Merge pull request #226186 from lakmeedee/patch-589

PMEds28 · web-flow · commit 321a88840d83 · 2023-05-17T08:22:45.000+01:00
Update trusted-launch-portal.md
diff --git a/articles/virtual-machines/trusted-launch-portal.md b/articles/virtual-machines/trusted-launch-portal.md
@@ -157,9 +157,23 @@ You can deploy trusted launch VMs using a quickstart template:
 
 ---
 
-## Deploy a trusted launch VM from an Azure Compute Gallery image
+## Deploy a Trusted launch VM from an Azure Compute Gallery image
 
-### [Portal](#tab/portal2)
+[Azure trusted launch virtual machines](trusted-launch.md) supports the creation and sharing of custom images using Azure Compute Gallery. There are two types of images that you can create, based on the security types of the image:
+
+- [Trusted launch VM (`TrustedLaunch`) images](#trusted-launch-vm-images) are images where the source usually has [VM Guest state information](trusted-launch.md#what-is-vm-guest-state-vmgs) and can be used to create only Azure Trusted launch VMs.
+- [Trusted launch VM Supported (`TrustedLaunchSupported`) images](#trusted-launch-vm-supported-images) are images where the source doesn't have VM Guest state information and can be used to create either Azure Gen2 VMs or Azure Trusted launch VMs.
+
+### Trusted launch VM Images
+
+For the following image sources, the security type on the image definition should be set to `TrustedLaunch` as the image source already has [VM Guest state information](trusted-launch.md#what-is-vm-guest-state-vmgs):
+- Trusted launch VM capture
+- Managed OS disk 
+- Managed OS disk snapshot
+
+The resulting image version can be used only to create Azure Trusted launch VMs.
+
+#### [Portal](#tab/portal2)
 
 1. Sign in to the Azure [portal](https://portal.azure.com).
 2. To create an Azure Compute Gallery Image from a VM, open an existing Trusted launch VM and select **Capture**.
@@ -177,7 +191,8 @@ You can deploy trusted launch VMs using a quickstart template:
 14. The image and the security type are already populated based on the selected image version. The **Secure Boot** and **vTPM** checkboxes are enabled by default.
 15. Fill in the **Administrator account** information and then **Inbound port rules**.
 16. At the bottom of the page, select **Review + Create**
-17. On the **Create a virtual machine** page, you can see the details about the VM you are about to deploy. Once validation shows as passed, select **Create**.
+1. On the validation page, review the details of the VM.
+1. After the validation succeeds, select **Create** to finish creating the VM.
 
 In case you want to use either a managed disk or a managed disk snapshot as a source of the image version (instead of a trusted launch VM), then use the following steps
 
@@ -193,10 +208,10 @@ In case you want to use either a managed disk or a managed disk snapshot as a so
 10.	The **Encryption** tab can also be used to provide SSE encryption related information, if required.
 11.	Select **Create** in the **Review + create** tab to create the image
 12.	Once the image version is successfully created, select the **+ Create VM** to land on the Create a virtual machine page.
-13.	Please follow steps 12 to 17 as mentioned earlier to create a trusted launch VM using this image version
+13.	Follow steps 12 to 18 as mentioned earlier to create a trusted launch VM using this image version
 
 
-### [CLI](#tab/cli2)
+#### [CLI](#tab/cli2)
 
 Make sure you are running the latest version of Azure CLI 
 
@@ -228,21 +243,22 @@ az sig image-version create --resource-group MyResourceGroup \
 
 In case a managed disk or a managed disk snapshot needs to be used as the image source for the image version, replace the --managed-image in the above command with --os-snapshot and provide the disk or the snapshot resource name
 
-Create a Trusted Launch VM from the above image version
+Create a Trusted launch VM from the above image version
 
 ```azurecli-interactive
 adminUsername=linuxvm
 az vm create --resource-group MyResourceGroup \
     --name myTrustedLaunchVM \
     --image "/subscriptions/00000000-0000-0000-0000-00000000xxxx/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/galleries/MyGallery/images/MyImageDef" \
+    --size Standard_D2s_v5 \
     --security-type TrustedLaunch \
     --enable-secure-boot true \ 
     --enable-vtpm true \
     --admin-username $adminUsername \
     --generate-ssh-keys
 ```
 
