MicrosoftDocs
diff --git a/‎articles/container-instances/TOC.yml
Lines changed: 4 additions & 0 deletions b/‎articles/container-instances/TOC.yml
Lines changed: 4 additions & 0 deletions
diff --git a/‎articles/container-instances/container-instances-dedicated-hosts.md
Lines changed: 121 additions & 0 deletions b/‎articles/container-instances/container-instances-dedicated-hosts.md
Lines changed: 121 additions & 0 deletions
diff --git a/‎articles/container-instances/container-instances-encrypt-data.md
Lines changed: 135 additions & 0 deletions b/‎articles/container-instances/container-instances-encrypt-data.md
Lines changed: 135 additions & 0 deletions
diff --git a/‎articles/container-instances/media/container-instances-encrypt-data/access-policy.png
16 KB b/‎articles/container-instances/media/container-instances-encrypt-data/access-policy.png
16 KB
diff --git a/‎articles/container-instances/media/container-instances-encrypt-data/generate-key.png
36.1 KB b/‎articles/container-instances/media/container-instances-encrypt-data/generate-key.png
36.1 KB
diff --git a/‎articles/container-instances/media/container-instances-encrypt-data/set-key-permissions.png
41 KB b/‎articles/container-instances/media/container-instances-encrypt-data/set-key-permissions.png
41 KB
diff --git a/‎includes/container-instances-limits.md
Lines changed: 2 additions & 1 deletion b/‎includes/container-instances-limits.md
Lines changed: 2 additions & 1 deletion
@@ -59,6 +59,10 @@
       href: container-instances-vnet.md
     - name: Deploy from Azure Container Registry
       href: container-instances-using-azure-container-registry.md
+    - name: Encrypt deployment data
+      href: container-instances-encrypt-data.md
+    - name: Deploy on dedicated hosts
+      href: container-instances-dedicated-hosts.md
   - name: Container scenarios
     items:
     - name: Set restart policy for run-once tasks
 
@@ -0,0 +1,121 @@
+---
+title: Deploy on dedicated hosts 
+description: Use dedicated hosts to achieve true host level isolation for your workloads
+ms.topic: article
+ms.date: 01/10/2020
+ms.author: danlep
+---
+
+# Deploy on dedicated hosts
+
+"Dedicated" is an Azure Container Instances (ACI) sku that provides an isolated and dedicated compute environment for securely running containers. Using the dedicated sku results in each container group having a dedicated physical server in an Azure datacenter, ensuring full workload isolation to help meet your organization's security and compliance requirements. 
+
+The dedicated sku is appropriate for container workloads that require workload isolation from a physical server perspective.
+
+## Using the dedicated sku
+
+> [!IMPORTANT]
+> Using the dedicated sku is only available in the latest API version (2019-12-01) that is currently rolling out. Specify this API version in your deployment template. Additionally, the default limit for any subscription to use the dedicated sku is 0. If you would like to use this sku for your production container deployments, please create an [Azure Support request][azure-support]
+
+Starting with API version 2019-12-01, there is a "sku" property under the container group properties section of a deployment template,  which is required for an ACI deployment. Currently, you can use this property as part of an Azure Resource Manager deployment template for ACI. You can learn more about deploying ACI resources with a template in the [Tutorial: Deploy a multi-container group using a Resource Manager template](https://docs.microsoft.com/azure/container-instances/container-instances-multi-container-group). 
+
+The sku property can have one of the following values:
+* Standard - the standard ACI deployment choice, which still guarantees hypervisor-level security 
+* Dedicated - used for workload level isolation with dedicated physical hosts for the container group
+
+## Modify your JSON deployment template
+
+In your deployment template, where the container group resource is specified, ensure that the `"apiVersion": "2019-12-01",`. In the properties section of the container group resource, set `"sku": "Dedicated",`.
+
+Here is an example snippet for the resources section of a container group deployment template that uses the dedicated sku:
+
+```json
+{
+    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+      "containerGroupName": {
+        "type": "string",
+        "defaultValue": "myContainerGroup",
+        "metadata": {
+          "description": "Container Group name."
