MicrosoftDocs
diff --git a/‎articles/hpc-cache/configuration.md
Lines changed: 65 additions & 0 deletions b/‎articles/hpc-cache/configuration.md
Lines changed: 65 additions & 0 deletions
diff --git a/‎articles/hpc-cache/customer-keys.md
Lines changed: 145 additions & 0 deletions b/‎articles/hpc-cache/customer-keys.md
Lines changed: 145 additions & 0 deletions
diff --git a/‎articles/hpc-cache/hpc-cache-add-storage.md
Lines changed: 0 additions & 2 deletions b/‎articles/hpc-cache/hpc-cache-add-storage.md
Lines changed: 0 additions & 2 deletions
diff --git a/‎articles/hpc-cache/hpc-cache-create.md
Lines changed: 31 additions & 6 deletions b/‎articles/hpc-cache/hpc-cache-create.md
Lines changed: 31 additions & 6 deletions
@@ -0,0 +1,65 @@
+---
+title: Configure Azure HPC Cache settings
+description: Explains how to configure additional settings for the cache like MTU and no-root-squash, and how to access the express snapshots from Azure Blob storage targets.
+author: ekpgh
+ms.service: hpc-cache
+ms.topic: conceptual
+ms.date: 04/15/2020
+ms.author: v-erkel
+---
+
+# Configure additional Azure HPC Cache settings
+
+The **Configuration** page in the Azure portal has options for customizing several settings. Most users do not need to change these from the default values.
+
+This article also describes how to use the snapshot feature for Azure Blob storage targets. The snapshot feature has no configurable settings.
+
+To see the settings, open the cache's **Configuration** page in the Azure portal.
+
+![screenshot of configuration page in Azure portal](media/configuration.png)
+
+## Adjust MTU value
+<!-- linked from troubleshoot-nas article -->
+
+You can select the maximum transmission unit size for the cache by using the drop-down menu labeled **MTU size**.
+
+The default value is 1500 bytes, but you can change it to 1400.
+
+> [!NOTE]
+> If you lower the cache's MTU size, make sure that the clients and storage systems that communicate with the cache have the same MTU setting or a lower value.
+
+Lowering the cache MTU value can help you work around packet size restrictions in the rest of the cache's network. For example, some VPNs can't transmit full-size 1500 byte packets successfully. Reducing the size of packets sent over the VPN might eliminate that issue. However, note that a lower cache MTU setting means that any other component that communicates with the cache - including clients and storage systems - must also have a lower setting to avoid communication problems with the cache.
+
+If you don't want to change the MTU settings on other system components, you should not lower the cache's MTU setting. There are other solutions to work around VPN packet size restrictions. Read [Adjust VPN packet size restrictions](troubleshoot-nas.md#adjust-vpn-packet-size-restrictions) in the NAS troubleshooting article to learn more about diagnosing and addressing this problem.
+
+Learn more about MTU settings in Azure virtual networks by reading [TCP/IP performance tuning for Azure VMs](../virtual-network/virtual-network-tcpip-performance-tuning.md).
+
+## Configure root squash
+<!-- linked from troubleshoot -->
+
+The **Enable root squash** setting controls how the Azure HPC Cache allows root access. Root squash helps to prevent root-level access from unauthorized clients.
+
+This setting lets users control root access at the cache level, which can help compensate for the required ``no_root_squash`` setting for NAS systems used as storage targets. (Read more about [NFS storage target prerequisites](hpc-cache-prereqs.md#nfs-storage-requirements).) It also can improve security when used with Azure Blob storage targets.
+
+The default setting is **Yes**. (Caches created before April 2020 might have the default setting **No**.) When enabled, this feature also prevents use of set-UID permission bits in client requests to the cache.
+
+## View snapshots for blob storage targets
+
+Azure HPC Cache automatically saves storage snapshots for Azure Blob storage targets. Snapshots provide a quick reference point for the contents of the back-end storage container. Snapshots are not a replacement for data backups, and they don't include any information about the state of cached data.
+
+> [!NOTE]
+> This snapshot feature is different from the snapshot feature included in NetApp, Isilon, or ZFS storage software. Those snapshot implementations flush changes from the cache to the back-end storage system before taking the snapshot.
+>
+> For efficiency, the Azure HPC Cache snapshot does not flush changes first, and only records data that has been written to the Blob container. This snapshot does not represent the state of cached data, so recent changes might be excluded.
+
+This feature is available for Azure Blob storage targets only, and its configuration can't be changed.