-### [PowerShell](#tab/powershell2)
+#### [PowerShell](#tab/powershell2)
 
 Create an image definition with `TrustedLaunch` security type
 
@@ -271,15 +287,203 @@ $galleryImageVersionName = "1.0.0"
 $sourceImageId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myVMRG/providers/Microsoft.Compute/virtualMachines/myVM"
 New-AzGalleryImageVersion -ResourceGroupName $rgName -GalleryName $galleryName -GalleryImageDefinitionName $galleryImageDefinitionName -Name $galleryImageVersionName -Location $location -SourceImageId $sourceImageId
 ```
-Create a Trusted Launch VM from the above image version
+Create a Trusted launch VM from the above image version
+
+```azurepowershell-interactive
+$rgName = "MyResourceGroup"
+$galleryName = "MyGallery"
+$galleryImageDefinitionName = "MyImageDef"
+$location = "eastus"
+$vmName = "myVMfromImage"
+$vmSize = "Standard_D2s_v5"
+$imageDefinition = Get-AzGalleryImageDefinition `
+   -GalleryName $galleryName `
+   -ResourceGroupName $rgName `
+   -Name $galleryImageDefinitionName
+$cred = Get-Credential `
+   -Message "Enter a username and password for the virtual machine"
+# Network pieces
+$subnetConfig = New-AzVirtualNetworkSubnetConfig `
+   -Name mySubnet `
+   -AddressPrefix 192.168.1.0/24
+$vnet = New-AzVirtualNetwork `
+   -ResourceGroupName $rgName `
+   -Location $location `
+   -Name MYvNET `
+   -AddressPrefix 192.168.0.0/16 `
+   -Subnet $subnetConfig
+$pip = New-AzPublicIpAddress `
+   -ResourceGroupName $rgName `
+   -Location $location `
+  -Name "mypublicdns$(Get-Random)" `
+  -AllocationMethod Static `
+  -IdleTimeoutInMinutes 4
+$nsgRuleRDP = New-AzNetworkSecurityRuleConfig `
+   -Name myNetworkSecurityGroupRuleRDP  `
+   -Protocol Tcp `
+  -Direction Inbound `
+   -Priority 1000 `
+   -SourceAddressPrefix * `
+   -SourcePortRange * `
+   -DestinationAddressPrefix * `
+   -DestinationPortRange 3389 `
+   -Access Deny
+$nsg = New-AzNetworkSecurityGroup `
+   -ResourceGroupName $rgName `
+   -Location $location `
+  -Name myNetworkSecurityGroup `
+  -SecurityRules $nsgRuleRDP
+$nic = New-AzNetworkInterface `
+   -Name myNic `
+   -ResourceGroupName $rgName `
+   -Location $location `
+  -SubnetId $vnet.Subnets[0].Id `
+  -PublicIpAddressId $pip.Id `
+  -NetworkSecurityGroupId $nsg.Id
+$vm = New-AzVMConfig -vmName $vmName -vmSize $vmSize | `
+      Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred | `
+      Set-AzVMSourceImage -Id $imageDefinition.Id | `
+      Add-AzVMNetworkInterface -Id $nic.Id
+$vm = Set-AzVMSecurityProfile -SecurityType "TrustedLaunch" -VM $vm
+$vm = Set-AzVmUefi -VM $vm `
+   -EnableVtpm $true `
+   -EnableSecureBoot $true 
+New-AzVM `
+   -ResourceGroupName $rgName `
+   -Location $location `
+   -VM $vm
+```
+---
+
+### Trusted launch VM Supported Images
+
+For the following image sources, the security type on the image definition should be set to `TrustedLaunchsupported` as the image source does not have VM Guest state information:
+- Gen2 OS Disk VHD
+- Gen2 Managed Image
+- Gen2 Gallery Image Version
+
+The resulting image version can be used to create either Azure Gen2 VMs or Trusted launch VMs.
+
+These images can be shared with specific subscriptions or tenants through [Azure Compute Gallery - Direct Shared Gallery](../virtual-machines/azure-compute-gallery.md#shared-directly-to-a-tenant-or-subscription) and with all Azure users using [Azure Compute Gallery - Community Gallery](../virtual-machines/azure-compute-gallery.md#community-gallery)
+
+> [!NOTE]
+> The OS disk VHD, Managed Image or Gallery Image Version should be created from a [Gen2 image that is compatible with Trusted launch VMs](trusted-launch.md#limitations). 
