@Khaleel Mohamed, Fazle Kareem
- Does disk Snapshot support all types of Encryption? (SSE Encryption and Azure Disk Encryption)
By default, managed disks use platform-managed encryption keys. All managed disks, snapshots, images, and data written to existing managed disks are automatically encrypted-at-rest with platform-managed keys. Platform-managed keys are managed by Microsoft.
Yes, disk snapshots in Azure support both Server-Side Encryption (SSE) and Azure Disk Encryption (ADE).
When you create a disk snapshot in Azure, you can choose to use SSE to encrypt the snapshot. SSE is a feature that allows you to encrypt your data at rest in Azure, using either Microsoft-managed keys or customer-managed keys stored in Azure Key Vault. When you create a disk snapshot with SSE, the snapshot is encrypted using the specified encryption key, and the encryption is performed on the server side, which helps to protect your data from unauthorized access.
In addition to SSE, you can also use ADE to encrypt the disk snapshot. ADE is a feature that allows you to encrypt the OS and data disks of Azure virtual machines (VMs), using either Microsoft-managed keys or customer-managed keys stored in Azure Key Vault. When you create a disk snapshot with ADE, the snapshot is encrypted using the specified encryption key, and the encryption is performed on the client side, which helps to protect your data from unauthorized access.
It's worth noting that when you create a disk snapshot with ADE, the snapshot is encrypted using the same encryption key that was used to encrypt the original disk. This means that if you want to use a different encryption key for the snapshot, you need to first decrypt the original disk and then create a new disk with the desired encryption key, before creating the snapshot.
All disk types support some form of snapshot. Ultra Disks and Premium SSD v2 disks only support incremental snapshots and have some limitations. For details, see Create an incremental snapshot for managed disks. The other disk types support both types of snapshots for all their disk sizes.
For more detailed information, you can refer to the following Azure documentation:
- Does disk snapshot creation or updating support immutability?
Yes, disk snapshot creation and updating in Azure support immutability. Immutability is a feature that allows you to protect your data from accidental or malicious deletion, modification, or ransomware attacks by making the data read-only for a specified period of time. When you create a disk snapshot in Azure, you can enable the immutability feature by setting the "ImmutabilityPolicy" property of the snapshot. This property allows you to specify the number of days that the snapshot should be immutable, as well as the retention period for the snapshot. Once the immutability policy is set, the snapshot becomes read-only for the specified period of time, and cannot be deleted or modified during that time. This helps to protect your data from accidental or malicious deletion, modification, or ransomware attacks. It's worth noting that immutability is not enabled by default when you create a disk snapshot in Azure. You need to explicitly enable it by setting the "ImmutabilityPolicy" property of the snapshot. Additionally, immutability is only available for certain types of storage accounts in Azure, such as Blob storage accounts and Azure Data Lake Storage Gen2 accounts. For further details, you can explore the Azure documentation on the following topics:
- Any limits on simultaneous creation of disks from a snapshot for disk types standard HDD, standard SSD and premium SSD? I know the limit is 5 for premium SSD V2 and Ultra Disk. But for other three disk types, it's not documented.
I will look into the article. If any update is required, we will make the necessary changes.
- Is concurrent creation of disk snapshots supported?
Concurrent creation of disk snapshots is not supported in Azure. Snapshots in Azure are designed to capture the state of a single disk and do not have the capability to coordinate with other snapshots, which would be necessary for concurrent snapshot creation, especially in scenarios that involve multiple disks, such as striping. This limitation is due to the fact that snapshots are not aware of any other disks except the one they contain. For more information, you can refer to the Azure documentation on Managed disk snapshots and Consistent snapshots for unmanaged disks. https://learn.microsoft.com/en-us/answers/questions/1275872/what-happens-to-simultaneous-writes-to-disk-when-d
If there is any limitation with disk snapshot, please share the details as well.
FAQs for Azure Disks: https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/windows/azure-iaas-vm-disks-managed-unmanaged
Frequently asked questions about Azure IaaS VM disks and managed and unmanaged premium disks: https://learn.microsoft.com/en-us/azure/virtual-machines/faq-for-disks?tabs=azure-portal#snapshots
Please let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
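
To check which of the encryption modes discussed above (SSE with a platform-managed or customer-managed key, ADE) each snapshot actually uses, the JSON from `az snapshot list -o json` can be classified as below. This is an added example, not part of the original answer; the sample records and the disk encryption set ID are constructed placeholders, and the field names assume the Azure CLI's snapshot output.

```python
# Constructed records shaped like `az snapshot list -o json` output (no real resources).
DES_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
          "/providers/Microsoft.Compute/diskEncryptionSets/des-example")  # placeholder
SAMPLE = [
    {"name": "snap-pmk", "incremental": False,
     "encryption": {"type": "EncryptionAtRestWithPlatformKey", "diskEncryptionSetId": None},
     "encryptionSettingsCollection": None},
    {"name": "snap-cmk", "incremental": True,
     "encryption": {"type": "EncryptionAtRestWithCustomerKey", "diskEncryptionSetId": DES_ID},
     "encryptionSettingsCollection": None},
    {"name": "snap-ade", "incremental": False,
     "encryption": {"type": "EncryptionAtRestWithPlatformKey", "diskEncryptionSetId": None},
     "encryptionSettingsCollection": {"enabled": True, "encryptionSettingsVersion": "1.1"}},
]

# Server-side encryption types reported on the snapshot resource.
SSE_MODES = {
    "EncryptionAtRestWithPlatformKey": "SSE, platform-managed key",
    "EncryptionAtRestWithCustomerKey": "SSE, customer-managed key",
    "EncryptionAtRestWithPlatformAndCustomerKeys": "SSE, double encryption",
}

def classify(snap):
    """Summarise how one snapshot record is encrypted."""
    enc = snap.get("encryption") or {}
    ade = snap.get("encryptionSettingsCollection") or {}  # present when ADE settings exist
    return {
        "name": snap["name"],
        "sse": SSE_MODES.get(enc.get("type"), "unknown"),
        "disk_encryption_set": enc.get("diskEncryptionSetId"),
        "ade": bool(ade.get("enabled")),
        "incremental": bool(snap.get("incremental")),
    }

def without_customer_key(snapshots):
    """Names of snapshots with neither a disk encryption set (CMK) nor ADE enabled."""
    out = []
    for s in map(classify, snapshots):
        if s["disk_encryption_set"] is None and not s["ade"]:
            out.append(s["name"])
    return out

if __name__ == "__main__":
    for record in SAMPLE:
        print(classify(record))
    print("platform key only:", without_customer_key(SAMPLE))
```
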