How to configure Azure Disk Encryption on a VM with Keyvault using Private link?

Ramisetty, Pratap 1 Reputation point
2020-11-17T12:39:43.933+00:00

Hi All

We are using Azure Disk encryption on Azure, where encryption keys are stored in KeyVault, we are planning to use Private Link for our Keyvault and has below questions

1)Does ADE supports keyvault with Private Link?
2)Is it possible to deploy ADE on a VM automatically using Azure Policy with Private Link enabled keyvault?

Regards
Pratap

Azure Disk Encryption
Azure Disk Encryption
An Azure service for virtual machines (VMs) that helps address organizational security and compliance requirements by encrypting the VM boot and data disks with keys and policies that are controlled in Azure Key Vault.
174 questions
Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
515 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Sumarigo-MSFT 47,021 Reputation points Microsoft Employee
    2020-11-19T05:39:24.507+00:00

    @Ramisetty, Pratap Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

    1) No
    2) To deploy via policy I would suggest setting up an isolated (non-private-link-service) key vault for disk encryption in the same location and region as the target VM, and if the deployment included other resources using Private Link Service it could do that as well in that separate context.

    Based on my understanding of Private Link Service (https://video2.skills-academy.com/en-us/azure/key-vault/general/private-link-service) it introduces some new network restrictions to key vault access and is not a scenario we include in our daily test automation and validation. Azure Backup and Azure Site Recovery, common features used in conjunction with Azure Disk Encryption, and that also have integration points with a key vault for the ADE scenario, are likely similar.

    As part of Azure Disk Encryption, the host retrieves keys from the key vault and needs to be able to access the key vault endpoint. If the key vault restricts access to a private network or requires outsiders to approve connection requests, that will likely break ADE and partner team solutions.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please don’t forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.