Set-AzVmssSecurityProfile
This cmdlet lets users set the SecurityType enumeration for Virtual Machine Scale Sets.
Syntax
Set-AzVmssSecurityProfile
[-VirtualMachineScaleSet] <PSVirtualMachineScaleSet>
[[-SecurityType] <String>]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
Description
Sets the security type of the scale set (VMSS).
Examples
Example 1
$VMSS = Get-AzVmss -ResourceGroupName "ResourceGroup11" -VMScaleSetName "ContosoVM07"
$VMSS = Set-AzVmssSecurityProfile -VirtualMachineScaleSet $VMSS -SecurityType "TrustedLaunch"
The first command gets the virtual machine scale set named ContosoVM07 using Get-AzVmss and stores it in the $VMSS variable. The second command sets the SecurityType enumeration to "TrustedLaunch".
Example 2: Create a confidential VMSS resource with the encryption type VMGuestStateOnly.
# Common Variables
$rgname = <Resource Group Name>
$loc = "northeurope"
New-AzResourceGroup -Name $rgname -Location $loc -Force
$vmssSize = "Standard_DC2as_v5"
$PublisherName = "MicrosoftWindowsServer"
$Offer = "WindowsServer"
$SKU = '2022-datacenter-smalldisk-g2'
$version = "latest"
$securityType = "ConfidentialVM"
$securityEncryptionType = "VMGuestStateOnly"
$secureboot = $true
$vtpm = $true
# NRP
$subnet = New-AzVirtualNetworkSubnetConfig -Name ('subnet' + $rgname) -AddressPrefix "10.0.0.0/24"
$vnet = New-AzVirtualNetwork -Force -Name ('vnet' + $rgname) -ResourceGroupName $rgname -Location $loc -AddressPrefix "10.0.0.0/16" -Subnet $subnet
$vnet = Get-AzVirtualNetwork -Name ('vnet' + $rgname) -ResourceGroupName $rgname
$subnetId = $vnet.Subnets[0].Id
# New VMSS Parameters
$vmssName = 'vmss' + $rgname
$adminUsername = <User Name>
$adminPassword = <Password> | ConvertTo-SecureString -AsPlainText -Force
$imgRef = New-Object -TypeName 'Microsoft.Azure.Commands.Compute.Models.PSVirtualMachineImage'
$imgRef.PublisherName = $PublisherName
$imgRef.Offer = $Offer
$imgRef.Skus = $SKU
$imgRef.Version = $version
$vmssIPName = <IP Name>
$vmssNICName = <NIC Name>
$computerNamePrefix = <Name Prefix>
$ipCfg = New-AzVmssIpConfig -Name $vmssIPName -SubnetId $subnetId
$vmss = New-AzVmssConfig -Location $loc -SkuCapacity 2 -SkuName $vmssSize -UpgradePolicyMode 'Manual' `
| Add-AzVmssNetworkInterfaceConfiguration -Name $vmssNICName -Primary $true -IPConfiguration $ipCfg `
| Set-AzVmssOsProfile -ComputerNamePrefix $computerNamePrefix -AdminUsername $adminUsername -AdminPassword $adminPassword `
| Set-AzVmssStorageProfile -OsDiskCreateOption 'FromImage' -OsDiskCaching 'ReadOnly' -SecurityEncryptionType $securityEncryptionType `
-ImageReferenceOffer $imgRef.Offer -ImageReferenceSku $imgRef.Skus -ImageReferenceVersion $imgRef.Version `
-ImageReferencePublisher $imgRef.PublisherName
# Confidential Vmss required parameters
$vmss = Set-AzVmssSecurityProfile -VirtualMachineScaleSet $vmss -SecurityType $securityType
$vmss = Set-AzVmssUefi -VirtualMachineScaleSet $VMSS -EnableVtpm $vtpm -EnableSecureBoot $secureboot
# Create Vmss
$result = New-AzVmss -ResourceGroupName $rgname -Name $vmssName -VirtualMachineScaleSet $vmss
# Validate
$vmssGet = Get-AzVmss -ResourceGroupName $rgname -Name $vmssName
# SecurityType value can be seen at $vmssGet.VirtualMachineProfile.SecurityProfile.SecurityType
Example 3: Create a confidential VMSS resource with the encryption type DiskWithVMGuestState and the reference image's disk encryption set to EncryptedWithPmk.
# Common variables
$rgname = <Resource Group Name>
$loc = "northeurope"
New-AzResourceGroup -ResourceGroupName $rgName -Location $loc -Force
$secureBoot = $true
$vtpm = $true
$vmssName = "vmss" + $rgname
# VM variables
$vmName = <VM Name>
$vmSize = "Standard_DC2as_v5"
$vmssSize = "Standard_DC2as_v5"
$password = <Password>
$securePassword = $password | ConvertTo-SecureString -AsPlainText -Force
$username = <User Name>
$vmCred = New-Object System.Management.Automation.PSCredential ($username, $securePassword)
$imagePublisher = "MicrosoftWindowsServer"
$imageOffer = "windowsserver"
$imageSku = "2022-datacenter-smalldisk-g2"
$imageVersion = "latest"
$osDiskSecurityType = "DiskwithVMGuestState"
$vmSecurityType = "ConfidentialVM"
# Network variables
$NetworkName = [system.string]::concat($vmName, '-vnet')
$NICName = [system.string]::concat($vmName, '-nic')
$SubnetName = [system.string]::concat($vmName, '-subnet')
$SubnetAddressPrefix = "10.0.0.0/24"
$VnetAddressPrefix = "10.0.0.0/16"
# Setup Network
$SingleSubnet = New-AzVirtualNetworkSubnetConfig -Name $SubnetName -AddressPrefix $SubnetAddressPrefix
$Vnet = New-AzVirtualNetwork -Name $NetworkName -ResourceGroupName $rgName `
-Location $loc -AddressPrefix $VnetAddressPrefix -Subnet $SingleSubnet
$NIC = New-AzNetworkInterface -Name $NICName -ResourceGroupName $rgName `
-Location $loc -SubnetId $Vnet.Subnets[0].Id
# Setup CVM
$virtualMachine = New-AzVMConfig -VMName $vmName -VMSize $vmSize
$VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine -Windows -ComputerName $vmName `
-Credential $vmCred -ProvisionVMAgent -EnableAutoUpdate
$VirtualMachine = Add-AzVMNetworkInterface -VM $VirtualMachine -Id $NIC.Id
$VirtualMachine = Set-AzVMSourceImage -VM $VirtualMachine -PublisherName $imagePublisher `
-Offer $imageOffer -Skus $imageSku -Version $imageVersion
$VirtualMachine = Set-AzVMOSDisk -VM $VirtualMachine -StorageAccountType "StandardSSD_LRS" `
-CreateOption "FromImage" -SecurityEncryptionType $osDiskSecurityType
$VirtualMachine = Set-AzVMSecurityProfile -VM $VirtualMachine -SecurityType $vmSecurityType
$VirtualMachine = Set-AzVMUefi -VM $VirtualMachine -EnableVtpm $true -EnableSecureBoot $true
New-AzVM -ResourceGroupName $rgName -Location $loc -VM $VirtualMachine
$cvm = Get-AzVM -VMName $vmName -ResourceGroupName $rgName
# Image Gallery variables
$galleryName = "rg" + $rgname
$definitionName = "def"+$rgname
$publisherName = "cvm01"
$versionName = "1.0.0"
# Platform Managed Key encryption
$cvmEncryptionType = "EncryptedWithPmk"
$replicaCount = 1
$storageAccountType = "Standard_LRS"
$osState = "Specialized"
$osType = "Windows"
$sourceImageId = $cvm.Id
# Setup Image Gallery
New-AzGallery -ResourceGroupName $rgName -Name $galleryName -location $loc
$imagePublisher = "MicrosoftWindowsServer"
$imageOffer = "windowsserver"
$imageSku = "2022-datacenter-smalldisk-g2"
$vmSecurityType = "ConfidentialVM"
# Setup Image Definition
$SecurityTypeTable = @{Name='SecurityType';Value='ConfidentialVM'}
$features = @($SecurityTypeTable)
New-AzGalleryImageDefinition -ResourceGroupName $rgName -GalleryName $galleryName -Name $definitionName `
-Feature $features -Publisher $imagePublisher -Offer $imageOffer -Sku $imageSku -location $loc `
-OsState $osState -OsType $osType -HyperVGeneration 'V2'
$galDefinition = Get-AzGalleryImageDefinition -ResourceGroupName $rgname -GalleryName $galleryName -Name $definitionName
# Setup Image Version
$cvmOsDiskEncryption = @{CVMEncryptionType=$cvmEncryptionType}
$cvmEncryption = @{OSDiskImage = $cvmOsDiskEncryption}
$region = @{Name = $loc; ReplicaCount = $replicaCount; StorageAccountType = $storageAccountType; Encryption = $cvmEncryption}
$targetRegions = @($region)
# Pause the script to ensure the referenced VM is in the Succeeded state. The amount of time can vary and this is just a precaution.
Start-Sleep -Seconds 360
New-AzGalleryImageVersion -ResourceGroupName $rgName -GalleryName $galleryName -GalleryImageDefinitionName $definitionName `
-Name $versionName -Location $loc -SourceImageId $sourceImageId -ReplicaCount $replicaCount `
-StorageAccountType $storageAccountType -TargetRegion $targetRegions
$galVersion = Get-AzGalleryImageVersion -ResourceGroupName $rgname -GalleryName $galleryName -GalleryImageDefinitionName $definitionName
# NRP for vmss setup. This is not required if you want to reuse the previous NRP setup.
$subnet = New-AzVirtualNetworkSubnetConfig -Name ('subnet' + $rgname) -AddressPrefix $SubnetAddressPrefix
$vnet = New-AzVirtualNetwork -Force -Name ('vnet' + $rgname) -ResourceGroupName $rgname -Location $loc -AddressPrefix $VnetAddressPrefix -Subnet $subnet
$subnetId = $vnet.Subnets[0].Id
$vmssIPName = <IP Name>
$vmssNICName = <NIC Name>
$ipCfg = New-AzVmssIpConfig -Name $vmssIPName -SubnetId $subnetId
# Vmss setup
$securityEncryptionType = "DiskWithVMGuestState"
$vmss = New-AzVmssConfig -Location $loc -SkuCapacity 2 -SkuName $vmssSize -UpgradePolicyMode 'Manual' -ImageReferenceId $galDefinition.Id `
| Add-AzVmssNetworkInterfaceConfiguration -Name $vmssNICName -Primary $true -IPConfiguration $ipCfg `
| Set-AzVmssStorageProfile -OsDiskCreateOption 'FromImage' -OsDiskCaching 'ReadOnly' -SecurityEncryptionType $securityEncryptionType
# Confidential Vmss required parameters
$vmss = Set-AzVmssSecurityProfile -VirtualMachineScaleSet $vmss -SecurityType $vmSecurityType
$vmss = Set-AzVmssUefi -VirtualMachineScaleSet $VMSS -EnableVtpm $vtpm -EnableSecureBoot $secureboot
# Create Vmss
$result = New-AzVmss -ResourceGroupName $rgname -Name $vmssName -VirtualMachineScaleSet $vmss
# Validate
$vmssGet = Get-AzVmss -ResourceGroupName $rgname -Name $vmssName
# Verify the Vmss SecurityType at $vmssGet.VirtualMachineProfile.SecurityProfile.SecurityType
$vmssvms = Get-AzVmssVM -ResourceGroupName $rgname -VMScaleSetName $vmssName
$vmssvm = Get-AzVmssVM -ResourceGroupName $rgname -VMScaleSetName $vmssName -InstanceId $vmssvms[0].InstanceId
# Verify the SecurityEncryptionType at $vmssvm.StorageProfile.OsDisk.ManagedDisk.SecurityProfile.SecurityEncryptionType
Example 4: Create a confidential VMSS resource with the encryption type DiskWithVMGuestState and the reference image's disk encryption set to EncryptedWithCmk.
# Common Variables
$rgname = <Resource Group Name>;
$loc = "northeurope";
New-AzResourceGroup -ResourceGroupName $rgName -Location $loc -Force;
$secureBoot = $true;
$vtpm = $true;
$vmssName = "vmss" + $rgname;
# VM variables
$vmName = "v" + $rgname;
$vmSize = "Standard_DC2as_v5";
$vmssSize = "Standard_DC2as_v5";
$password = <Password>;
$securePassword = $password | ConvertTo-SecureString -AsPlainText -Force;
$username = <Username>;
$vmCred = New-Object System.Management.Automation.PSCredential ($username, $securePassword);
$imagePublisher = "MicrosoftWindowsServer";
$imageOffer = "windowsserver";
$imageSku = "2022-datacenter-smalldisk-g2";
$imageVersion = "latest";
$osDiskSecurityType = "DiskwithVMGuestState";
$vmSecurityType = "ConfidentialVM";
$deployCMK = $true;
$storageType = "StandardSSD_LRS";
# Network variables
$NetworkName = $vmname + "-vnet";
$NICName = $vmName + "-nic";
$SubnetName = $vmName + "-subnet";
$SubnetAddressPrefix = "10.0.0.0/24";
$VnetAddressPrefix = "10.0.0.0/16";
# Key Vault setup
$keyVaultName = "kv" + $rgname;
$keyName = "k" + $rgname;
$desName = "des" + $rgname;
$cvmAgent = Get-AzADServicePrincipal -ApplicationId "bf7b6499-ff71-4aa2-97a4-f372087be7f0";
$kv = New-AzKeyVault -Name $keyVaultName -ResourceGroupName $rgName -Location $loc -Sku "Premium" -EnablePurgeProtection -SoftDeleteRetentionInDays 7;
Set-AzKeyVaultAccessPolicy -ObjectId $cvmAgent.Id -VaultName $keyVaultName -ResourceGroupName $rgName -PermissionsToKeys "get","release";
Start-BitsTransfer -Source https://cvmprivatepreviewsa.blob.core.windows.net/cvmpublicpreviewcontainer/skr-policy.json -Destination ".\skr-policy.json";
$desKey = Add-AzKeyVaultKey -Name $keyName -VaultName $keyVaultName -KeyOps "wrapKey","unwrapKey" -KeyType "RSA-HSM" -Size 3072 `
-Exportable -ReleasePolicyPath ".\skr-policy.json" -Destination "HSM";
$desConfig = New-AzDiskEncryptionSetConfig -Location $loc -KeyUrl $desKey.Id -SourceVaultId $kv.ResourceId -IdentityType "SystemAssigned" `
-EncryptionType "ConfidentialVmEncryptedWithCustomerKey";
$des = New-AzDiskEncryptionSet -DiskEncryptionSet $desConfig -DiskEncryptionSetName $desName -ResourceGroupName $rgName;
$desIdentity = Get-AzADServicePrincipal -ObjectId $des.Identity.PrincipalId -ErrorAction 'SilentlyContinue';
Set-AzKeyVaultAccessPolicy -ObjectId $des.Identity.PrincipalId -ResourceGroupName $rgName -VaultName $keyVaultName -PermissionsToKeys "wrapKey","unwrapKey","get";
$des = Get-AzDiskEncryptionSet -ResourceGroupName $rgname -Name $desName;
# Setup Network
$SingleSubnet = New-AzVirtualNetworkSubnetConfig -Name $SubnetName -AddressPrefix $SubnetAddressPrefix;
$Vnet = New-AzVirtualNetwork -Name $NetworkName -ResourceGroupName $rgName `
-Location $loc -AddressPrefix $VnetAddressPrefix -Subnet $SingleSubnet
$NIC = New-AzNetworkInterface -Name $NICName -ResourceGroupName $rgName `
-Location $loc -SubnetId $Vnet.Subnets[0].Id;
# Setup Confidential VM
$virtualMachine = New-AzVMConfig -VMName $vmName -VMSize $vmSize;
$VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine -Windows -ComputerName $vmName `
-Credential $vmCred -ProvisionVMAgent -EnableAutoUpdate;
$VirtualMachine = Add-AzVMNetworkInterface -VM $VirtualMachine -Id $NIC.Id;
$VirtualMachine = Set-AzVMSourceImage -VM $VirtualMachine -PublisherName $imagePublisher `
-Offer $imageOffer -Skus $imageSku -Version $imageVersion;
$paramSetAzVmOsDisk = @{
VM = $virtualMachine
StorageAccountType = $storageType
CreateOption = "FromImage"
SecurityEncryptionType = $osDiskSecurityType
ErrorAction = 'Stop'
SecureVMDiskEncryptionSet = $des.Id
};
$VirtualMachine = Set-AzVMOSDisk @paramSetAzVmOsDisk;
$VirtualMachine = Set-AzVMSecurityProfile -VM $VirtualMachine -SecurityType $vmSecurityType;
$VirtualMachine = Set-AzVMUefi -VM $VirtualMachine -EnableVtpm $true -EnableSecureBoot $true;
# Create CVM to be used as Image reference
New-AzVM -ResourceGroupName $rgName -Location $loc -VM $VirtualMachine;
$cvm = Get-AzVM -VMName $vmName -ResourceGroupName $rgName;
# Image Gallery variables
$galleryName = "gal" + $rgname;
$definitionName = "def"+$rgname;
$publisherName = <Publisher Name>;
$versionName = "1.0.0";
# Customer Managed Key encryption
$cvmEncryptionType = "EncryptedWithCmk";
$replicaCount = 1;
$storageAccountType = "Standard_LRS";
$osState = "Specialized";
$osType = "Windows";
$sourceImageId = $cvm.Id;
# Setup Image Gallery
New-AzGallery -ResourceGroupName $rgName -Name $galleryName -location $loc;
# Setup Image Definition
$SecurityTypeTable = @{Name='SecurityType';Value='ConfidentialVM'};
$features = @($SecurityTypeTable);
New-AzGalleryImageDefinition -ResourceGroupName $rgName -GalleryName $galleryName -Name $definitionName `
-Feature $features -Publisher $imagePublisher -Offer $imageOffer -Sku $imageSku -location $loc `
-OsState $osState -OsType $osType -HyperVGeneration 'V2';
$galDefinition = Get-AzGalleryImageDefinition -ResourceGroupName $rgname -GalleryName $galleryName -Name $definitionName;
# Setup Image Version
$cvmOsDiskEncryption = @{CVMEncryptionType=$cvmEncryptionType; };
$cvmOsDiskEncryption.Add('CVMDiskEncryptionSetID', $des.Id);
$cvmEncryption = @{OSDiskImage = $cvmOsDiskEncryption};
$region = @{Name = $loc; ReplicaCount = $replicaCount; StorageAccountType = $storageAccountType; Encryption = $cvmEncryption};
$targetRegions = @($region);
# Pause the script to ensure the referenced VM is in the Succeeded state. The amount of time can vary and this is just a precaution.
Start-Sleep -Seconds 360;
New-AzGalleryImageVersion -ResourceGroupName $rgName -GalleryName $galleryName -GalleryImageDefinitionName $definitionName `
-Name $versionName -Location $loc -SourceImageId $sourceImageId -ReplicaCount $replicaCount `
-StorageAccountType $storageAccountType -TargetRegion $targetRegions;
$galVersion = Get-AzGalleryImageVersion -ResourceGroupName $rgname -GalleryName $galleryName -GalleryImageDefinitionName $definitionName;
$securityEncryptionType = "DiskWithVMGuestState";
# NRP Vmss setup
$subnet = New-AzVirtualNetworkSubnetConfig -Name ('subnet2' + $rgname) -AddressPrefix $SubnetAddressPrefix;
$vnet = New-AzVirtualNetwork -Force -Name ('vnet2' + $rgname) -ResourceGroupName $rgname -Location $loc -AddressPrefix $VnetAddressPrefix -Subnet $subnet;
$vnet = Get-AzVirtualNetwork -Name ('vnet2' + $rgname) -ResourceGroupName $rgname;
$subnetId = $vnet.Subnets[0].Id;
$vmssIPName = <IP Name>;
$vmssNICName = <NIC Name>;
$ipCfg = New-AzVmssIpConfig -Name $vmssIPName -SubnetId $subnetId;
# Vmss setup
$vmss = New-AzVmssConfig -Location $loc -SkuCapacity 2 -SkuName $vmssSize -UpgradePolicyMode 'Manual' -ImageReferenceId $galDefinition.Id `
| Add-AzVmssNetworkInterfaceConfiguration -Name $vmssNICName -Primary $true -IPConfiguration $ipCfg `
| Set-AzVmssStorageProfile -OsDiskCreateOption 'FromImage' -OsDiskCaching 'ReadOnly' -SecurityEncryptionType $securityEncryptionType -SecureVMDiskEncryptionSet $des.Id;
# Confidential Vmss required parameters
$vmss = Set-AzVmssSecurityProfile -VirtualMachineScaleSet $vmss -SecurityType $vmSecurityType;
$vmss = Set-AzVmssUefi -VirtualMachineScaleSet $VMSS -EnableVtpm $vtpm -EnableSecureBoot $secureboot;
# Create Vmss
$result = New-AzVmss -ResourceGroupName $rgname -Name $vmssName -VirtualMachineScaleSet $vmss;
# Validate
$vmssGet = Get-AzVmss -ResourceGroupName $rgname -Name $vmssName;
# Verify Vmss SecurityType at $vmssGet.VirtualMachineProfile.SecurityProfile.SecurityType;
$vmssvms = Get-AzVmssVM -ResourceGroupName $rgname -VMScaleSetName $vmssName;
$vmssvm = Get-AzVmssVM -ResourceGroupName $rgname -VMScaleSetName $vmssName -InstanceId $vmssvms[0].InstanceId;
# Verify the SecurityEncryptionType at $vmssvm.StorageProfile.OsDisk.ManagedDisk.SecurityProfile.SecurityEncryptionType;
# Verify the Gallery Version encryption at $galVersion.PublishingProfile.TargetRegions.Encryption.OSDiskImage.SecurityProfile.ConfidentialVMEncryptionType, which should equal $cvmEncryptionType;
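The validation comments in Examples 2 to 4 only name the properties to inspect by hand. The following function, added here as an example and not part of the original page or the Az module, reads those properties back and reports any drift from the intended confidential-computing posture; the function name, its parameters and the usage values are assumptions.

```powershell
# Added example: audit what Set-AzVmssSecurityProfile / Set-AzVmssUefi and the storage
# profile actually produced. Function and parameter names are assumptions, not Az cmdlets.
function Test-AzVmssSecurityPosture {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMScaleSetName,
        [ValidateSet('TrustedLaunch', 'ConfidentialVM')]
        [string] $ExpectedSecurityType = 'ConfidentialVM',
        # Only meaningful for ConfidentialVM; leave empty for TrustedLaunch (Example 1).
        [string] $ExpectedEncryptionType = 'DiskWithVMGuestState',
        # Only checked when supplied: the CMK case of Example 4 ($des.Id).
        [string] $ExpectedDiskEncryptionSetId
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $vmss = Get-AzVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName
    $sec  = $vmss.VirtualMachineProfile.SecurityProfile

    # Model-level checks: the values written by Set-AzVmssSecurityProfile and Set-AzVmssUefi.
    if ($sec.SecurityType -ne $ExpectedSecurityType) {
        $findings.Add("SecurityType is '$($sec.SecurityType)', expected '$ExpectedSecurityType'")
    }
    if (-not $sec.UefiSettings.SecureBootEnabled) { $findings.Add('Secure Boot is not enabled') }
    if (-not $sec.UefiSettings.VTpmEnabled)       { $findings.Add('vTPM is not enabled') }

    # Instance-level checks: the OS disk security profile is only visible per instance,
    # at the path the page's validation comments point to.
    foreach ($inst in Get-AzVmssVM -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName) {
        $vm = Get-AzVmssVM -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName -InstanceId $inst.InstanceId
        $diskSec = $vm.StorageProfile.OsDisk.ManagedDisk.SecurityProfile
        if ($ExpectedEncryptionType -and $diskSec.SecurityEncryptionType -ne $ExpectedEncryptionType) {
            $findings.Add("Instance $($inst.InstanceId): SecurityEncryptionType is '$($diskSec.SecurityEncryptionType)', expected '$ExpectedEncryptionType'")
        }
        if ($ExpectedDiskEncryptionSetId -and $diskSec.DiskEncryptionSet.Id -ne $ExpectedDiskEncryptionSetId) {
            $findings.Add("Instance $($inst.InstanceId): OS disk is not bound to the expected disk encryption set")
        }
    }

    [pscustomobject]@{
        VMScaleSetName = $VMScaleSetName
        Compliant      = ($findings.Count -eq 0)
        Findings       = $findings.ToArray()
    }
}

# Usage with hypothetical names; for the CMK scale set of Example 4 also pass -ExpectedDiskEncryptionSetId $des.Id
$report = Test-AzVmssSecurityPosture -ResourceGroupName 'rg-example' -VMScaleSetName 'vmssrg-example'
$report.Findings
```

A non-empty Findings list means the scale set model or one of its instances does not match the security profile the examples intended to set, which is the check to run before putting the scale set into service.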
Parameters
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
Type: IAzureContextContainer
Aliases: AzContext, AzureRmContext, AzureCredential
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-SecurityType
Parameter used to set SecurityType on the virtual machines in the scale set.
Type: String
Position: 1
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-VirtualMachineScaleSet
The virtual machine scale set profile.
Type: PSVirtualMachineScaleSet
Position: 0
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False
Inputs
Outputs