Quickstart: Create and encrypt a Windows VM with the Azure CLI

The Azure CLI is used to create and manage Azure resources from the command line or in scripts. This quickstart shows you how to use the Azure CLI to create and encrypt a Windows Server 2016 virtual machine (VM).

If you don't have an Azure trial subscription, create a trial subscription before you begin.

Prerequisites

  • If you prefer, install the Azure CLI to run CLI reference commands.
    • If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For additional sign-in options, see Sign in with the Azure CLI.
    • When you're prompted, install Azure CLI extensions on first use. For more information about extensions, see Use extensions with the Azure CLI.
    • Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
  • This article requires version 2.0.30 or later of the Azure CLI.

Note

Before you can use the Azure CLI in Azure China, run az cloud set -n AzureChinaCloud to change the cloud environment. To switch back to the Azure public cloud, run az cloud set -n AzureCloud.

Create a resource group

Create a resource group with the az group create command. An Azure resource group is a logical container into which Azure resources are deployed and managed. The following example creates a resource group named myResourceGroup in the chinaeast location:

az group create --name myResourceGroup --location chinaeast

Create a virtual machine

Create a VM with az vm create. The following example creates a VM named myVM. This example uses azureuser for an administrative user name and myPassword12 as the password.

az vm create \
    --resource-group myResourceGroup \
    --name myVM \
    --image win2016datacenter \
    --admin-username azureuser \
    --admin-password myPassword12

It takes a few minutes to create the VM and supporting resources. The following example output shows that the VM create operation was successful.

{
  "fqdns": "",
  "id": "/subscriptions/<guid>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM",
  "location": "chinaeast",
  "macAddress": "00-0D-3A-23-9A-49",
  "powerState": "VM running",
  "privateIpAddress": "10.0.0.4",
  "publicIpAddress": "52.174.34.95",
  "resourceGroup": "myResourceGroup"
}

Create a Key Vault configured for encryption keys

Azure Disk Encryption stores its encryption key in an Azure Key Vault. Create a Key Vault with az keyvault create. To enable the Key Vault to store encryption keys, use the --enabled-for-disk-encryption parameter.

Important

Each Key Vault must have a unique name. The following example creates a Key Vault named myKV, but you must name yours something different.

az keyvault create --name "myKV" --resource-group "myResourceGroup" --location chinaeast --enabled-for-disk-encryption

Encrypt the virtual machine

Encrypt your VM with az vm encryption enable, providing your unique Key Vault name to the --disk-encryption-keyvault parameter.

az vm encryption enable -g MyResourceGroup --name MyVM --disk-encryption-keyvault myKV

You can verify that encryption is enabled on your VM with az vm encryption show:

az vm encryption show --name MyVM -g MyResourceGroup

You will see the following in the returned output:

"EncryptionOperation": "EnableEncryption"
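
The steps above combined into one script, as an added example that is not part of the original quickstart. It relies on az vm create prompting for the password on an interactive terminal when --admin-password is omitted, appends a timestamp to the vault name so it differs from the shared myKV, and fails unless the status output contains the value shown above. The variable names, the RUN_QUICKSTART switch and the sample JSON are assumptions constructed for this example.

```sh
#!/bin/sh
# Added example, not from the original quickstart. Variable names, the
# RUN_QUICKSTART switch and SAMPLE_OK are assumptions made for this sketch.
RG="myResourceGroup"
VM="myVM"
LOCATION="chinaeast"
KV="myKV$(date +%s)"   # timestamp suffix so the name is not the shared "myKV"

# Constructed sample of status output; only the key/value pair is from the page.
SAMPLE_OK='{ "EncryptionOperation": "EnableEncryption" }'

# Succeeds only if the JSON on stdin contains the pair the quickstart names.
# Empty input (for example, from a failed az call) fails the check.
encryption_enabled() {
    grep -Eq '"EncryptionOperation"[[:space:]]*:[[:space:]]*"EnableEncryption"'
}

# Runs every step in order and stops at the first failure.
# az vm create is called without --admin-password so that az prompts for it,
# which keeps the password out of shell history and the script file.
run_quickstart() {
    az group create --name "$RG" --location "$LOCATION" &&
    az vm create --resource-group "$RG" --name "$VM" \
        --image win2016datacenter --admin-username azureuser &&
    az keyvault create --name "$KV" --resource-group "$RG" \
        --location "$LOCATION" --enabled-for-disk-encryption &&
    az vm encryption enable -g "$RG" --name "$VM" \
        --disk-encryption-keyvault "$KV" &&
    az vm encryption show --name "$VM" -g "$RG" | encryption_enabled
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_OK" | encryption_enabled && echo "sample: encryption enabled"

# Set RUN_QUICKSTART=1 to run the steps against a real subscription.
if [ "${RUN_QUICKSTART:-}" = "1" ]; then
    if run_quickstart; then
        echo "VM encrypted"
    else
        echo "encryption not confirmed" >&2
        exit 1
    fi
fi
```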

Clean up resources

When no longer needed, you can use the az group delete command to remove the resource group, VM, and Key Vault.

az group delete --name myResourceGroup

Next steps

In this quickstart, you created a virtual machine, created a Key Vault that was enabled for encryption keys, and encrypted the VM. Advance to the next article to learn more about Azure Disk Encryption prerequisites for IaaS VMs.