hands-on practice with AWS. We’re actively adding more services to give you the most options as possible to build new skills and explore.
Supported services and tools
- API Gateway V1
- API Gateway V2
- Application Autoscaling
- Athena
- Cloud Map
- CloudFormation
- CloudWatch Logs
- CodeArtifact
- CodeBuild
- CodeCommit
- CodeDeploy
- CodeGuru Profiler and Reviewer
- CodePipeline
- CloudWatch EventBridge
- Cognito Identity
- Cognito User Pools
- Cognito IDP
- Cognito Sync
- Comprehend
- DynamoDB
- Elastic Compute Cloud (EC2)
- EC2 Autoscaling
- EC2 ImageBuilder
- Elastic File System (EFS)
- Elastic Kubernetes Service (EKS)
- Elastic Block Storage
- Elastic Container Registry (ECR)
- Elastic Container Service (ECS)
- Elastic Load Balancing V2 (ELB)
- ElastiCache
- Elastic Beanstalk
- ElasticSearch Service
- EventBridge
- Glue
- Identity and Access Manager (IAM) - limited
- IAM Access Analyzer
- Key Management Service (KMS)
- Kinesis
- Kinesis Analytics
- Kinesis Video
- Lambda
- Lightsail
- Relational Database Service (RDS)
- RDS Aurora
- Rekognition
- Route 53
- Secrets Manager
- Simple Storage Service (S3)
- Simple Email Service (SES)
- Signer
- Simple Notification Service (SNS)
- Security Token Service (STS)
- Simple Queue Service (SQS)
- Step Functions
- Simple Systems Manager (SSM)
- Systems Manager
- Textract
- Tiros
- Transcribe
- Web Application Firewall (WAF)
- X-Ray
Note: If a service or action isn’t explicitly stated in this list, it isn’t currently supported.
Allowed regions
- us-east-1 and us-west-2
Limitations
We strive to provide the most access as possible to support your learning, but unfortunately, there are some limitations to what we can offer. You’ll receive an alert in the account if access isn’t allowed. Some of the limitations include:
Unavailable across services
- Billing or account settings
- Root user access
- Organizations
- AWS support
EC2 limits
- Allowed instance types: t2.nano, t2.micro, t2.small, t3.nano, t3.micro, t3.small, t4g.nano, t4g.micro, t4g.small, and m3.medium
- Denied actions:
- PurchaseReservedInstancesOffering
S3 limits
- Can only be launched in us-east-1 and us-west-2 regions
- Denied actions:
- BypassGovernanceRetention
- PutBucketObjectLockConfiguration
- PutObjectLegalHold
- PutObjectRetention
IAM limits
- IAM users provisioned in the lab can’t be edited or removed.
- IAM default inline policy with timestamp can’t be edited or deleted (SCP DenyInlinePolicyEdits).
RDS limits
- Allowed instance types:
- Burstable classes: db.t2.micro, db.t3.micro, db.t3.small, db.t3.medium, db.tg4.micro, db.tg4.small, db.t4g.medium
- Memory optimized classes: db.r5d.large
- Standard classes: db.m5d.large
- Storage size limit: ≤ 250GB
Cloud labs misuse and abuse
Cloud labs are to be used for educational purposes only and within the scope of the lab instruction. We monitor for suspicious activity.
Azure cloud labs & sandbox
Supported
- Microsoft.Authorization/policyDefinitions/read
- Microsoft.Authorization/policyDefinitions/write
- Microsoft.Cdn
- Microsoft.CognitiveServices
- Microsoft.Compute
- Microsoft.ContainerInstance
- Microsoft.ContainerRegistry
- Microsoft.ContainerService
- Microsoft.Databricks
- Microsoft.DevTestLab
- Microsoft.DocumentDB
- Microsoft.EventHub
- Microsoft.HDInsight
- Microsoft.KeyVault
- Microsoft.ManagedIdentity
- Microsoft.Network
- Microsoft.OperationalInsights
- Microsoft.OperationsManagement
- Microsoft.PolicyInsights
- Microsoft.ServiceBus
- Microsoft.Sql
- Microsoft.Storage
- Microsoft.Synapse
- Microsoft.Web
Note: If the resource provider isn’t explicitly stated in this list, it isn’t currently supported. See Azure’s documentation matching resource providers to services for more information.
