Breaking Change for VM & VMSS PowerShell/CLI Customers

Thread starter: AjKundnani
Introduction


We would like to inform you of an upcoming change to the default security type, to Trusted Launch, that will affect new virtual machine (VM), virtual machine scale set (VMSS), and OS disk resource deployments in Azure. The change will select a Trusted Launch (TL) compatible OS image and set the security type to Trusted Launch by default. This change is a result of our ongoing efforts to improve the foundational security of our cloud computing platform.



This change will take effect in Azure PowerShell (PS) & command-line interface (CLI) with the November 2023 release, and will affect all new Azure VMs, VMSS and Managed OS Disks deployments.



What is Trusted Launch?


Trusted Launch VMs provide you with foundational compute security by enabling the following capabilities:

  • Secure Boot: Protects OS against rootkits and boot kits.
  • vTPM: It serves as a dedicated secure vault for keys and measurements, enabling attestation by measuring the entire boot chain of your VM.
  • Boot Integrity Monitoring: Guest attestation extension enables proactive attestation and monitoring the boot integrity of your VMs.

Trusted Launch enhances the security posture of a VM through cryptographic verification that ensures the VM boots into a desired secure state, protecting it from attacks that modify operating system processes. This maintains the trust of the guest OS and adds defence-in-depth. It is essential for maintaining compliance with various regulatory requirements, including Azure Security Benchmark, FedRAMP, Cloud Computing SRG (STIG), HIPAA, PCI-DSS, and others.



What does this mean for Azure PS & CLI Users?


Azure PowerShell module & Azure CLI client tools (including Cloud Shell) will default new VM, and VMSS deployments to Trusted Launch. The PS & CLI client tools will not override inputs provided by you in deployment commands.



Existing behavior


Before November 2023, the following commands will create a new VM/VMSS without Trusted Launch.



PowerShell




# Replace the angle-bracket placeholders with your own values
$adminUsername = '<USER NAME>'
$adminPassword = '<PASSWORD>' | ConvertTo-SecureString -AsPlainText -Force
$vmCred = New-Object System.Management.Automation.PSCredential($adminUsername, $adminPassword)

# Virtual Machines
New-AzVM -Name MyVm -Credential $vmCred

# Virtual Machine Scale Sets (reuses the credential object built above)
New-AzVmss -Credential $vmCred -VMScaleSetName 'VMSSNAME'



To create VM / VMSS with TrustedLaunch security type, you need to run PowerShell commands with additional parameters:



# Replace the angle-bracket placeholders with your own values
$adminUsername = '<USER NAME>'
$adminPassword = '<PASSWORD>' | ConvertTo-SecureString -AsPlainText -Force
$vmCred = New-Object System.Management.Automation.PSCredential($adminUsername, $adminPassword)

# Virtual Machines
New-AzVM -Name MyVm -Credential $vmCred -SecurityType TrustedLaunch -EnableSecureBoot $true -EnableVtpm $true

# Virtual Machine Scale Sets (reuses the credential object built above)
New-AzVmss -Credential $vmCred -VMScaleSetName 'VMSSNAME' -SecurityType TrustedLaunch -EnableSecureBoot $true -EnableVtpm $true



CLI




# Virtual Machines
az vm create -n MyVm -g MyResourceGroup --image Ubuntu2204

# Virtual Machine Scale Sets
az vmss create -n MyVmss -g MyResourceGroup --image Ubuntu2204



To create VM / VMSS with TrustedLaunch security type, you need to run CLI commands with additional parameters:



# Virtual Machines
az vm create -n MyVm -g MyResourceGroup --image Ubuntu2204 \
    --security-type 'TrustedLaunch' --enable-secure-boot true --enable-vtpm true

# Virtual Machine Scale Sets
az vmss create -n MyVmss -g MyResourceGroup --image Ubuntu2204 \
    --security-type 'TrustedLaunch' --enable-secure-boot true --enable-vtpm true





New behavior



Starting November 2023, the following commands will create a new VM/VMSS with Trusted Launch.



