你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn。
Set-AzVmssSecurityProfile
This cmdlet allows users to set the SecurityType enum for Virtual Machines scale sets.
Syntax
Set-AzVmssSecurityProfile
[-VirtualMachineScaleSet] <PSVirtualMachineScaleSet>
[[-SecurityType] <String>]
[-DefaultProfile <IAzureContextContainer>]
[<CommonParameters>]
Description
Sets the Security Type of the VMSS
Examples
Example 1
$VMSS = Get-AzVmss -ResourceGroupName "ResourceGroup11" -VMScaleSetName "ContosoVM07"
$VMSS = Set-AzVmssSecurityProfile -VirtualMachineScaleSet $VMSS -SecurityType "TrustedLaunch"
The first command gets the virtual machine scale set named ContosoVM07 by using Get-AzVmss. The command stores it in the $VMSS variable. The second command sets the SecurityType enum to "TrustedLaunch".
Example 2: Create a Confidential Vmss resource with encryption type VMGuestStateOnly.
# Common Variables
$rgname = <Resource Group Name>
$loc = "northeurope"
New-AzResourceGroup -Name $rgname -Location $loc -Force
$vmssSize = "Standard_DC2as_v5"
$PublisherName = "MicrosoftWindowsServer"
$Offer = "WindowsServer"
$SKU = '2022-datacenter-smalldisk-g2'
$version = "latest"
$securityType = "ConfidentialVM"
$securityEncryptionType = "VMGuestStateOnly"
$secureboot = $true
$vtpm = $true
# NRP
$subnet = New-AzVirtualNetworkSubnetConfig -Name ('subnet' + $rgname) -AddressPrefix "10.0.0.0/24"
$vnet = New-AzVirtualNetwork -Force -Name ('vnet' + $rgname) -ResourceGroupName $rgname -Location $loc -AddressPrefix "10.0.0.0/16" -Subnet $subnet
$vnet = Get-AzVirtualNetwork -Name ('vnet' + $rgname) -ResourceGroupName $rgname
$subnetId = $vnet.Subnets[0].Id
# New VMSS Parameters
$vmssName = 'vmss' + $rgname
$adminUsername = <User Name>
$adminPassword = ConvertTo-SecureString -String "****" -AsPlainText -Force
$imgRef = New-Object -TypeName 'Microsoft.Azure.Commands.Compute.Models.PSVirtualMachineImage'
$imgRef.PublisherName = $PublisherName
$imgRef.Offer = $Offer
$imgRef.Skus = $SKU
$imgRef.Version = $version
$vmssIPName = <IP Name>
$vmssNICName = <NIC Name>
$computerNamePrefix = <Name Prefix>
$ipCfg = New-AzVmssIpConfig -Name $vmssIPName -SubnetId $subnetId
$vmss = New-AzVmssConfig -Location $loc -SkuCapacity 2 -SkuName $vmssSize -UpgradePolicyMode 'Manual' `
| Add-AzVmssNetworkInterfaceConfiguration -Name $vmssNICName -Primary $true -IPConfiguration $ipCfg `
| Set-AzVmssOsProfile -ComputerNamePrefix $computerNamePrefix -AdminUsername $adminUsername -AdminPassword $adminPassword `
| Set-AzVmssStorageProfile -OsDiskCreateOption 'FromImage' -OsDiskCaching 'ReadOnly' -SecurityEncryptionType $securityEncryptionType `
-ImageReferenceOffer $imgRef.Offer -ImageReferenceSku $imgRef.Skus -ImageReferenceVersion $imgRef.Version `
-ImageReferencePublisher $imgRef.PublisherName
# Confidential Vmss required parameters
$vmss = Set-AzVmssSecurityProfile -VirtualMachineScaleSet $vmss -SecurityType $securityType
$vmss = Set-AzVmssUefi -VirtualMachineScaleSet $VMSS -EnableVtpm $vtpm -EnableSecureBoot $secureboot
# Create Vmss
$result = New-AzVmss -ResourceGroupName $rgname -Name $vmssName -VirtualMachineScaleSet $vmss
# Validate
$vmssGet = Get-AzVmss -ResourceGroupName $rgname -Name $vmssName
# SecurityType value can be seen at $vmssGet.VirtualMachineProfile.SecurityProfile.SecurityType
Example 3: Create a Confidential Vmss resource with encryption type DiskWithVMGuestState and Image reference Disk Encryption set to EncryptedWithPmk.
