diff --git a/_data/toc.yaml b/_data/toc.yaml index 21ddedae9b..f4f3007a48 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml @@ -1141,6 +1141,8 @@ toc: title: Store logs in an external system - path: /datacenter/ucp/2.1/guides/admin/configure/only-allow-running-signed-images/ title: Only allow running signed images + - path: /datacenter/ucp/2.1/guides/admin/configure/restrict-services-to-worker-nodes/ + title: Restrict services to worker nodes - path: /datacenter/ucp/2.1/guides/admin/configure/use-domain-names-to-access-services/ title: Use domain names to access services - path: /datacenter/ucp/2.1/guides/admin/configure/external-auth/ diff --git a/datacenter/ucp/2.1/guides/admin/configure/add-labels-to-cluster-nodes.md b/datacenter/ucp/2.1/guides/admin/configure/add-labels-to-cluster-nodes.md index 2239d263a2..07acdf0133 100644 --- a/datacenter/ucp/2.1/guides/admin/configure/add-labels-to-cluster-nodes.md +++ b/datacenter/ucp/2.1/guides/admin/configure/add-labels-to-cluster-nodes.md @@ -22,7 +22,7 @@ service to be scheduled on nodes that have an SSD storage. ## Apply labels to a node -Log in with administrator credentials in the UCP web UI, navigate to the +Log in with administrator credentials in the **UCP web UI**, navigate to the **Nodes** page, and choose the node you want to apply labels to. Click the **Add label** button, and add one or more labels to the node. diff --git a/datacenter/ucp/2.1/guides/admin/configure/restrict-services-to-worker-nodes.md b/datacenter/ucp/2.1/guides/admin/configure/restrict-services-to-worker-nodes.md new file mode 100644 index 0000000000..3e3320aba4 --- /dev/null +++ b/datacenter/ucp/2.1/guides/admin/configure/restrict-services-to-worker-nodes.md 
@@ -0,0 +1,26 @@ +--- +title: Restrict services to worker nodes +description: Learn how to configure Universal Control Plane to only allow running services in worker nodes. +keywords: docker, ucp, configuration, worker +--- + +You can configure UCP to only allow users to deploy and run services in +worker nodes. This ensures all cluster management functionality stays +performant, and makes the cluster more secure. + +If a user deploys a malicious service that can affect the node where it +is running, they won't be able to affect other nodes in the cluster, or +any cluster management functionality. + +To restrict users from deploying to manager nodes, log in with adminstrator +credentials to the **UCP web UI**, navigate to the **Admin Settings** +page, and choose **Scheduler**. + +![](../../images/restrict-services-to-worker-nodes-1.png){: .with-border} + +You can then choose if user services should be allowed to run on manager nodes +or not. + +## Where to go next + +* [Use domain names to access your services](use-domain-names-to-access-services.md) diff --git a/datacenter/ucp/2.1/guides/images/restrict-services-to-worker-nodes-1.png b/datacenter/ucp/2.1/guides/images/restrict-services-to-worker-nodes-1.png new file mode 100644 index 0000000000..9fd63a0209 Binary files /dev/null and b/datacenter/ucp/2.1/guides/images/restrict-services-to-worker-nodes-1.png differ
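Review bot: in `_data/toc.yaml` the new entry is placed between "Only allow running signed images" and "Use domain names to access services", but the patch does not touch the preceding page, so the page-to-page navigation may not match the new order. The new page's "Where to go next" already points at `use-domain-names-to-access-services.md`. If `only-allow-running-signed-images` has a "Where to go next" list, it should link to `restrict-services-to-worker-nodes.md` so the sequence reads the same in the sidebar and in the pages.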
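Review bot: in `restrict-services-to-worker-nodes.md`, the second paragraph claims more than the setting described on the page delivers. The **Scheduler** option only decides "if user services should be allowed to run on manager nodes or not", yet the text says a malicious service "won't be able to affect other nodes in the cluster". Nothing here isolates one worker node from another, so I would narrow the sentence to what the setting guarantees: user workloads stay off manager nodes, which keeps them away from cluster management functionality. It would also help to state the default value of the setting and whether it applies to administrators as well as regular users, since the page says "users" throughout. Two smaller points in the same file: "adminstrator" should be "administrator", and the image is added with empty alt text (`![]`), which should describe the Scheduler settings screenshot.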