Confidential Compute CLI Change Request - VM / VMSS Create #22199

Closed
AjKundnani opened this issue Apr 27, 2022 · 18 comments
Labels: Auto-Assign (Auto assign by bot), Compute (az vm/vmss/image/disk/snapshot), feature-request

Comments

@AjKundnani

AjKundnani commented Apr 27, 2022

Is your feature request related to a problem? Please describe

No, this is a feature request to add new parameters and add values to existing parameters for the following commands to support Confidential VM - Planned GA by end of June CY22:

Feature request is to support customer with:

  • creation of Confidential VM as single instance and VMSS.
  • flexibility to define encryption type for managed OS disk and choose between Platform-managed keys or customer-managed keys.

Describe the solution you'd like

Customer to use az vm create command with parameter --security-type to set VM security type. For confidential VM, accepted security type should be ConfidentialVM

Customer to use az vmss create command with parameter --security-type to set VMSS security type. For confidential VM, additional accepted security type should be ConfidentialVM

Existing Parameters

--security-type

Currently --security-type supports the value TrustedLaunch. Post change, the following values will be accepted:

| Security-Type  |
| -------------- |
| TrustedLaunch  |
| ConfidentialVM |

New Parameters

Request to include the new parameters below in the commands az vm create and az vmss create

--os-disk-security-encryption-type

New Parameter --os-disk-security-encryption-type:

  • Allows customer to provide encryption type details for Confidential VM:
    • Platform Managed Key (PMK)
    • Customer Managed Key (CMK)
    • VM Guest State Only with PMK (VMGS Only PMK)
  • This parameter will be mandatory if --security-type is set to ConfidentialVM.
  • List of allowed values with description below

| os-disk-security-encryption-type | Description                                                  |
| -------------------------------- | ------------------------------------------------------------ |
| VMGuestStateOnly                 | Encryption Type VM Guest State Only with PMK (VMGS Only PMK) |
| DiskwithVMGuestState             | Encryption Type Platform Managed Key (PMK)                   |

--os-disk-secure-vm-disk-encryption-set

New Parameter --os-disk-secure-vm-disk-encryption-set:

  • Allows customer to provide ARM ID for Disk Encryption Set created with ConfidentialVmEncryptedWithCustomerKey encryption type. This will allow customer to use Customer Managed Key (CMK) encryption.
  • New parameter --os-disk-security-encryption-type value should be DiskwithVMGuestState.

End to End Usage

Scenario 1 - Create New VM

  1. Store Subnet ID in variable:

    subnetId=$(az network vnet subnet show -g $rgName -n MySubnet --vnet-name $vNetName --query [id] -o tsv)

  2. Store Disk Encryption Set ID in variable:

    diskEncryptionSetId=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [id] -o tsv)

  3. Create Virtual Machine with ConfidentialVM Security Type

    az vm create -n $vmName -g $rgName -l $location \
        --size "Standard_DC2as_v5" --admin-username MyUserName --admin-password MyPassword \
        --subnet $subnetId --security-type ConfidentialVM \
        --os-disk-security-encryption-type DiskwithVMGuestState \
        --os-disk-secure-vm-disk-encryption-set $diskEncryptionSetId \
        --image "MicrosoftWindowsServer:WindowsServer:2022-datacenter-smalldisk-g2:latest" \
        --enable-vtpm true --enable-secure-boot true
    

Scenario 2 - Create new VMSS

  1. Store Subnet ID in variable:

    subnetId=$(az network vnet subnet show -g $rgName -n MySubnet --vnet-name $vNetName --query [id] -o tsv)

  2. Store Disk Encryption Set ID in variable:

    diskEncryptionSetId=$(az disk-encryption-set show -n $diskEncryptionSetName -g $rgName --query [id] -o tsv)

  3. Create Virtual Machine Scale Set with ConfidentialVM Security Type

    az vmss create -n $vmssName -g $rgName -l $location \
        --vm-sku "Standard_DC2as_v5" --admin-username MyUserName --admin-password MyPassword \
        --subnet $subnetId --security-type ConfidentialVM \
        --os-disk-security-encryption-type DiskwithVMGuestState \
        --os-disk-secure-vm-disk-encryption-set $diskEncryptionSetId \
        --image "MicrosoftWindowsServer:WindowsServer:2022-datacenter-smalldisk-g2:latest" \
        --enable-vtpm true --enable-secure-boot true
    

Describe alternatives you've considered

Not Applicable, new product feature request.

Additional context

Request for Confidential VM - Planned GA by end of June CY22

Additional Checks

When --security-type is set to ConfidentialVM:

Contacts

| Role                                                    | Contact                                                                         |
| ------------------------------------------------------- | ------------------------------------------------------------------------------- |
| Main developer contacts (emails + github aliases)       | Abhishek Verma (AZURE) [email protected], Anshul Solanki [email protected]    |
| PM contact (email + github alias)                       | Ajay Kundnani [email protected]                                               |
| Other people who should attend a design review (email)  | Run Cai [email protected], Deepak J V [email protected]                       |
@yonzhan
Collaborator

yonzhan commented Apr 27, 2022

Compute

@AjKundnani
Author

@zhoxing-ms - Added Compute Swagger JSON link reference.

@Jing-song
Contributor

Hi @AjKundnani, when I test "Create Virtual Machine Scale Set with ConfidentialVM Security Type", the service returned an error: BadRequest: Virtual Machines Scale Sets do not allow setting managedDisk.securityProfile.diskEncryptionSet. Is this as expected?

@AjKundnani
Author

@PARADISSEEKR - Currently Confidential VMSS supports PMK / CMK with Azure Compute Gallery (or Shared Image Gallery), please test with image from ACG / SIG.

Support for Platform images will be added in future API release.

@zhoxing-ms
Contributor

zhoxing-ms commented Jun 14, 2022

@AjKundnani May I ask why Customer Managed Key (CMK) does not appear in the list of allowed values for --os-disk-security-encryption-type? The "encryption type" in the sentence "Allows customer to provide encryption type details for Confidential VM" means --encryption-type of disk-encryption-set instead of --os-disk-security-encryption-type, right?
(screenshot attached: Screenshot 2022-06-14 180749)

@AjKundnani
Author

@AjKundnani May I ask why does Customer Managed Key (CMK) not appear in the list of allowed values for --os-disk-security-encryption-type? The encryption type in sentence Allows customer to provide encryption type details for Confidential VM means --encryption-type of disk-encryption-set instead of --os-disk-security-encryption-type, right? Screenshot 2022-06-14 180749

@zhoxing-ms

  • "encryption type" in the sentence "Allows customer to provide encryption type details for Confidential VM" refers to the new parameter --os-disk-security-encryption-type
  • The reason CMK doesn't appear in the list is because if the customer uses --os-disk-security-encryption-type with value DiskWithVMGuestState and specifies a Disk Encryption Set using parameter --os-disk-securevm-disk-encryption-set, then the encryption type will become CMK. This is called out in the details for the new parameter --os-disk-securevm-disk-encryption-set.

@AjKundnani
Author

AjKundnani commented Jun 15, 2022

@zhoxing-ms, as per our discussions on the other thread:

  • We can name the parameter --os-disk-secure-vm-disk-encryption-set to keep it consistent. (In current request securevm is one word)
  • Disk Encryption Set should support both resource name and ARM ID
  • I want to ensure just by passing DES name CLI will be able to resolve the DES even if it is in a different resource group?

@zhoxing-ms
Contributor

I want to ensure just by passing DES name CLI will be able to resolve the DES even if it is in a different resource group?

@AjKundnani The resource group used by DES is from --resource-group parameter

@AjKundnani
Author

AjKundnani commented Jun 16, 2022

I want to ensure just by passing DES name CLI will be able to resolve the DES even if it is in a different resource group?

@AjKundnani The resource group used by DES is from --resource-group parameter

@zhoxing-ms - There will be scenarios where the DES is in a different resource group than the disk is created in. Can we handle it similarly to how it is handled for the existing --os-disk-encryption-set parameter?

@zhoxing-ms
Contributor

@AjKundnani In this case, the user can only pass in the ID, and we cannot support the name from different resource group

The resource group used by DES is from --resource-group parameter

The --os-disk-encryption-set parameter uses this logic; the new parameter can be consistent with it.

@zhoxing-ms
Contributor

@AjKundnani The --os-disk-securevm-disk-encryption-set can only be passed in when --os-disk-security-encryption-type is DiskwithVMGuestState, right?

@AjKundnani
Author

@AjKundnani The --os-disk-securevm-disk-encryption-set can only be passed in when --os-disk-security-encryption-type is DiskwithVMGuestState, right?

@zhoxing-ms - Correct, it's not needed when value for --os-disk-security-encryption-type is VMGuestStateOnly
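As an added example (not code from the issue or from the Azure CLI), the following shell pre-flight check encodes the parameter rules requested in the issue body and confirmed in the discussion above: ConfidentialVM requires --os-disk-security-encryption-type, a secure-VM DES is only valid with DiskWithVMGuestState, and a DES given by bare name is resolved in the VM's own --resource-group (an ARM ID must be passed when the DES lives elsewhere). The resource group, subscription and DES names are placeholders, and the function only returns the validated argument list instead of calling az.

```shell
#!/usr/bin/env sh
# Added example: mirror the requested CLI parameter rules before calling `az vm create`.
# Nothing is deployed; cvm_args prints the extra arguments or exits 1 with a reason.

# resolve_des NAME_OR_ID RG SUB -> DES ARM ID. A bare name is assumed to live in RG,
# matching the --os-disk-encryption-set behaviour described in the discussion.
resolve_des() {
  des="$1"; rg="$2"; sub="$3"
  case "$des" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.Compute/diskEncryptionSets/*)
      printf '%s\n' "$des" ;;                # full ARM ID: use as given (any resource group)
    */*) return 1 ;;                         # partial path: neither a name nor an ARM ID
    *) printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/diskEncryptionSets/%s\n' \
         "$sub" "$rg" "$des" ;;
  esac
}

# cvm_args SECURITY_TYPE ENCRYPTION_TYPE DES RG SUB -> validated argument string
cvm_args() {
  sec="$1"; enc="$2"; des="$3"; rg="$4"; sub="$5"
  case "$sec" in
    TrustedLaunch)
      # secure-VM disk options are only meaningful for ConfidentialVM
      [ -z "$enc" ] && [ -z "$des" ] || { echo "secure-VM disk options need --security-type ConfidentialVM" >&2; return 1; }
      printf '%s\n' '--security-type TrustedLaunch'; return 0 ;;
    ConfidentialVM) ;;
    *) echo "unknown --security-type: $sec" >&2; return 1 ;;
  esac
  out="--security-type ConfidentialVM --os-disk-security-encryption-type $enc"
  case "$enc" in
    VMGuestStateOnly)
      # VMGS-only is always PMK: a DES is not needed and is rejected here
      [ -z "$des" ] || { echo "DES is not needed with VMGuestStateOnly" >&2; return 1; }
      printf '%s\n' "$out" ;;
    DiskWithVMGuestState|DiskwithVMGuestState)   # issue uses both spellings; value passed through
      # PMK without a DES; CMK when a ConfidentialVmEncryptedWithCustomerKey DES is supplied
      if [ -n "$des" ]; then
        id=$(resolve_des "$des" "$rg" "$sub") || { echo "malformed DES reference: $des" >&2; return 1; }
        out="$out --os-disk-secure-vm-disk-encryption-set $id"
      fi
      printf '%s\n' "$out" ;;
    '') echo "--os-disk-security-encryption-type is mandatory for ConfidentialVM" >&2; return 1 ;;
    *) echo "unknown --os-disk-security-encryption-type: $enc" >&2; return 1 ;;
  esac
}
```

A wrapper can then run `az vm create ... $(cvm_args ConfidentialVM DiskWithVMGuestState "$diskEncryptionSetName" "$rgName" "$subId")` and stop before any API call when the check fails.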

@Jing-song
Contributor

@PARADISSEEKR - Currently Confidential VMSS supports PMK / CMK with Azure Compute Gallery (or Shared Image Gallery), please test with image from ACG / SIG.

Support for Platform images will be added in future API release.

@AjKundnani, testing with an image from ACG / SIG still errors: "Virtual Machines Scale Sets do not allow setting managedDisk.securityProfile.diskEncryptionSet." Test case: test_os_disk_security_encryption_vmss. Could you please check it?

@AjKundnani
Author

managedDisk.securityProfile.diskEncryptionSet

@PARADISSEEKR - Please confirm whether --os-disk-security-encryption-type with value VMGuestStateOnly is working as expected. Is the only issue with the PMK & CMK scenarios?

@ms-saypaul

ms-saypaul commented Jun 21, 2022

So, CMK and PMK scenarios are supported for VMSS with --os-disk-security-encryption-type with value DiskWithVMGuestState from specialized SIG images having the SecurityType of the image set as ConfidentialVM.

But the CMK for DiskWithVMGuestState for VMSS is blocked in the current CRP changes present in Canary and Prod, and should be enabled in next rollout, as the changes are checked-in.

Else you can test it in EastUS2EUAP slice 5 around this time tomorrow, and it should be supported for CMK scenarios too. EastUS2EUAP slice 5 is our daily deployment slice. I replied to your mail, with a subId that maps to this slice.

@Jing-song
Contributor

Jing-song commented Jun 21, 2022

@AjKundnani, using VMGuestStateOnly also fails: "Virtual Machines Scale Sets do not allow setting managedDisk.securityProfile.diskEncryptionSet".
@ms-saypaul, creating an image-definition with security type returns an error: "Currently Snapshot, Disk and VM sources are supported for the Confidential VM security type." If I create the vmss in eastus2euap, the service returns an error: "...virtualMachineScaleSets/vmss is currently not available in location 'eastus2euap' zones for subscription '0b....'"
Does this feature need to be registered in our test subscription to use it?

@zhoxing-ms
Contributor

But the CMK for DiskWithVMGuestState for VMSS is blocked in the current CRP changes present in Canary and Prod, and should be enabled in next rollout, as the changes are checked-in.

@ms-saypaul May I ask what is the approximate rollout time? If CLI has exposed this feature before rollout, is it in line with your expectations?

@AjKundnani
Author

But the CMK for DiskWithVMGuestState for VMSS is blocked in the current CRP changes present in Canary and Prod, and should be enabled in next rollout, as the changes are checked-

@zhoxing-ms - It is in line with expectations, yes, as these capabilities will be enabled in the near future. We will have to document it in such a way that the end user knows what the available deployment options are for VMSS.
