Enable disk encryption for Service Fabric managed cluster nodes
Service Fabric managed clusters support two disk encryption options to help safeguard your data to meet your organizational security and compliance commitments. The recommended option is Encryption at host, but also supports Azure Disk Encryption. Review the disk encryption options and make sure the selected option meets your needs.
Enable encryption at host
This encryption method improves on Azure Disk Encryption by supporting all OS types and images, including custom images, for your VMs by encrypting data in the Azure Storage service. This method does not use your VMs CPU nor does it impact your VMs performance enabling workloads to use all of the available VMs SKU resources.
Note
You can not enable on existing node types. You must provision a new node type and migrate your workload.
Note
Azure Security Center disk encryption status will show as Unhealthy at this time when using Encryption at Host
Follow these steps and reference this sample template to deploy a new Service Fabric managed cluster with host encryption enabled.
Review the following restrictions to validate they meet your requirements.
Set up the required prerequisites before cluster deployment.
Configure the
enableEncryptionAtHost
property in the managed cluster template for each node type disk encryption is required. The sample is pre-configured.- The Service Fabric managed cluster resource apiVersion must be 2021-11-01-preview or later.
{ "apiVersion": "[variables('sfApiVersion')]", "type": "Microsoft.ServiceFabric/managedclusters/nodetypes", "name": "[concat(parameters('clusterName'), '/', parameters('nodeTypeName'))]", "location": "[resourcegroup().location]", "properties": { "enableEncryptionAtHost": true ... } }
Deploy and verify
Deploy your managed cluster configured with Host Encryption enabled.
$clusterName = "<clustername>" $resourceGroupName = "<rg-name>" New-AzResourceGroupDeployment -Name $resourceGroupName -ResourceGroupName $resourceGroupName -TemplateFile .\azuredeploy.json -TemplateParameterFile .\azuredeploy.parameters.json -Debug -Verbose
You can check disk encryption status on a node type's underlying scale set using the
Get-AzVmss
command. First you'll need to find the name of your managed cluster's supporting resource group (containing the underlying virtual network, load balancer, public IP, NSG, scale set(s), and storage accounts). Be sure to modifyNodeTypeNAme
to whatever cluster node type name you wish to check (as specified in your deployment template).$NodeTypeName = "NT2" $clustername = <clustername> $resourceGroupName = "<rg-name>" $supportResourceGroupName = "SFC_" + (Get-AzServiceFabricManagedCluster -ResourceGroupName $resourceGroupName -Name $clustername).ClusterId $VMSS = Get-AzVmss -ResourceGroupName $supportResourceGroupName -Name $NodeTypeName $VMSS.VirtualMachineProfile.SecurityProfile.EncryptionAtHost
The return output should appear similar to this:
$VMSS.VirtualMachineProfile.SecurityProfile.EncryptionAtHost True
Enable Azure Disk Encryption
Azure Disk Encryption provides volume encryption for the OS and data disks of Azure virtual machines (VMs) by using the DM-Crypt feature in Linux or the BitLocker feature of Windows. ADE is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.
In this guide, you'll learn how to enable disk encryption on Service Fabric managed cluster nodes in Windows using the Azure Disk Encryption capability for virtual machine scale sets through Azure Resource Manager (ARM) templates.
Register for Azure Disk Encryption
The disk encryption preview for the virtual machine scale set requires self-registration. Run the following command:
Register-AzProviderFeature -FeatureName "UnifiedDiskEncryption" -ProviderNamespace "Microsoft.Compute"
Check status of the registration by running:
Get-AzProviderFeature -ProviderNamespace "Microsoft.Compute" -FeatureName "UnifiedDiskEncryption"
Once the status changes to Registered, you're ready to proceed.
Provision a Key Vault for disk encryption
Azure Disk Encryption requires an Azure Key Vault to control and manage disk encryption keys and secrets. Your Key Vault and Service Fabric managed cluster must reside in the same Azure region and subscription. As long as these requirements are met, you can use either a new or existing Key Vault by enabling it for disk encryption.