+
+#### [Portal](#tab/portal3)
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Search for and select **VM image versions** in the search bar
+1. On the **VM image versions** page, select **Create**.
+1. On the **Create VM image version** page, on the **Basics** tab:
+    1. Select the Azure subscription.
+    1. Select an existing resource group or create a new resource group.
+    1. Select the Azure region.
+    1. Enter an image version number.
+    1. For **Source**, select either **Storage Blobs (VHD)** or **Managed Image** or another **VM Image Version**
+    1. If you selected **Storage Blobs (VHD)**, enter an OS disk VHD (without the VM Guest state). Make sure to use a Gen 2 VHD.
+    1. If you selected **Managed Image**, select an existing managed image of a Gen 2 VM.
+    1. If you selected **VM Image Version**, select an existing Gallery Image Version of a Gen2 VM.
+    1. For **Target Azure compute gallery**, select or create a gallery to share the image.
+    1. For **Operating system state**, select either **Generalized** or **Specialized** depending on your use case. If you're using a managed image as the source, always select **Generalized**. If you're using a storage blob (VHD) and want to select **Generalized**, follow the steps to [generalize a Linux VHD](../virtual-machines/linux/create-upload-generic.md) or [generalize a Windows VHD](../virtual-machines/windows/upload-generalized-managed.md) before you continue. If you're using an existing VM Image Version, select either **Generalized** or **Specialized** based on what is used in the source VM image definition.
+    1. For **Target VM Image Definition**, select **Create new**.
+    1. In the **Create a VM image definition** pane, enter a name for the definition. Make sure the security type is set to **Trustedlaunch Supported**. Enter publisher, offer, and SKU information. Then, select **Ok**.
+1. On the **Replication** tab, enter the replica count and target regions for image replication, if required.
+1. On the **Encryption** tab, enter SSE encryption-related information, if required.
+1. Select **Review + Create**.
+1. After the configuration is successfully validated, select **Create** to finish creating the image.
+1. After the image version is created, select **Create VM**.
+12. In the Create a virtual machine page, under **Resource group**, select **Create new** and type a name for your resource group or select an existing resource group from the dropdown.
+13. Under **Instance details**, type a name for the virtual machine name and choose a region that supports [trusted launch](trusted-launch.md#limitations).
+14. Select **Trusted launch virtual machines** as the security type. The **Secure Boot** and **vTPM** checkboxes are enabled by default.
+15. Fill in the **Administrator account** information and then **Inbound port rules**.
+1. On the validation page, review the details of the VM.
+1. After the validation succeeds, select **Create** to finish creating the VM.
+
+
+#### [CLI](#tab/cli3)
+
+Make sure you are running the latest version of Azure CLI 
+
+Sign in to Azure using `az login`.  
+
+```azurecli-interactive
+az login 
+```
+
+Create an image definition with `TrustedLaunchSupported` security type 
+
+```azurecli-interactive
+az sig image-definition create --resource-group MyResourceGroup --location eastus \ 
+--gallery-name MyGallery --gallery-image-definition MyImageDef \ 
+--publisher TrustedLaunchPublisher --offer TrustedLaunchOffer --sku TrustedLaunchSku \ 
