(Preview) Enable Trusted Launch on an existing virtual machine scale set
Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Uniform scale sets
Azure virtual machine scale sets support enabling Trusted Launch on existing Uniform scale set VMs by upgrading them to the Trusted Launch security type.
Trusted Launch enables foundational compute security on Azure Generation 2 virtual machines and scale sets, helping protect them against advanced and persistent attack techniques such as bootkits and rootkits. It does this by combining infrastructure technologies on the scale set: Secure Boot, vTPM, and boot integrity monitoring.
Limitations
- Enabling Trusted Launch on an existing virtual machine scale set that has data disks attached is not currently supported.
  - To verify whether the scale set has data disks configured, go to the scale set -> Settings menu -> Disks and check under the Data disks heading.
- Enabling Trusted Launch on an existing virtual machine scale set with Flexible orchestration is not currently supported.
- Enabling Trusted Launch on existing Service Fabric clusters and Service Fabric managed clusters is not currently supported.
Prerequisites
- Register the preview feature ImageSkuGenUpdateWithVMSS under the Microsoft.Compute namespace in the scale set's subscription. For details, see Set up preview features in an Azure subscription.
- The scale set must not depend on features that Trusted Launch does not currently support.
- The scale set should be configured with a size family supported by Trusted Launch.
Note
- The virtual machine size can be changed together with the Trusted Launch upgrade. Make sure quota for the new VM size is in place to avoid upgrade failure. See Check vCPU quotas.
- Changing the virtual machine size re-creates the virtual machine instances with the new size and requires downtime for the individual virtual machine instances. It can be done as a rolling upgrade to avoid downtime for the scale set as a whole.
- The scale set should be configured with an OS image supported by Trusted Launch. For Azure Compute Gallery OS images, make sure the image definition is tagged TrustedLaunchSupported.
Enable Trusted Launch on an existing Uniform scale set
This section describes the steps to enable Trusted Launch on an existing virtual machine scale set using an ARM template.
Make the following modifications to the existing ARM template deployment code. For the complete template, see Quickstart: Trusted Launch scale set ARM template.
Important
The Trusted Launch security type applies to scale set apiVersion 2020-12-01 or later. Make sure the API version is set correctly before upgrading.
1. OS image: update the OS image reference to a Gen2 OS image that supports Trusted Launch. If you use an Azure Compute Gallery OS image, make sure the source Gen2 image has the TrustedLaunchSupported security type.

   ```json
   "storageProfile": {
     "osDisk": {
       "createOption": "FromImage",
       "caching": "ReadWrite"
     },
     "imageReference": {
       "publisher": "MicrosoftWindowsServer",
       "offer": "WindowsServer",
       "sku": "2022-datacenter-azure-edition",
       "version": "latest"
     }
   }
   ```
2. (Optional) Scale set size: if the current size family does not support the Trusted Launch security configuration, change the scale set size.

   ```json
   "sku": {
     "name": "Standard_D2s_v3",
     "tier": "Standard",
     "capacity": "[parameters('instanceCount')]"
   }
   ```
3. Security profile: add a securityProfile block under virtualMachineProfile to enable the Trusted Launch security configuration.

   Note
   Recommended settings: vTPM: true and secureBoot: true. If any unsigned custom drivers or kernel are used on the operating system, secureBoot should be set to false.

   ```json
   "securityProfile": {
     "securityType": "TrustedLaunch",
     "uefiSettings": {
       "secureBootEnabled": true,
       "vTpmEnabled": true
     }
   }
   ```
4. (Recommended) Guest attestation extension: add the Guest Attestation (GA) extension to the scale set resource to enable boot integrity monitoring for the scale set.

   Important
   The Guest Attestation extension requires both secureBoot and vTPM to be set to true.

   ```json
   {
     "condition": "[and(parameters('vTPM'), parameters('secureBoot'))]",
     "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
     "apiVersion": "2022-03-01",
     "name": "[format('{0}/{1}', parameters('vmssName'), 'GuestAttestation')]",
     "location": "[parameters('location')]",
     "properties": {
       "publisher": "Microsoft.Azure.Security.WindowsAttestation",
       "type": "GuestAttestation",
       "typeHandlerVersion": "1.0",
       "autoUpgradeMinorVersion": true,
       "enableAutomaticUpgrade": true,
       "settings": {
         "AttestationConfig": {
           "MaaSettings": {
             "maaEndpoint": "[substring('emptystring', 0, 0)]",
             "maaTenantName": "GuestAttestation"
           }
         }
       }
     },
     "dependsOn": [
       "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName'))]"
     ]
   }
   ```
   Extension publisher names:

   | OS type | Extension publisher name |
   |---------|--------------------------|
   | Windows | Microsoft.Azure.Security.WindowsAttestation |
   | Linux | Microsoft.Azure.Security.LinuxAttestation |

5. Review the changes made to the template. The complete ARM template sample below supports upgrading an existing scale set to Trusted Launch and rolling it back if needed.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmSku": {
      "type": "string",
      "defaultValue": "Standard_D2s_v3",
      "metadata": { "description": "Size of VMs in the VM Scale Set." }
    },
    "sku": {
      "type": "string",
      "defaultValue": "2022-datacenter-azure-edition",
      "allowedValues": [ "2022-datacenter-azure-edition" ],
      "metadata": { "description": "The Windows version for the VM. This will pick a fully patched image of this given Windows version." }
    },
    "vmssName": {
      "type": "string",
      "maxLength": 61,
      "metadata": { "description": "String used as a base for naming resources. Must be 3-61 characters in length and globally unique across Azure. A hash is prepended to this string for some resources, and resource-specific information is appended." }
    },
    "instanceCount": {
      "type": "int",
      "defaultValue": 2,
      "maxValue": 100,
      "minValue": 1,
      "metadata": { "description": "Number of VM instances (100 or less)." }
    },
    "adminUsername": {
      "type": "string",
      "metadata": { "description": "Admin username on all VMs." }
    },
    "adminPassword": {
      "type": "securestring",
      "metadata": { "description": "Admin password on all VMs." }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": { "description": "Location for all resources." }
    },
    "publicIpName": {
      "type": "string",
      "defaultValue": "myPublicIP",
      "metadata": { "description": "Name for the Public IP used to access the virtual machine Scale set." }
    },
    "publicIPAllocationMethod": {
      "type": "string",
      "defaultValue": "Static",
      "allowedValues": [ "Dynamic", "Static" ],
      "metadata": { "description": "Allocation method for the Public IP used to access the virtual machine set." }
    },
    "publicIpSku": {
      "type": "string",
      "defaultValue": "Standard",
      "allowedValues": [ "Basic", "Standard" ],
      "metadata": { "description": "SKU for the Public IP used to access the virtual machine Scale set." }
    },
    "dnsLabelPrefix": {
      "type": "string",
      "defaultValue": "[toLower(format('{0}-{1}', parameters('vmssName'), uniqueString(resourceGroup().id)))]",
      "metadata": { "description": "Unique DNS Name for the Public IP used to access the virtual machine Scale set." }
    },
    "healthExtensionProtocol": {
      "type": "string",
      "defaultValue": "TCP",
      "allowedValues": [ "TCP", "HTTP", "HTTPS" ]
    },
    "healthExtensionPort": { "type": "int", "defaultValue": 3389 },
    "healthExtensionRequestPath": { "type": "string", "defaultValue": "/" },
    "overprovision": { "type": "bool", "defaultValue": false },
    "upgradePolicy": {
      "type": "string",
      "defaultValue": "Manual",
      "allowedValues": [ "Manual", "Rolling", "Automatic" ]
    },
    "maxBatchInstancePercent": { "type": "int", "defaultValue": 20 },
    "maxUnhealthyInstancePercent": { "type": "int", "defaultValue": 20 },
    "maxUnhealthyUpgradedInstancePercent": { "type": "int", "defaultValue": 20 },
    "pauseTimeBetweenBatches": { "type": "string", "defaultValue": "PT5S" },
    "securityType": {
      "type": "string",
      "defaultValue": "TrustedLaunch",
      "allowedValues": [ "Standard", "TrustedLaunch" ],
      "metadata": { "description": "Security Type of the Virtual Machine." }
    },
    "encryptionAtHost": {
      "type": "bool",
      "defaultValue": false,
      "metadata": { "description": "This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine or virtual machine Scale set. This will enable the encryption for all the disks including Resource/Temp disk at host itself. The default behavior is: The Encryption at host will be disabled unless this property is set to true for the resource." }
    }
  },
  "variables": {
    "namingInfix": "[toLower(substring(format('{0}{1}', parameters('vmssName'), uniqueString(resourceGroup().id)), 0, 9))]",
    "addressPrefix": "10.0.0.0/16",
    "subnetPrefix": "10.0.0.0/24",
    "virtualNetworkName": "[format('{0}vnet', variables('namingInfix'))]",
    "subnetName": "[format('{0}subnet', variables('namingInfix'))]",
    "loadBalancerName": "[format('{0}lb', variables('namingInfix'))]",
    "natPoolName": "[format('{0}natpool', variables('namingInfix'))]",
    "bePoolName": "[format('{0}bepool', variables('namingInfix'))]",
    "natStartPort": 50000,
    "natEndPort": 50119,
    "natBackendPort": 3389,
    "nicName": "[format('{0}nic', variables('namingInfix'))]",
    "ipConfigName": "[format('{0}ipconfig', variables('namingInfix'))]",
    "imageReference": {
      "2022-datacenter-azure-edition": {
        "publisher": "MicrosoftWindowsServer",
        "offer": "WindowsServer",
        "sku": "[parameters('sku')]",
        "version": "latest"
      }
    },
    "extensionName": "GuestAttestation",
    "extensionPublisher": "Microsoft.Azure.Security.WindowsAttestation",
    "extensionVersion": "1.0",
    "maaTenantName": "GuestAttestation",
    "maaEndpoint": "[substring('emptyString', 0, 0)]",
    "uefiSettingsJson": {
      "secureBootEnabled": true,
      "vTpmEnabled": true
    },
    "rollingUpgradeJson": {
      "maxBatchInstancePercent": "[parameters('maxBatchInstancePercent')]",
      "maxUnhealthyInstancePercent": "[parameters('maxUnhealthyInstancePercent')]",
      "maxUnhealthyUpgradedInstancePercent": "[parameters('maxUnhealthyUpgradedInstancePercent')]",
      "pauseTimeBetweenBatches": "[parameters('pauseTimeBetweenBatches')]"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2022-05-01",
      "name": "[variables('virtualNetworkName')]",
      "location": "[parameters('location')]",
      "properties": {
        "addressSpace": { "addressPrefixes": [ "[variables('addressPrefix')]" ] },
        "subnets": [
          {
            "name": "[variables('subnetName')]",
            "properties": { "addressPrefix": "[variables('subnetPrefix')]" }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2022-05-01",
      "name": "[parameters('publicIpName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "[parameters('publicIpSku')]" },
      "properties": {
        "publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]",
        "dnsSettings": { "domainNameLabel": "[parameters('dnsLabelPrefix')]" }
      }
    },
    {
      "type": "Microsoft.Network/loadBalancers",
      "apiVersion": "2022-05-01",
      "name": "[variables('loadBalancerName')]",
      "location": "[parameters('location')]",
      "sku": { "name": "[parameters('publicIpSku')]", "tier": "Regional" },
      "properties": {
        "frontendIPConfigurations": [
          {
            "name": "LoadBalancerFrontEnd",
            "properties": {
              "publicIPAddress": { "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpName'))]" }
            }
          }
        ],
        "backendAddressPools": [ { "name": "[variables('bePoolName')]" } ],
        "inboundNatPools": [
          {
            "name": "[variables('natPoolName')]",
            "properties": {
              "frontendIPConfiguration": { "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', variables('loadBalancerName'), 'loadBalancerFrontEnd')]" },
              "protocol": "Tcp",
              "frontendPortRangeStart": "[variables('natStartPort')]",
              "frontendPortRangeEnd": "[variables('natEndPort')]",
              "backendPort": "[variables('natBackendPort')]"
            }
          }
        ]
      },
      "dependsOn": [ "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpName'))]" ]
    },
    {
      "type": "Microsoft.Compute/virtualMachineScaleSets",
      "apiVersion": "2022-03-01",
      "name": "[parameters('vmssName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "[parameters('vmSku')]",
        "tier": "Standard",
        "capacity": "[parameters('instanceCount')]"
      },
      "properties": {
        "virtualMachineProfile": {
          "storageProfile": {
            "osDisk": { "createOption": "FromImage", "caching": "ReadWrite" },
            "imageReference": "[variables('imageReference')[parameters('sku')]]"
          },
          "osProfile": {
            "computerNamePrefix": "[variables('namingInfix')]",
            "adminUsername": "[parameters('adminUsername')]",
            "adminPassword": "[parameters('adminPassword')]"
          },
          "securityProfile": {
            "encryptionAtHost": "[parameters('encryptionAtHost')]",
            "securityType": "[parameters('securityType')]",
            "uefiSettings": "[if(equals(parameters('securityType'), 'TrustedLaunch'), variables('uefiSettingsJson'), null())]"
          },
          "networkProfile": {
            "networkInterfaceConfigurations": [
              {
                "name": "[variables('nicName')]",
                "properties": {
                  "primary": true,
                  "ipConfigurations": [
                    {
                      "name": "[variables('ipConfigName')]",
                      "properties": {
                        "subnet": { "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]" },
                        "loadBalancerBackendAddressPools": [ { "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('loadBalancerName'), variables('bePoolName'))]" } ],
                        "loadBalancerInboundNatPools": [ { "id": "[resourceId('Microsoft.Network/loadBalancers/inboundNatPools', variables('loadBalancerName'), variables('natPoolName'))]" } ]
                      }
                    }
                  ]
                }
              }
            ]
          },
          "extensionProfile": {
            "extensions": [
              {
                "name": "HealthExtension",
                "properties": {
                  "publisher": "Microsoft.ManagedServices",
                  "type": "ApplicationHealthWindows",
                  "typeHandlerVersion": "1.0",
                  "autoUpgradeMinorVersion": false,
                  "settings": {
                    "protocol": "[parameters('healthExtensionProtocol')]",
                    "port": "[parameters('healthExtensionPort')]",
                    "requestPath": "[if(equals(parameters('healthExtensionProtocol'), 'TCP'), null(), parameters('healthExtensionRequestPath'))]"
                  }
                }
              }
            ]
          },
          "diagnosticsProfile": { "bootDiagnostics": { "enabled": true } }
        },
        "orchestrationMode": "Uniform",
        "overprovision": "[parameters('overprovision')]",
        "upgradePolicy": {
          "mode": "[parameters('upgradePolicy')]",
          "rollingUpgradePolicy": "[if(equals(parameters('upgradePolicy'), 'Rolling'), variables('rollingUpgradeJson'), null())]",
          "automaticOSUpgradePolicy": { "enableAutomaticOSUpgrade": true }
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/loadBalancers', variables('loadBalancerName'))]",
        "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]"
      ]
    },
    {
      "condition": "[and(equals(parameters('securityType'), 'TrustedLaunch'), and(equals(variables('uefiSettingsJson').secureBootEnabled, true()), equals(variables('uefiSettingsJson').vTpmEnabled, true())))]",
      "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
      "apiVersion": "2022-03-01",
      "name": "[format('{0}/{1}', parameters('vmssName'), variables('extensionName'))]",
      "location": "[parameters('location')]",
      "properties": {
        "publisher": "[variables('extensionPublisher')]",
        "type": "[variables('extensionName')]",
        "typeHandlerVersion": "[variables('extensionVersion')]",
        "autoUpgradeMinorVersion": true,
        "enableAutomaticUpgrade": true,
        "settings": {
          "AttestationConfig": {
            "MaaSettings": {
              "maaEndpoint": "[variables('maaEndpoint')]",
              "maaTenantName": "[variables('maaTenantName')]"
            }
          }
        }
      },
      "dependsOn": [ "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName'))]" ]
    }
  ]
}
```
6. Execute the ARM template deployment.

   ```powershell
   $resourceGroupName = "myResourceGroup"
   $parameterFile = "folderPathToFile\parameters.json"
   $templateFile = "folderPathToFile\template.json"
   New-AzResourceGroupDeployment `
       -ResourceGroupName $resourceGroupName `
       -TemplateFile $templateFile `
       -TemplateParameterFile $parameterFile
   ```
7. Verify that the deployment succeeded. Use the Azure portal to check the security type and UEFI settings of the Uniform scale set: look at the Security type section of the Overview page.
8. If the scale set's upgrade mode is set to Manual, update the VM instances manually.

   ```powershell
   $resourceGroupName = "myResourceGroup"
   $vmssName = "VMScaleSet001"
   Update-AzVmssInstance -ResourceGroupName $resourceGroupName -VMScaleSetName $vmssName -InstanceId "0"
   ```
Rollback
To roll back the Trusted Launch changes to the previous known-good configuration, the scale set's securityType needs to be set to Standard.
To do so, set securityProfile to Standard as shown below. Optionally, also revert the other parameter changes (OS image, VM size) and repeat steps 5-8 described in Enable Trusted Launch on an existing scale set.

```json
"securityProfile": {
  "securityType": "Standard",
  "uefiSettings": "[null()]"
}
```
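As an added example (not part of this article and not Microsoft's tooling), the following Python script checks a scale set ARM template offline against the requirements stated in the modification steps above and in this rollback section: scale set apiVersion 2020-12-01 or later, Uniform orchestration with no data disks, a securityProfile of TrustedLaunch with both UEFI settings, a Guest Attestation extension only when secureBoot and vTPM are both true and with the publisher matching the OS type, or, for rollback, securityType Standard with uefiSettings cleared. The two templates it runs on are constructed and reduced to the properties the check reads; ARM expressions such as `[parameters('securityType')]` are reported as unresolved rather than evaluated, so run it on a template whose values are literal.

```python
"""Offline check of a scale set ARM template against the Trusted Launch upgrade and rollback
requirements in this article.  Added example, not Microsoft's tooling: literal values only."""
import copy
import re

MIN_API_VERSION = (2020, 12, 1)  # securityType needs scale set apiVersion 2020-12-01 or later
VMSS_TYPE = "Microsoft.Compute/virtualMachineScaleSets"
EXT_TYPE = "Microsoft.Compute/virtualMachineScaleSets/extensions"
GA_PUBLISHER = {"Windows": "Microsoft.Azure.Security.WindowsAttestation",  # per the table above
                "Linux": "Microsoft.Azure.Security.LinuxAttestation"}


def is_expression(value):
    """True for an ARM template expression such as "[parameters('securityType')]"."""
    return isinstance(value, str) and value.startswith("[") and value.endswith("]")


def api_version_tuple(version):
    """'2022-03-01' or '2022-03-01-preview' -> (2022, 3, 1); unparseable -> (0, 0, 0)."""
    m = re.match(r"(\d{4})-(\d{2})-(\d{2})", version or "")
    return tuple(int(x) for x in m.groups()) if m else (0, 0, 0)


def check_template(template, os_type="Windows"):
    """Return {"errors": [...], "warnings": [...]}; no errors means the template meets the
    documented requirements for its securityType (TrustedLaunch upgrade or Standard rollback)."""
    errors, warnings = [], []
    resources = template.get("resources", [])
    scale_sets = [r for r in resources if r.get("type") == VMSS_TYPE]
    if len(scale_sets) != 1:
        return {"errors": [f"expected one {VMSS_TYPE} resource, found {len(scale_sets)}"],
                "warnings": []}
    vmss = scale_sets[0]
    props = vmss.get("properties", {})
    profile = props.get("virtualMachineProfile", {})
    # Limitations section: Flex orchestration and attached data disks are not supported.
    if props.get("orchestrationMode", "Uniform") != "Uniform":
        errors.append("orchestrationMode must be Uniform for an in-place upgrade")
    if profile.get("storageProfile", {}).get("dataDisks"):
        errors.append("data disks are attached; in-place Trusted Launch upgrade is not supported")
    sec = profile.get("securityProfile") or {}
    sec_type, uefi = sec.get("securityType"), sec.get("uefiSettings")
    if is_expression(sec_type):
        warnings.append("securityType is an ARM expression; not evaluated")
    elif sec_type == "Standard":  # rollback: uefiSettings must be cleared with [null()]
        if uefi not in (None, "[null()]"):
            errors.append("rollback to Standard must set uefiSettings to [null()]")
    elif sec_type != "TrustedLaunch":
        errors.append(f"securityProfile.securityType must be TrustedLaunch, got {sec_type!r}")
    else:
        check_trusted_launch(vmss, resources, uefi, os_type, errors, warnings)
    return {"errors": errors, "warnings": warnings}


def check_trusted_launch(vmss, resources, uefi, os_type, errors, warnings):
    """Upgrade-specific checks: API version, UEFI settings, Guest Attestation extension."""
    if api_version_tuple(vmss.get("apiVersion")) < MIN_API_VERSION:
        errors.append("scale set apiVersion must be 2020-12-01 or later to set securityType")
    secure_boot = vtpm = None  # None = unknown, because uefiSettings is an expression
    if is_expression(uefi):
        warnings.append("uefiSettings is an ARM expression; not evaluated")
    elif isinstance(uefi, dict):
        secure_boot = uefi.get("secureBootEnabled") is True
        vtpm = uefi.get("vTpmEnabled") is True
        if not (secure_boot and vtpm):  # recommended true/true; secure boot off only for unsigned code
            warnings.append("secureBootEnabled and vTpmEnabled are not both true")
    else:
        secure_boot = vtpm = False
        errors.append("uefiSettings must be an object with secureBootEnabled and vTpmEnabled")
    attestation = [r for r in resources if r.get("type") == EXT_TYPE
                   and r.get("properties", {}).get("type") == "GuestAttestation"]
    if not attestation:
        warnings.append("no GuestAttestation extension; boot integrity monitoring stays off")
    for ext in attestation:
        if False in (secure_boot, vtpm):
            errors.append("GuestAttestation extension requires secureBootEnabled and vTpmEnabled")
        publisher = ext.get("properties", {}).get("publisher")
        if publisher != GA_PUBLISHER[os_type]:
            errors.append(f"GuestAttestation publisher {publisher!r} is not the {os_type} publisher")


# Constructed sample: the scale set and extension resources after the four modification steps,
# with literal values (not a deployable template).
UPGRADE_TEMPLATE = {"resources": [
    {"type": VMSS_TYPE, "apiVersion": "2022-03-01", "name": "vmss-sample",
     "properties": {"orchestrationMode": "Uniform", "virtualMachineProfile": {
         "storageProfile": {"osDisk": {"createOption": "FromImage"}, "imageReference": {
             "publisher": "MicrosoftWindowsServer", "offer": "WindowsServer",
             "sku": "2022-datacenter-azure-edition", "version": "latest"}},
         "securityProfile": {"securityType": "TrustedLaunch",
                             "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": True}}}}},
    {"type": EXT_TYPE, "apiVersion": "2022-03-01", "name": "vmss-sample/GuestAttestation",
     "properties": {"publisher": GA_PUBLISHER["Windows"], "type": "GuestAttestation",
                    "typeHandlerVersion": "1.0"}}]}

# The same scale set after the rollback edit: Standard, uefiSettings cleared, extension removed.
ROLLBACK_TEMPLATE = copy.deepcopy(UPGRADE_TEMPLATE)
ROLLBACK_TEMPLATE["resources"] = ROLLBACK_TEMPLATE["resources"][:1]
ROLLBACK_TEMPLATE["resources"][0]["properties"]["virtualMachineProfile"]["securityProfile"] = {
    "securityType": "Standard", "uefiSettings": "[null()]"}
```

Calling `check_template(UPGRADE_TEMPLATE)` and `check_template(ROLLBACK_TEMPLATE)` returns no errors or warnings; `check_template(UPGRADE_TEMPLATE, os_type="Linux")` reports the Windows attestation publisher as wrong for a Linux image, and a scale set resource with apiVersion 2019-12-01 is rejected before deployment rather than failing at the securityType property. Errors are the article's hard requirements; warnings cover the recommended settings and unresolved expressions.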
Next steps
(Recommended) After the upgrade, enable boot integrity monitoring to monitor the health of the VMs with Microsoft Defender for Cloud.