Automate secure VM deployments by adding encryption to Azure Resource Manager templates

  • 5 minutes

Suppose your company is deploying several servers as part of their cloud transition. Virtual machine (VM) disks must be encrypted during the deployment, so there's no time when the disks are vulnerable. You want to automate this process, and have to modify the Azure Resource Manager templates to automatically enable encryption.

Here, you look at how to use an Azure Resource Manager template to automatically enable encryption for new Windows VMs.

What are Azure Resource Manager templates?

Resource Manager templates are JSON files used to define a set of resources to deploy to Azure. You can write them from scratch, and for some Azure resources (including VMs), you can use the Azure portal to generate them. You need to complete the required information for a manual VM deployment, but instead of deploying the VM to Azure, you save the template. You can then reuse the template to create that specific VM configuration.

To automate all sorts of administrative tasks, there are example templates available. In fact, the VM encryption that you did manually in the last exericse can be done with one of these templates.

Screenshot showing the Azure templates.

Use GitHub templates

The actual template source is stored in GitHub. You can browse to a template in GitHub and deploy right to Azure from the page.

Screenshot showing GitHub template with the Deploy to Azure button highlighted.

When the template is deployed, Azure displays a list of required input fields.

Screenshot showing template in Azure portal.

You can then execute the template to create, modify, or remove resources.

Run templates in Azure portal

If you already know the template you want to use or you saved templates in your Azure account, you can use the Create a resource > Template Deployment resource to locate and run defined templates in the portal. You can search through templates by name, edit a template to change the parameters or behavior, and execute the template right from the GUI.

Run templates from command line

Given a template's URL, you can execute it with Azure PowerShell. For example, you could run the disk encryption template with the following PowerShell command:

New-AzResourceGroupDeployment `
    -Name encrypt-disk `
    -ResourceGroupName <resource-group-name> `
    -TemplateUri https://raw.githubusercontent.com/azure/azure-quickstart-templates/master/201-encrypt-running-windows-vm-without-aad/azuredeploy.json

Or, if you prefer the Azure CLI, run the az deployment group create command.

az deployment group create --resource-group <my-resource-group> --name <my-deployment-name> \ 
    --template-uri https://raw.githubusercontent.com/azure/azure-quickstart-templates/master/201-encrypt-running-windows-vm-without-aad/azuredeploy.json