PowerShell




# Replace the angle-bracket placeholders with your own values
$adminUsername = '<USER NAME>'
$adminPassword = '<PASSWORD>' | ConvertTo-SecureString -AsPlainText -Force
$vmCred = New-Object System.Management.Automation.PSCredential($adminUsername, $adminPassword)

# Virtual Machines (security type now defaults to TrustedLaunch)
New-AzVM -Name MyVm -Credential $vmCred

# Virtual Machine Scale Sets (reuses the credential object built above)
New-AzVmss -Credential $vmCred -VMScaleSetName 'VMSSNAME'



To continue deploying VM / VMSS without Trusted Launch, you need to run the PowerShell commands with the additional parameter -SecurityType Standard, supported in Azure PowerShell version 10.3.0 and later:



# Replace the angle-bracket placeholders with your own values
$adminUsername = '<USER NAME>'
$adminPassword = '<PASSWORD>' | ConvertTo-SecureString -AsPlainText -Force
$vmCred = New-Object System.Management.Automation.PSCredential($adminUsername, $adminPassword)

# Virtual Machines (explicitly opt out of the Trusted Launch default)
New-AzVM -Name MyVm -Credential $vmCred -SecurityType Standard

# Virtual Machine Scale Sets (reuses the credential object built above)
New-AzVmss -Credential $vmCred -VMScaleSetName 'VMSSNAME' -SecurityType Standard




CLI




# Virtual Machines
az vm create -n MyVm -g MyResourceGroup --image Ubuntu2204

# Virtual Machine Scale Sets
az vmss create -n MyVmss -g MyResourceGroup --image Ubuntu2204




To continue deploying VM / VMSS without Trusted Launch, you need to run the CLI commands with the additional parameter --security-type Standard, supported in Azure CLI version 2.51.0 and later:



# Virtual Machines (explicitly opt out of the Trusted Launch default)
az vm create -n MyVm -g MyResourceGroup --image Ubuntu2204 \
    --security-type 'Standard'

# Virtual Machine Scale Sets
az vmss create -n MyVmss -g MyResourceGroup --image Ubuntu2204 \
    --security-type 'Standard'






What do I need to do?



Our goal is to make this transition as seamless for you as possible. However, you need to act before implementation (November 2023) if your VM/VMSS is deployed using Azure PowerShell or CLI and any of the following applies:

  1. The deployment references a VM size for which Trusted Launch support is planned. OR,
  2. Backup for newly deployed VMs is enabled using a Standard policy. OR,
  3. The deployment depends on a feature for which Trusted Launch support is planned.


VM Size with planned support for Trusted Launch.



You need to update the VM size to a Trusted Launch supported VM size in your VM/VMSS deployment code. Alternatively, you need to target the Standard security type (described above) if the given VM size is a must-have for your application functionality.



Refer to list of VM Size families with Trusted Launch support planned for more details.



Enabling Backup for new VMs.


You need to update the policy name and target a policy of type Enhanced Policy. Alternatively, you need to target the Standard security type (described above) if the Standard backup policy is a must-have for your application backup/restore requirements.



PowerShell:


Enable backup for Azure VM using PS.



$policy = Get-AzRecoveryServicesBackupProtectionPolicy -Name "EnhancedPolicy"

Enable-AzRecoveryServicesBackupProtection `
-ResourceGroupName "myResourceGroup" `
-Name "myVM" `
-Policy $policy



CLI


Enable backup for Azure VM using CLI.



az backup protection enable-for-vm \
--resource-group myResourceGroup \
--vault-name myRecoveryServicesVault \
--vm myVM \
--policy-name EnhancedPolicy





Feature with planned support Trusted Launch.



You need to update the VM/VMSS deployment code to target the Standard security type (described above) if the given feature is a must-have for your application functionality.



Refer to list of features with Trusted Launch support planned for more details.



How are the Azure PS & CLI Trusted Launch defaults implemented?


