Deploy Admin Virtual Machine (VM) from the service catalog into a workload

The Admin VM template creates a VM on the management subnet so you can access the enclave resources securely. This type of VM is also called a jumpbox because it allows you to jump into the isolated network.

In this article, you:

  • Deploy a service catalog template for an Admin VM into an existing workload from the Portal.

Note

This sample deployment is just for demonstration purposes and doesn't represent all the best practices for network, systems, or applications administration.

Deploy Options

The Admin VM template can be deployed in multiple configurations:

  1. Virtual Machine (~10 min)
  2. Virtual Machine domain-joined (~12 min)

Before you begin

Prerequisites

There are guardrail requirements on the enclaves to ensure enclave resources use Customer-Managed Key (CMK) encryption. This requires a key, and an identity with access to that key, to be reachable from inside the enclave. Create the CMK (and optionally the Key Vault) and the Managed Identity with the Common Dependencies service catalog template.

  1. Subnet for Private Endpoints: You can create subnets during enclave creation or add new subnets after the enclave exists. The private endpoint subnet must have no subnet delegation for private endpoints to work properly.
  2. Create these Private DNS Zones ahead of time, depending on what you create next:
    • Key Vault required when creating a Key Vault from this template or the more customizable Key Vault template.
    • Storage File, Storage Queue, Storage Blob, and Storage Table are required when making a Storage Account from this template or the more customizable Storage Account template.
  3. A Key Vault, Customer Managed Key (CMK), and Managed Identity are required for this template. Create a Key Vault, CMK, and Managed Identity in the Common Dependencies service catalog quickstart or create your own.
    • These resources should be created inside a workload resource group.
    • After creating the User Managed Identity, ensure it has access to the CMK key.
      • Assign the Key Vault Crypto Service Encryption User RBAC role to the managed identity scoped to the key vault with these instructions. This role allows you to then assign the managed identity to another resource, like a Virtual Machine, and that Virtual Machine can encrypt the operating system disk with the CMK in the key vault with least privilege.
  4. (optional) An existing domain to join if the Admin VM will be domain joined.

Deploy the template

  1. Navigate to the workload for the intended deployment.
  2. Select +Add an Azure Service button.
  3. Select the Admin VM service template from the service catalog list dropdown. Confirm the version you need (default: latest) and then select Next.

Screenshot showing the service catalog Admin VM selected from the list.

  4. Enter all the required parameters on each of the tabs.
  5. For OS Disk Encryption Name and OS Disk Encryption Resource Group Name, enter the names used in the prerequisites section.
  6. Adjust the prepopulated parameters as needed.
  7. Select Review + Create. If all validations pass, select Create.
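The prerequisite pieces (Key Vault, CMK, managed identity holding the Key Vault Crypto Service Encryption User role) and the resources this deployment creates (VM, OS disk, NIC) fit together as in the following Bicep, added here as an illustration; it is not the service catalog's own template. All parameter names, the VM size, image, and resource names are assumptions; the role definition GUID is the built-in Key Vault Crypto Service Encryption User role.

```bicep
// Added example, not the service catalog template. Parameter names, VM size,
// image and resource names are assumptions; the GUID is the built-in role.
param location string = resourceGroup().location
param keyVaultName string        // existing Key Vault in the workload resource group
param cmkName string             // existing CMK in that vault
param identityName string        // existing user-assigned managed identity
param managementSubnetId string  // management subnet the jumpbox is placed on
param vmName string = 'adminvm01'
param adminUsername string
@secure()
param adminPassword string
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = { name: keyVaultName }
resource cmk 'Microsoft.KeyVault/vaults/keys@2023-07-01' existing = { parent: kv, name: cmkName }
resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = { name: identityName }
// Prerequisite step 3: least-privilege role so the identity can only wrap/unwrap with the CMK.
var cryptoUserRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')
resource kvRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, uami.id, cryptoUserRole)
  scope: kv
  properties: { roleDefinitionId: cryptoUserRole, principalId: uami.properties.principalId, principalType: 'ServicePrincipal' }
}
// Disk Encryption Set: the "OS Disk Encryption" resource the deployment asks for by name.
resource des 'Microsoft.Compute/diskEncryptionSets@2023-10-02' = {
  name: '${vmName}-des'
  location: location
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${uami.id}': {} } }
  properties: {
    encryptionType: 'EncryptionAtRestWithCustomerKey'
    activeKey: { keyUrl: cmk.properties.keyUriWithVersion, sourceVault: { id: kv.id } }
  }
  dependsOn: [ kvRole ] // the role must exist before the DES first wraps with the key
}
resource nic 'Microsoft.Network/networkInterfaces@2023-09-01' = {
  name: '${vmName}-nic'
  location: location
  properties: { ipConfigurations: [ { name: 'ipconfig1', properties: { subnet: { id: managementSubnetId } } } ] }
}
resource vm 'Microsoft.Compute/virtualMachines@2023-09-01' = {
  name: vmName
  location: location
  properties: {
    hardwareProfile: { vmSize: 'Standard_D2s_v5' }
    osProfile: { computerName: vmName, adminUsername: adminUsername, adminPassword: adminPassword }
    storageProfile: {
      imageReference: { publisher: 'MicrosoftWindowsServer', offer: 'WindowsServer', sku: '2022-datacenter-g2', version: 'latest' }
      osDisk: { createOption: 'FromImage', managedDisk: { storageAccountType: 'Premium_LRS', diskEncryptionSet: { id: des.id } } }
    }
    networkProfile: { networkInterfaces: [ { id: nic.id } ] }
  }
}
```

Deploy it into the workload resource group with `az deployment group create`; the Key Vault must already have soft delete and purge protection enabled, or the disk encryption set cannot reference its key.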

Validate the deployment

Go to the specified resource group to confirm the intended resources were created, including the VM, OS Disk, and NIC.

Connect to the Virtual Machine

Via the Admin VM: Administrators use the Admin VM to access the resources within the enclave boundary from outside the boundary. The Admin VM might also be called a "jumpbox."

  1. Sign in to a desktop session on the Admin VM.
  2. From the start menu, type RDP, and open the RDP window.
  3. Enter the Virtual Machine IP address as the destination IP address for the RDP connection.
  4. Enter Virtual Machine credentials and select Accept/Yes to warnings about a new connection.
  5. From the Virtual Machine desktop, validate any VM settings set during the deployment or complete any custom configuration.
  6. Assign a security group to give users access to your Virtual Machine. Otherwise, start using the Virtual Machine.

Delete the deployment

If you don't plan on keeping these resources, clean up unnecessary resources to avoid Azure charges. If no other deployments exist in the resource group, the whole resource group can be deleted.

Recommendations

  • Session host or VM Sizing
  • Add tags to service catalog deployments to track important information for that resource such as:
    • Owner: <main POC>
    • Deployer: <yourName>
    • Purpose: <enclave administration>
    • Service Catalog Name: <Admin VM>
    • Service Catalog Version: <version you deployed>
  • Consider adding an Azure Policy to enforce and inherit tags
  • Collect Custom Logs from applications