CLI - Gen2+TLVM As Default - New Az VM OS Disk

Related command

Resource Provider

Microsoft.Compute/disks

Description of Feature or Work Requested

Gen2+TLVM as default (Preferred)

As part of making the compute layer secure for customers deploying workloads, the request is to make Trusted Launch (GA date: November 2021) the default deployment option in the CLI. The following changes will need to be made:

NOTE: The scenarios below apply only to OS disks; if the command is used to create a data disk, these scenarios and change requests do not apply.

Scenario 1 - User creates an empty OS disk using az disk create --size-gb 10 --os-type

Present behavior (new disk with create option Empty):
  1. User runs command az disk create -n diskname -g diskrgname --size-gb 120 --os-type Linux
  2. Empty OS disk with Premium_LRS SKU is created.

Updated behavior post change (updated default parameters and sequence):
  1. User runs command az disk create -n diskname -g diskrgname --size-gb 120 --os-type Linux
  2. The following parameters should be set by default:
    • --hyper-v-generation with value V2
    • --security-type with value TrustedLaunch

Scenario 2 - User creates an OS disk from a PIR image using az disk create --image-reference

Present behavior (new disk with create option FromImage):
  1. User runs command az disk create -n diskname -g diskrgname --image-reference 'urnofPIRimage'
  2. OS disk with the image reference and Premium_LRS SKU is created.

Updated behavior post change (updated default parameters and sequence):
  1. User runs command az disk create -n diskname -g diskrgname --image-reference 'urnofPIRimage'
  2. CLI queries image capabilities using the Virtual Machine Images GET API:
    • For Gen2, use property hyperVGeneration with value V2
    • For Trusted Launch, use features -> SecurityType with value TrustedLaunchSupported
  3. Conditions:
    • If the PIR image supports hyperVGeneration = V2 and SecurityType = TrustedLaunchSupported, enable the following parameters by default:
      • --hyper-v-generation with value V2
      • --security-type with value TrustedLaunch
    • If the PIR image supports hyperVGeneration = V2 but not Trusted Launch, enable the following parameter by default:
      • --hyper-v-generation with value V2
    • Catch-all: the disk will be deployed as a Generation 1 OS disk, and a notification message should be printed for the user. Notification message: Consider upgrading security for your workloads using Azure Trusted Launch VMs. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

Scenario 3 - User creates an OS disk from a PIR image using az disk create --gallery-image-reference

Similar to Scenario 2 described above; image capabilities can be queried using az sig image-version show.

Notification message, if it needs to be provided to end users prior to making the changes: Starting xx/xx/xxxx the az disk create command will deploy a Trusted Launch VM by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

NOTE: Please review the Trusted Launch VM Limitations to assess any impact for CLI users.

Minimum API Version Required

2021-12-01

Swagger PR link

Disk RP Swagger 2021-12-01

Request Example

Create disk with Trusted Launch Security Type

Target Date

2022-10-10

Additional context

  • Target date for implementing the user notification is to match the Ignite event scheduled for 2022-10-12
  • My understanding is that before the change is implemented, the user will need to be provided with a notification, hence the target date for implementation of the changes is the Build event 2023 (May 2023)
  • Multiple Trusted Launch VM limitations will be tentatively addressed before the actual implementation date of May 2023.
  • Image capability to support Gen2 or Trusted Launch VM can be queried using the Virtual Machine Images GET API:
    • For Gen2, use property hyperVGeneration with value V2
    • For Trusted Launch, use features -> SecurityType with value TrustedLaunchSupported
  • TLVM-as-default implementation in the Azure Portal is planned for December 2022.
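The decision rules spread across Scenarios 1 to 3 and the "Additional context" list above, collected into one runnable function. This is an added illustration written for this page, not azure-cli code: it takes a dict shaped like the properties of a Virtual Machine Images GET response (hyperVGeneration plus a features list carrying SecurityType), applies the OS-disk rule from the comments (FromImage always; Import, Upload or Empty only when --os-type is given), and returns the extra az disk create defaults and the Gen1 notification, if any. The function and helper names, and the sample image dicts, are constructed for the example and are not part of the proposal.

```python
"""Gen2 + Trusted Launch default selection for OS disks in `az disk create`.

Added illustration of the decision rules in this issue; it is not azure-cli
code. It works on a dict shaped like the `properties` of a Virtual Machine
Images GET response (or `az vm image show` output).
"""
from __future__ import annotations

from typing import Optional

TRUSTED_LAUNCH_DOC = "https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch"
GEN1_NOTIFICATION = (
    "Consider upgrading security for your workloads using Azure Trusted Launch VMs. "
    "To know more about Trusted Launch, please visit " + TRUSTED_LAUNCH_DOC
)

# Constructed samples of the image properties the CLI would fetch; only the
# two fields the decision depends on are included (real responses carry more).
SAMPLE_IMAGES = {
    "gen2-trusted-launch": {
        "hyperVGeneration": "V2",
        "features": [{"name": "SecurityType", "value": "TrustedLaunchSupported"}],
    },
    "gen2-only": {"hyperVGeneration": "V2", "features": []},
    "gen1": {"hyperVGeneration": "V1", "features": []},
}


def is_os_disk(create_option: str, os_type: Optional[str]) -> bool:
    """OS-disk rule from the issue comments: FromImage is always an OS disk;
    Import, Upload and Empty are OS disks only when --os-type is supplied."""
    option = create_option.lower()
    if option == "fromimage":
        return True
    return option in {"import", "upload", "empty"} and bool(os_type)


def image_capabilities(props: dict) -> tuple[bool, bool]:
    """Return (gen2_supported, trusted_launch_supported) from image properties.

    hyperVGeneration is compared case-insensitively ("v2" and "V2" both count).
    Only the TrustedLaunchSupported value named in the issue is recognised;
    extend the check if images advertise other SecurityType values.
    """
    gen2 = str(props.get("hyperVGeneration", "")).upper() == "V2"
    trusted = any(
        f.get("name") == "SecurityType" and f.get("value") == "TrustedLaunchSupported"
        for f in (props.get("features") or [])
    )
    return gen2, trusted


def default_disk_params(create_option: str, os_type: Optional[str] = None,
                        image_props: Optional[dict] = None) -> tuple[dict, Optional[str]]:
    """Return (defaults to add to `az disk create`, notification to print or None)."""
    if not is_os_disk(create_option, os_type):
        return {}, None  # data disk: the scenarios do not apply

    option = create_option.lower()
    if option == "empty":  # Scenario 1: empty OS disk gets Gen2 + Trusted Launch
        return {"hyper-v-generation": "V2", "security-type": "TrustedLaunch"}, None

    if option == "fromimage":  # Scenarios 2 and 3: follow the image's capabilities
        gen2, trusted = image_capabilities(image_props or {})
        if gen2 and trusted:
            return {"hyper-v-generation": "V2", "security-type": "TrustedLaunch"}, None
        if gen2:
            return {"hyper-v-generation": "V2"}, None
        return {}, GEN1_NOTIFICATION  # catch-all: Gen1 OS disk plus notification

    # Import / Upload OS disks: the issue specifies no new defaults for these.
    return {}, None


def render_args(params: dict) -> str:
    """Render the chosen defaults as az CLI arguments."""
    return " ".join(f"--{name} {value}" for name, value in params.items())


if __name__ == "__main__":
    print("Scenario 1:", render_args(default_disk_params("Empty", "Linux")[0]))
    for name, props in SAMPLE_IMAGES.items():
        params, note = default_disk_params("FromImage", image_props=props)
        print(f"{name}: az disk create ... {render_args(params)}".rstrip())
        if note:
            print("  " + note)
```

Running the block prints the extra arguments each sample image would receive; the Gen1 sample gets none and triggers the notification text from the catch-all condition.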

Top GitHub Comments

AjKundnani commented, Sep 20, 2022

Notification Message if needed to be provided to end users prior to making changes - Starting xx/xx/xxxx az disk create command will deploy Trusted Launch VM by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

Hello @AjKundnani, since the time of the next Build conference has not been determined, can the notification be modified to look like this? Starting next breaking window (sprint for 2023 Build Event) the az disk create command will deploy a Trusted Launch VM by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

@yanzhudd - Is it ok from the CLI perspective to call out the breaking change window for end users? Or, if we can simplify, perhaps something like: Starting Build 2023 event, the az disk create command will deploy a Trusted Launch VM by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch. Thoughts?

AjKundnani commented, Sep 12, 2022

Hello @AjKundnani, could you please help to confirm the details below in this issue?

  • What is the difference between creating an OS disk and a data disk in terms of the parameters the user passes?
  • In scenario 1, is the condition for setting the default value met when the value of DiskCreateOption is passed as Empty?
  • In scenario 3, it seems that az sig image-version show does not contain the hyperVGeneration and Trusted Launch information, since the command az sig image-version show uses the Gallery Image Versions GET API.

Thanks

@yanzhudd

  1. The disk will be an OS disk if:
    • the CreateOption is set to FromImage
    • the CreateOption is Import, Upload or Empty and the --os-type parameter is provided.
  2. Correct, when CreateOption is set to Empty.
  3. It should be az sig image-definition show.