Locations
- Allowed locations: westus and eastus
App service plan
- Allowed free and shared, basic, and standard services plans (docs)
- SKU names: F1, D1, B1, B2, B3, S1, S2, S3
Virtual machines
- Allowed general-purpose VMs with vCPU ≤ 8 and memoryGB ≤ 32 (docs)
- Sizes: B, Dsv3, Dv3, Dasv4, Dav4, DSv2, Dv2, Av2, DC, DCv2, Dv4, Dsv4, Ddv4, Ddsv4, Dv5, Dsv5, Ddv5, Ddsv5, Dasv5, Dadsv5
Cognitive services
- Allowed SKUs: F0, S0, S1, S2
Databricks
- Allowed standard workspaces
Elasticpools
- Allowed basic, standard tiers
Microsoft SQL
- Allowed SKUs (requestedServiceObjectiveName): Free, Basic, S0, S1, S2, S3, S4, S6, S7, S9, S12, DW100c, DW200c
Synapse Big Data Pools
- Allowed nodesizes: small and medium
Virtual machine scale sets
- Allowed general-purpose VMs with vCPU ≤ 8 and memoryGB ≤ 32 (docs)
- Sizes: B, Dsv3, Dv3, Dasv4, Dav4, DSv2, Dv2, Av2, DC, DCv2, Dv4, Dsv4, Ddv4, Ddsv4, Dv5, Dsv5, Ddv5, Ddsv5, Dasv5, Dadsv5
Cloud labs misuse and abuse
Cloud labs are to be used for educational purposes only and within the scope of the lab instruction. We monitor for suspicious activity.
Google Cloud sandbox
Supported services
- App Engine
- API Keys
- Artifact Registry
- Batch
- BigQuery
- Cloud Armor
- Cloud Bigtable
- Cloud Build
- Cloud Compute
- Cloud Composer
- Cloud Data Fusion
- Cloud Data Loss Prevention
- Cloud Dataflow Fault Tolerance
- Cloud Datastore
- Cloud Deploy
- Cloud Deployment Manager
- Cloud DNS
- Cloud Functions
- Cloud GPUs
- Cloud Key Management Service (KMS)
- Cloud Logging
- Cloud Monitoring
- Cloud Memorystore
- Cloud NAT
- Cloud Profiler
- Cloud Run
- Cloud Spanner
- Cloud Scheduler
- Cloud SDK
- Cloud Shell
- Cloud Spanner
- Cloud Speech-to-Text
- Cloud SQL
- Cloud Storage
- Cloud Tensor Processing Units (TPUs)
- Cloud Trace
- Cloud Vision AI
- Cloud VPCs
- Compute Engine
- Config Connector
- Data Catalog
- Dataflow
- Dataflow Runner
- Dataproc
- Dataproc Metastore
- Eventarc
- Firebase Rules
- Firestore
- Google Cloud Translation
- IAM
- Kubernetes GKE
- Looker Studio
- Natural Language AI
- Operations Suite - Error Reporting
- Pub/Sub
- Recommender
- Resource Manager
- Resource Settings API
- Secret Manager
- Security Command Center
- Service Directory
- Service Networking API
- Storage Transfer Service
- Vertex AI
Service limitations
We strive to provide the most access possible to support your learning, but unfortunately, there are some limitations to what we can offer. You’ll receive an error in the account if access isn’t allowed.
Unavailable in account
- Set up cloud projects and accounts
- Apply organizational policies to a resource hierarchy
- Manage users and groups in Cloud Identity
- Manage billing configuration
- Configuring CLI and Cloud SDK
- Use service accounts across projects
- Cloud DNS domain registration
- Service usage quota adjustments
- Reserved capacity commitments
Environment limitations
- Users can’t create any capacity commitments or make any reservations.
- Users can’t create or manage projects or folders.
- Users can’t create or manage billing accounts.
- Users can’t create or manage organizations.
- Users can’t update quotas.