Technical Blog | REBELADMIN

Learn about Active Directory and Various Azure Services

Azure

Encrypt existing Azure Managed Disks using Server-Side Encryption (SSE) and Customer Managed Keys (CMK)

In my previous blog post, I have explained what is Server-Side Encryption (SSE) for Azure Managed Disks. If you didn’t read it yet, please go ahead and read it using this link. In there I have created a new virtual machine with encrypted managed disks. But sometimes we may have to do the same for the existing Azure Managed Disks. In this blog post, I am going to demonstrate how we can encrypt an existing data disk (Azure Managed Disk) using SSE and CMK.

Prerequisite

Before we go ahead with configuration, we need to make sure the following prerequisites are in place.

Azure Key Vault with DisKEncryptionSet – I have covered the configuration steps for this in my previous blog post https://www.rebeladmin.com/2021/01/encrypt-azure-managed-disks-using-server-side-encryption-sse-and-customer-managed-keys-cmk/. Please go ahead and configure the Azure Key Vault before we proceed further.

Azure PowerShell – For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0

Verify Existing Windows VM Configuration

For the demo, I have created a new Windows VM called REBEL01 in East US Azure region. It is running windows server 2019 data center edition. It is using Standard_DS1_v2 VM size. This VM has two disks. REBEL01_OSDisk is OS disk and REBEL01DataDisk1 is Data Disk.

Virtual Machine Disk Encryption with Platform managed keys

As we can see above, the data disk is encrypted using platform managed keys. This is the default setup for Azure managed disks. My plan is to encrypt this disk with Customer Managed Key (CMK). We can’t encrypt the existing OS disk using the same method.

Detach Managed Disk

We can’t change the encryption of a disk that is attached to a running VM. So, we need to detach the disk first. To do that we can use the following commands,

$VM = Get-AzVM -ResourceGroupName “REBELRG1” -Name “REBEL01”
Remove-AzVMDataDisk -VM $VM -Name “REBEL01DataDisk1”

Detach Azure Managed Disk

Then we need to update the VM config using

Update-AzVM -ResourceGroupName “REBELRG1” -VM $VM

Update Azure Virtual Machine Configuration [Read more…] about Encrypt existing Azure Managed Disks using Server-Side Encryption (SSE) and Customer Managed Keys (CMK)

Encrypt Azure Managed Disks using Server-Side Encryption (SSE) and Customer Managed Keys (CMK)

Disk encryption is a basic data protection method for physical & virtual hard disks. It falls under physical data security and it prevents data breaches from stolen hard disks (physical & virtual). By using Azure Disk Encryption, we can encrypt disks within the guest VM. If the guest VM is running Windows OS, Azure Disk Encryption will use BitLocker. If the guest VM is running Linux, it will be depending on DM-Crypt to encrypt virtual disks. But with Server-Side Encryption (SSE) we can encrypt any OS disk/data disk at the storage service level.

By default, Azure Managed disks are encrypted using 256-bit AES encryption. It is FIPS 140-2 compliant. For this, the system uses platform-managed encryption keys. But for compliance requirements, the organization may want to manage its own encryption keys. These keys are called Customer Managed Keys (CMK). In here, instead of the platform, it is the customer’s responsibility to create, import, delete encryption keys. We can use CMK to encrypt managed disk using Azure Disk Encryption or Server-Side Encryption (SSE). In both methods, we have to use the Azure Key Vault to store the encryption keys. A Key vault admin can either import their own RSA keys or generate new RSA keys in the key vault to use with encryption.

When we using Customer Managed Keys (CMK) we need to consider the following,

1. If the CMK feature is enabled for a disk, it can’t be disabled. If you need you can copy data to a new disk without CMK.
2. Only supported Software and HSM RSA keys with 2048 bit, 3072 bit, and 4096-bit sizes.
3. Managed disk created from custom image or snapshot which is encrypted using SSE & CMK must use same CMK to encrypt.
4. All resources related to CMK such as Azure key vault, DisKEncryptionSet, VMs, Managed Disks must use the same subscription and region.
5. Managed disks currently or previously encrypted using Azure Disk Encryption cannot be encrypted using CMK.

Source: https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption#customer-managed-keys

Before we go ahead with configurations let’s see how Server-Side Encryption (SSE) works with Customer Managed Keys (CMK).

