Merge pull request #101591 from dlepow/acifix2

[ACI] Encrypt and dedicated host updates

Author: Kellylorenebaker

articles/container-instances/container-instances-dedicated-hosts.md

@@ -1,9 +1,10 @@
 ---
-title: Deploy on dedicated hosts 
-description: Use dedicated hosts to achieve true host level isolation for your workloads
+title: Deploy on dedicated host 
+description: Use a dedicated host to achieve true host-level isolation for your Azure Container Instances workloads
 ms.topic: article
-ms.date: 01/10/2020
-ms.author: danlep
+ms.date: 01/17/2020
+author: dkkapur
+ms.author: dekapur
 ---
 
 # Deploy on dedicated hosts
@@ -12,23 +13,50 @@ ms.author: danlep
 
 The dedicated sku is appropriate for container workloads that require workload isolation from a physical server perspective.
 
-## Using the dedicated sku
+## Prerequisites
+
+* The default limit for any subscription to use the dedicated sku is 0. If you would like to use this sku for your production container deployments, create an [Azure Support request][azure-support] to increase the limit.
+
+## Use the dedicated sku
 
 > [!IMPORTANT]
-> Using the dedicated sku is only available in the latest API version (2019-12-01) that is currently rolling out. Specify this API version in your deployment template. Additionally, the default limit for any subscription to use the dedicated sku is 0. If you would like to use this sku for your production container deployments, please create an [Azure Support request][azure-support]
+> Using the dedicated sku is only available in the latest API version (2019-12-01) that is currently rolling out. Specify this API version in your deployment template.
+>
 
-Starting with API version 2019-12-01, there is a "sku" property under the container group properties section of a deployment template,  which is required for an ACI deployment. Currently, you can use this property as part of an Azure Resource Manager deployment template for ACI. You can learn more about deploying ACI resources with a template in the [Tutorial: Deploy a multi-container group using a Resource Manager template](https://docs.microsoft.com/azure/container-instances/container-instances-multi-container-group). 
+Starting with API version 2019-12-01, there is a `sku` property under the container group properties section of a deployment template, which is required for an ACI deployment. Currently, you can use this property as part of an Azure Resource Manager deployment template for ACI. Learn more about deploying ACI resources with a template in the [Tutorial: Deploy a multi-container group using a Resource Manager template](https://docs.microsoft.com/azure/container-instances/container-instances-multi-container-group). 
 
-The sku property can have one of the following values:
-* Standard - the standard ACI deployment choice, which still guarantees hypervisor-level security 
-* Dedicated - used for workload level isolation with dedicated physical hosts for the container group
+The `sku` property can have one of the following values:
+* `Standard` - the standard ACI deployment choice, which still guarantees hypervisor-level security 
+* `Dedicated` - used for workload level isolation with dedicated physical hosts for the container group
 
 ## Modify your JSON deployment template
 
-In your deployment template, where the container group resource is specified, ensure that the `"apiVersion": "2019-12-01",`. In the properties section of the container group resource, set `"sku": "Dedicated",`.
+In your deployment template, modify or add the following properties:
+* Under `resources`, set `apiVersion` to `2012-12-01`.
+* Under the container group properties, add a `sku` property with value `Dedicated`.
 
 Here is an example snippet for the resources section of a container group deployment template that uses the dedicated sku:
 
+```json
+[...]
+"resources": [
+    {
+        "name": "[parameters('containerGroupName')]",
+        "type": "Microsoft.ContainerInstance/containerGroups",
+        "apiVersion": "2019-12-01",
+        "location": "[resourceGroup().location]",    
+        "properties": {
+            "sku": "Dedicated",
+            "containers": {
+                [...]
+            }
+        }
+    }
+]
+```
+
+Following is a complete template that deploys a sample container group running a single container instance:
+
 ```json
 {
     "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
@@ -86,9 +114,8 @@ Here is an example snippet for the resources section of a container group deploy
                     ],
                     "type": "Public"
                 },
-                "osType": "Linux",
+                "osType": "Linux"
             },
-            "location": "eastus2euap",
             "tags": {}
         }
     ]
@@ -111,7 +138,7 @@ Deploy the template with the [az group deployment create][az-group-deployment-cr
 az group deployment create --resource-group myResourceGroup --template-file deployment-template.json
 ```
 
-Within a few seconds, you should receive an initial response from Azure. Once the deployment completes, all data related to it persisted by the ACI service will be encrypted with the key you provided.
+Within a few seconds, you should receive an initial response from Azure. A successful deployment takes place on a dedicated host.
 
 <!-- LINKS - Internal -->
 [az-group-create]: /cli/azure/group#az-group-create

articles/container-instances/container-instances-encrypt-data.md

@@ -2,8 +2,9 @@
 title: Encrypt deployment data
 description: Learn about encryption of data persisted for your container instance resources and how to encrypt the data with a customer-managed key
 ms.topic: article
-ms.date: 01/10/2020
-ms.author: danlep
+ms.date: 01/17/2020
+author: dkkapur
+ms.author: dekapur
 ---
 
 # Encrypt deployment data
@@ -83,15 +84,18 @@ The access policy should now show up in your key vault's access policies.
 > [!IMPORTANT]
 > Encrypting deployment data with a customer-managed key is available in the latest API version (2019-12-01) that is currently rolling out. Specify this API version in your deployment template. If you have any issues with this, please reach out to Azure Support.
 
