แก้ไข

แชร์ผ่าน


(Preview) Enable Trusted launch on existing Virtual machine Scale set

Applies to: ✔️ Linux VM ✔️ Windows VM ✔️ Virtual Machine Scale Sets Uniform

Azure Virtual machine Scale sets supports enabling Trusted launch on existing Uniform Scale sets VMs by upgrading to Trusted launch security type.

Trusted launch enables foundational compute security on Azure Generation 2 virtual machines & scale sets and protects them against advanced and persistent attack techniques like boot kits and rootkits. It does so by combining infrastructure technologies like Secure Boot, vTPM, and Boot Integrity Monitoring on your Scale set.

Limitations

Prerequisites

Enable Trusted launch on existing Scale set Uniform

This section documents steps for using an ARM template to enable Trusted launch on existing Virtual machine Scale set uniform.

Make the following modifications to your existing ARM template deployment code. For complete template, refer to Quickstart Trusted launch Scale set ARM template.

Important

Trusted launch security type is available with Scale set apiVersion 2020-12-01 or higher. Ensure API version is set correctly prior to upgrade.

  1. OS Image: Update the OS Image reference to Gen2-Trusted launch supported OS image. Make sure the source Gen2 image has TrustedLaunchSupported security type if using Azure Compute Gallery OS image.

    "storageProfile": { 
            "osDisk": { 
                "createOption": "FromImage", 
                "caching": "ReadWrite" 
            }, 
            "imageReference": { 
                "publisher": "MicrosoftWindowsServer", 
                "offer": "WindowsServer", 
                "sku": "2022-datacenter-azure-edition", 
                "version": "latest" 
            } 
    }
    
  2. (Optional) Scale set Size: Modify the Scale set size if current size family is not supported with Trusted launch security configuration.

        "sku": { 
            "name": "Standard_D2s_v3", 
            "tier": "Standard", 
            "capacity": "[parameters('instanceCount')]" 
        } 
    
  3. Security Profile: Add securityProfile block under virtualMachineProfile to enable Trusted Launch security configuration.

    Note

    Recommended settings: vTPM: true and secureBoot: true secureBoot should be set to false if you are using any un-signed custom driver or kernel on OS.

    "securityProfile": { 
        "securityType": "TrustedLaunch", 
        "uefiSettings": { 
          "secureBootEnabled": true, 
          "vTpmEnabled": true
        } 
    }
    
  4. (Recommended) Guest Attestation Extension: Add Guest Attestation (GA) extension for Scale set resource, which enables Boot integrity monitoring for Scale set.

    Important

    Guest attestation extension requires secureBoot and vTPM set to true.

    { 
        "condition": "[and(parameters('vTPM'), parameters('secureBoot'))]", 
        "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", 
        "apiVersion": "2022-03-01", 
        "name": "[format('{0}/{1}', parameters('vmssName'), GuestAttestation)]", 
        "location": "[parameters('location')]", 
        "properties": { 
          "publisher": "Microsoft.Azure.Security.WindowsAttestation", 
          "type": "GuestAttestation", 
          "typeHandlerVersion": "1.0", 
          "autoUpgradeMinorVersion": true, 
          "enableAutomaticUpgrade": true, 
          "settings": { 
            "AttestationConfig": { 
              "MaaSettings": { 
                "maaEndpoint": "[substring('emptystring', 0, 0)]", 
                "maaTenantName": "GuestAttestation" 
              } 
            } 
          } 
        }, 
        "dependsOn": [ 
          "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName'))]" 
        ] 
    } 
    

    Name of extension publisher:

    OS Type Extension publisher name
    Windows Microsoft.Azure.Security.WindowsAttestation
    Linux Microsoft.Azure.Security.LinuxAttestation
  5. Review the changes made to template.

