Use Azure Disk Encryption with virtual machine scale set extension sequencing
Extensions such as Azure Disk Encryption can be added to an Azure virtual machine scale set in a specified order. To do so, use extension sequencing.
In general, encryption should be applied to a disk:
- After any extension or custom script that prepares the disk or volume.
- Before any extension or custom script that accesses or uses data on the encrypted disk or volume.
In either case, the provisionAfterExtensions property designates which extension should be added later in the sequence.
Sample Azure templates
If you want to apply Azure Disk Encryption after another extension, put the provisionAfterExtensions property in the AzureDiskEncryption extension block.
Here is an example using "CustomScriptExtension", a PowerShell script that initializes and formats a Windows disk, followed by "AzureDiskEncryption":
```json
"virtualMachineProfile": {
  "extensionProfile": {
    "extensions": [
      {
        "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
        "name": "CustomScriptExtension",
        "location": "[resourceGroup().location]",
        "properties": {
          "publisher": "Microsoft.Compute",
          "type": "CustomScriptExtension",
          "typeHandlerVersion": "1.9",
          "autoUpgradeMinorVersion": true,
          "forceUpdateTag": "[parameters('forceUpdateTag')]",
          "settings": {
            "fileUris": [
              "https://raw.githubusercontent.com/Azure-Samples/compute-automation-configurations/master/ade-vmss/FormatMBRDisk.ps1"
            ]
          },
          "protectedSettings": {
            "commandToExecute": "powershell -ExecutionPolicy Unrestricted -File FormatMBRDisk.ps1"
          }
        }
      },
      {
        "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
        "name": "AzureDiskEncryption",
        "location": "[resourceGroup().location]",
        "properties": {
          "provisionAfterExtensions": [
            "CustomScriptExtension"
          ],
          "publisher": "Microsoft.Azure.Security",
          "type": "AzureDiskEncryption",
          "typeHandlerVersion": "2.2",
          "autoUpgradeMinorVersion": true,
          "forceUpdateTag": "[parameters('forceUpdateTag')]",
          "settings": {
            "EncryptionOperation": "EnableEncryption",
            "KeyVaultURL": "[reference(variables('keyVaultResourceId'),'2018-02-14-preview').vaultUri]",
            "KeyVaultResourceId": "[variables('keyVaultResourceID')]",
            "KeyEncryptionKeyURL": "[parameters('keyEncryptionKeyURL')]",
            "KekVaultResourceId": "[variables('keyVaultResourceID')]",
            "KeyEncryptionAlgorithm": "[parameters('keyEncryptionAlgorithm')]",
            "VolumeType": "[parameters('volumeType')]",
            "SequenceVersion": "[parameters('sequenceVersion')]"
          }
        }
      }
    ]
  }
}
```
If you want to apply Azure Disk Encryption before another extension, put the provisionAfterExtensions property in the block of the extension that should run after encryption.
Here is an example using "AzureDiskEncryption" followed by "VMDiagnosticsSettings", an extension that monitors and diagnoses Windows-based Azure VMs:
```json
"virtualMachineProfile": {
  "extensionProfile": {
    "extensions": [
      {
        "name": "AzureDiskEncryption",
        "type": "Microsoft.Compute/virtualMachineScaleSets/extensions",
        "location": "[resourceGroup().location]",
        "properties": {
          "publisher": "Microsoft.Azure.Security",
          "type": "AzureDiskEncryption",
          "typeHandlerVersion": "2.2",
          "autoUpgradeMinorVersion": true,
          "forceUpdateTag": "[parameters('forceUpdateTag')]",
          "settings": {
            "EncryptionOperation": "EnableEncryption",
            "KeyVaultURL": "[reference(variables('keyVaultResourceId'),'2018-02-14-preview').vaultUri]",
            "KeyVaultResourceId": "[variables('keyVaultResourceID')]",
            "KeyEncryptionKeyURL": "[parameters('keyEncryptionKeyURL')]",
            "KekVaultResourceId": "[variables('keyVaultResourceID')]",
            "KeyEncryptionAlgorithm": "[parameters('keyEncryptionAlgorithm')]",
            "VolumeType": "[parameters('volumeType')]",
            "SequenceVersion": "[parameters('sequenceVersion')]"
          }
        }
      },
      {
        "name": "Microsoft.Insights.VMDiagnosticsSettings",
        "type": "extensions",
        "location": "[resourceGroup().location]",
        "apiVersion": "2016-03-30",
        "dependsOn": [
          "[concat('Microsoft.Compute/virtualMachines/myVM', copyindex())]"
        ],
        "properties": {
          "provisionAfterExtensions": [
            "AzureDiskEncryption"
          ],
          "publisher": "Microsoft.Azure.Diagnostics",
          "type": "IaaSDiagnostics",
          "typeHandlerVersion": "1.5",
          "autoUpgradeMinorVersion": true,
          "settings": {
            "xmlCfg": "[base64(concat(variables('wadcfgxstart'), variables('wadmetricsresourceid'), concat('myVM', copyindex()), variables('wadcfgxend')))]",
            "storageAccount": "[variables('storageName')]"
          },
          "protectedSettings": {
            "storageAccountName": "[variables('storageName')]",
            "storageAccountKey": "[listkeys(variables('accountid'), '2015-06-15').key1]",
            "storageAccountEndPoint": "https://core.windows.net"
          }
        }
      }
    ]
  }
}
```
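Neither template checks itself, so the following is an added example (not from the Azure docs) that audits an extensionProfile against the two rules stated above: disk-preparing extensions must be ordered before AzureDiskEncryption and data-reading extensions after it, with provisionAfterExtensions treated as predecessor edges. SAMPLE_PROFILE is a constructed, trimmed copy of the page's templates, and the function names resolve and audit are hypothetical.

```python
"""Audit provisionAfterExtensions ordering in a VMSS extensionProfile.
Added example, not from the Azure docs: provisionAfterExtensions entries are
treated as predecessors, unknown or circular references are rejected, and
extensions that prepare the disk must precede AzureDiskEncryption while
extensions that read encrypted data must follow it. Needs Python 3.9+."""
from graphlib import CycleError, TopologicalSorter

ADE_TYPE = "AzureDiskEncryption"
# Constructed sample mirroring the page: format disk -> encrypt -> diagnostics.
SAMPLE_PROFILE = {"extensions": [
    {"name": "CustomScriptExtension", "properties": {"type": "CustomScriptExtension"}},
    {"name": "AzureDiskEncryption", "properties": {
        "type": ADE_TYPE, "provisionAfterExtensions": ["CustomScriptExtension"]}},
    {"name": "Microsoft.Insights.VMDiagnosticsSettings", "properties": {
        "type": "IaaSDiagnostics", "provisionAfterExtensions": ["AzureDiskEncryption"]}},
]}

def resolve(profile):
    """Return (order, before): a valid provisioning sequence and, per extension,
    the set of all extensions provisioned before it. ValueError on bad refs."""
    preds = {e["name"]: list(e.get("properties", {}).get("provisionAfterExtensions", []))
             for e in profile["extensions"]}
    for name, deps in preds.items():
        if unknown := [d for d in deps if d not in preds]:
            raise ValueError(f"{name}: unknown provisionAfterExtensions {unknown}")
    try:  # graph maps node -> predecessors, so static_order() yields predecessors first
        order = list(TopologicalSorter(preds).static_order())
    except CycleError as exc:
        raise ValueError(f"circular provisionAfterExtensions: {exc.args[1]}") from exc
    before = {}
    for name in order:  # predecessors are earlier in order, so their closures exist
        before[name] = set().union(*({p} | before[p] for p in preds[name]))
    return order, before

def audit(profile, prepares_disk=(), reads_encrypted_data=()):
    """List ordering problems; an empty list means the profile is consistent."""
    try:
        _, before = resolve(profile)
    except ValueError as exc:
        return [str(exc)]
    ade = next((e["name"] for e in profile["extensions"]
                if e.get("properties", {}).get("type") == ADE_TYPE), None)
    if ade is None:
        return ["no AzureDiskEncryption extension in the profile"]
    problems = [f"{ade} must be provisioned after {n}"
                for n in prepares_disk if n not in before[ade]]
    problems += [f"{n} must be provisioned after {ade}"
                 for n in reads_encrypted_data if ade not in before.get(n, set())]
    return problems
```

The check is transitive, so an extension ordered after something that is itself ordered after AzureDiskEncryption also passes.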
For more in-depth templates, see:
- Apply the Azure Disk Encryption extension after a custom shell script that formats the disk (Linux): deploy-extseq-linux-ADE-after-customscript.json
Next steps
- Learn more about extension sequencing: Sequence extension provisioning in virtual machine scale sets.
- Learn more about the provisionAfterExtensions property: Microsoft.Compute virtualMachineScaleSets/extensions template reference.
- Azure Disk Encryption for virtual machine scale sets
- Encrypt a virtual machine scale set using the Azure CLI
- Encrypt a virtual machine scale set using Azure PowerShell
- Create and configure a key vault for Azure Disk Encryption