# Use Azure Disk Encryption with virtual machine scale set extension sequencing

Extensions such as Azure Disk Encryption can be added to an Azure virtual machine scale set in a specified order. To do so, use extension sequencing.

In general, encryption should be applied to a disk:

- After any extension or custom script that prepares the disk or volume.
- Before any extension or custom script that accesses or uses data on the encrypted disk or volume.

In either case, the provisionAfterExtensions property specifies which extension must be added later in the sequence.
## Sample Azure templates

If you want Azure Disk Encryption to be applied after another extension, put the provisionAfterExtensions property in the AzureDiskEncryption extension block.

The following example uses "CustomScriptExtension", a PowerShell script that initializes and formats a Windows disk, followed by "AzureDiskEncryption":

```json
"virtualMachineProfile": {
  "extensionProfile": {
    "extensions": [
      {
        "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
        "name": "CustomScriptExtension",
        "location": "[resourceGroup().location]",
        "properties": {
          "publisher": "Microsoft.Compute",
          "type": "CustomScriptExtension",
          "typeHandlerVersion": "1.9",
          "autoUpgradeMinorVersion": true,
          "forceUpdateTag": "[parameters('forceUpdateTag')]",
          "settings": {
            "fileUris": [
              "https://raw.githubusercontent.com/Azure-Samples/compute-automation-configurations/master/ade-vmss/FormatMBRDisk.ps1"
            ]
          },
          "protectedSettings": {
            "commandToExecute": "powershell -ExecutionPolicy Unrestricted -File FormatMBRDisk.ps1"
          }
        }
      },
      {
        "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
        "name": "AzureDiskEncryption",
        "location": "[resourceGroup().location]",
        "properties": {
          "provisionAfterExtensions": [
            "CustomScriptExtension"
          ],
          "publisher": "Microsoft.Azure.Security",
          "type": "AzureDiskEncryption",
          "typeHandlerVersion": "2.2",
          "autoUpgradeMinorVersion": true,
          "forceUpdateTag": "[parameters('forceUpdateTag')]",
          "settings": {
            "EncryptionOperation": "EnableEncryption",
            "KeyVaultURL": "[reference(variables('keyVaultResourceId'),'2018-02-14-preview').vaultUri]",
            "KeyVaultResourceId": "[variables('keyVaultResourceID')]",
            "KeyEncryptionKeyURL": "[parameters('keyEncryptionKeyURL')]",
            "KekVaultResourceId": "[variables('keyVaultResourceID')]",
            "KeyEncryptionAlgorithm": "[parameters('keyEncryptionAlgorithm')]",
            "VolumeType": "[parameters('volumeType')]",
            "SequenceVersion": "[parameters('sequenceVersion')]"
          }
        }
      }
    ]
  }
}
```

If you want Azure Disk Encryption to be applied before another extension, put the provisionAfterExtensions property in the block of the extension that follows it.

The following example uses "AzureDiskEncryption" followed by "VMDiagnosticsSettings", an extension that provides monitoring and diagnostics on Windows-based Azure VMs:

```json
"virtualMachineProfile": {
  "extensionProfile": {
    "extensions": [
      {
        "name": "AzureDiskEncryption",
        "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
        "location": "[resourceGroup().location]",
        "properties": {
          "publisher": "Microsoft.Azure.Security",
          "type": "AzureDiskEncryption",
          "typeHandlerVersion": "2.2",
          "autoUpgradeMinorVersion": true,
          "forceUpdateTag": "[parameters('forceUpdateTag')]",
          "settings": {
            "EncryptionOperation": "EnableEncryption",
            "KeyVaultURL": "[reference(variables('keyVaultResourceId'),'2018-02-14-preview').vaultUri]",
            "KeyVaultResourceId": "[variables('keyVaultResourceID')]",
            "KeyEncryptionKeyURL": "[parameters('keyEncryptionKeyURL')]",
            "KekVaultResourceId": "[variables('keyVaultResourceID')]",
            "KeyEncryptionAlgorithm": "[parameters('keyEncryptionAlgorithm')]",
            "VolumeType": "[parameters('volumeType')]",
            "SequenceVersion": "[parameters('sequenceVersion')]"
          }
        }
      },
      {
        "name": "Microsoft.Insights.VMDiagnosticsSettings",
        "type": "extensions",
        "location": "[resourceGroup().location]",
        "apiVersion": "2016-03-30",
        "dependsOn": [
          "[concat('Microsoft.Compute/virtualMachines/myVM', copyindex())]"
        ],
        "properties": {
          "provisionAfterExtensions": [
            "AzureDiskEncryption"
          ],
          "publisher": "Microsoft.Azure.Diagnostics",
          "type": "IaaSDiagnostics",
          "typeHandlerVersion": "1.5",
          "autoUpgradeMinorVersion": true,
          "settings": {
            "xmlCfg": "[base64(concat(variables('wadcfgxstart'), variables('wadmetricsresourceid'), concat('myVM', copyindex()), variables('wadcfgxend')))]",
            "storageAccount": "[variables('storageName')]"
          },
          "protectedSettings": {
            "storageAccountName": "[variables('storageName')]",
            "storageAccountKey": "[listkeys(variables('accountid'), '2015-06-15').key1]",
            "storageAccountEndPoint": "https://core.chinacloudapi.cn"
          }
        }
      }
    ]
  }
}
```
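The ordering rule above (prepare the disk, then encrypt, then consume the data) is only enforced if every link is declared. The following added example, which is not part of the article or of any Azure tooling, reads an extensionProfile, builds the provisionAfterExtensions graph, rejects references to undefined extensions and dependency cycles (both fail a deployment), and reports extensions whose position relative to AzureDiskEncryption is not actually declared. The profile it checks is a constructed sample, not the article's template.

```python
import json
from typing import Dict, List

# Constructed sample extensionProfile (assumed, not the article's template): a
# disk-formatting script, Azure Disk Encryption, then a diagnostics extension.
SAMPLE_PROFILE = json.loads("""{"extensions": [
  {"name": "CustomScriptExtension",
   "properties": {"publisher": "Microsoft.Compute", "type": "CustomScriptExtension"}},
  {"name": "AzureDiskEncryption",
   "properties": {"publisher": "Microsoft.Azure.Security", "type": "AzureDiskEncryption",
                  "provisionAfterExtensions": ["CustomScriptExtension"]}},
  {"name": "Microsoft.Insights.VMDiagnosticsSettings",
   "properties": {"publisher": "Microsoft.Azure.Diagnostics", "type": "IaaSDiagnostics",
                  "provisionAfterExtensions": ["AzureDiskEncryption"]}}]}""")

def dependency_graph(profile: dict) -> Dict[str, List[str]]:
    """Map extension name -> provisionAfterExtensions; reject unknown names and cycles."""
    deps = {e["name"]: list(e["properties"].get("provisionAfterExtensions", []))
            for e in profile["extensions"]}
    unknown = [(n, d) for n, after in deps.items() for d in after if d not in deps]
    if unknown:
        raise ValueError(f"provisionAfterExtensions references unknown extensions: {unknown}")
    def visit(name: str, path: tuple) -> None:  # DFS: a name reappearing on its own path is a cycle
        if name in path:
            raise ValueError(f"provisionAfterExtensions cycle: {path + (name,)}")
        for dep in deps[name]:
            visit(dep, path + (name,))
    for name in deps:
        visit(name, ())
    return deps

def runs_after(deps: Dict[str, List[str]], later: str, earlier: str) -> bool:
    """True if `later` is declared, directly or transitively, to provision after `earlier`."""
    stack, seen = list(deps[later]), set()
    while stack:
        n = stack.pop()
        if n == earlier:
            return True
        if n not in seen:
            seen.add(n)
            stack.extend(deps[n])
    return False

def misordered(profile: dict, prepare: List[str], consume: List[str]) -> List[str]:
    """Names whose order relative to AzureDiskEncryption is not declared: disk-preparing
    extensions must be ordered before it, extensions that use the encrypted data after it."""
    deps = dependency_graph(profile)
    return ([n for n in prepare if not runs_after(deps, "AzureDiskEncryption", n)] +
            [n for n in consume if not runs_after(deps, n, "AzureDiskEncryption")])
```

Calling `misordered(SAMPLE_PROFILE, ["CustomScriptExtension"], ["Microsoft.Insights.VMDiagnosticsSettings"])` returns an empty list for the sample; removing the provisionAfterExtensions entry from AzureDiskEncryption makes it report "CustomScriptExtension".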

For more in-depth templates, see:

- Apply the Azure Disk Encryption extension after a custom shell script that formats the disk (Linux): deploy-extseq-linux-ADE-after-customscript.json

## Next steps

- Learn more about extension sequencing: Sequence extension provisioning in virtual machine scale sets.
- Learn more about the provisionAfterExtensions property: Microsoft.Compute virtualMachineScaleSets/extensions template reference.
- Azure Disk Encryption for virtual machine scale sets
- Encrypt a virtual machine scale set using the Azure CLI
- Encrypt a virtual machine scale set using Azure PowerShell