    Expand to view the complete sample ARM template, which supports upgrade of existing scale set to Trusted launch and roll-back (if needed).
    {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "vmSku": {
          "type": "string",
          "defaultValue": "Standard_D2s_v3",
          "metadata": {
            "description": "Size of VMs in the VM Scale Set."
          }
        },
        "sku": {
          "type": "string",
          "defaultValue": "2022-datacenter-azure-edition",
          "allowedValues": [
            "2022-datacenter-azure-edition"
          ],
          "metadata": {
            "description": "The Windows version for the VM. This will pick a fully patched image of this given Windows version."
          }
        },
        "vmssName": {
          "type": "string",
          "maxLength": 61,
          "metadata": {
            "description": "String used as a base for naming resources. Must be 3-61 characters in length and globally unique across Azure. A hash is prepended to this string for some resources, and resource-specific information is appended."
          }
        },
        "instanceCount": {
          "type": "int",
          "defaultValue": 2,
          "maxValue": 100,
          "minValue": 1,
          "metadata": {
            "description": "Number of VM instances (100 or less)."
          }
        },
        "adminUsername": {
          "type": "string",
          "metadata": {
            "description": "Admin username on all VMs."
          }
        },
        "adminPassword": {
          "type": "securestring",
          "metadata": {
            "description": "Admin password on all VMs."
          }
        },
        "location": {
          "type": "string",
          "defaultValue": "[resourceGroup().location]",
          "metadata": {
            "description": "Location for all resources."
          }
        },
        "publicIpName": {
          "type": "string",
          "defaultValue": "myPublicIP",
          "metadata": {
            "description": "Name for the Public IP used to access the virtual machine Scale set."
          }
        },
        "publicIPAllocationMethod": {
          "type": "string",
          "defaultValue": "Static",
          "allowedValues": [
            "Dynamic",
            "Static"
          ],
          "metadata": {
            "description": "Allocation method for the Public IP used to access the virtual machine set."
          }
        },
        "publicIpSku": {
          "type": "string",
          "defaultValue": "Standard",
          "allowedValues": [
            "Basic",
            "Standard"
          ],
          "metadata": {
            "description": "SKU for the Public IP used to access the virtual machine Scale set."
          }
        },
        "dnsLabelPrefix": {
          "type": "string",
          "defaultValue": "[toLower(format('{0}-{1}', parameters('vmssName'), uniqueString(resourceGroup().id)))]",
          "metadata": {
            "description": "Unique DNS Name for the Public IP used to access the virtual machine Scale set."
          }
        },
        "healthExtensionProtocol": {
          "type": "string",
          "defaultValue": "TCP",
          "allowedValues": [
            "TCP",
            "HTTP",
            "HTTPS"
          ]
        },
        "healthExtensionPort": {
          "type": "int",
          "defaultValue": 3389
        },
        "healthExtensionRequestPath": {
          "type": "string",
          "defaultValue": "/"
        },
        "overprovision": {
          "type": "bool",
          "defaultValue": false
        },
        "upgradePolicy": {
          "type": "string",
          "defaultValue": "Manual",
          "allowedValues": [
            "Manual",
            "Rolling",
            "Automatic"
          ]
        },
        "maxBatchInstancePercent": {
          "type": "int",
          "defaultValue": 20
        },
        "maxUnhealthyInstancePercent": {
          "type": "int",
          "defaultValue": 20
        },
        "maxUnhealthyUpgradedInstancePercent": {
          "type": "int",
          "defaultValue": 20
        },
        "pauseTimeBetweenBatches": {
          "type": "string",
          "defaultValue": "PT5S"
        },
        "securityType": {
          "type": "string",
          "defaultValue": "TrustedLaunch",
          "allowedValues": [
            "Standard",
            "TrustedLaunch"
          ],
          "metadata": {
            "description": "Security Type of the Virtual Machine."
          }
        },
        "encryptionAtHost": {
            "type": "bool",
            "defaultValue": false,
            "metadata": {
                "description": "This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine or virtual machine Scale set. This will enable the encryption for all the disks including Resource/Temp disk at host itself. The default behavior is: The Encryption at host will be disabled unless this property is set to true for the resource."
            }
        }
      },
      "variables": {
        "namingInfix": "[toLower(substring(format('{0}{1}', parameters('vmssName'), uniqueString(resourceGroup().id)), 0, 9))]",
        "addressPrefix": "10.0.0.0/16",
        "subnetPrefix": "10.0.0.0/24",
        "virtualNetworkName": "[format('{0}vnet', variables('namingInfix'))]",
        "subnetName": "[format('{0}subnet', variables('namingInfix'))]",
        "loadBalancerName": "[format('{0}lb', variables('namingInfix'))]",
        "natPoolName": "[format('{0}natpool', variables('namingInfix'))]",
        "bePoolName": "[format('{0}bepool', variables('namingInfix'))]",
        "natStartPort": 50000,
        "natEndPort": 50119,
        "natBackendPort": 3389,
        "nicName": "[format('{0}nic', variables('namingInfix'))]",
        "ipConfigName": "[format('{0}ipconfig', variables('namingInfix'))]",
        "imageReference": {
          "2022-datacenter-azure-edition": {
            "publisher": "MicrosoftWindowsServer",
            "offer": "WindowsServer",
            "sku": "[parameters('sku')]",
            "version": "latest"
          }
        },
        "extensionName": "GuestAttestation",
        "extensionPublisher": "Microsoft.Azure.Security.WindowsAttestation",
        "extensionVersion": "1.0",
        "maaTenantName": "GuestAttestation",
        "maaEndpoint": "[substring('emptyString', 0, 0)]",
        "uefiSettingsJson": {
            "secureBootEnabled": true,
            "vTpmEnabled": true
        },
        "rollingUpgradeJson": {
          "maxBatchInstancePercent": "[parameters('maxBatchInstancePercent')]",
          "maxUnhealthyInstancePercent": "[parameters('maxUnhealthyInstancePercent')]",
          "maxUnhealthyUpgradedInstancePercent": "[parameters('maxUnhealthyUpgradedInstancePercent')]",
          "pauseTimeBetweenBatches": "[parameters('pauseTimeBetweenBatches')]"
        }
      },
      "resources": [
        {
          "type": "Microsoft.Network/virtualNetworks",
          "apiVersion": "2022-05-01",
          "name": "[variables('virtualNetworkName')]",
          "location": "[parameters('location')]",
          "properties": {
            "addressSpace": {
              "addressPrefixes": [
                "[variables('addressPrefix')]"
              ]
            },
            "subnets": [
              {
                "name": "[variables('subnetName')]",
                "properties": {
                  "addressPrefix": "[variables('subnetPrefix')]"
                }
              }
            ]
          }
        },
        {
          "type": "Microsoft.Network/publicIPAddresses",
          "apiVersion": "2022-05-01",
          "name": "[parameters('publicIpName')]",
          "location": "[parameters('location')]",
          "sku": {
            "name": "[parameters('publicIpSku')]"
          },
          "properties": {
            "publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]",
            "dnsSettings": {
              "domainNameLabel": "[parameters('dnsLabelPrefix')]"
            }
          }
        },
        {
          "type": "Microsoft.Network/loadBalancers",
          "apiVersion": "2022-05-01",
          "name": "[variables('loadBalancerName')]",
          "location": "[parameters('location')]",
          "sku": {
            "name": "[parameters('publicIpSku')]",
            "tier": "Regional"
          },
          "properties": {
            "frontendIPConfigurations": [
              {
                "name": "LoadBalancerFrontEnd",
                "properties": {
                  "publicIPAddress": {
                    "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpName'))]"
                  }
                }
              }
            ],
            "backendAddressPools": [
              {
                "name": "[variables('bePoolName')]"
              }
            ],
            "inboundNatPools": [
              {
                "name": "[variables('natPoolName')]",
                "properties": {
                  "frontendIPConfiguration": {
                    "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', variables('loadBalancerName'), 'loadBalancerFrontEnd')]"
                  },
                  "protocol": "Tcp",
                  "frontendPortRangeStart": "[variables('natStartPort')]",
                  "frontendPortRangeEnd": "[variables('natEndPort')]",
                  "backendPort": "[variables('natBackendPort')]"
                }
              }
            ]
          },
          "dependsOn": [
            "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpName'))]"
          ]
        },
        {
          "type": "Microsoft.Compute/virtualMachineScaleSets",
          "apiVersion": "2022-03-01",
          "name": "[parameters('vmssName')]",
          "location": "[parameters('location')]",
          "sku": {
            "name": "[parameters('vmSku')]",
            "tier": "Standard",
            "capacity": "[parameters('instanceCount')]"
          },
          "properties": {
            "virtualMachineProfile": {
              "storageProfile": {
                "osDisk": {
                  "createOption": "FromImage",
                  "caching": "ReadWrite"
                },
                "imageReference": "[variables('imageReference')[parameters('sku')]]"
              },
              "osProfile": {
                "computerNamePrefix": "[variables('namingInfix')]",
                "adminUsername": "[parameters('adminUsername')]",
                "adminPassword": "[parameters('adminPassword')]"
              },
              "securityProfile": {
                  "encryptionAtHost": "[parameters('encryptionAtHost')]",
                  "securityType": "[parameters('securityType')]",
                  "uefiSettings": "[if(equals(parameters('securityType'), 'TrustedLaunch'), variables('uefiSettingsJson'), null())]"
                  