1. Admin creates DisKEncryptionSet resource with Azure Key Vault ID and a key URL. This will also create a system-assigned managed identity in Azure Active Directory.
2. Then Azure Key Vault Admin grant permission to this managed identity to perform activities in the relevant key vault.
3. As the next step, VM user can create or associate existing managed disks with DisKEncryptionSet and enable Server-Side Encryption (SSE)
4. Managed disks use system-assigned managed identity in Azure Active Directory to access Key vault
5. Managed disks send a request to Key vault to encrypt or decrypt Data Encryption Key (DEK) to use it with data encryption or decryption.

Let’s go ahead and see how we can use SSE and CMK for managed disk encryption.

For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0

Setup Azure Resource Group

The first step of the configuration is to create a new resource group.

To do that,

Launch PowerShell console and connect to Azure using Connect-AzAccount

Then create a new resource group using,

New-AzResourceGroup -Name REBELRG1 -Location “East US”

Create New Azure Resource Group

In the above, REBELRG1 is the resource group name and East US is the resource group location.

Setup Azure Key Vault

Next, we need to create a new key vault and encryption key.

As the first step, let’s go ahead and enable Azure Key Vault provider within the subscription by using,

Register-AzResourceProvider -ProviderNamespace “Microsoft.KeyVault”

Enable Azure Key Vault Provider

Then, let’s go ahead with Azure Vault setup,

$rkv = New-AzKeyVault -VaultName REBELVMKV1 -Location “East US” -ResourceGroupName REBELRG1 -EnablePurgeProtection

In the above, REBELVMKV1 is the key vault name and it is created under REBELRG1 resource group. –EnablePurgeProtection parameter is used to ensure a deleted key from the vault cannot be permanently deleted until it passes the retention period. This option adds extra protection to keys used inside the vault. This must be enabled otherwise the encryption will fail.

As the next step, we need to create an access policy so currently logged-in user can create encryption keys.

Set-AzKeyVaultAccessPolicy -VaultName REBELVMKV1 -ObjectId xxxxxxxxxxxxxxxx -PermissionsToKeys create,import,delete,list -PermissionsToSecrets set,delete -PassThru

Setup Access Policy

In the above -Objectid value should replace with the actual objectid value of the currently logged in the global admin account. Here -PermissionsToKeys define the permissions allocated for keys and -PermissionsToSecrets defines the permissions allocated for secrets.

Next, we need a new encryption key to use with disk encryption.

$vk1 = Add-AzKeyVaultKey -VaultName REBELVMKV1 -Name “REBELVMKey” -Destination “Software”

Create Encryption Key

In the above, REBELVMKey is the key name. -Destination is defined as Software as we creating the standard encryption key. If required it can be set to Hardware Security Model (HSM) but it comes with additional cost. [Read more…] about Encrypt Azure Managed Disks using Server-Side Encryption (SSE) and Customer Managed Keys (CMK)

How to Share disk between Azure Virtual Machines? (PowerShell Guide)

If you worked with an application that is based on Windows Server Failover Cluster (WSFC), you may already know that sometimes we have to share virtual disks between servers. Scale-Out File Servers (SoFS), SAP, Remote Desktop Server User Profile Disk, Failover cluster instance (FCI) with SQL Server are some of the examples. If virtual machines are running on VMware, we can do this by enabling Multi-Writer Mode on virtual disks. If it is a Hyper-V environment, we can do the same using Shared disk or VHD Sets features.

Azure managed disks also can share between multiple virtual machines. This help organization to move or deploy applications depending on cluster services and shared disks to Azure. In this demo, I am going to demonstrate how we can share a disk between two Azure VM.

Limitations

• Certain limitations apply to Azure shared disks.
• Share disk feature only available for ultra disks and premium SSDs
• Can only be enabled in data disks, not operating system disks
• Can’t use with Azure Backup or Azure Site Recovery (yet)
• If you are using proximity placement groups, all virtual machines and shared disks must use the same PPG.
maxShares value of the disk defines how many VMs can share the disk simultaneously. For ultra disks, maxShares value is 5.
• For Premium SSDs, the maximum value for maxShares is depending on the disk size. It can be varying from 2-10.

Let’s go ahead and see how we can configure Azure shared disk.

For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0

Create a Resource Group

As the first part of the configuration, I am going to create a new resource group. To do that,

Launch PowerShell console and connect to Azure using Connect-AzAccount

Then create a new resource group using,

New-AzResourceGroup -Name EUSRG1 -Location “East US”

Create Azure Resource Group

In the above, EUSRG1 is the resource group name, and its created-in East US Azure region.