+--os-type Linux --os-state Generalized \ 
+--hyper-v-generation V2 \ 
+--features SecurityType=TrustedLaunchSupported
+```
+
+Use an OS disk VHD to create an image version. Ensure that the Linux VHD was generalized before uploading to an Azure storage account blob using steps outlined [here](../virtual-machines/linux/create-upload-generic.md)
+
+```azurecli-interactive
+az sig image-version create --resource-group MyResourceGroup \
+--gallery-name MyGallery --gallery-image-definition MyImageDef \
+--gallery-image-version 1.0.0 \
+--os-vhd-storage-account /subscriptions/00000000-0000-0000-0000-00000000xxxx/resourceGroups/imageGroups/providers/Microsoft.Storage/storageAccounts/mystorageaccount \
+--os-vhd-uri https://mystorageaccount.blob.core.windows.net/container/path_to_vhd_file
+```
+
+Create a Trusted launch VM from the above image version
+
+```azurecli-interactive
+adminUsername=linuxvm
+az vm create --resource-group MyResourceGroup \
+    --name myTrustedLaunchVM \
+    --image "/subscriptions/00000000-0000-0000-0000-00000000xxxx/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/galleries/MyGallery/images/MyImageDef" \
+    --size Standard_D2s_v5 \
+    --security-type TrustedLaunch \
+    --enable-secure-boot true \ 
+    --enable-vtpm true \
+    --admin-username $adminUsername \
+    --generate-ssh-keys
+```
+
+#### [PowerShell](#tab/powershell3)
+
+Create an image definition with `TrustedLaunch` security type
+
+```azurepowershell-interactive
+$rgName = "MyResourceGroup"
+$galleryName = "MyGallery"
+$galleryImageDefinitionName = "MyImageDef"
+$location = "eastus"
+$publisherName = "TrustedlaunchPublisher"
+$offerName = "TrustedlaunchOffer"
+$skuName = "TrustedlaunchSku"
+$description = "My gallery"
+$SecurityType = @{Name='SecurityType';Value='TrustedLaunchSupported'}
+$features = @($SecurityType)
+New-AzGalleryImageDefinition -ResourceGroupName $rgName -GalleryName $galleryName -Name $galleryImageDefinitionName -Location $location -Publisher $publisherName -Offer $offerName -Sku $skuName -HyperVGeneration "V2" -OsState "Generalized" -OsType "Windows" -Description $description -Feature $features
+```
+
+To create an image version, we can use an existing Gen2 Gallery Image Version which was generalized during creation.
+
+```azurepowershell-interactive
+$rgName = "MyResourceGroup"
+$galleryName = "MyGallery"
+$galleryImageDefinitionName = "MyImageDef"
+$location = "eastus"
+$galleryImageVersionName = "1.0.0"
+$sourceImageId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myVMRG/providers/Microsoft.Compute/galleries/MyGallery/images/Gen2VMImageDef/versions/0.0.1"
+New-AzGalleryImageVersion -ResourceGroupName $rgName -GalleryName $galleryName -GalleryImageDefinitionName $galleryImageDefinitionName -Name $galleryImageVersionName -Location $location -SourceImageId $sourceImageId
+```
+Create a Trusted launch VM from the above image version
 
 ```azurepowershell-interactive
 $rgName = "MyResourceGroup"
 $galleryName = "MyGallery"
 $galleryImageDefinitionName = "MyImageDef"
 $location = "eastus"
 $vmName = "myVMfromImage"
-$vmSize = "Standard_D2s_v3"
+$vmSize = "Standard_D2s_v5"
 $imageDefinition = Get-AzGalleryImageDefinition `
    -GalleryName $galleryName `
    -ResourceGroupName $rgName `
@@ -338,6 +542,7 @@ New-AzVM `
    -VM $vm
 ```
 ---
+
 ## Verify or update your settings
 
 For VMs created with trusted launch enabled, you can view the trusted launch configuration by visiting the **Overview** page for the VM in the portal. The **Properties** tab will show the status of Trusted Launch features:
