In my previous post, I explained how to replicate an Azure VM to a secondary Azure region. But what if we need to replicate an encrypted Azure VM? Azure VM encryption uses Azure Key Vault to store the encryption keys and secrets, so when we replicate an encrypted Azure VM we also need to copy the encryption keys to the target region. In this demo, I am going to demonstrate how to replicate an encrypted Azure VM (Windows) to a secondary Azure region.
For the configuration process, I will be using PowerShell as well as the GUI. Therefore, please make sure you have the Azure PowerShell module installed. More info about it is available on this link.
As the first part of the configuration, I am going to create a new Azure VM and encrypt it using BitLocker.
Setup Azure Resource Group
The first step of the configuration is to create a new resource group.
To do that,
1. Launch PowerShell console and connect to Azure using Connect-AzAccount
2. Then create a new resource group using,
New-AzResourceGroup -Name REBELRG1 -Location "East US"
In the above, REBELRG1 is the resource group name and East US is the resource group location.
Configure Azure Key Vault
Next, we need to create a new key vault and encryption key.
1. As the first step, let's register the Azure Key Vault resource provider in the subscription by using,
Register-AzResourceProvider -ProviderNamespace "Microsoft.KeyVault"
2. Then, let's go ahead with the Azure Key Vault setup,
New-AzKeyVault -Location "East US" -ResourceGroupName REBELRG1 -VaultName REBELVMKV2 -EnabledForDiskEncryption
In the above, REBELVMKV2 is the key vault name and it is created under the REBELRG1 resource group. The -EnabledForDiskEncryption parameter prepares the key vault for use with disk encryption.
3. As the next step, we need to create an access policy so the currently logged-in user can create encryption keys.
Set-AzKeyVaultAccessPolicy -VaultName REBELVMKV2 -ObjectId xxxxxxxxxxxxxxxx -PermissionsToKeys create,import,delete,list -PermissionsToSecrets set,delete -PassThru
In the above, the -ObjectId value should be replaced with the actual object ID of the currently logged-in global admin account. Here, -PermissionsToKeys defines the permissions allocated for keys and -PermissionsToSecrets defines the permissions allocated for secrets.
4. Next, we need a new encryption key to use with disk encryption.
Add-AzKeyVaultKey -VaultName REBELVMKV2 -Name "REBELVMKey" -Destination "Software"
In the above, REBELVMKey is the key name. -Destination is set to Software as we are creating a standard, software-protected encryption key. If required, it can be set to use a Hardware Security Module (HSM), but that comes with additional cost.