Azure Disk Encryption on an isolated network
Caution
This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Please consider your use and plan accordingly. For more information, see the CentOS End Of Life guidance.
Applies to: ✔️ Linux VMs ✔️ Flexible scale sets.
When connectivity is restricted by a firewall, proxy requirement, or network security group (NSG) settings, the ability of the extension to perform needed tasks might be disrupted. This disruption can result in status messages such as "Extension status not available on the VM."
Package management
Azure Disk Encryption depends on many components, which are typically installed as part of ADE enablement if not already present. When behind a firewall or otherwise isolated from the Internet, these packages must be pre-installed or available locally.
Here are the packages necessary for each distribution. For a full list of supported distros and volume types, see supported VMs and operating systems.
Ubuntu 14.04, 16.04, 18.04: lsscsi, psmisc, at, cryptsetup-bin, python-parted, python-six, procps, grub-pc-bin
CentOS 7.2 - 7.9, 8.1, 8.2: lsscsi, psmisc, lvm2, uuid, at, patch, cryptsetup, cryptsetup-reencrypt, pyparted, procps-ng, util-linux
CentOS 6.8: lsscsi, psmisc, lvm2, uuid, at, cryptsetup-reencrypt, parted, python-six
openSUSE 42.3, SLES 12-SP4, 12-SP3: lsscsi, cryptsetup
When packages are installed manually, they must also be manually upgraded as new versions are released.
Network security groups
Any network security group settings that are applied must still allow the endpoint to meet the documented network configuration prerequisites for disk encryption. See Azure Disk Encryption: Networking requirements
Azure Disk Encryption with Microsoft Entra ID (previous version)
If using Azure Disk Encryption with Microsoft Entra ID (previous version), the Microsoft Authentication Library will need to be installed manually for all distros (in addition to the packages appropriate for the distro).
When encryption is being enabled with Microsoft Entra credentials, the target VM must allow connectivity to both Microsoft Entra endpoints and Key Vault endpoints. Current Microsoft Entra authentication endpoints are maintained in sections 56 and 59 of the Microsoft 365 URLs and IP address ranges documentation. Key Vault instructions are provided in the documentation on how to Access Azure Key Vault behind a firewall.
Azure Instance Metadata Service
The virtual machine must be able to access the Azure Instance Metadata service endpoint, which uses a well-known non-routable IP address (169.254.169.254
) that can be accessed only from within the VM. Proxy configurations that alter local HTTP traffic to this address (for example, adding an X-Forwarded-For header) aren't supported.
Next steps
- See more steps for Azure disk encryption troubleshooting
- Azure data encryption at rest