Create Azure VNet

The next step is to create a new virtual network under EUSRG1 resource group. We can create it using,

$vmsubnet = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix “10.0.2.0/24”
New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName EUSRG1 -Location “East US” -AddressPrefix “10.0.0.0/16” -Subnet $vmsubnet

Create Azure Virtual Network

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines. [Read more…] about How to Share disk between Azure Virtual Machines? (PowerShell Guide)

How to Deploy an Azure VM to Availability Zone? (PowerShell Guide)

Azure Availability Zones offers high availability for data and applications. In an Azure region, there can be one or more data centers. Azure Availability Zone is made out of one or more datacentres in the same Azure region, which have independent power, hardware, networking, and cooling. All Zone redundant service will replicate data and application across Availability Zone for high resilience. Each Azure region contains a minimum of three Azure Availability Zones.
More Information about Azure Availability Zones are available on https://docs.microsoft.com/en-us/azure/availability-zones/az-overview

We also can deploy Azure Virtual Machines into Azure Availability Zone for high availability. In this demo, I am going to demonstrate how we can deploy Azure Windows Virtual Machine to Azure Availability Zone by using Azure PowerShell.
Before we start, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0

Create Resource Groups

As the first part of the configuration, I am going to create a new resource group. To do that,

Launch PowerShell console and connect to Azure using Connect-AzAccount

Then create a new resource group using,

New-AzResourceGroup -Name REBELRGEUS -Location “East US”

Setup Azure Resource Group

In the above, I am creating a resource group called REBELRGEUS in East US Azure region.

Create Azure VNet

The next step is to create a new virtual network under REBELRGEUS resource group.

$vmsubnet = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix “10.0.2.0/24”
New-AzVirtualNetwork -Name REBELVN1 -ResourceGroupName REBELRGEUS -Location “East US” -AddressPrefix “10.0.0.0/16” -Subnet $vmsubnet

Create Azure Virtual Network

In the above, REBELVN1 is the new virtual network name. It has 10.0.0.0/16 address space. It also has a new subnet 10.0.2.0/24 (vmsubnet) for virtual machines. [Read more…] about How to Deploy an Azure VM to Availability Zone? (PowerShell Guide)

Step-by-Step Guide: How to use Azure Bastion with VNet Peering? (Using Azure Portal)

In my previous blog post, I demonstrate how to setup Azure Bastion with Global VNet peering. This blog post can access using this link. In there I used Azure PowerShell for the configuration. Some of the readers asked if it’s possible to set up similar using Azure Portal. Therefore, I am writing this blog post to demonstrate how we can set up Azure Bastion with VNet peering by using the Azure Portal. The only difference in here is, instead of Global VNet peering, I am using VNet peering (with in Azure Region). This will also confirm that Azure Bastion works with Global VNet peering as well as VNet peering.
Demo Environment

The following diagram explains what we going to set up in this demo.

Demo Setup

Here we are going to create three resource groups in the same Azure region. Each resource group will have its own Azure virtual network. For the connectivity, we will be using the hub-and-spoke network model. EUSVnet1 & EUSVnet2 will be Spoke virtual networks and BASVnet1 will be the Hub virtual network. Both Spoke virtual networks will have VNet peering with Hub virtual network. We will enable Azure Bastion service on hub virtual network (BASVnet1) and try to connect to virtual machines hosted in Spoke virtual networks. I have summarized virtual network configuration as follows,

Resource Group Azure Virtual Network Address Space Azure Region
EUSRG1 EUSVnet1 10.15.0.0/16 East US
EUSRG2 EUSVnet2 10.75.0.0/16 East US
BASRG1 BASVnet1 10.2.0.0/16 East US

Create Resource Groups

As the first part of the configuration, I am going to create three new resource groups. To do that,

1. Log in to Azure Portal (https://portal.azure.com) as Global Administrator
2. Search for the Resource groups using the search function

Search for Azure Resource Groups

3. Then click on + Add

Add new Azure Resource Group Option

4. It will open up a new window. In the form type name for Resource group and select East US as Azure region. Then click on Review + create

Azure Resource Group Settings

5. Once the validation is completed, click on Create to complete the resource group setup.

Validate Azure Resource Group Configuration

6. Follow the same method and create EUSRG2 & BASRG1 Resource Groups.

Create Additional Azure Resource Groups [Read more…] about Step-by-Step Guide: How to use Azure Bastion with VNet Peering? (Using Azure Portal)