Merge pull request #127271 from pkshultz/batch-disk-encryption

Add Batch disk encryption article

Author: v-shmck

articles/batch/TOC.yml

@@ -137,6 +137,8 @@
       href: batch-sig-images.md
     - name: Create a pool with a managed image resource
       href: batch-custom-images.md
+    - name: Create a pool with disk encryption enabled
+      href: disk-encryption.md
     - name: Create a pool in a virtual network
       href: batch-virtual-network.md
     - name: Create a pool with public IP addresses

articles/batch/batch-customer-managed-key.md

@@ -145,6 +145,6 @@ az batch account set \
   * **How can I rotate my keys?** Customer-managed keys are not automatically rotated. To rotate the key, update the Key Identifier that the account is associated with.
   * **After I restore access how long will it take for the Batch account to work again?** It can take up to 10 minutes for the account to be accessible again once access is restored.
   * **While the Batch Account is unavailable what happens to my resources?** Any pools that are running when Batch access to customer-managed keys is lost will continue to run. However, the nodes will transition into an unavailable state, and tasks will stop running (and be requeued). Once access is restored, nodes will become available again and tasks will be restarted.
-  * **Does this encryption mechanism apply to VM disks in a Batch pool?** No. For Cloud Service Configuration Pools, no encryption is applied for the OS and temporary disk. For Virtual Machine Configuration Pools, the OS and any specified data disks will be encrypted with a Microsoft platform managed key by default. Currently, you cannot specify your own key for these disks. To encrypt the temporary disk of VMs for a Batch pool with a Microsoft platform managed key, you must enable the [diskEncryptionConfiguration](/rest/api/batchservice/pool/add#diskencryptionconfiguration) property in your [Virtual Machine Configuration](/rest/api/batchservice/pool/add#virtualmachineconfiguration) Pool. For highly sensitive environments, we recommend enabling temporary disk encryption and avoiding storing sensitive data on OS and data disks.
+  * **Does this encryption mechanism apply to VM disks in a Batch pool?** No. For Cloud Service Configuration Pools, no encryption is applied for the OS and temporary disk. For Virtual Machine Configuration Pools, the OS and any specified data disks will be encrypted with a Microsoft platform managed key by default. Currently, you cannot specify your own key for these disks. To encrypt the temporary disk of VMs for a Batch pool with a Microsoft platform managed key, you must enable the [diskEncryptionConfiguration](/rest/api/batchservice/pool/add#diskencryptionconfiguration) property in your [Virtual Machine Configuration](/rest/api/batchservice/pool/add#virtualmachineconfiguration) Pool. For highly sensitive environments, we recommend enabling temporary disk encryption and avoiding storing sensitive data on OS and data disks. For more information, see [Create a pool with disk encryption enabled](./disk-encryption.md)
   * **Is the system-assigned managed identity on the Batch account available on the compute nodes?** No. This managed identity is currently used only for accessing the Azure Key Vault for the customer-managed key.
 

articles/batch/disk-encryption.md

@@ -0,0 +1,104 @@
+---
+title: Create a pool with disk encryption enabled 
+description: Learn how to use disk encryption configuration to encrypt nodes with a platform-managed key.
+author: pkshultz
+ms.topic: how-to
+ms.date: 08/25/2020
+ms.author: peshultz
+ms.custom: references_regions
+---
+
+# Create a pool with disk encryption enabled
+
+When you create an Azure Batch pool using virtual machine configuration, you can encrypt compute nodes in the pool with a platform-managed key by specifying the disk encryption configuration. 
+
+This article explains how to create a Batch pool with disk encryption enabled. 
+
+## Why use a pool with disk encryption configuration?
+
+With a Batch pool, you can access and store data on the OS and temporary disks of the compute node. Encrypting the server-side disk with a platform-managed key will safeguard this data with low overhead and convenience.  
+
+Batch will apply one of these disk encryption technologies on compute nodes, based on pool configuration and regional supportability. 
+
+* [Managed disk encryption at rest with platform-managed keys](../virtual-machines/windows/disk-encryption.md#platform-managed-keys) 
+
+* [Encryption at host using a platform-managed Key](../virtual-machines/windows/disk-encryption.md#encryption-at-host---end-to-end-encryption-for-your-vm-data) 
+
+* [Azure Disk Encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md) 
+
+> [!IMPORTANT]
+> Support for encryption at host using a platform-managed key in Azure Batch is currently in public preview for the East US, West US 2, South Central US, US Gov Virginia, and US Gov Arizona regions.
+> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+You won't be able to specify which encryption method will be applied to the nodes in your pool. Instead, you provide the target disks you want to encrypt on their nodes, and Batch can choose the appropriate encryption method, ensuring the specified disks are encrypted on the compute node.
+ 
+## Azure portal 
+
+When creating a Batch pool in the the Azure portal, select either **TemporaryDisk** or **OsAndTemporaryDisk** under **Disk Encryption Configuration**.
+
+![Screenshot of the Disk Encryption Configuration option in the Azure portal.](./media/disk-encryption/portal-view.png)
+
+After the pool is created, you can see the disk encryption configuration targets in the pool's **Properties** section.
+
+![Screenshot showing the disk encryption configuration targets in the Azure portal.](./media/disk-encryption/disk-encryption-configuration-target.png)
+
+## Examples
+
+The following examples show how to encrypt the OS and temporary disks on a Batch pool using the Batch .NET SDK, the Batch REST API, and the Azure CLI.
+
+### Batch .NET SDK 
+
+```csharp
+pool.VirtualMachineConfiguration.DiskEncryptionConfiguration = new DiskEncryptionConfiguration(
+    targets: new List<DiskEncryptionTarget> { DiskEncryptionTarget.OsDisk, DiskEncryptionTarget.TemporaryDisk }
+    );
+```
+
+### Batch REST API
+
+
+REST API URL:
+```
+POST {batchURL}/pools?api-version=2020-03-01.11.0
+client-request-id: 00000000-0000-0000-0000-000000000000
+```
+Request body:
+```
+"pool": {
+    "id": "pool2",
+    "vmSize": "standard_a1",
+    "virtualMachineConfiguration": {
+        "imageReference": {
+            "publisher": "Canonical",
+            "offer": "UbuntuServer",
+            "sku": "18.04-LTS"
+        },
+        "diskEncryptionConfiguration": {
+            "targets": [
+                "OsDisk",
+                "TemporaryDisk"
+            ]
+        }
+        "nodeAgentSKUId": "batch.node.ubuntu 18.04"
+    },
+    "resizeTimeout": "PT15M",
+    "targetDedicatedNodes": 5,
+    "targetLowPriorityNodes": 0,
+    "maxTasksPerNode": 3,
+    "enableAutoScale": false,
+    "enableInterNodeCommunication": false
+}
+```
+
+### Azure CLI
+
+```azurecli-interactive
+az batch pool create \
+    --id diskencryptionPool \
+    --vm-size Standard_DS1_V2 \
+    --target-dedicated-nodes 2 \
+    --image canonical:ubuntuserver:18.04-LTS \
+    --node-agent-sku-id "batch.node.ubuntu 18.04" \
+    --disk-encryption-targets OsDisk TemporaryDisk
+```