              },
              "networkProfile": {
                "networkInterfaceConfigurations": [
                  {
                    "name": "[variables('nicName')]",
                    "properties": {
                      "primary": true,
                      "ipConfigurations": [
                        {
                          "name": "[variables('ipConfigName')]",
                          "properties": {
                            "subnet": {
                              "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]"
                            },
                            "loadBalancerBackendAddressPools": [
                              {
                                "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('loadBalancerName'), variables('bePoolName'))]"
                              }
                            ],
                            "loadBalancerInboundNatPools": [
                              {
                                "id": "[resourceId('Microsoft.Network/loadBalancers/inboundNatPools', variables('loadBalancerName'), variables('natPoolName'))]"
                              }
                            ]
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "extensionProfile": {
                "extensions": [
                  {
                    "name": "HealthExtension",
                    "properties": {
                      "publisher": "Microsoft.ManagedServices",
                      "type": "ApplicationHealthWindows",
                      "typeHandlerVersion": "1.0",
                      "autoUpgradeMinorVersion": false,
                      "settings": {
                        "protocol": "[parameters('healthExtensionProtocol')]",
                        "port": "[parameters('healthExtensionPort')]",
                        "requestPath": "[if(equals(parameters('healthExtensionProtocol'), 'TCP'), null(), parameters('healthExtensionRequestPath'))]"
                      }
                    }
                  }
                ]
              },
              "diagnosticsProfile": {
                "bootDiagnostics": {
                  "enabled": true
                }
              }
            },
            "orchestrationMode": "Uniform",
            "overprovision": "[parameters('overprovision')]",
            "upgradePolicy": {
              "mode": "[parameters('upgradePolicy')]",
              "rollingUpgradePolicy": "[if(equals(parameters('upgradePolicy'), 'Rolling'), variables('rollingUpgradeJson'), null())]",
              "automaticOSUpgradePolicy": {
                "enableAutomaticOSUpgrade": true
              }
            }
          },
          "dependsOn": [
            "[resourceId('Microsoft.Network/loadBalancers', variables('loadBalancerName'))]",
            "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]"
          ]
        },
        {
          "condition": "[and(equals(parameters('securityType'), 'TrustedLaunch'), and(equals(variables('uefiSettingsJson').secureBootEnabled, true()), equals(variables('uefiSettingsJson').vTpmEnabled, true())))]",
          "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
          "apiVersion": "2022-03-01",
          "name": "[format('{0}/{1}', parameters('vmssName'), variables('extensionName'))]",
          "location": "[parameters('location')]",
          "properties": {
            "publisher": "[variables('extensionPublisher')]",
            "type": "[variables('extensionName')]",
            "typeHandlerVersion": "[variables('extensionVersion')]",
            "autoUpgradeMinorVersion": true,
            "enableAutomaticUpgrade": true,
            "settings": {
              "AttestationConfig": {
                "MaaSettings": {
                  "maaEndpoint": "[variables('maaEndpoint')]",
                  "maaTenantName": "[variables('maaTenantName')]"
                }
              }
            }
          },
          "dependsOn": [
            "[resourceId('Microsoft.Compute/virtualMachineScaleSets', parameters('vmssName'))]"
          ]
        }
      ]
    }
    
