This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 18%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
I have 2 very simple questions, but I don't know them.
1.- How do I know which version (v1 or v2) of application gateway I have configured? It just says: SKU: Standard
2.- AKS uses "encryption at-rest with a platform-managed key" by default, but this is based on a symmetric or asymmetric algorithm and uses some encryption algorithm (DES, 3DES, AES....)
Thank you very much.
Hello @Sebastian Pacheco ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
Please find the answers to your queries below:
How do I know which version (v1 or v2) of application gateway I have configured? It just says: SKU: Standard
Standard/WAF is v1 SKU App gateway. Standard v2/WAF v2 is v2 SKU App gateway.
You can see the same while creating an Application gateway as below:
AKS uses "encryption at-rest with a platform-managed key" by default, but this is based on a symmetric or asymmetric algorithm and uses some encryption algorithm (DES, 3DES, AES....)
The Encryption at Rest designs in Azure uses symmetric encryption to encrypt and decrypt large amounts of data. Data in Azure managed disks is encrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant.
For more information on encryption at-rest with a platform-managed key, please refer the below docs:
https://learn.microsoft.com/en-us/azure/aks/enable-host-encryption
https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest
https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption
Kindly let us know if the above helps or you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Hi @GitaraniSharma-MSFT , thanks!
then... the information of the O.S of the "AKS NODES" are activated with 256-bit AES algorithms. --->Is this by default or do you have to activate something? In the link it indicates something about registering EncryptionAtHost
I had read that Azure Storage was with 256-bit AES, but I had not found anything regarding the O.S of the aks nodes
Thanks!
1.-
This appears on my portal:
Tier: WAF V2
is that Standard v2?
2.-
then... the information of the O.S of the aks nodes are activated with 256-bit AES algorithms.
Is this by default or do you have to activate something? In the link it indicates something about registering EncryptionAtHost
I had read that Azure Storage was with 256-bit AES, but I had not found anything regarding the O.S of the aks nodes
Hello @Sebastian Pacheco ,
1) WAF V2 is Application gateway V2 SKU with Web Application Firewall (WAF).
Refer : https://learn.microsoft.com/en-us/azure/application-gateway/overview-v2
2) As mentioned in this doc, with host-based encryption, the data stored on the VM host of your AKS agent nodes' VMs is encrypted at rest and flows encrypted to the Storage service. This means the temp disks are encrypted at rest with platform-managed keys. The cache of OS and data disks is encrypted at rest with either platform-managed keys or customer-managed keys depending on the encryption type set on those disks. By default, when using AKS, OS and data disks are encrypted at rest with platform-managed keys, meaning that the caches for these disks are also by default encrypted at rest with platform-managed keys.
You can confirm the same in Azure portal while creating a AKS cluster as below:
The registration mentioned in the doc is regarding first time registration of the feature, if not done already. If not done, you will not be able to see the default encryption option in Azure portal as shown above.
It is a one-time registration only. Once done, you don't have to do it again and I believe you should already have this feature registered. You can confirm the same by going to the screen shown in the above screenshot in your Azure portal.
1.- ok, thanks!
2.-
When I create the AKS cluster I select the "encryption at-rest with a platform-managed key" option, but then when I read the document you indicate, I don't see anywhere that the "EncryptionAtHost" feature is registered on my platform.
I wanted to make sure that when selecting the option ("encryption at-rest with a platform-managed key") the disks of the NODES are automatically encrypted and I don't have to do anything else... I can't find the "EncryptionAtHost" feature
sorry, it's a bit confusing.
Hello @Sebastian Pacheco ,
If you see "encryption at-rest with a platform-managed key" option, while creating an AKS cluster in your Azure account, it means the "EncryptionAtHost" feature is already registered on your platform. You do not have to do anything else. Just selecting the "encryption at-rest with a platform-managed key" option while creating an AKS cluster will by default enable the the encryption and the disks of your nodes will be automatically encrypted.
You can run the below PowerShell or CLI commands in your Azure CloudShell to confirm that the feature is already registered in your account or not:
PowerShell command : Get-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"
CLI command : az feature show --name "EncryptionAtHost" --namespace "Microsoft.Compute"
How to run Azure Cloudshell in Azure portal : https://learn.microsoft.com/en-us/azure/cloud-shell/quickstart-powershell
Only if it shows as "Unregistered" in your account, you will have to run a register command as below:
Azure PowerShell : Register-AzProviderFeature -FeatureName "EncryptionAtHost" -ProviderNamespace "Microsoft.Compute"
Azure CLI : az feature register --namespace "Microsoft.Compute" --name "EncryptionAtHost"
Regards,
Gita
When I installed AKS I selected the option, but it didn't have the option
"status": "Registering"
then run the command you say and it worked
Azure CLI : az feature register --namespace "Microsoft.Compute" --name "EncryptionAtHost"
Once the feature 'EncryptionAtHost' is registered, invoking 'az provider register -n Microsoft.Compute' is required to get the change propagated
Azure CLI : az provider register -n Microsoft.Compute
why if I select at the beginning of the cluster the option "encryption at-rest with a platform-managed key" was not the encryption correctly?
Hello @Sebastian Pacheco ,
Thank you for the update.
As I mentioned earlier, the registration explained in the doc is regarding first time registration of the feature, if not done already. It is a one-time registration only. Once done, you don't have to do it again.
Looks like the feature was not registered on your account. But now that you have registered this feature, you don't have to do it again.
The next time you create an AKS cluster and select the default "encryption at-rest with a platform-managed key" option, it will be enabled and the disks of your nodes will be automatically encrypted.
Regards,
Gita
Ok @GitaraniSharma-MSFT thank you very much for all !
Regards,
Sebastián.