+
+Snapshots are taken every eight hours, at UTC 0:00, 08:00, and 16:00.
+
+Azure HPC Cache stores daily, weekly, and monthly snapshots until they are replaced by new ones. The limits are:
+
+* up to 20 daily snapshots
+* up to 8 weekly snapshots
+* up to 3 monthly snapshots
+
+Access the snapshots from the `.snapshot` directory in your blob storage target's namespace.
@@ -0,0 +1,145 @@
+---
+title: Use customer-manged keys to encrypt data in Azure HPC Cache
+description: How to use Azure Key Vault with Azure HPC Cache to control encryption key access instead of using the default Microsoft-managed encryption keys
+author: ekpgh
+ms.service: hpc-cache
+ms.topic: conceptual
+ms.date: 04/15/2020
+ms.author: v-erkel
+---
+
+# Use customer-managed encryption keys for Azure HPC Cache
+
+You can use Azure Key Vault to control ownership of the keys used to encrypt your data in Azure HPC Cache. This article explains how to use customer-managed keys for cache data encryption.
+
+> [!NOTE]
+> All data stored in Azure, including on the cache disks, is encrypted at rest using Microsoft-managed keys by default. You only need to follow the steps in this article if you want to manage the keys used to encrypt your data.
+
+This feature is available only in these Azure regions:
+
+* East US
+* South Central US
+* West US 2
+
+There are three steps to enable customer-managed key encryption for Azure HPC Cache:
+
+1. Set up an Azure Key Vault to store the keys.
+1. When creating the Azure HPC Cache, choose customer-managed key encryption and specify the key vault and key to use.
+1. After the cache is created, authorize it to access the key vault.
+
+Encryption is not completely set up until after you authorize it from the newly created cache (step 3). This is because you must pass the cache's identity to the key vault to make it an authorized user. You can't do this before creating the cache, because the identity does not exist until the cache is created.
+
+After you create the cache, you cannot change between customer-managed keys and Microsoft-managed keys. However, if your cache uses customer-managed keys you can [change](#update-key-settings) the encryption key, the key version, and the key vault as needed.
+
+## Understand key vault and key requirements
+
+The key vault and key must meet these requirements to work with Azure HPC Cache.
+
+Key vault properties:
+
+* **Subscription** - Use the same subscription that is used for the cache.
+* **Region** - The key vault must be in the same region as the Azure HPC Cache.
+* **Pricing tier** - Standard tier is sufficient for use with Azure HPC Cache.
+* **Soft delete** - Azure HPC Cache will enable soft delete if it is not already configured on the key vault.
+* **Purge protection** - Purge protection must be enabled.
+* **Access policy** - Default settings are sufficient.
+* **Network connectivity** - Azure HPC Cache must be able to access the key vault regardless of the endpoint settings you choose.
+
+Key properties:
+
+* **Key type** - RSA
+* **RSA key size** - 2048
+* **Enabled** - Yes
+
+Key vault access permissions:
+
+* The user that creates the Azure HPC Cache must have permissions equivalent to the [Key Vault contributor role](../role-based-access-control/built-in-roles.md#key-vault-contributor). The same permissions are needed to set up and manage Azure Key Vault.
+
+  Read [Secure access to a key vault](../key-vault/key-vault-secure-your-key-vault.md) for more information.
+
+## 1. Set up Azure Key Vault
+
+You can set up a key vault and key before you create the cache, or do it as part of cache creation. Make sure these resources meet the requirements outlined [above](#understand-key-vault-and-key-requirements).
+
+At cache creation time you must specify a vault, key, and key version to use for the cache's encryption.
+
+Read the [Azure Key Vault documentation](../key-vault/key-vault-overview.md) for details.
+
+> [!NOTE]
+> The Azure Key Vault must use the same subscription and be in the same region as the Azure HPC Cache. Use one of the supported regions listed at the beginning of this article.
+
+## 2. Create the cache with customer-managed keys enabled
+
+You must specify the encryption key source when you create your Azure HPC Cache. Follow the instructions in [Create an Azure HPC Cache](hpc-cache-create.md), and specify the key vault and key in the **Disk encryption keys** page. You can create a new key vault and key during cache creation.
+
+> [!TIP]
+> If the **Disk encryption keys** page does not appear, make sure that your cache is in one of the supported regions.
+
+The user who creates the cache must have privileges equal to the [Key Vault contributor role](../role-based-access-control/built-in-roles.md#key-vault-contributor) or higher.