+        }
+      }
+    },
+    "resources": [
+        {
+            "name": "[parameters('containerGroupName')]",
+            "type": "Microsoft.ContainerInstance/containerGroups",
+            "apiVersion": "2019-12-01",
+            "location": "[resourceGroup().location]",
+            "properties": {
+                "sku": "Dedicated",
+                "containers": [
+                    {
+                        "name": "container1",
+                        "properties": {
+                            "image": "nginx",
+                            "command": [
+                                "/bin/sh",
+                                "-c",
+                                "while true; do echo `date`; sleep 1000000; done"
+                            ],
+                            "ports": [
+                                {
+                                    "protocol": "TCP",
+                                    "port": 80
+                                }
+                            ],
+                            "environmentVariables": [],
+                            "resources": {
+                                "requests": {
+                                    "memoryInGB": 1.0,
+                                    "cpu": 1
+                                }
+                            }
+                        }
+                    }
+                ],
+                "restartPolicy": "Always",
+                "ipAddress": {
+                    "ports": [
+                        {
+                            "protocol": "TCP",
+                            "port": 80
+                        }
+                    ],
+                    "type": "Public"
+                },
+                "osType": "Linux",
+            },
+            "location": "eastus2euap",
+            "tags": {}
+        }
+    ]
+}
+```
+
+## Deploy your container group
+
+If you created and edited the deployment template file on your desktop, you can upload it to your Cloud Shell directory by dragging the file into it. 
+
+Create a resource group with the [az group create][az-group-create] command.
+
+```azurecli-interactive
+az group create --name myResourceGroup --location eastus
+```
+
+Deploy the template with the [az group deployment create][az-group-deployment-create] command.
+
+```azurecli-interactive
+az group deployment create --resource-group myResourceGroup --template-file deployment-template.json
+```
+
+Within a few seconds, you should receive an initial response from Azure. Once the deployment completes, all data related to it persisted by the ACI service will be encrypted with the key you provided.
+
+<!-- LINKS - Internal -->
+[az-group-create]: /cli/azure/group#az-group-create
+[az-group-deployment-create]: /cli/azure/group/deployment#az-group-deployment-create
+
+<!-- LINKS - External -->
+[azure-support]: https://ms.portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest
@@ -0,0 +1,135 @@
+---
+title: Encrypt deployment data
+description: Learn about encryption of data persisted for your container instance resources and how to encrypt the data with a customer-managed key
+ms.topic: article
+ms.date: 01/10/2020
+ms.author: danlep
+---
+
+# Encrypt deployment data
+
+When running Azure Container Instances (ACI) resources in the cloud, the ACI service collects and persists data related to your containers. ACI automatically encrypts this data when it is persisted in the cloud. This encryption protects your data to help meet your organization's security and compliance commitments. ACI also gives you the option to encrypt this data with your own key, giving you greater control over the data related to your ACI deployments.
+
+## About ACI data encryption 
+
+Data in ACI is encrypted and decrypted using 256-bit AES encryption. It is enabled for all ACI deployments, and you don't need to modify your deployment or containers to take advantage of this encryption. This includes metadata about the deployment, environment variables, keys being passed into your containers, and logs persisted after your containers are stopped so you can still see them. Encryption does not affect your container group performance, and there is no additional cost for encryption.
+
+## Encryption key management
+
+You can rely on Microsoft-managed keys for the encryption of your container data, or you can manage the encryption with your own keys. The following table compares these options: 
+
+|    |    Microsoft-managed keys     |     Customer-managed keys     |
+|----|----|----|
+|    Encryption/decryption operations    |    Azure    |    Azure    |
+|    Key storage    |    Microsoft key store    |    Azure Key Vault    |
+|    Key rotation responsibility    |    Microsoft    |    Customer    |
+|    Key access    |    Microsoft only    |    Microsoft, Customer    |
+
+The rest of the document covers the steps required to encrypt your ACI deployment data with your key (customer-managed key). 
+
+[!INCLUDE [cloud-shell-try-it.md](../../includes/cloud-shell-try-it.md)]
+
+## Encrypt data with a customer-managed key
+
+### Create Service Principal for ACI
+
+The first step is to ensure that your [Azure tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant) has a service principal assigned for granting permissions to the Azure Container Instances service. 
+
+The following CLI command will set up the ACI SP in your Azure environment:
+
+```azurecli-interactive
+az ad sp create --id 6bb8e274-af5d-4df2-98a3-4fd78b4cafd9
+```
+
+The output from running this command should show you a service principal that has been set up with "displayName": "Azure Container Instance Service."
+
+### Create a Key Vault resource
+
+Create an Azure Key Vault using [Azure portal](https://docs.microsoft.com/azure/key-vault/quick-create-portal#create-a-vault), [CLI](https://docs.microsoft.com/azure/key-vault/quick-create-cli), or [PowerShell](https://docs.microsoft.com/azure/key-vault/quick-create-powershell). 
+
+For the properties of your key vault, use the following guidelines: 
+* Name: A unique name is required. 
+* Subscription: Choose a subscription.
+* Under Resource Group, either choose an existing resource group, or create new and enter a resource group name.
+* In the Location pull-down menu, choose a location.
+* You can leave the other options to their defaults or pick based on additional requirements.
+
+> [!IMPORTANT]
+> When using customer-managed keys to encrypt an ACI deployment template, it is recommended that the following two properties be set on the key vault, Soft Delete and Do Not Purge. These properties are not enabled by default, but can be enabled using either PowerShell or Azure CLI on a new or existing key vault.
+
+### Generate a new key 
+
+Once your key vault is created, navigate to the resource in Azure portal. On the left navigation menu of the resource blade, under Settings, click **Keys**. On the view for "Keys," click "Generate/Import" to generate a new key. Use any unique Name for this key, and any other preferences based on your requirements. 
+
+![Generate a new key](./media/container-instances-encrypt-data/generate-key.png)
+
+### Set access policy
+
+Create a new access policy for allowing the ACI service to access your Key.
+
+* Once your key has been generated, back in your key vault resource blade, under Settings, click **Access Policies**.
+* On the "Access Policies" page for your key vault, click **Add Access Policy**.
+* Set the *Key Permissions* to include **Get** and **Unwrap Key**
+    ![Set key permissions](./media/container-instances-encrypt-data/set-key-permissions.png)
+* For *Select Principal*, select **Azure Container Instance Service**
+* Click **Add** at the bottom 
+
+The access policy should now show up in your key vault's access policies.
+
+![New access policy](./media/container-instances-encrypt-data/access-policy.png)
+
+### Modify your JSON deployment template
+
+> [!IMPORTANT]
+> Encrypting deployment data with a customer-managed key is available in the latest API version (2019-12-01) that is currently rolling out. Specify this API version in your deployment template. If you have any issues with this, please reach out to Azure Support.
+
+Once the key vault key and access policy are set up, add the following property to your ACI deployment template. You can learn more about deploying ACI resources with a template in the [Tutorial: Deploy a multi-container group using a Resource Manager template](https://docs.microsoft.com/azure/container-instances/container-instances-multi-container-group). 
+
+Specifically, under the container group properties section of the deployment template, add an "encryptionProperties", which contains the following values:
+* vaultBaseUrl: the DNS Name of your key vault, can be found  on the overview blade of the key vault resource in Portal
+* keyName: the name of the key generated earlier
+* keyVersion: the current version of the key. This can be found by clicking into the key itself (under "Keys" in the Settings section of your key vault resource)
+
+
+```json
+"resources": [
+    {
+        "name": "[parameters('containerGroupName')]",
+        "type": "Microsoft.ContainerInstance/containerGroups",
+        "apiVersion": "2019-12-01",
+        "location": "[resourceGroup().location]",    
+        "properties": {
+            "encryptionProperties": {
+                "vaultBaseUrl": "https://example.vault.azure.net",
+                "keyName": "acikey",
+                "keyVersion": "xxxxxxxxxxxxxxxx"
+            },
+            "containers": {
+                [...]
+            }
+        }
+    }
+]
+```
+
+### Deploy your resources
+
+If you created and edited the template file on your desktop, you can upload it to your Cloud Shell directory by dragging the file into it. 
+
+Create a resource group with the [az group create][az-group-create] command.
+
+```azurecli-interactive
+az group create --name myResourceGroup --location eastus
+```
+
+Deploy the template with the [az group deployment create][az-group-deployment-create] command.
+
+```azurecli-interactive
+az group deployment create --resource-group myResourceGroup --template-file deployment-template.json
+```
+
+Within a few seconds, you should receive an initial response from Azure. Once the deployment completes, all data related to it persisted by the ACI service will be encrypted with the key you provided.
+
+<!-- LINKS - Internal -->
+[az-group-create]: /cli/azure/group#az-group-create
+[az-group-deployment-create]: /cli/azure/group/deployment#az-group-deployment-create
@@ -7,7 +7,8 @@ ms.author: danlep
 ---
 | Resource | Default limit |
 | --- | :--- |
-| Container groups per region per [subscription](../articles/billing-buy-sign-up-azure-subscription.md) | 100<sup>1</sup> |
+| Standard sku container groups per region per [subscription](../articles/billing-buy-sign-up-azure-subscription.md) | 100<sup>1</sup> |
+| Dedicated sku container groups per region per [subscription](../articles/billing-buy-sign-up-azure-subscription.md) | 0<sup>1</sup> |
 | Number of containers per container group | 60 |
 | Number of volumes per container group | 20 |
 | Ports per IP | 5 |