-Once the key vault key and access policy are set up, add the following property to your ACI deployment template. You can learn more about deploying ACI resources with a template in the [Tutorial: Deploy a multi-container group using a Resource Manager template](https://docs.microsoft.com/azure/container-instances/container-instances-multi-container-group). 
-
-Specifically, under the container group properties section of the deployment template, add an "encryptionProperties", which contains the following values:
-* vaultBaseUrl: the DNS Name of your key vault, can be found  on the overview blade of the key vault resource in Portal
-* keyName: the name of the key generated earlier
-* keyVersion: the current version of the key. This can be found by clicking into the key itself (under "Keys" in the Settings section of your key vault resource)
+Once the key vault key and access policy are set up, add the following properties to your ACI deployment template. Learn more about deploying ACI resources with a template in the [Tutorial: Deploy a multi-container group using a Resource Manager template](https://docs.microsoft.com/azure/container-instances/container-instances-multi-container-group). 
+* Under `resources`, set `apiVersion` to `2012-12-01`.
+* Under the container group properties section of the deployment template, add an `encryptionProperties`, which contains the following values:
+  * `vaultBaseUrl`: the DNS Name of your key vault, can be found  on the overview blade of the key vault resource in Portal
+  * `keyName`: the name of the key generated earlier
+  * `keyVersion`: the current version of the key. This can be found by clicking into the key itself (under "Keys" in the Settings section of your key vault resource)
+* Under the container group properties, add a `sku` property with value `Standard`. The `sku` property is required in API version 2019-12-01.
 
+The following template snippet shows these additional properties to encrypt deployment data:
 
 ```json
+[...]
 "resources": [
     {
         "name": "[parameters('containerGroupName')]",
@@ -104,6 +108,7 @@ Specifically, under the container group properties section of the deployment tem
                 "keyName": "acikey",
                 "keyVersion": "xxxxxxxxxxxxxxxx"
             },
+            "sku": "Standard",
             "containers": {
                 [...]
             }
@@ -112,6 +117,100 @@ Specifically, under the container group properties section of the deployment tem
 ]
 ```
 
+Following is a complete template, adapted from the template in [Tutorial: Deploy a multi-container group using a Resource Manager template](https://docs.microsoft.com/azure/container-instances/container-instances-multi-container-group). 
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "containerGroupName": {
+      "type": "string",
+      "defaultValue": "myContainerGroup",
+      "metadata": {
+        "description": "Container Group name."
+      }
+    }
+  },
+  "variables": {
+    "container1name": "aci-tutorial-app",
+    "container1image": "mcr.microsoft.com/azuredocs/aci-helloworld:latest",
+    "container2name": "aci-tutorial-sidecar",
+    "container2image": "mcr.microsoft.com/azuredocs/aci-tutorial-sidecar"
+  },
+  "resources": [
+    {
+      "name": "[parameters('containerGroupName')]",
+      "type": "Microsoft.ContainerInstance/containerGroups",
+      "apiVersion": "2019-12-01",
+      "location": "[resourceGroup().location]",
+      "properties": {
+        "encryptionProperties": {
+            "vaultBaseUrl": "https://example.vault.azure.net",
+            "keyName": "acikey",
+            "keyVersion": "xxxxxxxxxxxxxxxx"
+        },
+        "sku": "Standard",  
+        "containers": [
+          {
+            "name": "[variables('container1name')]",
+            "properties": {
+              "image": "[variables('container1image')]",
+              "resources": {
+                "requests": {
+                  "cpu": 1,
+                  "memoryInGb": 1.5
+                }
+              },
+              "ports": [
+                {
+                  "port": 80
+                },
+                {
+                  "port": 8080
+                }
+              ]
+            }
+          },
+          {
+            "name": "[variables('container2name')]",
+            "properties": {
+              "image": "[variables('container2image')]",
+              "resources": {
+                "requests": {
+                  "cpu": 1,
+                  "memoryInGb": 1.5
+                }
+              }
+            }
+          }
+        ],
+        "osType": "Linux",
+        "ipAddress": {
+          "type": "Public",
+          "ports": [
+            {
+              "protocol": "tcp",
+              "port": "80"
+            },
+            {
+                "protocol": "tcp",
+                "port": "8080"
+            }
+          ]
+        }
+      }
+    }
+  ],
+  "outputs": {
+    "containerIPv4Address": {
+      "type": "string",
+      "value": "[reference(resourceId('Microsoft.ContainerInstance/containerGroups/', parameters('containerGroupName'))).ipAddress.ip]"
+    }
+  }
+}
+```
+
 ### Deploy your resources
 
 If you created and edited the template file on your desktop, you can upload it to your Cloud Shell directory by dragging the file into it.