Create Key Vault with disk encryption enabled
Run the following commands to create a new Key Vault for disk encryption. Make sure the region for your Key Vault is in the same region as your cluster.
$resourceGroupName = "<rg-name>" $keyvaultName = "<kv-name>" New-AzResourceGroup -Name $resourceGroupName -Location chinaeast2 New-AzKeyVault -ResourceGroupName $resourceGroupName -Name $keyvaultName -Location chinaeast2 -EnabledForDiskEncryption
Update existing Key Vault to enable disk encryption
Run the following commands to enable disk encryption for an existing Key Vault.
Set-AzKeyVaultAccessPolicy -ResourceGroupName $resourceGroupName -VaultName $keyvaultName -EnabledForDiskEncryption
Update the template and parameters files for disk encryption
The following step will walk you through the required template changes to enable disk encryption on an existing managed cluster. Alternately, you can deploy a new Service Fabric managed cluster with disk encryption enabled with this template: https://github.com/Azure-Samples/service-fabric-cluster-templates/tree/master/SF-Managed-Standard-SKU-1-NT-DiskEncryption
Add the following parameters to the template, substituting your own subscription, resource group name, and vault name under
keyVaultResourceId
:"parameters": { "keyVaultResourceId": { "type": "string", "defaultValue": "/subscriptions/########-####-####-####-############/resourceGroups/<rg-name>/providers/Microsoft.KeyVault/vaults/<kv-name>", "metadata": { "description": "Full resource id of the Key Vault used for disk encryption." } }, "volumeType": { "type": "string", "defaultValue": "All", "metadata": { "description": "Type of the volume OS or Data to perform encryption operation" } } },
Next, add the
AzureDiskEncryption
VM extension to the managed cluster node types in the template:"properties": { "vmExtensions": [ { "name": "AzureDiskEncryption", "properties": { "publisher": "Microsoft.Azure.Security", "type": "AzureDiskEncryption", "typeHandlerVersion": "2.2", "autoUpgradeMinorVersion": true, "settings": { "EncryptionOperation": "EnableEncryption", "KeyVaultURL": "[reference(parameters('keyVaultResourceId'),'2016-10-01').vaultUri]", "KeyVaultResourceId": "[parameters('keyVaultResourceID')]", "VolumeType": "[parameters('volumeType')]" } } } ] }
Finally, update the parameters file, substituting your own subscription, resource group, and key vault name in keyVaultResourceId:
"parameters": { ... "keyVaultResourceId": { "value": "/subscriptions/########-####-####-####-############/resourceGroups/<rg-name>/providers/Microsoft.KeyVault/vaults/<kv-name>" }, "volumeType": { "value": "All" } }
Deploy and verify the changes
Once you're ready, deploy the changes to enable disk encryption on your managed cluster.
$clusterName = "<clustername>" New-AzResourceGroupDeployment -Name $resourceGroupName -ResourceGroupName $resourceGroupName .\azuredeploy.json -TemplateParameterFile .\azuredeploy.parameters.json -Debug -Verbose
You can check disk encryption status on a node type's underlying scale set using the
Get-AzVmssDiskEncryption
command. First you'll need to find the name of your managed cluster's supporting resource group (containing the underlying virtual network, load balancer, public IP, NSG, scale set(s) and storage accounts). Be sure to modifyVmssName
to whatever cluster node type name you wish to check (as specified in your deployment template).$VmssName = "NT1" $clustername = <clustername> $supportResourceGroupName = "SFC_" + (Get-AzServiceFabricManagedCluster -ResourceGroupName $resourceGroupName -Name $clustername).ClusterId Get-AzVmssDiskEncryption -ResourceGroupName $supportResourceGroupName -VMScaleSetName $VmssName
The output should appear similar to this:
ResourceGroupName : SFC_########-####-####-####-############ VmScaleSetName : NT1 EncryptionEnabled : True EncryptionExtensionInstalled : True
Next steps
Sample: Standard SKU Service Fabric managed cluster, one node type with disk encryption enabled
Azure Disk Encryption for Windows VMs
Encrypt virtual machine scale sets with Azure Resource Manager