# Common variables
$rgname = <Resource Group Name>
$loc = "northeurope"
New-AzResourceGroup -ResourceGroupName $rgName -Location $loc -Force
$secureBoot = $true
$vtpm = $true
$vmssName = "vmss" + $rgname
# VM variables
$vmName = <VM Name>
$vmSize = "Standard_DC2as_v5"
$vmssSize = "Standard_DC2as_v5"
$securePassword = ConvertTo-SecureString -String "****" -AsPlainText -Force
$username = <User Name>
$vmCred = New-Object System.Management.Automation.PSCredential ($username, $securePassword)
$imagePublisher = "MicrosoftWindowsServer"
$imageOffer = "windowsserver"
$imageSku = "2022-datacenter-smalldisk-g2"
$imageVersion = "latest"
$osDiskSecurityType = "DiskwithVMGuestState"
$vmSecurityType = "ConfidentialVM"
# Network variables
$NetworkName = [system.string]::concat($vmName, '-vnet')
$NICName = [system.string]::concat($vmName, '-nic')
$SubnetName = [system.string]::concat($vmName, '-subnet')
$SubnetAddressPrefix = "10.0.0.0/24"
$VnetAddressPrefix = "10.0.0.0/16"
# Setup Network
$SingleSubnet = New-AzVirtualNetworkSubnetConfig -Name $SubnetName -AddressPrefix $SubnetAddressPrefix
$Vnet = New-AzVirtualNetwork -Name $NetworkName -ResourceGroupName $rgName `
-Location $loc -AddressPrefix $VnetAddressPrefix -Subnet $SingleSubnet
$NIC = New-AzNetworkInterface -Name $NICName -ResourceGroupName $rgName `
-Location $loc -SubnetId $Vnet.Subnets[0].Id
# Setup CVM
$virtualMachine = New-AzVMConfig -VMName $vmName -VMSize $vmSize
$VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine -Windows -ComputerName $vmName `
-Credential $vmCred -ProvisionVMAgent -EnableAutoUpdate
$VirtualMachine = Add-AzVMNetworkInterface -VM $VirtualMachine -Id $NIC.Id
$VirtualMachine = Set-AzVMSourceImage -VM $VirtualMachine -PublisherName $imagePublisher `
-Offer $imageOffer -Skus $imageSku -Version $imageVersion
$VirtualMachine = Set-AzVMOSDisk -VM $VirtualMachine -StorageAccountType "StandardSSD_LRS" `
-CreateOption "FromImage" -SecurityEncryptionType $osDiskSecurityType
$VirtualMachine = Set-AzVMSecurityProfile -VM $VirtualMachine -SecurityType $vmSecurityType
$VirtualMachine = Set-AzVMUefi -VM $VirtualMachine -EnableVtpm $true -EnableSecureBoot $true
New-AzVM -ResourceGroupName $rgName -Location $loc -VM $VirtualMachine
$cvm = Get-AzVM -VMName $vmName -ResourceGroupName $rgName
# Image Gallery variables
$galleryName = "rg" + $rgname
$definitionName = "def"+$rgname
$publisherName = "cvm01"
$versionName = "1.0.0"
# Platform Managed Key encryption
$cvmEncryptionType = "EncryptedWithPmk"
$replicaCount = 1
$storageAccountType = "Standard_LRS"
$osState = "Specialized"
$osType = "Windows"
$sourceImageId = $cvm.Id
# Setup Image Gallery
New-AzGallery -ResourceGroupName $rgName -Name $galleryName -location $loc
$imagePublisher = "MicrosoftWindowsServer"
$imageOffer = "windowsserver"
$imageSku = "2022-datacenter-smalldisk-g2"
$vmSecurityType = "ConfidentialVM"
# Setup Image Definition
$SecurityTypeTable = @{Name='SecurityType';Value='ConfidentialVM'}
$features = @($SecurityTypeTable)
New-AzGalleryImageDefinition -ResourceGroupName $rgName -GalleryName $galleryName -Name $definitionName `
-Feature $features -Publisher $imagePublisher -Offer $imageOffer -Sku $imageSku -location $loc `
-OsState $osState -OsType $osType -HyperVGeneration 'V2'
$galDefinition = Get-AzGalleryImageDefinition -ResourceGroupName $rgname -GalleryName $galleryName -Name $definitionName
# Setup Image Version
$cvmOsDiskEncryption = @{CVMEncryptionType=$cvmEncryptionType}
$cvmEncryption = @{OSDiskImage = $cvmOsDiskEncryption}
$region = @{Name = $loc; ReplicaCount = $replicaCount; StorageAccountType = $storageAccountType; Encryption = $cvmEncryption}
$targetRegions = @($region)
# Pause the script to ensure the referenced VM is in the Succeeded state. The amount of time can vary and this just a precaution.