  6. Execute the ARM template deployment.

    $resourceGroupName = "myResourceGroup"
    $parameterFile = "folderPathToFile\parameters.json"
    $templateFile = "folderPathToFile\template.json"
    
    New-AzResourceGroupDeployment `
        -ResourceGroupName $resourceGroupName `
        -TemplateFile $templateFile -TemplateParameterFile $parameterFile
    
  7. Verify that the deployment is successful. Check for the security type and UEFI settings of the Scale set uniform using Azure portal. Check the Security type section in the Overview page.

    Screenshot of the Trusted launch properties of the Scale set.

  8. Update the VM instances manually if Scale set uniform upgrade mode is set to Manual.

    $resourceGroupName = "myResourceGroup"
    $vmssName = "VMScaleSet001"
    Update-AzVmssInstance -ResourceGroupName $resourceGroupName -VMScaleSetName $vmssName -InstanceId "0"
    

Roll-back

To roll-back changes from Trusted launch to previous known good configuration, you need to set securityType of Scale set to Standard.

To roll-back changes from Trusted launch to previous known good configuration, set securityProfile to Standard as shown. Optionally, you can also revert other parameter changes - OS image, VM size, and repeat steps 5-8 described with Enable Trusted launch on existing scale set

"securityProfile": {
    "securityType": "Standard",
    "uefiSettings": "[null()]"
}

Next steps

(Recommended) Post-Upgrades enable Boot integrity monitoring to monitor the health of the VM using Microsoft Defender for Cloud.

Learn more about Trusted launch and review frequently asked questions.