Azure PowerShell & CLI client tools will implement Trusted Launch default using the following parameters & scenarios.



VM/VMSS Parameter – OS Image



Trusted Launch security configuration will be applied on Gen2-OS Images.



Post implementation all Image aliases listed below will redirect to Gen2-Trusted Launch equivalent OS image.

Image Alias       | Current Image URN                                      | Post Implementation Image URN
------------------|--------------------------------------------------------|-------------------------------------------------------------------
CentOS            | OpenLogic:CentOS:7.5                                   | OpenLogic:CentOS:7_5-gen2
Debian            | Debian:debian-10:10                                    | Debian:debian-10:10-gen2
Flatcar           | Kinvolk:flatcar-container-linux-free:stable            | Kinvolk:flatcar-container-linux-free:stable-gen2
RHEL              | RedHat:RHEL:7-LVM                                      | RedHat:RHEL:7lvm-gen2
UbuntuLTS         | Canonical:UbuntuServer:18.04-LTS                       | Canonical:UbuntuServer:18_04-LTS-gen2
Win2019Datacenter | MicrosoftWindowsServer:WindowsServer:2019-Datacenter   | MicrosoftWindowsServer:WindowsServer:2019-datacenter-gensecond
Win2016Datacenter | MicrosoftWindowsServer:WindowsServer:2016-Datacenter   | MicrosoftWindowsServer:WindowsServer:2016-datacenter-gensecond



No redirection applicable to Azure Compute Gallery OS Image, Managed Image or if you’re using resource ID of Marketplace OS Image.



Disk CreateOption Parameter – FromImage



Trusted Launch security configuration will be applied if the disk resource being created is of type OS (Windows | Linux) and CreateOption is FromImage. The source OS image will be validated for Trusted Launch support as described under VM/VMSS Parameter – OS Image above.



How will my existing VMs be affected?


This change will not impact existing Azure VMs, VMSS clusters already running in your environment.



Frequently Asked Questions



I am currently using VM/VMSS without Trusted Launch and would like to start using Trusted Launch for new deployments.

Please update your PowerShell or CLI deployment scripts to specify “Trusted Launch” security type. Refer to Deploy a VM with Trusted Launch enabled for more details.



I am already using VM/VMSS with Trusted Launch.
No action is required, your VM/VMSS deployments will continue with defined Trusted Launch configuration.


I am currently using VM/VMSS without Trusted Launch and would like to continue using Non-Trusted Launch configuration after November 2023
Please update your PowerShell or CLI deployment scripts to specify “Standard” security type to maintain the existing behavior of your VM/VMSS. This update is recommended to be done as soon as possible to avoid any unintended behavior after the change.



My VM/VMSS are deployed with VM size or marketplace OS image currently not supported with Trusted Launch.

You need to update the VM size to a Trusted Launch supported VM size and/or the OS image to a Trusted Launch supported OS image, as needed, in your VM/VMSS deployment code. Alternatively, please update your PowerShell or CLI deployment scripts to specify the “Standard” security type to continue using the same VM size and/or OS image. This update is recommended to be done as soon as possible to avoid any unintended behavior after the change.



My VM/VMSS are deployed using Azure Compute Gallery and would like to start using Trusted Launch for new deployments.
You need to create new Gen2 (UEFI) ACG OS Image Definition with SecurityType TrustedLaunchSupported and use the new image definition with securityType “TrustedLaunch” for new VM/VMSS deployments.



My VM/VMSS are deployed using Managed Image and would like to start using Trusted Launch for new deployments.
For the most current technology, you are encouraged to use Azure Compute Gallery. If you have an existing managed image, you can use it as a source and create an Azure Compute Gallery image. For more information, see Create an image definition and image version.



Conclusion


We treat the security of our cloud computing platform as a priority, and this change is an important step towards ensuring that Azure VMs provide a more secure environment for your applications and services. We encourage you to take the necessary steps to prepare for this change.


If you have any questions or concerns about this change, please do not hesitate to reach out to our support team for assistance.