+
+1. Click the button to enable privately managed keys. After you change this setting, the key vault settings appear.
+
+1. Click **Select a key vault** to open the key selection page. Choose or create the key vault and key for encrypting data on this cache's disks.
+
+   If your Azure Key Vault does not appear in the list, check these requirements:
+
+   * Is the cache in the same subscription as the key vault?
+   * Is the cache in the same region as the key vault?
+   * Is there network connectivity between the Azure portal and the key vault?
+
+1. After selecting a vault, select the individual key from the available options, or create a new key. The key must be a 2048-bit RSA key.
+
+1. Specify the version for the selected key. Learn more about versioning in the [Azure Key Vault documentation](../key-vault/about-keys-secrets-and-certificates.md#objects-identifiers-and-versioning).
+
+Continue with the rest of the specifications and create the cache as described in [Create an Azure HPC Cache](hpc-cache-create.md).
+
+## 3. Authorize Azure Key Vault encryption from the cache
+<!-- header is linked from create article, update if changed -->
+
+After a few minutes, the new Azure HPC Cache appears in your Azure portal. Go to the **Overview** page to authorize it to access your Azure Key Vault and enable customer-managed key encryption. (The cache might appear in the resources list before the "deployment underway" messages clear.)
+
+This two-step process is necessary because the Azure HPC Cache instance needs an identity to pass to the Azure Key Vault for authorization. The cache identity doesn't exist until after its initial creation steps are complete.
+
+> [!NOTE]
+> You must authorize encryption within 90 minutes after creating the cache. If you don't complete this step, the cache will time out and fail. A failed cache has to be re-created, it can't be fixed.
+
+The cache shows the status **Waiting for key**. Click the **Enable encryption** button at the top of the page to authorize the cache to access the specified key vault.
+
+![screenshot of cache overview page in portal, with highlighting on the Enable encryption button (top row) and Status: Waiting for key](media/waiting-for-key.png)
+
+Click **Enable encryption** and then click the **Yes** button to authorize the cache to use the encryption key. This action also enables soft-delete and purge protection (if not already enabled) on the key vault.
+
+![screenshot of cache overview page in portal, with a banner message at the top that asks the user to enable encryption by clicking yes](media/enable-keyvault.png)
+
+After the cache requests access to the key vault, it can create and encrypt the disks that store cached data.
+
+After you authorize encryption, Azure HPC Cache goes through several more minutes of setup to create the encrypted disks and related infrastructure.
+
+## Update key settings
+
+You can change the key vault, key, or key version for your cache from the Azure portal. Click the cache's **Encryption** settings link to open the **Customer key settings** page. (You cannot change a cache between customer-managed keys and system-managed keys.)
+
+![screenshot of "Customer keys settings" page, reached by clicking Settings > Encryption from the cache page in the Azure portal](media/change-key-click.png)
+
+Click the **Change key** link, then click **Change the key vault, key, or version** to open the key selector.
+
+![screenshot of "select key from Azure Key Vault" page with three drop-down selectors to choose key vault, key, and version](media/select-new-key.png)
+
+Key vaults in the same subscription and same region as this cache are shown in the list.
+
+After you choose the new encryption key values, click **Select**. A confirmation page appears with the new values. Click **Save** to finalize the selection.
+
+![screenshot of confirmation page with Save button at top left](media/save-key-settings.png)
+
+## Read more about customer-managed keys in Azure
+
+These articles explain more about using Azure Key Vault and customer-managed keys to encrypt data in Azure:
+
+* [Azure storage encryption overview](../storage/common/storage-service-encryption.md)
+* [Disk encryption with customer-managed keys](../virtual-machines/linux/disk-encryption.md#customer-managed-keys) - Documentation for using Azure Key Vault and managed disks, which is similar to the process used with Azure HPC Cache
+
+## Next steps
+
+After you have created the Azure HPC Cache and authorized Key Vault-based encryption, continue to set up your cache by giving it access to your data sources.
+
+* [Add storage targets](hpc-cache-add-storage.md)
@@ -113,8 +113,6 @@ Fill in these values for each namespace path:
 