Start-Sleep -Seconds 360
New-AzGalleryImageVersion -ResourceGroupName $rgName -GalleryName $galleryName -GalleryImageDefinitionName $definitionName `
-Name $versionName -Location $loc -SourceImageId $sourceImageId -ReplicaCount $replicaCount `
-StorageAccountType $storageAccountType -TargetRegion $targetRegions
$galVersion = Get-AzGalleryImageVersion -ResourceGroupName $rgname -GalleryName $galleryName -GalleryImageDefinitionName $definitionName
# NRP for vmss setup. This is not required if you want to reuse the previous NRP setup.
$subnet = New-AzVirtualNetworkSubnetConfig -Name ('subnet' + $rgname) -AddressPrefix $SubnetAddressPrefix
$vnet = New-AzVirtualNetwork -Force -Name ('vnet' + $rgname) -ResourceGroupName $rgname -Location $loc -AddressPrefix $VnetAddressPrefix -Subnet $subnet
$subnetId = $vnet.Subnets[0].Id
$vmssIPName = <IP Name>
$vmssNICName = <NIC Name>
$ipCfg = New-AzVmssIpConfig -Name $vmssIPName -SubnetId $subnetId
# Vmss setup
$securityEncryptionType = "DiskWithVMGuestState"
$vmss = New-AzVmssConfig -Location $loc -SkuCapacity 2 -SkuName $vmssSize -UpgradePolicyMode 'Manual' -ImageReferenceId $galDefinition.Id`
| Add-AzVmssNetworkInterfaceConfiguration -Name $vmssNICName -Primary $true -IPConfiguration $ipCfg `
| Set-AzVmssStorageProfile -OsDiskCreateOption 'FromImage' -OsDiskCaching 'ReadOnly' -SecurityEncryptionType $securityEncryptionType
# Confidential Vmss required parameters
$vmss = Set-AzVmssSecurityProfile -VirtualMachineScaleSet $vmss -SecurityType $vmSecurityType
$vmss = Set-AzVmssUefi -VirtualMachineScaleSet $VMSS -EnableVtpm $vtpm -EnableSecureBoot $secureboot
# Create Vmss
$result = New-AzVmss -ResourceGroupName $rgname -Name $vmssName -VirtualMachineScaleSet $vmss
# Validate
$vmssGet = Get-AzVmss -ResourceGroupName $rgname -Name $vmssName
# Verify the Vmss SecurityType at $vmssGet.VirtualMAchineProfile.SecurityProfile.SecurityType
$vmssvms = Get-AzVmssVM -ResourceGroupName $rgname -VMScaleSetName $vmssName
$vmssvm = Get-AzVmssVM -ResourceGroupName $rgname -VMScaleSetName $vmssName -InstanceId $vmssvms[0].InstanceId
# Verify the SecurityEncryptionType at $vmssvm.StorageProfile.OsDIsk.ManagedDisk.SecurityProfile.SecurityEncryptionType
Example 4: Create a Confidential Vmss resource with encryption type DiskWithVMGuestState and Image reference Disk Encryption set to EncryptedWithCmk.
# Common Variables
$rgname = <Resource Group Name>;
$loc = "northeurope";
New-AzResourceGroup -ResourceGroupName $rgName -Location $loc -Force;
$secureBoot = $true;
$vtpm = $true;
$vmssName = "vmss" + $rgname;
# VM variables
$vmName = "v" + $rgname;
$vmSize = "Standard_DC2as_v5";
$vmssSize = "Standard_DC2as_v5";
$securePassword = ConvertTo-SecureString -String "****" -AsPlainText -Force;
$username = <Username>;
$vmCred = New-Object System.Management.Automation.PSCredential ($username, $securePassword);
$imagePublisher = "MicrosoftWindowsServer";
$imageOffer = "windowsserver";
$imageSku = "2022-datacenter-smalldisk-g2";
$imageVersion = "latest";
$osDiskSecurityType = "DiskwithVMGuestState";
$vmSecurityType = "ConfidentialVM";
$deployCMK = $true;
$storageType = "StandardSSD_LRS";
# Network variables
$NetworkName = $vmname + "-vnet";
$NICName = $vmName + "-nic";
$SubnetName = $vmName + "-subnet";
$SubnetAddressPrefix = "10.0.0.0/24";
$VnetAddressPrefix = "10.0.0.0/16";
# Key Vault setup
$keyVaultName = "kv" + $rgname;
$keyName = "k" + $rgname;
$desName = "des" + $rgname;
$cvmAgent = Get-AzADServicePrincipal -ApplicationId "00001111-aaaa-2222-bbbb-3333cccc4444";
$kv = New-AzKeyVault -Name $keyVaultName -ResourceGroupName $rgName -Location $loc -Sku "Premium" -EnablePurgeProtection -SoftDeleteRetentionInDays 7;
Set-AzKeyVaultAccessPolicy -ObjectId $cvmAgent.Id -VaultName $keyVaultName -ResourceGroupName $rgName -PermissionsToKeys "get","release";
