diff --git a/pkg/api/handlers.go b/pkg/api/handlers.go
index 09b97e1..02e8410 100644
--- a/pkg/api/handlers.go
+++ b/pkg/api/handlers.go
@@ -84,6 +84,10 @@ func handleCreateVM(cfg config.Config, svc Services) http.HandlerFunc {
 			writeJSON(w, http.StatusBadRequest, map[string]string{"error": err.Error()})
 			return
 		}
+		if err := validators.CheckStoragePoolsVM(spec.Disks, cfg); err != nil {
+			writeJSON(w, http.StatusBadRequest, map[string]string{"error": err.Error()})
+			return
+		}
 		if err := svc.Store.SaveVM(spec); err != nil {
 			writeJSON(w, http.StatusInternalServerError, map[string]string{"error": err.Error()})
 			return
@@ -203,6 +207,10 @@ func handleCreateCT(cfg config.Config, svc Services) http.HandlerFunc {
 			writeJSON(w, http.StatusBadRequest, map[string]string{"error": err.Error()})
 			return
 		}
+		if err := validators.CheckStoragePoolsCT(spec, cfg); err != nil {
+			writeJSON(w, http.StatusBadRequest, map[string]string{"error": err.Error()})
+			return
+		}
 		if err := svc.Store.SaveCT(spec); err != nil {
 			writeJSON(w, http.StatusInternalServerError, map[string]string{"error": err.Error()})
 			return
@@ -410,3 +418,14 @@ func authMiddleware(token string) func(http.Handler) http.Handler {
 		})
 	}
 }
+
+func validateVM(spec libvirt.VMSpec, cfg config.Config) error {
+	if spec.CPU <= 0 {
+		return errors.New("cpu must be > 0")
+	}
+	if spec.MemoryMB <= 0 {
+		return errors.New("memory_mb must be > 0")
+	}
+	// storage pools validated elsewhere
+	return nil
+}
diff --git a/pkg/validators/validators.go b/pkg/validators/validators.go
index c48a54f..3a55571 100644
--- a/pkg/validators/validators.go
+++ b/pkg/validators/validators.go
@@ -3,6 +3,10 @@ package validators
 import (
 	"fmt"
 	"os/exec"
+
+	"jagacloud/node-agent/pkg/compute/libvirt"
+	"jagacloud/node-agent/pkg/config"
+	"jagacloud/node-agent/pkg/containers/lxc"
 )
 
 // CheckBridge returns nil if the bridge exists on the host.
@@ -44,3 +48,33 @@ func CheckStoragePool(name string) error {
 	// TODO: query configured pools
 	return nil
 }
+
+// CheckStoragePoolsVM ensures all disks reference known pools from config.
+func CheckStoragePoolsVM(disks []libvirt.DiskSpec, cfg config.Config) error {
+	for _, d := range disks {
+		if d.Pool == "" {
+			continue
+		}
+		if !poolExists(cfg, d.Pool) {
+			return fmt.Errorf("storage pool %s not configured", d.Pool)
+		}
+	}
+	return nil
+}
+
+// CheckStoragePoolsCT ensures rootfs pool exists.
+func CheckStoragePoolsCT(spec lxc.Spec, cfg config.Config) error {
+	if spec.RootfsPool != "" && !poolExists(cfg, spec.RootfsPool) {
+		return fmt.Errorf("storage pool %s not configured", spec.RootfsPool)
+	}
+	return nil
+}
+
+func poolExists(cfg config.Config, name string) bool {
+	for _, p := range cfg.StoragePools {
+		if p.Name == name {
+			return true
+		}
+	}
+	return false
+}