Question

Narayana Babu.K on Wed, 07 Dec 2016 05:47:41


I'm trying to enable disk encryption for Azure VMs using the Azure Disk Encryption feature. I have created a Key Vault and an Azure AD Service Principal and enabled encryption on one of our Azure VMs, which worked as expected before we configured the NSG to block inbound and outbound Internet connectivity.

But after we configured the NSG to block all inbound and outbound traffic to the Internet, the encryption failed. When I checked the link below, it suggests enabling outbound connectivity to the Azure AD, Key Vault and Storage endpoints. So I need your help on how to configure this in our NSG.

https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption

For the Azure Disk Encryption feature, the IaaS VMs must meet the following network endpoint configuration requirements:

  • The IaaS VM must be able to connect to Azure Active Directory endpoint [Login.windows.net] to get a token to connect to Azure key vault
  • The IaaS VM must be able to connect to the Azure Key Vault endpoint to write the encryption keys to the customer key vault
  • The IaaS VM must be able to connect to Azure storage endpoint which hosts the Azure extension repository and Azure storage account which hosts the VHD files

Thanks and Regards, Narayana Babu






Replies

_Pete_475 on Wed, 21 Dec 2016 13:07:22


Hi, you'll need outbound connectivity to your Azure region's data center addresses for this. The problem is there are over 200 hundred address ranges in some regions.

I used a modified version of the script published here to configure the outbound rules: https://blogs.technet.microsoft.com/keithmayer/2016/01/12/step-by-step-automate-building-outbound-network-security-groups-rules-via-azure-resource-manager-arm-and-powershell/ 

Depending on the region you may need to ask Microsoft to increase your NSG rule limit to 500.
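The approach the reply describes, as an added example that is not from this thread or from the linked blog script: build one outbound allow rule per address range of the VM's own region (where the Azure AD, Key Vault and Storage endpoints the question lists are reached), then deny all other Internet egress. It assumes the Az PowerShell module with a connected session, placeholder NSG and resource group names, and an XML layout mirroring Microsoft's published datacenter IP range file; the two ranges inside are constructed sample values.

```powershell
# Added example (not the thread's or the linked blog's code). Assumes the Az module,
# Connect-AzAccount already run, and placeholder resource names below.
# The XML mirrors the layout of Microsoft's "Azure Datacenter IP ranges" download;
# the two subnets are CONSTRUCTED sample values, not real Azure prefixes.
[xml]$ranges = @"
<AzurePublicIpAddresses>
  <Region Name="europewest">
    <IpRange Subnet="203.0.113.0/24" />
    <IpRange Subnet="198.51.100.0/25" />
  </Region>
</AzurePublicIpAddresses>
"@

$region        = 'europewest'        # assumption: the region the VM runs in
$nsgName       = 'vm-nsg'            # assumption: placeholder NSG name
$resourceGroup = 'rg-encrypted-vms'  # assumption: placeholder resource group
$maxRules      = 200                 # NSG rule limit at the time; the reply says it can be raised to 500

$subnets = @($ranges.AzurePublicIpAddresses.Region |
    Where-Object { $_.Name -eq $region } |
    ForEach-Object { $_.IpRange.Subnet })

# One allow rule per range plus the final deny rule must fit within the NSG rule limit.
if ($subnets.Count + 1 -gt $maxRules) {
    throw "Region '$region' needs $($subnets.Count + 1) rules; request a higher NSG rule limit first."
}

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup

# Allow HTTPS to each datacenter range (Azure AD, Key Vault and Storage are all reached over 443).
$priority = 100
foreach ($subnet in $subnets) {
    $nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
        -Name "Allow-$region-$priority" -Description "Azure $region range $subnet" `
        -Access Allow -Protocol Tcp -Direction Outbound -Priority $priority `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix $subnet -DestinationPortRange 443
    $priority++
}

# Lower-priority rule: block everything else bound for the Internet. VirtualNetwork
# traffic is still permitted by the default AllowVnetOutBound rule at priority 65000.
$nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
    -Name 'Deny-Internet-Outbound' -Access Deny -Protocol '*' -Direction Outbound -Priority 4000 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix 'Internet' -DestinationPortRange '*'

Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
```

The allow rules must carry lower priority numbers than the deny rule, otherwise the deny wins and encryption fails exactly as in the question. Re-run the script whenever Microsoft publishes a new range file, since stale rules silently break the Key Vault and Storage calls.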