From f70488568334fbe2ce8afd26c96998434c6da320 Mon Sep 17 00:00:00 2001 From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:06:46 -0700 Subject: [PATCH 01/23] Add scenarios/azure-compute-docs/articles/virtual-machines/linux/disk-encryption-faq.yml --- .../linux/disk-encryption-faq.yml | 200 ++++++++++++++++++ 1 file changed, 200 insertions(+) create mode 100644 scenarios/azure-compute-docs/articles/virtual-machines/linux/disk-encryption-faq.yml diff --git a/scenarios/azure-compute-docs/articles/virtual-machines/linux/disk-encryption-faq.yml b/scenarios/azure-compute-docs/articles/virtual-machines/linux/disk-encryption-faq.yml new file mode 100644 index 000000000..8912e4362 --- /dev/null +++ b/scenarios/azure-compute-docs/articles/virtual-machines/linux/disk-encryption-faq.yml 
@@ -0,0 +1,200 @@ +### YamlMime:FAQ +metadata: + title: FAQ - Azure Disk Encryption for Linux VMs + description: This article provides answers to frequently asked questions about Microsoft Azure Disk Encryption for Linux IaaS VMs. + author: msmbaldwin + ms.service: azure-virtual-machines + ms.collection: linux + ms.subservice: security + ms.topic: faq + ms.author: mbaldwin + ms.date: 08/06/2024 +title: Azure Disk Encryption for Linux virtual machines FAQ +summary: | + This article provides answers to frequently asked questions (FAQ) about Azure Disk Encryption for Linux virtual machines (VMs). For more information about this service, see [Azure Disk Encryption overview](disk-encryption-overview.md). + + +sections: + - name: Ignored + questions: + - question: | + What is Azure Disk Encryption for Linux virtual machines? + answer: | + Azure Disk Encryption for Linux virtual machines uses the dm-crypt feature of Linux to provide full disk encryption of the OS disk* and data disks. Additionally, it provides encryption of the temporary disk when using the [EncryptFormatAll feature](disk-encryption-linux.md#use-encryptformatall-feature-for-data-disks-on-linux-vms). The content flows encrypted from the VM to the Storage backend with a customer-managed key. + + See [Supported virtual machines and operating systems](disk-encryption-overview.md#supported-vms-and-operating-systems). + + - question: | + Where is Azure Disk Encryption in general availability (GA)? + answer: | + Azure Disk Encryption for Linux virtual machines is in general availability in all Azure public regions. + + - question: | + What user experiences are available with Azure Disk Encryption? + answer: | + Azure Disk Encryption GA supports Azure Resource Manager templates, Azure PowerShell, and Azure CLI. The different user experiences give you flexibility. You have three different options for enabling disk encryption for your virtual machines. 
For more information on the user experience and step-by-step guidance available in Azure Disk Encryption, see [Azure Disk Encryption scenarios for Linux](disk-encryption-linux.md). + + - question: | + How much does Azure Disk Encryption cost? + answer: | + There's no charge for encrypting VM disks with Azure Disk Encryption, but there are charges associated with the use of Azure Key Vault. For more information on Azure Key Vault costs, see the [Key Vault pricing](https://azure.microsoft.com/pricing/details/key-vault/) page. + + - question: | + How can I start using Azure Disk Encryption? + answer: | + To get started, read the [Azure Disk Encryption overview](disk-encryption-overview.md). + + - question: | + What VM sizes and operating systems support Azure Disk Encryption? + answer: | + The [Azure Disk Encryption overview](disk-encryption-overview.md) article lists the [VM sizes](disk-encryption-overview.md#supported-vms) and [VM operating systems](disk-encryption-overview.md#supported-operating-systems) that support Azure Disk Encryption. + + - question: | + Can I encrypt both boot and data volumes with Azure Disk Encryption? + answer: | + Yes, you can encrypt both boot and data volumes, or you can encrypt the data volume without having to encrypt the OS volume first. + + After you've encrypted the OS volume, disabling encryption on the OS volume isn't supported. For Linux virtual machines in a scale set, only the data volume can be encrypted. + + - question: | + Can I encrypt an unmounted volume with Azure Disk Encryption? + answer: | + No, Azure Disk Encryption only encrypts mounted volumes. + + - question: | + What is Storage server-side encryption? + answer: | + Storage server-side encryption encrypts Azure managed disks in Azure Storage. Managed disks are encrypted by default with Server-side encryption with a platform-managed key (as of June 10, 2017). You can manage encryption of managed disks with your own keys by specifying a customer-managed key. 
For more information see: [Server-side encryption of Azure managed disks](../disk-encryption.md). + + - question: | + How is Azure Disk Encryption different from other disk encryption solutions and when should I use each solution? + answer: | + See [Overview of managed disk encryption options](../disk-encryption-overview.md). + + - question: | + How do I rotate secrets or encryption keys? + answer: | + To rotate secrets, just call the same command you used originally to enable disk encryption, specifying a different Key Vault. To rotate the key encryption key, call the same command you used originally to enable disk encryption, specifying the new key encryption. + + >[!WARNING] + > - If you previously used [Azure Disk Encryption with Microsoft Entra app](disk-encryption-linux-aad.md) by specifying Microsoft Entra credentials to encrypt this VM, you must continue to use this option to encrypt your VM. You can't use Azure Disk Encryption on this encrypted VM as this isn't a supported scenario, meaning switching away from Microsoft Entra application for this encrypted VM isn't supported yet. + + - question: | + How do I add or remove a key encryption key if I didn't originally use one? + answer: | + To add a key encryption key, call the enable command again passing the key encryption key parameter. To remove a key encryption key, call the enable command again without the key encryption key parameter. + + - question: | + Does Azure Disk Encryption allow you to bring your own key (BYOK)? + answer: | + Yes, you can supply your own key encryption keys. These keys are safeguarded in Azure Key Vault, which is the key store for Azure Disk Encryption. For more information on the key encryption keys support scenarios, see [Creating and configuring a key vault for Azure Disk Encryption](disk-encryption-key-vault.md). + + - question: | + Can I use an Azure-created key encryption key? 
+ answer: | + Yes, you can use Azure Key Vault to generate a key encryption key for Azure disk encryption use. These keys are safeguarded in Azure Key Vault, which is the key store for Azure Disk Encryption. For more information on the key encryption key, see [Creating and configuring a key vault for Azure Disk Encryption](disk-encryption-key-vault.md). + + - question: | + Can I use an on-premises key management service or HSM to safeguard the encryption keys? + answer: | + You can't use the on-premises key management service or HSM to safeguard the encryption keys with Azure Disk Encryption. You can only use the Azure Key Vault service to safeguard the encryption keys. For more information on the key encryption key support scenarios, see [Creating and configuring a key vault for Azure Disk Encryption](disk-encryption-key-vault.md). + + - question: | + What are the prerequisites to configure Azure Disk Encryption? + answer: | + There are prerequisites for Azure Disk Encryption. See the [Creating and configuring a key vault for Azure Disk Encryption](disk-encryption-key-vault.md) article to create a new key vault, or set up an existing key vault for disk encryption access to enable encryption, and safeguard secrets and keys. For more information on the key encryption key support scenarios, see [Creating and configuring a key vault for Azure Disk Encryption](disk-encryption-key-vault.md). + + - question: | + What are the prerequisites to configure Azure Disk Encryption with a Microsoft Entra app (previous release)? + answer: | + There are prerequisites for Azure Disk Encryption. See the [Azure Disk Encryption with Microsoft Entra ID](disk-encryption-linux-aad.md) content to create an Microsoft Entra application, create a new key vault, or set up an existing key vault for disk encryption access to enable encryption, and safeguard secrets and keys. 
For more information on the key encryption key support scenarios, see [Creating and configuring a key vault for Azure Disk Encryption with Microsoft Entra ID](disk-encryption-key-vault-aad.md). + + - question: | + Is Azure Disk Encryption using a Microsoft Entra app (previous release) still supported? + answer: | + Yes. Disk encryption using a Microsoft Entra app is still supported. However, when encrypting new virtual machines it's recommended that you use the new method rather than encrypting with a Microsoft Entra app. + + - question: | + Can I migrate virtual machines that were encrypted with a Microsoft Entra app to encryption without a Microsoft Entra app? + answer: Currently, there isn't a direct migration path for machines that were encrypted with a Microsoft Entra app to encryption without a Microsoft Entra app. Additionally, there isn't a direct path from encryption without a Microsoft Entra app to encryption with an AD app. + + - question: | + What version of Azure PowerShell does Azure Disk Encryption support? + answer: | + Use the latest version of the Azure PowerShell SDK to configure Azure Disk Encryption. Download the latest version of [Azure PowerShell](https://github.com/Azure/azure-powershell/releases). Azure Disk Encryption is *not* supported by Azure SDK version 1.1.0. + + > [!NOTE] + > The Linux Azure disk encryption preview extension "Microsoft.OSTCExtension.AzureDiskEncryptionForLinux" is deprecated. This extension was published for Azure disk encryption preview release. You should not use the preview version of the extension in your testing or production deployment. + + > For deployment scenarios like Azure Resource Manager (ARM), where you have a need to deploy Azure disk encryption extension for Linux VM to enable encryption on your Linux IaaS VM, you must use the Azure disk encryption production supported extension "Microsoft.Azure.Security.AzureDiskEncryptionForLinux". 
+ + - question: | + Can I apply Azure Disk Encryption on my custom Linux image? + answer: | + You can't apply Azure Disk Encryption on your custom Linux image. Only the gallery Linux images for the supported distributions called out previously are supported. Custom Linux images aren't currently supported. + + - question: | + Can I apply updates to a Linux Red Hat VM that uses the yum update? + answer: | + Yes, you can perform a yum update on a Red Hat Linux VM. For more information, see [Azure Disk Encryption on an isolated network](disk-encryption-isolated-network.md). + + - question: | + What is the recommended Azure disk encryption workflow for Linux? + answer: | + The following workflow is recommended to have the best results on Linux: + * Start from the unmodified stock gallery image corresponding to the needed OS distro and version + * Back up any mounted drives you want encrypted. This back up allows for recovery if there's a failure, for example if the VM is rebooted before encryption has completed. + * Encrypt (can take several hours or even days depending on VM characteristics and size of any attached data disks) + * Customize, and add software to the image as needed. + + If this workflow isn't possible, relying on [Storage Service Encryption (SSE)](/azure/storage/common/storage-service-encryption) at the platform storage account layer may be an alternative to full disk encryption using dm-crypt. + + - question: | + What is the disk "Bek Volume" or "/mnt/azure_bek_disk"? + answer: | + The "Bek volume" is a local data volume that securely stores the encryption keys for Encrypted Azure virtual machines. + > [!NOTE] + > Do not delete or edit any contents in this disk. Do not unmount the disk since the encryption key presence is needed for any encryption operations on the IaaS VM. + + + - question: | + What encryption method does Azure Disk Encryption use? 
+ answer: | + Azure Disk Encryption uses the decrypt default of aes-xts-plain64 with a 256-bit volume master key. + + - question: | + If I use EncryptFormatAll and specify all volume types, will it erase the data on the data drives that we already encrypted? + answer: | + No, data won't be erased from data drives that are already encrypted using Azure Disk Encryption. Similar to how EncryptFormatAll didn't re-encrypt the OS drive, it won't re-encrypt the already encrypted data drive. For more information, see the [EncryptFormatAll criteria](disk-encryption-linux.md#use-encryptformatall-feature-for-data-disks-on-linux-vms). + + - question: | + Is XFS filesystem supported? + answer: | + Encryption of XFS OS disks is supported. + + Encryption of XFS data disks is supported only when the EncryptFormatAll parameter is used. This option reformats the volume, erasing any data previously there. For more information, see the [EncryptFormatAll criteria](disk-encryption-linux.md#use-encryptformatall-feature-for-data-disks-on-linux-vms). + + - question: | + Is resizing the OS partition supported? + answer: | + Resize of an Azure Disk Encryption encrypted OS disk isn't supported. + + - question: | + Can I backup and restore an encrypted VM? + answer: | + Azure Backup provides a mechanism to backup and restore encrypted VM's within the same subscription and region. For instructions, please see [Back up and restore encrypted virtual machines with Azure Backup](/azure/backup/backup-azure-vms-encryption). Restoring an encrypted VM to a different region is not currently supported. + + - question: | + Where can I go to ask questions or provide feedback? + answer: | + You can ask questions or provide feedback on the [Microsoft Q&A question page for Azure Disk Encryption](/answers/topics/azure-disk-encryption.html). + +additionalContent: | + + ## Next steps + + In this document, you learned more about the most frequent questions related to Azure Disk Encryption. 
For more information about this service, see the following articles: + + - [Azure Disk Encryption Overview](disk-encryption-overview.md) + - [Apply disk encryption in Azure Security Center](/azure/security-center/asset-inventory) + - [Azure data encryption at rest](/azure/security/fundamentals/encryption-atrest) From 73174b32baef0b5e724e03af85f1bdceaf796911 Mon Sep 17 00:00:00 2001 From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:06:49 -0700 Subject: [PATCH 02/23] Add scenarios/azure-compute-docs/articles/virtual-machines/linux/attach-disk-portal.yml --- .../linux/attach-disk-portal.yml | 259 ++++++++++++++++++ 1 file changed, 259 insertions(+) create mode 100644 scenarios/azure-compute-docs/articles/virtual-machines/linux/attach-disk-portal.yml diff --git a/scenarios/azure-compute-docs/articles/virtual-machines/linux/attach-disk-portal.yml b/scenarios/azure-compute-docs/articles/virtual-machines/linux/attach-disk-portal.yml new file mode 100644 index 000000000..babdb3954 --- /dev/null +++ b/scenarios/azure-compute-docs/articles/virtual-machines/linux/attach-disk-portal.yml 
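Review bot: In the disk-encryption-faq.yml hunk (PATCH 01/23), the answer to "What encryption method does Azure Disk Encryption use?" reads `Azure Disk Encryption uses the decrypt default of aes-xts-plain64 with a 256-bit volume master key.`; "decrypt default" looks like a typo for "dm-crypt default" (the first answer names dm-crypt as the underlying mechanism), and as written the sentence misdescribes where the cipher setting comes from. Two smaller documentation points in the same hunk: the first answer refers to "the OS disk*" but no footnote for that asterisk appears anywhere in the file, and the key-rotation answer ends "specifying the new key encryption", which drops the final word "key" (compare "key encryption key" in the same sentence). Also "create an Microsoft Entra application" should read "a Microsoft Entra application".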
@@ -0,0 +1,259 @@ +### YamlMime:HowTo + +metadata: + title: Attach a data disk to a Linux VM + description: Use the portal to attach new or existing data disk to a Linux VM. + author: roygara + ms.author: rogarana + ms.date: 03/19/2024 + ms.service: azure-disk-storage + ms.topic: how-to + ms.collection: linux + ms.custom: + - linux-related-content + - ge-structured-content-pilot + +title: | + Use the portal to attach a data disk to a Linux VM +introduction: | + **Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Flexible scale sets + + This article shows you how to attach both new and existing disks to a Linux virtual machine through the Azure portal. You can also [attach a data disk to a Windows VM in the Azure portal](../windows/attach-managed-disk-portal.yml). + +prerequisites: + summary: | + Before you attach disks to your VM, review these tips: + dependencies: + - The size of the virtual machine controls how many data disks you can attach. For details, see [Sizes for virtual machines](../sizes.md). + +procedureSection: + - title: | + Find the virtual machine + summary: | + Follow these steps: + steps: + - | + Go to the [Azure portal](https://portal.azure.com/) to find the VM. Search for and select **Virtual machines**. + - | + Select the VM you'd like to attach the disk to from the list. + - | + In the **Virtual machines** page, under **Settings**, select **Disks**. + + - title: | + Attach a new disk + summary: | + Follow these steps: + steps: + - | + On the **Disks** pane, under **Data disks**, select **Create and attach a new disk**. + - | + Enter a name for your managed disk. Review the default settings, and update the **Storage type**, **Size (GiB)**, **Encryption** and **Host caching** as necessary. + + :::image type="content" source="./media/attach-disk-portal/create-new-md.png" alt-text="Screenshot of review disk settings." 
lightbox="./media/attach-disk-portal/create-new-md.png"::: + + - | + When you're done, select **Save** at the top of the page to create the managed disk and update the VM configuration. + + - title: | + Attach an existing disk + summary: | + Follow these steps: + steps: + - | + On the **Disks** pane, under **Data disks**, select **Attach existing disks**. + - | + Select the drop-down menu for **Disk name** and select a disk from the list of available managed disks. + - | + Select **Save** to attach the existing managed disk and update the VM configuration: + + - title: | + Connect to the Linux VM to mount the new disk + summary: | + To partition, format, and mount your new disk so your Linux VM can use it, SSH into your VM. For more information, see [How to use SSH with Linux on Azure](mac-create-ssh-keys.md). The following example connects to a VM with the public IP address of *10.123.123.25* with the username *azureuser*: + code: | + ```bash + ssh azureuser@10.123.123.25 + ``` + + - title: | + Find the disk + summary: | + Once connected to your VM, you need to find the disk. In this example, we're using `lsblk` to list the disks. + code: | + ```bash + lsblk -o NAME,HCTL,SIZE,MOUNTPOINT | grep -i "sd" + ``` + + The output is similar to the following example: + + ```output + sda 0:0:0:0 30G + ├─sda1 29.9G / + ├─sda14 4M + └─sda15 106M /boot/efi + sdb 1:0:1:0 14G + └─sdb1 14G /mnt + sdc 3:0:0:0 4G + ``` + + In this example, the disk that was added was `sdc`. It's a LUN 0 and is 4GB. + + For a more complex example, here's what multiple data disks look like in the portal: + + :::image type="content" source="./media/attach-disk-portal/find-disk.png" alt-text="Screenshot of multiple disks shown in the portal."::: + + In the image, you can see that there are 3 data disks: 4 GB on LUN 0, 16GB at LUN 1, and 32G at LUN 2. 
+ + Here's what that might look like using `lsblk`: + + ```output + sda 0:0:0:0 30G + ├─sda1 29.9G / + ├─sda14 4M + └─sda15 106M /boot/efi + sdb 1:0:1:0 14G + └─sdb1 14G /mnt + sdc 3:0:0:0 4G + sdd 3:0:0:1 16G + sde 3:0:0:2 32G + ``` + + From the output of `lsblk` you can see that the 4GB disk at LUN 0 is `sdc`, the 16GB disk at LUN 1 is `sdd`, and the 32G disk at LUN 2 is `sde`. + + ### Prepare a new empty disk + + > [!IMPORTANT] + > If you are using an existing disk that contains data, skip to [mounting the disk](#mount-the-disk). + > The following instructions will delete data on the disk. + + If you're attaching a new disk, you need to partition the disk. + + The `parted` utility can be used to partition and to format a data disk. + - Use the latest version `parted` that is available for your distro. + - If the disk size is 2 tebibytes (TiB) or larger, you must use GPT partitioning. If disk size is under 2 TiB, then you can use either MBR or GPT partitioning. + + + The following example uses `parted` on `/dev/sdc`, which is where the first data disk will typically be on most VMs. Replace `sdc` with the correct option for your disk. We're also formatting it using the [XFS](https://xfs.wiki.kernel.org/) filesystem. + + ```bash + sudo parted /dev/sdc --script mklabel gpt mkpart xfspart xfs 0% 100% + sudo mkfs.xfs /dev/sdc1 + sudo partprobe /dev/sdc1 + ``` + + Use the [`partprobe`](https://linux.die.net/man/8/partprobe) utility to make sure the kernel is aware of the new partition and filesystem. Failure to use `partprobe` can cause the blkid or lslbk commands to not return the UUID for the new filesystem immediately. + + ### Mount the disk + + Create a directory to mount the file system using `mkdir`. The following example creates a directory at `/datadrive`: + + ```bash + sudo mkdir /datadrive + ``` + + Use `mount` to then mount the filesystem. 
The following example mounts the */dev/sdc1* partition to the `/datadrive` mount point: + + ```bash + sudo mount /dev/sdc1 /datadrive + ``` + To ensure that the drive is remounted automatically after a reboot, it must be added to the */etc/fstab* file. It's also highly recommended that the UUID (Universally Unique Identifier) is used in */etc/fstab* to refer to the drive rather than just the device name (such as, */dev/sdc1*). If the OS detects a disk error during boot, using the UUID avoids the incorrect disk being mounted to a given location. Remaining data disks would then be assigned those same device IDs. To find the UUID of the new drive, use the `blkid` utility: + + ```bash + sudo blkid + ``` + + The output looks similar to the following example: + + ```output + /dev/sda1: LABEL="cloudimg-rootfs" UUID="11111111-1b1b-1c1c-1d1d-1e1e1e1e1e1e" TYPE="ext4" PARTUUID="1a1b1c1d-11aa-1234-1a1a1a1a1a1a" + /dev/sda15: LABEL="UEFI" UUID="BCD7-96A6" TYPE="vfat" PARTUUID="1e1g1cg1h-11aa-1234-1u1u1a1a1u1u" + /dev/sdb1: UUID="22222222-2b2b-2c2c-2d2d-2e2e2e2e2e2e" TYPE="ext4" TYPE="ext4" PARTUUID="1a2b3c4d-01" + /dev/sda14: PARTUUID="2e2g2cg2h-11aa-1234-1u1u1a1a1u1u" + /dev/sdc1: UUID="33333333-3b3b-3c3c-3d3d-3e3e3e3e3e3e" TYPE="xfs" PARTLABEL="xfspart" PARTUUID="c1c2c3c4-1234-cdef-asdf3456ghjk" + ``` + + > [!NOTE] + > Improperly editing the **/etc/fstab** file could result in an unbootable system. If unsure, refer to the distribution's documentation for information on how to properly edit this file. You should create a backup of the **/etc/fstab** file is created before editing. + + Next, open the **/etc/fstab** file in a text editor. Add a line to the end of the file, using the UUID value for the `/dev/sdc1` device that was created in the previous steps, and the mountpoint of `/datadrive`. 
Using the example from this article, the new line would look like the following: + + ```config + UUID=33333333-3b3b-3c3c-3d3d-3e3e3e3e3e3e /datadrive xfs defaults,nofail 1 2 + ``` + + When you're done editing the file, save and close the editor. + + > [!NOTE] + > Later removing a data disk without editing fstab could cause the VM to fail to boot. Most distributions provide either the *nofail* and/or *nobootwait* fstab options. These options allow a system to boot even if the disk fails to mount at boot time. Consult your distribution's documentation for more information on these parameters. + > + > The *nofail* option ensures that the VM starts even if the filesystem is corrupt or the disk does not exist at boot time. Without this option, you may encounter behavior as described in [Cannot SSH to Linux VM due to FSTAB errors](/archive/blogs/linuxonazure/cannot-ssh-to-linux-vm-after-adding-data-disk-to-etcfstab-and-rebooting) + + + - title: | + Verify the disk + summary: | + You can now use `lsblk` again to see the disk and the mountpoint. + + ```bash + lsblk -o NAME,HCTL,SIZE,MOUNTPOINT | grep -i "sd" + ``` + + The output will look something like this: + + ```output + sda 0:0:0:0 30G + ├─sda1 29.9G / + ├─sda14 4M + └─sda15 106M /boot/efi + sdb 1:0:1:0 14G + └─sdb1 14G /mnt + sdc 3:0:0:0 4G + └─sdc1 4G /datadrive + ``` + + You can see that `sdc` is now mounted at `/datadrive`. + + ### TRIM/UNMAP support for Linux in Azure + + Some Linux kernels support TRIM/UNMAP operations to discard unused blocks on the disk. This feature is primarily useful to inform Azure that deleted pages are no longer valid and can be discarded. This feature can save money on disks that are billed based on the amount of consumed storage, such as unmanaged standard disks and disk snapshots. + + There are two ways to enable TRIM support in your Linux VM. 
As usual, consult your distribution for the recommended approach: + steps: + - | + Use the `discard` mount option in */etc/fstab*, for example: + + ```config + UUID=33333333-3b3b-3c3c-3d3d-3e3e3e3e3e3e /datadrive xfs defaults,discard 1 2 + ``` + - | + In some cases, the `discard` option may have performance implications. Alternatively, you can run the `fstrim` command manually from the command line, or add it to your crontab to run regularly: + + **Ubuntu** + + ```bash + sudo apt-get install util-linux + sudo fstrim /datadrive + ``` + + **RHEL** + + ```bash + sudo yum install util-linux + sudo fstrim /datadrive + ``` + + **SUSE** + + ```bash + sudo zypper install util-linux + sudo fstrim /datadrive + ``` + +relatedContent: + - text: Troubleshoot Linux VM device name changes + url: /troubleshoot/azure/virtual-machines/troubleshoot-device-names-problems + - text: Attach a data disk using the Azure CLI + url: add-disk.md +#For more information, and to help troubleshoot disk issues, see [Troubleshoot Linux VM device name changes](/troubleshoot/azure/virtual-machines/troubleshoot-device-names-problems). + +#You can also [attach a data disk](add-disk.md) using the Azure CLI. From 5e6621e6714731b936ac973e0be40c973e57786d Mon Sep 17 00:00:00 2001 From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:06:51 -0700 Subject: [PATCH 03/23] Add scenarios/azure-compute-docs/articles/virtual-machines/linux/faq.yml --- .../articles/virtual-machines/linux/faq.yml | 141 ++++++++++++++++++ 1 file changed, 141 insertions(+) create mode 100644 scenarios/azure-compute-docs/articles/virtual-machines/linux/faq.yml diff --git a/scenarios/azure-compute-docs/articles/virtual-machines/linux/faq.yml b/scenarios/azure-compute-docs/articles/virtual-machines/linux/faq.yml new file mode 100644 index 000000000..5700bcc9c --- /dev/null +++ b/scenarios/azure-compute-docs/articles/virtual-machines/linux/faq.yml 
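Review bot: In the attach-disk-portal.yml hunk (PATCH 02/23), the TRIM example `UUID=33333333-3b3b-3c3c-3d3d-3e3e3e3e3e3e /datadrive xfs defaults,discard 1 2` drops the `nofail` option that the earlier fstab example and the NOTE above it say is needed so the VM still boots when the disk is missing or corrupt; suggest `defaults,nofail,discard` so a reader who copies the TRIM line does not lose that protection. In the partitioning block, `sudo partprobe /dev/sdc1` passes the partition rather than the disk: `partprobe` re-reads a whole disk's partition table, so it should be `sudo partprobe /dev/sdc`, and it is more useful placed between the `parted` and `mkfs.xfs` lines so the kernel knows about `/dev/sdc1` before it is formatted. Smaller fixes: "lslbk" should be "lsblk"; the sample `blkid` line for `/dev/sdb1` repeats `TYPE="ext4"`; "You should create a backup of the /etc/fstab file is created before editing" should read "Create a backup of the /etc/fstab file before editing it"; and the two commented-out `#For more information...` / `#You can also...` lines after `relatedContent` are leftover residue that should be deleted.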
@@ -0,0 +1,141 @@ +### YamlMime:FAQ +metadata: + title: Frequently asked questions for Linux VMs in Azure + description: Provides answers to some of the common questions about Linux virtual machines created with the Resource Manager model. + author: ju-shim + ms.service: azure-virtual-machines + ms.collection: linux + ms.topic: faq + ms.date: 03/06/2024 + ms.author: jushiman +title: Frequently asked question about Linux Virtual Machines +summary: | + This article addresses some common questions about Linux virtual machines created in Azure using the Resource Manager deployment model. For the Windows version of this topic, see [Frequently asked question about Windows Virtual Machines](../windows/faq.yml) + + +sections: + - name: Ignored + questions: + - question: | + What can I run on an Azure VM? + answer: | + All subscribers can run server software on an Azure virtual machine. For more information, see [Linux on Azure-Endorsed Distributions](endorsed-distros.md) + + - question: | + How much storage can I use with a virtual machine? + answer: | + Each data disk can be up to 32,767 GiB. The number of data disks you can use depends on the size of the virtual machine. For details, see [Sizes for Virtual Machines](../sizes.md). + + Azure Managed Disks are the recommended disk storage offerings for use with Azure Virtual Machines for persistent storage of data. You can use multiple Managed Disks with each Virtual Machine. Managed Disks offer two types of durable storage options: Premium and Standard Managed Disks. For pricing information, see [Managed Disks Pricing](https://azure.microsoft.com/pricing/details/managed-disks). + + Azure storage accounts can also provide storage for the operating system disk and any data disks. Each disk is a .vhd file stored as a page blob. For pricing details, see [Storage Pricing Details](https://azure.microsoft.com/pricing/details/storage/). + + - question: | + How can I access my virtual machine? 
+ answer: | + Establish a remote connection to sign on to the virtual machine, using Secure Shell (SSH). See the instructions on how to connect [from Windows](ssh-from-windows.md) or + [from Linux and Mac](mac-create-ssh-keys.md). By default, SSH allows a maximum of 10 concurrent connections. You can increase this number by editing the configuration file. + + If you’re having problems, check out [Troubleshoot Secure Shell (SSH) connections](/troubleshoot/azure/virtual-machines/troubleshoot-ssh-connection?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json). + + - question: | + Can I use the temporary disk (/dev/sdb1) to store data? + answer: | + Don't use the temporary disk (/dev/sdb1) to store data. It is only there for temporary storage. You risk losing data that can’t be recovered. + + - question: | + Can I copy or clone an existing Azure VM? + answer: | + Yes. For instructions, see [How to create a copy of a Linux virtual machine in the Resource Manager deployment model](/previous-versions/azure/virtual-machines/linux/copy-vm). + + - question: | + Why am I not seeing Canada Central and Canada East regions through Azure Resource Manager? + answer: | + The two new regions of Canada Central and Canada East are not automatically registered for virtual machine creation for existing Azure subscriptions. This registration is done automatically when a virtual machine is deployed through the Azure portal to any other region using Azure Resource Manager. After a virtual machine is deployed to any other Azure region, the new regions should be available for subsequent virtual machines. + + - question: | + Can I add a NIC to my VM after it's created? + answer: | + Yes, this is now possible. The VM first needs to be stopped deallocated. Then you can add or remove a NIC (unless it's the last NIC on the VM). + + - question: | + Are there any computer name requirements? + answer: | + Yes. The computer name can be a maximum of 64 characters in length. 
See [Naming conventions rules and restrictions](/azure/architecture/best-practices/resource-naming) for more information around naming your resources. + + - question: | + Are there any resource group name requirements? + answer: | + Yes. The resource group name can be a maximum of 90 characters in length. See [Naming conventions rules and restrictions](/azure/architecture/best-practices/resource-naming) for more information about resource groups. + + - question: | + What are the username requirements when creating a VM? + answer: | + Usernames should be 1 - 32 characters in length. + + The following usernames are not allowed: + + - `1` + - `123` + - `a` + - `actuser` + - `adm` + - `admin` + - `admin1` + - `admin2` + - `administrator` + - `aspnet` + - `backup` + - `console` + - `david` + - `guest` + - `john` + - `owner` + - `root` + - `server` + - `sql` + - `support_388945a0` + - `support` + - `sys` + - `test` + - `test1` + - `test2` + - `test3` + - `user` + - `user1` + - `user2` + - `user3` + - `user4` + - `user5` + - `video` + + + - question: | + What are the password requirements when creating a VM? + answer: | + There are varying password length requirements, depending on the tool you are using: + - Azure portal - between 12 - 72 characters + - Azure PowerShell - between 8 - 123 characters + - Azure CLI - between 12 - 123 characters + - Azure Resource Manager (ARM) templates - 12 - 72 characters and control characters are not allowed + + + Passwords must also meet 3 out of the following 4 complexity requirements: + + * Have lower characters + * Have upper characters + * Have a digit + * Have a special character (Regex match [\W_]) + + The following passwords are not allowed: + + * abc@123 + * P@$$w0rd + * P@ssw0rd + * P@ssword123 + * Pa$$word + * pass@word1 + * Password! + * Password1 + * Password22 + * iloveyou! From 4bac2dcc9a865658b773d01e027f129a6e96e5fd Mon Sep 17 00:00:00 2001 
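Review bot: In the faq.yml hunk (PATCH 03/23), the `title:` value `Frequently asked question about Linux Virtual Machines` and the summary's link text `Frequently asked question about Windows Virtual Machines` should both say "questions" (the metadata `title:` already does). The summary sentence ending in `(../windows/faq.yml)` and the first answer ending in `(endorsed-distros.md)` are missing their terminating periods. In the password-requirements answer, the complexity bullets "Have lower characters" and "Have upper characters" would be clearer as "Have a lowercase letter" and "Have an uppercase letter", matching the form of the other two bullets.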
From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:06:53 -0700 Subject: [PATCH 04/23] Add scenarios/azure-compute-docs/articles/virtual-machines/linux/quick-create-cli.md --- .../linux/quick-create-cli.md | 145 ++++++++++++++++++ 1 file changed, 145 insertions(+) create mode 100644 scenarios/azure-compute-docs/articles/virtual-machines/linux/quick-create-cli.md diff --git a/scenarios/azure-compute-docs/articles/virtual-machines/linux/quick-create-cli.md b/scenarios/azure-compute-docs/articles/virtual-machines/linux/quick-create-cli.md new file mode 100644 index 000000000..109ea1094 --- /dev/null +++ b/scenarios/azure-compute-docs/articles/virtual-machines/linux/quick-create-cli.md 
@@ -0,0 +1,145 @@ +--- +title: 'Quickstart: Use the Azure CLI to create a Linux Virtual Machine' +description: In this quickstart, you learn how to use the Azure CLI to create a Linux virtual machine +author: ju-shim +ms.service: azure-virtual-machines +ms.collection: linux +ms.topic: quickstart +ms.date: 03/11/2024 +ms.author: jushiman +ms.custom: mvc, devx-track-azurecli, mode-api, innovation-engine, linux-related-content +--- + +# Quickstart: Create a Linux virtual machine with the Azure CLI on Azure + +**Applies to:** :heavy_check_mark: Linux VMs + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://go.microsoft.com/fwlink/?linkid=2285977) + +This quickstart shows you how to use the Azure CLI to deploy a Linux virtual machine (VM) in Azure. The Azure CLI is used to create and manage Azure resources via either the command line or scripts. + +If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. + +## Launch Azure Cloud Shell + +The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account. + +To open the Cloud Shell, just select **Try it** from the upper right corner of a code block. You can also open Cloud Shell in a separate browser tab by going to [https://shell.azure.com/bash](https://shell.azure.com/bash). Select **Copy** to copy the blocks of code, paste it into the Cloud Shell, and select **Enter** to run it. + +If you prefer to install and use the CLI locally, this quickstart requires Azure CLI version 2.0.30 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI]( /cli/azure/install-azure-cli). + +## Log in to Azure using the CLI + +In order to run commands in Azure using the CLI, you need to log in first. Log in using the `az login` command. 
+ +## Create a resource group + +A resource group is a container for related resources. All resources must be placed in a resource group. The [az group create](/cli/azure/group) command creates a resource group with the previously defined $MY_RESOURCE_GROUP_NAME and $REGION parameters. + +```bash +export RANDOM_ID="$(openssl rand -hex 3)" +export MY_RESOURCE_GROUP_NAME="myVMResourceGroup$RANDOM_ID" +export REGION=EastUS +az group create --name $MY_RESOURCE_GROUP_NAME --location $REGION +``` + +Results: + + +```json +{ + "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myVMResourceGroup", + "location": "eastus", + "managedBy": null, + "name": "myVMResourceGroup", + "properties": { + "provisioningState": "Succeeded" + }, + "tags": null, + "type": "Microsoft.Resources/resourceGroups" +} +``` + +## Create the virtual machine + +To create a VM in this resource group, use the `vm create` command. + +The following example creates a VM and adds a user account. The `--generate-ssh-keys` parameter causes the CLI to look for an available ssh key in `~/.ssh`. If one is found, that key is used. If not, one is generated and stored in `~/.ssh`. The `--public-ip-sku Standard` parameter ensures that the machine is accessible via a public IP address. Finally, we deploy the latest `Ubuntu 22.04` image. + +All other values are configured using environment variables. + +```bash +export MY_VM_NAME="myVM$RANDOM_ID" +export MY_USERNAME=azureuser +export MY_VM_IMAGE="Canonical:0001-com-ubuntu-minimal-jammy:minimal-22_04-lts-gen2:latest" +az vm create \ + --resource-group $MY_RESOURCE_GROUP_NAME \ + --name $MY_VM_NAME \ + --image $MY_VM_IMAGE \ + --admin-username $MY_USERNAME \ + --assign-identity \ + --generate-ssh-keys \ + --public-ip-sku Standard +``` + +It takes a few minutes to create the VM and supporting resources. The following example output shows the VM create operation was successful. 
+ +Results: + +```json +{ + "fqdns": "", + "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myVMResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM", + "location": "eastus", + "macAddress": "00-0D-3A-10-4F-70", + "powerState": "VM running", + "privateIpAddress": "10.0.0.4", + "publicIpAddress": "52.147.208.85", + "resourceGroup": "myVMResourceGroup", + "zones": "" +} +``` + +## Enable Azure AD Login for a Linux virtual machine in Azure + +The following code example deploys a Linux VM and then installs the extension to enable an Azure AD Login for a Linux VM. VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. + +```bash +az vm extension set \ + --publisher Microsoft.Azure.ActiveDirectory \ + --name AADSSHLoginForLinux \ + --resource-group $MY_RESOURCE_GROUP_NAME \ + --vm-name $MY_VM_NAME +``` + +## Store IP address of VM in order to SSH + +Run the following command to store the IP address of the VM as an environment variable: + +```bash +export IP_ADDRESS=$(az vm show --show-details --resource-group $MY_RESOURCE_GROUP_NAME --name $MY_VM_NAME --query publicIps --output tsv) +``` + +## SSH into the VM + + + + + +You can now SSH into the VM by running the output of the following command in your ssh client of choice: + +```bash +ssh -o StrictHostKeyChecking=no $MY_USERNAME@$IP_ADDRESS +``` + +## Next Steps + +* [Learn about virtual machines](../index.yml) +* [Use Cloud-Init to initialize a Linux VM on first boot](tutorial-automate-vm-deployment.md) +* [Create custom VM images](tutorial-custom-images.md) +* [Load Balance VMs](/azure/load-balancer/quickstart-load-balancer-standard-public-cli) From 60c3d7e3a94e0f554a1072ea5dc6fc12a0fc19ee Mon Sep 17 00:00:00 2001 
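Review bot: `ssh -o StrictHostKeyChecking=no $MY_USERNAME@$IP_ADDRESS` in the "SSH into the VM" section turns off host-key verification, so the client accepts whatever key the endpoint presents on first connect and never alerts the reader to a later key change; a quickstart that readers copy verbatim should either drop the option or use `-o StrictHostKeyChecking=accept-new` (OpenSSH 7.6 and later), which records an unknown host once but still refuses a mismatching key. Three documentation points in the same hunk: the "Enable Azure AD Login" paragraph says "The following code example deploys a Linux VM and then installs the extension", but the block only runs `az vm extension set` (the VM was created in the previous section), so the sentence should describe just the extension install; the "Log in to Azure using the CLI" section mentions `az login` without the code block every other step has; and the resource-group paragraph refers to "the previously defined $MY_RESOURCE_GROUP_NAME and $REGION parameters" although both are first defined in that same block. The run of blank lines under "## SSH into the VM" also looks like content that was dropped and should be checked against the source article.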
From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:06:56 -0700 Subject: [PATCH 05/23] Update metadata for all files --- scenarios/metadata.json | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/scenarios/metadata.json b/scenarios/metadata.json index 11f21445e..ac0d92298 100644 --- a/scenarios/metadata.json +++ b/scenarios/metadata.json @@ -53,7 +53,7 @@ } }, { - "status": "inactive", + "status": "active", "key": "azure-docs/articles/mysql/flexible-server/tutorial-deploy-wordpress-on-aks.md", "title": "Tutorial: Deploy WordPress on AKS cluster by using Azure CLI", "description": "Learn how to quickly build and deploy WordPress on AKS with Azure Database for MySQL - Flexible Server.", @@ -465,5 +465,17 @@ "configurations": { "region": "westeurope" } + }, + { + "status": "active", + "key": "azure-compute-docs/articles/virtual-machines/linux/quick-create-cli.md", + "title": "Quickstart: Use the Azure CLI to create a Linux Virtual Machine", + "description": "In this quickstart, you learn how to use the Azure CLI to create a Linux virtual machine", + "stackDetails": "", + "sourceUrl": "https://raw.githubusercontent.com/MicrosoftDocs/executable-docs/main/scenarios/azure-compute-docs/articles/virtual-machines/linux/quick-create-cli.md", + "documentationUrl": "", + "configurations": { + "region": "EastUS" + } } ] \ No newline at end of file From ebce013eb5fb224d3d45772531e5d61161d61294 Mon Sep 17 00:00:00 2001 From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:07:00 -0700 Subject: [PATCH 06/23] Updated localized metadata for cs-CZ From 7320105e6b911ce2434bae88322e02d8b9b4975a Mon Sep 17 00:00:00 2001 From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:07:01 -0700 Subject: [PATCH 07/23] Updated localized metadata for de-DE From 72c1bb398a08aefac9b844e869b62b86963075c4 Mon Sep 17 00:00:00 2001 
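Review bot: the `-      "status": "inactive",` / `+      "status": "active",` flip on the WordPress-on-AKS scenario entry in the first hunk is unrelated to adding the Linux quick-create scenario, and the commit message ("Update metadata for all files") does not explain it; confirm the activation is intended and either call it out in the message or split it into its own commit so the change is auditable.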
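Review bot: the new entry in the second hunk leaves `"stackDetails": ""` and `"documentationUrl": ""` empty while `"sourceUrl"` points at the `main` branch of MicrosoftDocs/executable-docs, where the referenced file only exists once this PR merges; fill in the published documentation URL (or state why it is blank) and confirm consumers tolerate the raw URL resolving to 404 before merge. Also `"region": "EastUS"` differs in casing from the neighbouring `"region": "westeurope"` entry; if any consumer compares regions as strings, normalize to one form. Since the hunk already touches the end of the file, adding the missing trailing newline (`\ No newline at end of file`) would be a cheap cleanup.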
From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:07:03 -0700 Subject: [PATCH 08/23] Updated localized metadata for es-ES From 6090da5c49599d5d6948b848e7db17393a70a61a Mon Sep 17 00:00:00 2001 From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:07:05 -0700 Subject: [PATCH 09/23] Updated localized metadata for fr-FR From c37753eea4bf8216872f0551b47754160376e8d3 Mon Sep 17 00:00:00 2001 From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:07:07 -0700 Subject: [PATCH 10/23] Updated localized metadata for hu-HU From 07d096429b59df4cc5e6c7051ebaffb021024015 Mon Sep 17 00:00:00 2001 From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:07:08 -0700 Subject: [PATCH 11/23] Updated localized metadata for id-ID From 9f030a6eed368ebdf97e8e15f50b54e02699543e Mon Sep 17 00:00:00 2001 From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:07:10 -0700 Subject: [PATCH 12/23] Updated localized metadata for it-IT From d8e50d8d633961ed7608bcebb03cae7ea4cce76b Mon Sep 17 00:00:00 2001 From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:07:12 -0700 Subject: [PATCH 13/23] Updated localized metadata for ja-JP From 0e32ed3ceadc6a5f3edd3f2de15d8e100def289c Mon Sep 17 00:00:00 2001 From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:07:14 -0700 Subject: [PATCH 14/23] Updated localized metadata for ko-KR From 90f50af894cbf1d0826cf2880866d0370b392ba0 Mon Sep 17 00:00:00 2001 From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:07:15 -0700 Subject: [PATCH 15/23] Updated localized metadata for nl-NL From 61896c39921d4346b833bbf00d13677aec4ac92a Mon Sep 17 00:00:00 2001 
From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:07:17 -0700 Subject: [PATCH 16/23] Updated localized metadata for pl-PL From 7b2b1291e144e8fd2f2c46e1fcd1f4478e9a57ea Mon Sep 17 00:00:00 2001 From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:07:19 -0700 Subject: [PATCH 17/23] Updated localized metadata for pt-BR From 93a2242daec94a4b678ec372e4057ef2ef1e7c86 Mon Sep 17 00:00:00 2001 From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:07:20 -0700 Subject: [PATCH 18/23] Updated localized metadata for pt-PT From 6a13a2ba60b3367d4bfce21cf1ba13e4df4e1b35 Mon Sep 17 00:00:00 2001 From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:07:22 -0700 Subject: [PATCH 19/23] Updated localized metadata for ru-RU From 50d9314d4ae87a17aa1f6ed047f3c9f91f262765 Mon Sep 17 00:00:00 2001 From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:07:24 -0700 Subject: [PATCH 20/23] Updated localized metadata for sv-SE From db04cf62f4cd131f58f0368aa7c44cc19d8ae9f1 Mon Sep 17 00:00:00 2001 From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:07:25 -0700 Subject: [PATCH 21/23] Updated localized metadata for tr-TR From 05af0c6bdfa88eb90c897fb03b0f79ecf79a7bcf Mon Sep 17 00:00:00 2001 From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:07:27 -0700 Subject: [PATCH 22/23] Updated localized metadata for zh-CN From 6c661e6a87d08f0314142d3a0c72d86d08fe570e Mon Sep 17 00:00:00 2001 From: naman-msft <146123940+naman-msft@users.noreply.github.com> Date: Fri, 25 Oct 2024 08:07:29 -0700 Subject: [PATCH 23/23] Updated localized metadata for zh-TW