There are two types of encryption keys to consider.
BEK – Bit Locker Encryption Key
KEK – Key Encryption Key
The encryption service uses Key Vault to manage the secrets, to do this we need an application in Azure AD that has permissions (Set by a Key Vault Access Policy) to operate inside of Key Vault.
This is used if you are just using BEK or setting up KEK for Azure Backup support.
For KEK a Key must be imported or created in the Key Vault. You reference this key when running the commands.
Finally, the Backup Management Service needs permissions to access the Key Vault and the keys.
Image 1: Example of Secrets inside of Key Vault
Please note: You will need a Key Vault before you can complete this procedure. The Key Vault must be in the same region as the VM that will be encrypted.
1. Set up an Azure AD Application
In Azure Active Directory, select App registrations and create a new app registration. Enter a Name, select Web app / API and assign a sign-on URL (you will not use this so a default entry is adequate).
Image 2: App Registration in Azure Active Directory
Make a note of the Application ID and create and take note of the application Key. Please note that the Key will only be available to you after it is saved and only once on the page. After that it will be hidden.
2. Configure the permissions in the Key Vault for the new Azure AD Application
In the Key Vault set up an Access Policy for the new application.
Image 3: Setting up permissions in the Key Vault (an Access Policy)
Key Permissions need to be set to Wrap Key, Secret permissions to Set.
Image 4: Setting the Key Vault Access Policy for the Azure AD Application
3. Create a Key in Key Vault
This will be the key used to wrap the BEK, also known as the KEK
Image 5: Creating the KEK
4. Set permissions for the Backup Management Service
Select Access Policies and from the template select Azure Backup. The principal will be Backup Management Service.
Image 6: Creating the Access Policy for the Backup Management Service
5. Check the Advanced access policies to enable access to Azure Disk Encryption for volume encryption.
Image 7: Setting the Advanced Access policies for Disk Encryption
If you are not running a jump host in your environment I find from time to time that I need to add a Public IP to a NIC and connect to my virtual machine.
PowerShell is by far the easiest way to complete this task. The small script below outlines how to do this.
# New-AzurePublicRmIAddress creates the new IP - Run this first.
new-azurermpublicIPAddress -Name testip -ResourceGroupName wpbackup -AllocationMethod Static -Location "Southeast Asia"
# Set the variables but getting the properties you need
$nic = Get-AzurermNetworkInterface -ResourceGroupName Nameof ResourceGroup -Name NameofNIC
$pip = Get-AzurermPublicIPAddress -ResourceGroupName wpbackup -Name testip
# Finally set the IP address against the NIC
Set-AzureRmNetworkInterface -NetworkInterface $nic
Disclaimer: Please note although I work for Microsoft the information provided here does not represent an official Microsoft position and is provided as is.
I was recently asked to quickly audit a customer’s environment for all running VMs. I quickly reached for my PowerShell toolbox and put together the following script.
In the example below I have used the table grid views available. It would be just as easy to push all this info to a csv file. For swiftness this was my approach, I’d be very interested to hear from the gurus out there to see what your preference is and how you would do this.
Remember there is always a better way, just don’t keep that to yourself!
I have a number of customers implementing HUB benefit for their IaaS VMs in Azure. In all cases to date this is a rebuild or new build as part of a migration. It works very well, if licensed, you should definitely be looking at this option to drive down costs.
This script created a new network but in most instances a network will already exist and although you will create a new NIC you will want to place this VM into an existing subnet.
The extract below can be used to create a new NIC but add this to a named vNet and Subnet.
When you define the VM configuration you would use this to be the NIC.
Finally make sure this (if the first NIC) is set as -Primary
Tagging in Azure is a massively useful feature. I have customers who are interested in identifying resources for billing but they are also a very useful tool for control. Resources can be grouped by tag and then a script can be used to apply a function to all machines or services with the same tag.
In the example below I call a variable that looks for Azure resources where the type is identified as a Microsoft virtual machine. Calling this function enables me to extract a range of information. (I fact this script then goes on and uses the ResourceId too)
As referenced in Using tags to organize your Azure resources tags are updated as a whole so if you want to add additional tags you first have to call the existing tags. In the example below I am adding the new tag to my existing tags.
Finally we are looping this for each vm and applying via a set command.