Start-BitsTransfer -Source https://cvmprivatepreviewsa.blob.core.windows.net/cvmpublicpreviewcontainer/skr-policy.json -Destination ".\skr-policy.json";
$desKey = Add-AzKeyVaultKey -Name $keyName -VaultName $keyVaultName -KeyOps "wrapKey","unwrapKey" -KeyType "RSA-HSM" -Size 3072 `
-Exportable -ReleasePolicyPath ".\skr-policy.json" -Destination "HSM";
$desConfig = New-AzDiskEncryptionSetConfig -Location $loc -KeyUrl $desKey.Id -SourceVaultId $kv.ResourceId -IdentityType "SystemAssigned" `
-EncryptionType "ConfidentialVmEncryptedWithCustomerKey";
$des = New-AzDiskEncryptionSet -DiskEncryptionSet $desConfig -DiskEncryptionSetName $desName -ResourceGroupName $rgName;
$desIdentity = Get-AzADServicePrincipal -ObjectId $des.Identity.PrincipalId -ErrorAction 'SilentlyContinue';
Set-AzKeyVaultAccessPolicy -ObjectId $des.Identity.PrincipalId -ResourceGroupName $rgName -VaultName $keyVaultName -PermissionsToKeys "wrapKey","unwrapKey","get";
$des = Get-AzDiskEncryptionSet -ResourceGroupName $rgname -Name $desName;
# Setup Network
$SingleSubnet = New-AzVirtualNetworkSubnetConfig -Name $SubnetName -AddressPrefix $SubnetAddressPrefix;
$Vnet = New-AzVirtualNetwork -Name $NetworkName -ResourceGroupName $rgName `
-Location $loc -AddressPrefix $VnetAddressPrefix -Subnet $SingleSubnet
$NIC = New-AzNetworkInterface -Name $NICName -ResourceGroupName $rgName `
-Location $loc -SubnetId $Vnet.Subnets[0].Id;
# Setup Confidential VM
$virtualMachine = New-AzVMConfig -VMName $vmName -VMSize $vmSize;
$VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine -Windows -ComputerName $vmName `
-Credential $vmCred -ProvisionVMAgent -EnableAutoUpdate;
$VirtualMachine = Add-AzVMNetworkInterface -VM $VirtualMachine -Id $NIC.Id;
$VirtualMachine = Set-AzVMSourceImage -VM $VirtualMachine -PublisherName $imagePublisher `
-Offer $imageOffer -Skus $imageSku -Version $imageVersion;
$paramSetAzVmOsDisk = @{
VM = $virtualMachine
StorageAccountType = $storageType
CreateOption = "FromImage"
SecurityEncryptionType = $osDiskSecurityType
ErrorAction = 'Stop'
SecureVMDiskEncryptionSet = $des.Id
};
$VirtualMachine = Set-AzVMOSDisk @paramSetAzVmOsDisk;
$VirtualMachine = Set-AzVMSecurityProfile -VM $VirtualMachine -SecurityType $vmSecurityType;
$VirtualMachine = Set-AzVMUefi -VM $VirtualMachine -EnableVtpm $true -EnableSecureBoot $true;
# Create CVM to be used as Image reference
New-AzVM -ResourceGroupName $rgName -Location $loc -VM $VirtualMachine;
$cvm = Get-AzVM -VMName $vmName -ResourceGroupName $rgName;
# Image Gallery variables
$galleryName = "gal" + $rgname;
$definitionName = "def"+$rgname;
$publisherName = <Publisher Name>;
$versionName = "1.0.0";
# Customer Managed Key encryption
$cvmEncryptionType = "EncryptedWithCmk"
$replicaCount = 1;
$storageAccountType = "Standard_LRS";
$osState = "Specialized";
$osType = "Windows";
$sourceImageId = $cvm.Id;
# Setup Image Gallery
New-AzGallery -ResourceGroupName $rgName -Name $galleryName -location $loc;
# Setup Image Definition
$SecurityTypeTable = @{Name='SecurityType';Value='ConfidentialVM'};
$features = @($SecurityTypeTable);
New-AzGalleryImageDefinition -ResourceGroupName $rgName -GalleryName $galleryName -Name $definitionName `
-Feature $features -Publisher $imagePublisher -Offer $imageOffer -Sku $imageSku -location $loc `
-OsState $osState -OsType $osType -HyperVGeneration 'V2';
$galDefinition = Get-AzGalleryImageDefinition -ResourceGroupName $rgname -GalleryName $galleryName -Name $definitionName;
# Setup Image Version
$cvmOsDiskEncryption = @{CVMEncryptionType=$cvmEncryptionType; };
$cvmOsDiskEncryption.Add('CVMDiskEncryptionSetID', $des.Id);
$cvmEncryption = @{OSDiskImage = $cvmOsDiskEncryption};
$region = @{Name = $loc; ReplicaCount = $replicaCount; StorageAccountType = $storageAccountType; Encryption = $cvmEncryption};
$targetRegions = @($region);
# Pause the script to ensure the referenced VM is in the Succeeded state. The amount of time can vary and this just a precaution.
