Enable disk encryption for Azure Service Fabric cluster nodes in Windows

In this tutorial, you'll learn how to enable disk encryption on Service Fabric cluster nodes in Windows. You'll need to follow these steps for each of the node types and virtual machine scale sets. To encrypt the nodes, we'll use the Azure Disk Encryption capability on virtual machine scale sets.

The guide covers the following topics:

  • Key concepts to be aware of when enabling disk encryption on Service Fabric cluster virtual machine scale sets in Windows.
  • Steps to be followed before enabling disk encryption on Service Fabric cluster nodes in Windows.
  • Steps to be followed to enable disk encryption on Service Fabric cluster nodes in Windows.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

Self-registration

The disk encryption preview for virtual machine scale sets requires self-registration. Use the following steps:

  1. First, run the following command:
    Register-AzProviderFeature -ProviderNamespace Microsoft.Compute -FeatureName "UnifiedDiskEncryption"
    
  2. Wait about 10 minutes until the status reads Registered. You can check the status with the first command below; once it reads Registered, register the resource provider with the second:
    Get-AzProviderFeature -ProviderNamespace "Microsoft.Compute" -FeatureName "UnifiedDiskEncryption"
    Register-AzResourceProvider -ProviderNamespace Microsoft.Compute
    

Azure Key Vault

  1. Create a key vault in the same subscription and region as the scale set, then select the EnabledForDiskEncryption access policy on the key vault by using its PowerShell cmdlet. You can also set the policy through the Key Vault UI in the Azure portal, or by running the following command:

    Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -EnabledForDiskEncryption
    
  2. Install the latest version of the Azure CLI, which has the new encryption commands.

  3. Install the latest version of the Azure SDK from the Azure PowerShell release. The following are the virtual machine scale set Azure Disk Encryption cmdlets to enable (set) encryption, retrieve (get) encryption status, and remove (disable) encryption on scale set instances.

    Command                              Version          Source
    Get-AzVmssDiskEncryptionStatus       1.0.0 or later   Az.Compute
    Get-AzVmssVMDiskEncryptionStatus     1.0.0 or later   Az.Compute
    Disable-AzVmssDiskEncryption         1.0.0 or later   Az.Compute
    Get-AzVmssDiskEncryption             1.0.0 or later   Az.Compute
    Get-AzVmssVMDiskEncryption           1.0.0 or later   Az.Compute
    Set-AzVmssDiskEncryptionExtension    1.0.0 or later   Az.Compute
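The following script is an added example (not part of the original article) that checks the prerequisites of this section before you touch any scale set: the preview feature is registered, the key vault carries the EnabledForDiskEncryption policy, and every scale set in the resource group sits in the vault's region and uses managed disks. The resource group and vault names are constructed, and the `OsDisk.ManagedDisk` property is assumed to be the way to detect managed disks on the scale set object.

```powershell
# Added example, not from the original article: pre-flight checks for the
# prerequisites above. Assumes Az.Accounts, Az.Compute and Az.KeyVault are
# installed and that Connect-AzAccount has already been run.
function Test-SfDiskEncryptionPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VaultName
    )
    $problems = @()

    # 1. Self-registration: the preview feature must be in state 'Registered'.
    $feature = Get-AzProviderFeature -ProviderNamespace Microsoft.Compute `
        -FeatureName UnifiedDiskEncryption
    if ($feature.RegistrationState -ne 'Registered') {
        $problems += "UnifiedDiskEncryption is '$($feature.RegistrationState)', not 'Registered'."
    }

    # 2. The key vault must carry the EnabledForDiskEncryption access policy.
    $vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
    if (-not $vault) {
        $problems += "Key vault '$VaultName' was not found in '$ResourceGroupName'."
        return $problems
    }
    if (-not $vault.EnabledForDiskEncryption) {
        $problems += "Key vault '$VaultName' is not EnabledForDiskEncryption."
    }

    # 3. Each node type is a scale set: all of them must be in the vault's region
    #    and use managed disks (unmanaged-disk scale sets are unsupported).
    foreach ($vmss in Get-AzVmss -ResourceGroupName $ResourceGroupName) {
        if ($vmss.Location -ne $vault.Location) {
            $problems += "Scale set '$($vmss.Name)' is in '$($vmss.Location)', vault is in '$($vault.Location)'."
        }
        # Assumed property path for detecting managed disks on the scale set model.
        $osDisk = $vmss.VirtualMachineProfile.StorageProfile.OsDisk
        if ($null -eq $osDisk.ManagedDisk) {
            $problems += "Scale set '$($vmss.Name)' uses unmanaged disks; encryption is unsupported."
        }
    }
    return $problems   # an empty result means every check passed
}

# Constructed names for the call; stop before enabling encryption if anything is wrong.
$issues = @(Test-SfDiskEncryptionPrerequisites -ResourceGroupName 'mycluster' -VaultName 'mykeyvault')
if ($issues.Count -gt 0) { $issues | ForEach-Object { Write-Warning $_ }; throw 'Prerequisites not met.' }
```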

Supported scenarios for disk encryption

  • Encryption for virtual machine scale sets is supported only for scale sets created with managed disks. It's not supported for native (or unmanaged) disk scale sets.
  • Encryption is supported for OS and data volumes in virtual machine scale sets in Windows. Disabling encryption is also supported for OS and data volumes in virtual machine scale sets in Windows.
  • Virtual machine reimage and upgrade operations for virtual machine scale sets aren't supported in the current preview.

Create a new cluster and enable disk encryption

Use the following commands to create a cluster and enable disk encryption by using an Azure Resource Manager template and a self-signed certificate.

Sign in to Azure

Sign in with the following commands:

PowerShell:

Connect-AzAccount -Environment AzureChinaCloud
Set-AzContext -SubscriptionId <guid>

Azure CLI:

# Select the Azure China cloud before signing in, then pick the subscription.
az cloud set --name AzureChinaCloud
az login
az account set --subscription $subscriptionId

Use the custom template that you already have

If you need to author a custom template to suit your needs, we highly recommend that you start with one of the templates that are available on the Azure Service Fabric cluster creation template samples page. To customize your cluster template, see the following guidance.

If you already have a custom template, double-check that all three certificate-related parameters in the template and the parameter file are named as follows and that their values are null (empty strings), as shown:

"certificateThumbprint": {
  "value": ""
},
"sourceVaultValue": {
  "value": ""
},
"certificateUrlValue": {
  "value": ""
},

Then create the cluster from the template and parameter file:

PowerShell:

$resourceGroupLocation="chinanorth"
$resourceGroupName="mycluster"
$CertSubjectName="mycluster.chinanorth.cloudapp.chinacloudapi.cn"
$certPassword="Password!1" | ConvertTo-SecureString -AsPlainText -Force
$certOutputFolder="c:\certificates"

$parameterFilePath="c:\templates\templateparam.json"
$templateFilePath="c:\templates\template.json"

New-AzServiceFabricCluster -ResourceGroupName $resourceGroupName -CertificateOutputFolder $certOutputFolder -CertificatePassword $certPassword -CertificateSubjectName $CertSubjectName -TemplateFile $templateFilePath -ParameterFile $parameterFilePath

Azure CLI:

declare certPassword=""
declare resourceGroupLocation="chinanorth"
declare resourceGroupName="mywindows"
declare certSubjectName="mywindowssecure.chinanorth.cloudapp.chinacloudapi.cn"
declare parameterFilePath="c:\mytemplates\windowstemplateparm.json"
declare templateFilePath="c:\mytemplates\windowstemplate.json"
declare certOutputFolder="c:\certificates"

az sf cluster create --resource-group $resourceGroupName --location $resourceGroupLocation  \
    --certificate-output-folder $certOutputFolder --certificate-password $certPassword  \
    --certificate-subject-name $certSubjectName \
    --template-file $templateFilePath --parameter-file $parameterFilePath

Deploy an application to a Service Fabric cluster in Windows

To deploy an application to your cluster, follow the steps and guidance at Deploy and remove applications using PowerShell.

Enable disk encryption for the virtual machine scale sets created previously

To enable disk encryption for the virtual machine scale sets you created through the previous steps, run the following commands:

PowerShell:

$VmssName = "nt1vm"
$vaultName = "mykeyvault"
$resourceGroupName = "mycluster"
$KeyVault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroupName
$DiskEncryptionKeyVaultUrl = $KeyVault.VaultUri
$KeyVaultResourceId = $KeyVault.ResourceId

Set-AzVmssDiskEncryptionExtension -ResourceGroupName $resourceGroupName -VMScaleSetName $VmssName -DiskEncryptionKeyVaultUrl $DiskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId -VolumeType All

Azure CLI:

az vmss encryption enable -g <resourceGroupName> -n <VMSS name> --disk-encryption-keyvault <KeyVaultResourceId>

Validate if disk encryption is enabled for a virtual machine scale set in Windows

Get the status of an entire virtual machine scale set, or of any single instance in a scale set, by running the following commands.

PowerShell:

$VmssName = "nt1vm"
$resourceGroupName = "mycluster"
Get-AzVmssDiskEncryption -ResourceGroupName $resourceGroupName -VMScaleSetName $VmssName

Get-AzVmssVMDiskEncryption -ResourceGroupName $resourceGroupName -VMScaleSetName $VmssName -InstanceId "0"

Azure CLI:

az vmss encryption show -g <resourceGroupName> -n <VMSS name>

Additionally, you can sign in to an instance of the virtual machine scale set and confirm that the drives are encrypted.
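Because the steps above must be repeated for every node type, the following added example (not code from the original article) wraps the enable and validate calls into one function that runs over every scale set in the cluster's resource group and then checks each instance, rather than only instance "0" or the scale-set summary. The resource group and vault names are constructed; the `EncryptionExtensionInstalled` and `EncryptionEnabled` properties on the per-instance status object, and the `-Force` switch on the extension cmdlet, are assumed.

```powershell
# Added example, not from the original article: enable Azure Disk Encryption on
# every scale set (one per node type) and verify each instance afterwards.
# Assumes Connect-AzAccount has been run and Az.Compute/Az.KeyVault are installed.
function Enable-SfClusterDiskEncryption {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VaultName
    )
    $vault = Get-KeyVaultOrThrow $ResourceGroupName $VaultName
    $failures = @()

    foreach ($vmss in Get-AzVmss -ResourceGroupName $ResourceGroupName) {
        # The same call the article shows, applied to each node type (-Force is assumed
        # to skip the confirmation prompt so the loop runs unattended).
        Set-AzVmssDiskEncryptionExtension -ResourceGroupName $ResourceGroupName `
            -VMScaleSetName $vmss.Name -DiskEncryptionKeyVaultUrl $vault.VaultUri `
            -DiskEncryptionKeyVaultId $vault.ResourceId -VolumeType All -Force

        $instances = Get-AzVmssVM -ResourceGroupName $ResourceGroupName -VMScaleSetName $vmss.Name

        # With a Manual upgrade policy, existing instances only pick up the new
        # extension model after an explicit instance update.
        if ($vmss.UpgradePolicy.Mode -eq 'Manual') {
            foreach ($vm in $instances) {
                Update-AzVmssInstance -ResourceGroupName $ResourceGroupName `
                    -VMScaleSetName $vmss.Name -InstanceId $vm.InstanceId
            }
        }

        # Per-instance check: the extension must be present and encryption enabled.
        # BitLocker may still be encrypting when this runs, so treat the result as a
        # snapshot and re-run until the list is empty. Property names are assumed.
        foreach ($vm in $instances) {
            $status = Get-AzVmssVMDiskEncryption -ResourceGroupName $ResourceGroupName `
                -VMScaleSetName $vmss.Name -InstanceId $vm.InstanceId
            if (-not ($status.EncryptionExtensionInstalled -and $status.EncryptionEnabled)) {
                $failures += [pscustomobject]@{ ScaleSet = $vmss.Name; InstanceId = $vm.InstanceId }
            }
        }
    }
    return $failures   # an empty result means every instance reports encryption enabled
}

# Small helper: fail early if the vault does not exist or lacks the disk-encryption policy.
function Get-KeyVaultOrThrow([string] $rg, [string] $name) {
    $v = Get-AzKeyVault -VaultName $name -ResourceGroupName $rg
    if (-not $v -or -not $v.EnabledForDiskEncryption) { throw "Key vault '$name' missing or not EnabledForDiskEncryption." }
    return $v
}

$pending = @(Enable-SfClusterDiskEncryption -ResourceGroupName 'mycluster' -VaultName 'mykeyvault')
if ($pending.Count -gt 0) { $pending | Format-Table -AutoSize; throw 'Some instances are not yet encrypted.' }
```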

Disable disk encryption for a virtual machine scale set in a Service Fabric cluster

Disable disk encryption for a virtual machine scale set by running the following commands. Note that disabling disk encryption applies to the entire virtual machine scale set and not to an individual instance.

PowerShell:

$VmssName = "nt1vm"
$resourceGroupName = "mycluster"
Disable-AzVmssDiskEncryption -ResourceGroupName $resourceGroupName -VMScaleSetName $VmssName

Azure CLI:

az vmss encryption disable -g <resourceGroupName> -n <VMSS name>

Next steps

At this point, you should have a secure cluster and know how to enable and disable disk encryption for Service Fabric cluster nodes and virtual machine scale sets. For similar guidance on Service Fabric cluster nodes in Linux, see Disk Encryption for Linux.