Commit 770a9dc

committed
adding note per gh feedback regarding proper permissions to ensure access to key vault keys
1 parent 4569637 commit 770a9dc

File tree

1 file changed

+10
-6
lines changed

articles/aks/enable-host-encryption.md

Lines changed: 10 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -24,17 +24,17 @@ This feature can only be set at cluster creation or node pool creation time.
2424
2525
### Prerequisites
2626

27-
- Ensure you have the CLI extension v2.23 or higher version installed.
27+
- Make sure you have the CLI extension v2.23 or higher version installed.
2828

2929
### Limitations
3030

3131
- Can only be enabled on new node pools.
3232
- Can only be enabled in [Azure regions][supported-regions] that support server-side encryption of Azure managed disks and only with specific [supported VM sizes][supported-sizes].
33-
- Requires an AKS cluster and node pool based on Virtual Machine Scale Sets(VMSS) as *VM set type*.
33+
- Requires an AKS cluster and node pool based on Virtual Machine Scale Sets as *VM set type*.
3434

3535
## Use host-based encryption on new clusters
3636

37-
Configure the cluster agent nodes to use host-based encryption when the cluster is created.
37+
Configure the cluster agent nodes to use host-based encryption when the cluster is created.
3838

3939
```azurecli-interactive
4040
az aks create --name myAKSCluster --resource-group myResourceGroup -s Standard_DS2_v2 -l westus2 --enable-encryption-at-host
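Review bot: the reworded prerequisite at line 27+ still carries a redundant word: "the CLI extension v2.23 or higher version installed". Since the sentence is being touched anyway, suggest tightening it to "- Make sure you have the CLI extension v2.23 or later installed." The drop of the "(VMSS)" abbreviation at line 33+ is fine as long as no later line on the page refers to "VMSS" by that shorthand.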
@@ -52,11 +52,13 @@ az aks nodepool add --name hostencrypt --cluster-name myAKSCluster --resource-gr
5252

5353
If you want to create new node pools without the host-based encryption feature, you can do so by omitting the `--enable-encryption-at-host` parameter.
5454

55-
## Next steps
55+
> [!NOTE]
56+
> Once you've enabled host-based encryption, make sure you provide the proper permissions to grant access to your Azure Key Vault keys. For more information, see [Full control of your keys][full-control-keys] and [Built-in roles for Key Vault data plane operations][akv-built-in-roles].
5657
57-
Review [best practices for AKS cluster security][best-practices-security]
58-
Read more about [host-based encryption](../virtual-machines/disk-encryption.md#encryption-at-host---end-to-end-encryption-for-your-vm-data).
58+
## Next steps
5959

60+
- Review [best practices for AKS cluster security][best-practices-security].
61+
- Read more about [host-based encryption](../virtual-machines/disk-encryption.md#encryption-at-host---end-to-end-encryption-for-your-vm-data).
6062

6163
<!-- LINKS - external -->
6264

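Review bot: the new note at line 56+ states a requirement without saying when it applies. The `az aks create ... --enable-encryption-at-host` and `az aks nodepool add` commands shown in the previous hunk reference no Key Vault key, so a reader cannot tell whether every cluster with host-based encryption needs Key Vault permissions or only one that uses its own keys, which is what the linked "Full control of your keys" section implies. Suggest qualifying the condition, for example: "> If you use your own keys in Azure Key Vault with host-based encryption, make sure you grant the proper permissions to access those keys. ..." It would also help to name which data-plane role is expected rather than only linking to the roles list.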
@@ -70,3 +72,5 @@ Read more about [host-based encryption](../virtual-machines/disk-encryption.md#e
7072
[az-feature-register]: /cli/azure/feature#az_feature_register
7173
[az-feature-list]: /cli/azure/feature#az_feature_list
7274
[az-provider-register]: /cli/azure/provider#az_provider_register
75+
[full-control-keys]: ../virtual-machines/disk-encryption#full-control-of-your-keys
76+
[akv-built-in-roles]: ../key-vault/general/rbac-guide#azure-built-in-roles-for-key-vault-data-plane-operations
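Review bot: the two new link definitions at lines 75+ and 76+ omit the `.md` extension, while the existing relative link in this file (`../virtual-machines/disk-encryption.md#encryption-at-host-...`, visible in the hunk header and at line 61+) includes it. If the build resolves relative links by file path, these will be broken; suggest `../virtual-machines/disk-encryption.md#full-control-of-your-keys` and `../key-vault/general/rbac-guide.md#azure-built-in-roles-for-key-vault-data-plane-operations`, and verify both anchors exist in the target files.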