Start-Sleep -Seconds 360;
New-AzGalleryImageVersion -ResourceGroupName $rgName -GalleryName $galleryName -GalleryImageDefinitionName $definitionName `
-Name $versionName -Location $loc -SourceImageId $sourceImageId -ReplicaCount $replicaCount `
-StorageAccountType $storageAccountType -TargetRegion $targetRegions;
$galVersion = Get-AzGalleryImageVersion -ResourceGroupName $rgname -GalleryName $galleryName -GalleryImageDefinitionName $definitionName;
$securityEncryptionType = "DiskWithVMGuestState";
# NRP Vmss setup
$subnet = New-AzVirtualNetworkSubnetConfig -Name ('subnet2' + $rgname) -AddressPrefix $SubnetAddressPrefix;
$vnet = New-AzVirtualNetwork -Force -Name ('vnet2' + $rgname) -ResourceGroupName $rgname -Location $loc -AddressPrefix $VnetAddressPrefix -Subnet $subnet;
$vnet = Get-AzVirtualNetwork -Name ('vnet2' + $rgname) -ResourceGroupName $rgname;
$subnetId = $vnet.Subnets[0].Id;
$vmssIPName = <IP Name>
$vmssNICName = <NIC Name>
$ipCfg = New-AzVmssIpConfig -Name $vmssIPName -SubnetId $subnetId;
# Vmss setup
$vmss = New-AzVmssConfig -Location $loc -SkuCapacity 2 -SkuName $vmssSize -UpgradePolicyMode 'Manual' -ImageReferenceId $galDefinition.Id`
| Add-AzVmssNetworkInterfaceConfiguration -Name $vmssNICName -Primary $true -IPConfiguration $ipCfg `
| Set-AzVmssStorageProfile -OsDiskCreateOption 'FromImage' -OsDiskCaching 'ReadOnly' -SecurityEncryptionType $securityEncryptionType -SecureVMDiskEncryptionSet $des.Id;
# Confidential Vmss required parameters
$vmss = Set-AzVmssSecurityProfile -VirtualMachineScaleSet $vmss -SecurityType $vmSecurityType;
$vmss = Set-AzVmssUefi -VirtualMachineScaleSet $VMSS -EnableVtpm $vtpm -EnableSecureBoot $secureboot;
# Create Vmss
$result = New-AzVmss -ResourceGroupName $rgname -Name $vmssName -VirtualMachineScaleSet $vmss;
# Validate
$vmssGet = Get-AzVmss -ResourceGroupName $rgname -Name $vmssName;
# Verify Vmss SecurityType at $vmssGet.VirtualMachineProfile.SecurityProfile.SecurityType;
$vmssvms = Get-AzVmssVM -ResourceGroupName $rgname -VMScaleSetName $vmssName;
$vmssvm = Get-AzVmssVM -ResourceGroupName $rgname -VMScaleSetName $vmssName -InstanceId $vmssvms[0].InstanceId;
# Verify the SEcurityEncryptionType at $vmssvm.StorageProfile.OsDIsk.ManagedDisk.SecurityProfile.SecurityEncryptionType;
# Verify the Gallery Version encyrption at $galVersion.PublishingProfile.TargetRegions.Encryption.OSDiskImage.SecurityProfile.ConfidentialVMEncryptionType $cvmEncryptionType;
Parameters
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
Type: | IAzureContextContainer |
Aliases: | AzContext, AzureRmContext, AzureCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SecurityType
Parameter to set the SecurityType on the VMs of the scale set.
Type: | String |
Position: | 1 |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-VirtualMachineScaleSet
The virtual machine scale set profile.
Type: | PSVirtualMachineScaleSet |
Position: | 0 |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |