You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/virtual-machines/boot-integrity-monitoring-overview.md
+24-4Lines changed: 24 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,7 +7,7 @@ ms.reviewer: jushiman
7
7
ms.service: virtual-machines
8
8
ms.subservice: trusted-launch
9
9
ms.topic: conceptual
10
-
ms.date: 11/06/2023
10
+
ms.date: 04/10/2024
11
11
ms.custom: template-concept
12
12
---
13
13
@@ -144,7 +144,7 @@ The Microsoft Azure Attestation extensions won't properly work when customers se
144
144
145
145
In Azure, Network Security Groups (NSG) are used to help filter network traffic between Azure resources. NSGs contains security rules that either allow or deny inbound network traffic, or outbound network traffic from several types of Azure resources. For the Microsoft Azure Attestation endpoint, it should be able to communicate with the guest attestation extension. Without this endpoint, Trusted Launch can’t access guest attestation, which allows Microsoft Defender for Cloud to monitor the integrity of the boot sequence of your virtual machines.
146
146
147
-
To unblock traffic using an NSG with service tags, set allow rules for Microsoft Azure Attestation.
147
+
Unblocking Microsoft Azure Attestation traffic in **Network Security Groups** using service tags.
148
148
149
149
1. Navigate to the **virtual machine** that you want to allow outbound traffic.
150
150
1. Under "Networking" in the left-hand sidebar, select the **networking settings** tab.
@@ -153,11 +153,31 @@ To unblock traffic using an NSG with service tags, set allow rules for Microsoft
153
153
1. To allow Microsoft Azure Attestation, make the destination a **service tag**. This allows for the range of IP addresses to update and automatically set allow rules for Microsoft Azure Attestation. The destination service tag is **AzureAttestation** and action is set to **Allow**.
154
154
:::image type="content" source="media/trusted-launch/unblocking-NSG.png" alt-text="Screenshot showing how to make the destination a service tag.":::
155
155
156
+
Firewalls protects a virtual network, which contains multiple Trusted Launch virtual machines. To unblock Microsoft Azure Attestation traffic in **Firewall** using application rule collection.
157
+
158
+
1. Navigate to the Azure Firewall, that has traffic blocked from the Trusted Launch virtual machine resource.
159
+
2. Under settings, select Rules (classic) to begin unblocking guest attestation behind the Firewall.
160
+
3. Select a **network rule collection** and add network rule.
161
+
:::image type="content" source="./media/trusted-launch/firewall-network-rule-collection.png" lightbox="./media/trusted-launch/firewall-network-rule-collection.png" alt-text="Screenshot of the adding application rule":::
162
+
5. The user can configure their name, priority, source type, destination ports based on their needs. The name of the service tag is as follows: **AzureAttestation**, and action needs to be set as **allow**.
163
+
164
+
To unblock Microsoft Azure Attestation traffic in **Firewall** using application rule collection.
165
+
166
+
1. Navigate to the Azure Firewall, that has traffic blocked from the Trusted Launch virtual machine resource.
167
+
:::image type="content" source="./media/trusted-launch/firewall-rule.png" lightbox="./media/trusted-launch/firewall-rule.png" alt-text="Screenshot of the adding traffic for application rule route."::: The rules collection must contain at least one rule, navigate to Target FQDNs (fully qualified domain names).
168
+
2. Select Application Rule collection and add an application rule.
169
+
3. Select a name, a numeric priority for your application rules. The action for rule collection is set to ALLOW. To learn more about the application processing and values, read here.
170
+
:::image type="content" source="./media/trusted-launch/firewall-application-rule.png" lightbox="./media/trusted-launch/firewall-application-rule.png" alt-text="Screenshot of the adding application rule route.":::
171
+
4. Name, source, protocol, are all configurable by the user. Source type for single IP address, select IP group to allow multiple IP address through the firewall.
172
+
173
+
### Regional Shared Providers
174
+
175
+
Azure Attestation provides a [regional shared provider](https://maainfo.azurewebsites.net/) in each available region. Customers can choose to use the regional shared provider for attestation or create their own providers with custom policies. Shared providers can be accessed by any Azure AD user, and the policy associated with it cannot be changed.
176
+
156
177
> [!NOTE]
157
178
> Users can configure their source type, service, destination port ranges, protocol, priority, and name.
158
179
159
-
This service tag is a global endpoint that unblocks Microsoft Azure Attestation traffic in any region.
160
180
161
181
## Next steps
162
182
163
-
Learn more about [trusted launch](trusted-launch.md) and [deploying a trusted virtual machine](trusted-launch-portal.md).
183
+
Learn more about [trusted launch](trusted-launch.md) and [deploying a trusted virtual machine](trusted-launch-portal.md).
0 commit comments