 * **Virtual namespace path** - Set the client-facing file path for this storage target. Read [Configure aggregated namespace](hpc-cache-namespace.md) to learn more about the virtual namespace feature.
 
-<!--  The virtual path should start with a slash ``/``. -->
-
 * **NFS export path** - Enter the path to the NFS export.
 
 * **Subdirectory path** - If you want to mount a specific subdirectory of the export, enter it here. If not, leave this field blank.
 
@@ -4,8 +4,8 @@ description: How to create an Azure HPC Cache instance
 author: ekpgh
 ms.service: hpc-cache
 ms.topic: how-to
-ms.date: 11/11/2019
-ms.author: rohogue
+ms.date: 04/15/2020
+ms.author: v-erkel
 ---
 
 # Create an Azure HPC Cache
@@ -18,7 +18,7 @@ Use the Azure portal to create your cache.
 
 ![screenshot of project details page in Azure portal](media/hpc-cache-create-basics.png)
 
-In **Project Details**, select the subscription and resource group that will host the cache. Make sure the subscription is on the [access](hpc-cache-prereqs.md#azure-subscription) list.
+In **Project Details**, select the subscription and resource group that will host the cache.
 
 In **Service Details**, set the cache name and these other attributes:
 
@@ -46,6 +46,28 @@ Azure HPC Cache manages which files are cached and preloaded to maximize cache h
 
 ![screenshot of cache sizing page](media/hpc-cache-create-capacity.png)
 
+## Enable Azure Key Vault encryption (optional)
+
+If your cache is in a region that supports customer-managed encryption keys, the **Disk encryption keys** page appears between the **Cache** and **Tags** tabs. As of publication time, this option is supported in East US, South Central US, and West US 2.
+
+If you want to manage the encryption keys used with your cache storage, supply your Azure Key Vault information on the **Disk encryption keys** page. The key vault must be in the same region and in the same subscription as the cache.
+
+You can skip this section if you do not need customer-managed keys. Azure encrypts data with Microsoft-managed keys by default. Read [Azure storage encryption](../storage/common/storage-service-encryption.md) to learn more.
+
+> [!NOTE]
+>
+> * You cannot change between Microsoft-managed keys and customer-managed keys after creating the cache.
+> * After the cache is created, you must authorize it to access the key vault. Click the **Enable encryption** button in the cache's **Overview** page to turn on encryption. Take this step within 90 minutes of creating the cache.
+> * Cache disks are created after this authorization. This means that the initial cache creation time is short, but the cache will not be ready to use for ten minutes or more after you authorize access.
+
+For a complete explanation of the customer-managed key encryption process, read [Use customer-managed encryption keys for Azure HPC Cache](customer-keys.md).
+
+![screenshot of encryption keys page with "customer managed" selected and key vault fields showing](media/create-encryption.png)
+
+Select **Customer managed** to choose customer-managed key encryption. The key vault specification fields appear. Select the Azure Key Vault to use, then select the key and version to use for this cache. The key must be a 2048-bit RSA key. You can create a new key vault, key, or key version from this page.
+
+After you create the cache, you must authorize it to use the key vault service. Read [Authorize Azure Key Vault encryption from the cache](customer-keys.md#3-authorize-azure-key-vault-encryption-from-the-cache) for details.
+
 ## Add resource tags (optional)
 
 The **Tags** page lets you add [resource tags](https://go.microsoft.com/fwlink/?linkid=873112) to your Azure HPC Cache instance.
@@ -59,12 +81,15 @@ Cache creation takes about 10 minutes. You can track the progress in the Azure p
 ![screenshot of cache creation "deployment underway" and "notifications" pages in portal](media/hpc-cache-deploy-status.png)
 
 When creation finishes, a notification appears with a link to the new Azure HPC Cache instance, and the cache appears in your subscription's **Resources** list.
-<!-- double check on notification -->
 
 ![screenshot of Azure HPC Cache instance in Azure portal](media/hpc-cache-new-overview.png)
 
+> [!NOTE]
+> If your cache uses customer-managed encryption keys, the cache might appear in the resources list before the deployment status changes to complete. As soon as the cache's status is **Waiting for key** you can [authorize it](customer-keys.md#3-authorize-azure-key-vault-encryption-from-the-cache) to use the key vault.
+
 ## Next steps
 
-After your cache appears in the **Resources** list, define storage targets to give your cache access to your data sources.
+After your cache appears in the **Resources** list, you can move to the next step.
 
-* [Add storage targets](hpc-cache-add-storage.md)
+* [Define storage targets](hpc-cache-add-storage.md) to give your cache access to your data sources.
+* If you use customer-managed encryption keys, you need to [authorize Azure Key Vault encryption](customer-keys.md#3-authorize-azure-key-vault-encryption-from-the-cache) from the cache's overview page to complete your cache setup. You must do this step before you can add storage. Read [Use customer-managed encryption keys](customer-keys.md) for details.