Azure Disk Encryption on an isolated network

When connectivity is restricted by a firewall, proxy requirement, or network security group (NSG) settings, the ability of the extension to perform needed tasks might be disrupted. This disruption can result in status messages such as "Extension status not available on the VM."

Package management

Azure Disk Encryption depends on a number of components, which are typically installed as part of ADE enablement if not already present. When behind a firewall or otherwise isolated from the Internet, these packages must be pre-installed or available locally.

Here are the packages necessary for each distribution. For a full list of supported distros and volume types, see supported VMs and operating systems.

  • Ubuntu 14.04, 16.04, 18.04: lsscsi, psmisc, at, cryptsetup-bin, python-parted, python-six, procps, grub-pc-bin

  • CentOS 7.2 - 7.7: lsscsi, psmisc, lvm2, uuid, at, patch, cryptsetup, cryptsetup-reencrypt, pyparted, procps-ng, util-linux

  • CentOS 6.8: lsscsi, psmisc, lvm2, uuid, at, cryptsetup-reencrypt, pyparted, python-six

  • openSUSE 42.3, SLES 12-SP4, 12-SP3: lsscsi, cryptsetup

When packages are installed manually, they must also be manually upgraded as new versions are released.

Network security groups

Any network security group settings that are applied must still allow the endpoint to meet the documented network configuration prerequisites for disk encryption. See Azure Disk Encryption: Networking requirements.

Azure Disk Encryption with Azure AD (previous version)

If using Azure Disk Encryption with Azure AD (previous version), the Azure Active Directory Library must be installed manually on all distros, in addition to the packages appropriate for the distro as listed above.

When encryption is being enabled with Azure AD credentials, the target VM must allow connectivity to both Azure Active Directory endpoints and Key Vault endpoints. Current Azure Active Directory authentication endpoints are maintained in sections 56 and 59 of the Microsoft 365 URLs and IP address ranges documentation. Key Vault instructions are provided in the documentation on how to Access Azure Key Vault behind a firewall.

Azure Instance Metadata Service

The virtual machine must be able to access the Azure Instance Metadata Service endpoint, which uses a well-known non-routable IP address (169.254.169.254) that can be accessed only from within the VM. Proxy configurations that alter local HTTP traffic to this address (for example, adding an X-Forwarded-For header) are not supported.
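The following preflight script is an added example, not part of this article or of the ADE extension: it checks the two prerequisites described above (the per-distro package list from the Package management section, and direct IMDS reachability without a proxy) before encryption is enabled on an isolated VM. The IMDS API version in the URL and the "Metadata: true" request header are assumptions about the current IMDS interface, not values taken from this page.

```python
import subprocess
import urllib.request

REQUIRED = {  # package lists per distro family, as given on this page
    "ubuntu": ["lsscsi", "psmisc", "at", "cryptsetup-bin", "python-parted",
               "python-six", "procps", "grub-pc-bin"],
    "centos7": ["lsscsi", "psmisc", "lvm2", "uuid", "at", "patch", "cryptsetup",
                "cryptsetup-reencrypt", "pyparted", "procps-ng", "util-linux"],
    "centos6": ["lsscsi", "psmisc", "lvm2", "uuid", "at", "cryptsetup-reencrypt",
                "pyparted", "python-six"],
    "suse": ["lsscsi", "cryptsetup"],
}
# Assumed IMDS endpoint/API version; the non-routable address itself is from the page.
IMDS_URL = "http://169.254.169.254/metadata/instance?api-version=2021-02-01"

def parse_os_release(text):
    """Parse /etc/os-release content into a dict, stripping surrounding quotes."""
    pairs = (l.partition("=") for l in text.splitlines() if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip().strip('"') for k, _, v in pairs}

def required_packages(os_release):
    """Select the package list for the distro family named by ID/VERSION_ID."""
    distro, version = os_release.get("ID", "").lower(), os_release.get("VERSION_ID", "")
    if distro == "ubuntu":
        return REQUIRED["ubuntu"]
    if distro == "centos":
        return REQUIRED["centos7"] if version.startswith("7") else REQUIRED["centos6"]
    if distro in ("sles", "opensuse", "opensuse-leap"):
        return REQUIRED["suse"]
    raise ValueError(f"distro not covered by this page: {distro} {version}")

def missing_packages(required, installed):
    """Return the required packages that are absent from the installed set."""
    installed = set(installed)
    return [pkg for pkg in required if pkg not in installed]

def installed_packages(os_release):
    """List installed package names via dpkg (Ubuntu) or rpm (CentOS/SUSE)."""
    if os_release.get("ID", "").lower() == "ubuntu":
        return subprocess.check_output(["dpkg-query", "-W", "-f=${Package}\n"], text=True).split()
    return subprocess.check_output(["rpm", "-qa", "--qf", "%{NAME}\n"], text=True).split()

def imds_reachable(timeout=3):
    """Probe IMDS directly with an empty ProxyHandler, so no proxy can rewrite the request."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(IMDS_URL, headers={"Metadata": "true"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status == 200
    except OSError:  # covers URLError, HTTPError, timeouts and refused connections
        return False
```

On a VM, call `missing_packages(required_packages(osr), installed_packages(osr))` with `osr = parse_os_release(open("/etc/os-release").read())`; a non-empty list or a False result from `imds_reachable()` means ADE enablement will stall on the isolated network.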

Next steps