Confidential Compute CLI Change Request - VM / VMSS Create
Is your feature request related to a problem? Please describe
No. This is a feature request to add new parameters, and new values to existing parameters, for the following commands in order to support Confidential VM (planned GA by end of June CY22):
The feature request is to support customers with:
- creation of a Confidential VM as a single instance and as a VMSS.
- flexibility to define the encryption type for the managed OS disk and to choose between platform-managed keys and customer-managed keys.
Describe the solution you’d like
Customers use the `az vm create` command with the `--security-type` parameter to set the VM security type. For Confidential VM, the accepted security type should be ConfidentialVM.
Customers use the `az vmss create` command with the `--security-type` parameter to set the VMSS security type. For Confidential VM, the additional accepted security type should be ConfidentialVM.
Existing Parameters
--security-type
Currently `--security-type` supports the value TrustedLaunch. After this change, the following values will be accepted:

| Security-Type |
|---|
| TrustedLaunch |
| ConfidentialVM |
New Parameters
Request to include the new parameters below in the `az vm create` and `az vmss create` commands.
--os-disk-security-encryption-type
New parameter `--os-disk-security-encryption-type`:
- Allows the customer to specify the encryption type for a Confidential VM:
  - Platform Managed Key (PMK)
  - Customer Managed Key (CMK)
  - VM Guest State Only with PMK (VMGS Only PMK)
- This parameter will be mandatory if `--security-type` is set to ConfidentialVM.
- The allowed values and their descriptions are listed below.

| os-disk-security-encryption-type | Description |
|---|---|
| VMGuestStateOnly | Encryption Type VM Guest State Only with PMK (VMGS Only PMK) |
| DiskwithVMGuestState | Encryption Type Platform Managed Key (PMK) |
--os-disk-secure-vm-disk-encryption-set
New parameter `--os-disk-secure-vm-disk-encryption-set`:
- Allows the customer to provide the ARM ID of a Disk Encryption Set created with the ConfidentialVmEncryptedWithCustomerKey encryption type. This lets the customer use Customer Managed Key (CMK) encryption.
- When this parameter is used, the value of the new parameter `--os-disk-security-encryption-type` should be DiskwithVMGuestState.
End to End Usage
Scenario 1 - Create New VM
- Store Subnet ID in a variable:

```bash
subnetId=$(az network vnet subnet show -g $rgName -n MySubnet --vnet-name $vNetName --query [id] -o tsv)
```

- Store Disk Encryption Set ID in a variable:

```bash
diskEncryptionSetId=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [id] -o tsv)
```

- Create a Virtual Machine with the ConfidentialVM security type:

```bash
az vm create -n $vmName -g $rgName -l $location \
  --size "Standard_DC2as_v5" --admin-username MyUserName --admin-password MyPassword \
  --subnet $subnetId --security-type ConfidentialVM \
  --os-disk-security-encryption-type DiskwithVMGuestState \
  --os-disk-secure-vm-disk-encryption-set $diskEncryptionSetId \
  --image "MicrosoftWindowsServer:WindowsServer:2022-datacenter-smalldisk-g2:latest" \
  --enable-vtpm true --enable-secure-boot true
```
Scenario 2 - Create new VMSS
- Store Subnet ID in a variable:

```bash
subnetId=$(az network vnet subnet show -g $rgName -n MySubnet --vnet-name $vNetName --query [id] -o tsv)
```

- Store Disk Encryption Set ID in a variable:

```bash
diskEncryptionSetId=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [id] -o tsv)
```

- Create a Virtual Machine Scale Set with the ConfidentialVM security type:

```bash
az vmss create -n $vmssName -g $rgName -l $location \
  --vm-sku "Standard_DC2as_v5" --admin-username MyUserName --admin-password MyPassword \
  --subnet $subnetId --security-type ConfidentialVM \
  --os-disk-security-encryption-type DiskwithVMGuestState \
  --os-disk-secure-vm-disk-encryption-set $diskEncryptionSetId \
  --image "MicrosoftWindowsServer:WindowsServer:2022-datacenter-smalldisk-g2:latest" \
  --enable-vtpm true --enable-secure-boot true
```
Describe alternatives you’ve considered
Not applicable; this is a new product feature request.
Additional context
Request for Confidential VM - Planned GA by end of June CY22
- Link to Disk RP API Swagger Spec
- Link to Compute RP Swagger Spec
- Confidential VM with Customer Managed Keys ARM JSON
- Confidential VM with Platform Managed Keys ARM JSON
- Confidential VM GA Request PowerShell change on Set-AzVmSecurityProfile cmdlet
Additional Checks
When `--security-type` is set to ConfidentialVM:
- Confidential VMs are supported only with specific VM SKUs, so the VM SKU should belong to one of the following families:

| Supported VM Family |
|---|
| Standard DCasv5 / DCadsv5 |
| Standard ECasv5 / ECadsv5 |
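The parameter rules from the New Parameters section and the SKU check above, written out as a validator for the flag combinations. This is an added example, not the Azure CLI's own validation code; the size-name pattern is an assumption derived from the Standard_DC2as_v5 example, and the ARM ID shape of a Disk Encryption Set is assumed from the "ARM ID" wording in the request.

```python
import re

# Allowed values as listed in this request.
SECURITY_TYPES = {"TrustedLaunch", "ConfidentialVM"}
ENCRYPTION_TYPES = {"VMGuestStateOnly", "DiskwithVMGuestState"}

# Assumption: size names follow the Standard_DC2as_v5 pattern from the example,
# so DCasv5 / DCadsv5 / ECasv5 / ECadsv5 sizes all match this expression.
CVM_SIZE_RE = re.compile(r"^Standard_(DC|EC)\d+a(d)?s_v5$")

# Assumption: the Disk Encryption Set is passed as its full ARM resource ID,
# since a bare name cannot be resolved across resource groups.
DES_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Compute/diskEncryptionSets/[^/]+$",
    re.IGNORECASE,
)


def validate_cvm_params(security_type=None, size=None, encryption_type=None, des_id=None):
    """Return a list of error strings; an empty list means the flag combination is valid."""
    errors = []
    if security_type is not None and security_type not in SECURITY_TYPES:
        errors.append(f"--security-type must be one of {sorted(SECURITY_TYPES)}")
    if security_type == "ConfidentialVM":
        if encryption_type is None:
            errors.append("--os-disk-security-encryption-type is mandatory for ConfidentialVM")
        elif encryption_type not in ENCRYPTION_TYPES:
            errors.append(f"--os-disk-security-encryption-type must be one of {sorted(ENCRYPTION_TYPES)}")
        if size is not None and not CVM_SIZE_RE.match(size):
            errors.append(f"{size} is not a DCasv5/DCadsv5/ECasv5/ECadsv5 size")
    elif encryption_type is not None or des_id is not None:
        # Assumption: the two new parameters are only meaningful for ConfidentialVM.
        errors.append("the new OS disk security parameters require --security-type ConfidentialVM")
    if des_id is not None:
        if encryption_type != "DiskwithVMGuestState":
            errors.append("--os-disk-secure-vm-disk-encryption-set requires DiskwithVMGuestState")
        if not DES_ID_RE.match(des_id):
            errors.append("--os-disk-secure-vm-disk-encryption-set must be a Disk Encryption Set ARM ID")
    return errors


def key_management(encryption_type, des_id=None):
    """Map the flag combination to the key model described in this request."""
    if encryption_type == "VMGuestStateOnly":
        return "VMGS Only PMK"
    if encryption_type == "DiskwithVMGuestState":
        return "CMK" if des_id else "PMK"
    raise ValueError(f"unknown encryption type: {encryption_type}")
```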
Contacts
| Role | Contact |
|---|---|
| Main developer contacts (emails + github aliases) | Abhishek Verma (AZURE) Abhishek.Verma@microsoft.com, Anshul Solanki Anshul.Solanki@microsoft.com |
| PM contact (email + github alias) | Ajay Kundnani ajay.kundnani@microsoft.com |
| Other people who should attend a design review (email) | Run Cai run.cai@microsoft.com, Deepak J V J.Deepak@microsoft.com |
Top GitHub Comments
@zhoxing-ms - It is in line with expectations, yes, as these capabilities will be enabled in the near future. We will have to document it in such a way that the end user knows what the available deployment options are for VMSS.
@AjKundnani In this case, the user can only pass in the ID, and we cannot support the name from a different resource group. The `--os-disk-encryption-set` parameter is this logic; the new parameter can be consistent with it.