cross-tenant cmk

Author: b-ahibbard

articles/azure-netapp-files/configure-customer-managed-keys.md

@@ -494,3 +494,5 @@ This section lists error messages and possible resolutions when Azure NetApp Fil
 
 * [Azure NetApp Files API](https://github.com/Azure/azure-rest-api-specs/tree/master/specification/netapp/resource-manager/Microsoft.NetApp/stable/2019-11-01)
 * [Configure customer-managed keys with managed Hardware Security Module](configure-customer-managed-keys-hardware.md)
+* [Configure cross-tenant customer-managed keys](customer-managed-keys-cross-tenant.md)
+* [Understand data encryption in Azure NetApp Files](understand-data-encryption.md)

articles/azure-netapp-files/customer-managed-keys-cross-tenant.md

@@ -0,0 +1,178 @@
+---
+title: Configure cross-tenant customer-managed keys for Azure NetApp Files volume encryption
+description: Learn how to configure cross-tenant customer-managed keys for Azure NetApp Files volume encryption.
+services: azure-netapp-files
+author: b-ahibbard
+ms.service: azure-netapp-files
+ms.topic: how-to
+ms.custom: references_regions
+ms.date: 12/19/2024
+ms.author: anfdocs
+---
+
+# Configure cross-tenant customer-managed keys for Azure NetApp Files volume encryption (preview)
+
+Cross-tenant customer-managed keys (CMK) for Azure NetApp Files volume encryption allows service providers based on Azure to offer [customer-managed key encryption](configure-customer-managed-keys.md). In the cross-tenant scenario, the NetApp account resides in a tenant managed by an independent software vendor (ISV), while the key used for encryption of volumes in that NetApp account resides in a key vault in a tenant that you manage.
+
+## Understand cross-tenant customer-managed keys
+
+The following diagram illustrates a sample cross-tenant CMK configuration. In the diagram, there are two Azure tenants: a service provider's tenant (Tenant 1) and your tenant (Tenant 2). Tenant 1 hosts the NetApp Account (source Azure resource). Tenant 2 hosts your key vault.
+
+:::image type="content" source="./media/customer-managed-keys-cross-tenant/cross-tenant-diagram.png" alt-text="Screenshot of create application volume group interface for extension one." lightbox="./media/customer-managed-keys-cross-tenant/cross-tenant-diagram.png":::
+
+A multitenant application registration is created by the service provider in Tenant 1. A [federated identity credential](/entra/workload-id/workload-identity-federation-create-trust?pivots=identity-wif-apps-methods-azp) is created on this application using a user-assigned managed identity along with a private endpoint to the key vault. Then, the name and application ID of the app are shared. 
+
+Following these steps, you install the service provider's application in your tenant (tenant 2) and grant the service principal associated with the installed application access to the key vault. You also store the encryption key (that is, the customer-managed key) in the key vault. You also shares the key location (the URI of the key) with the service provider. Following configuration, the service provider has:
+
+- An application ID for a multitenant application installed in the customer's tenant, which has been granted access to the customer-managed key. 
+- A managed identity configured as the credential on the multitenant application. 
+ The location of the key in the key vault. 
+
+With these three parameters, the service provider provisions Azure resources in tenant 1 that can be encrypted with the customer-managed key in tenant 2. 
+
+## Supported regions 
+
+Azure NetApp Files cross-tenant customer-managed keys for volume encryption is supported for the following regions:
+
+- Australia Central 
+- Australia Central 2 
+- Australia East 
+- Australia Southeast 
+- Brazil South 
+- Brazil Southeast 
+- Canada Central 
+- Canada East 
+- Central India 
+- Central US 
+- East Asia 
+- East US 
+- East US 2 
+- France Central 
+- Germany North 
+- Germany West Central 
+- Israel Central 
+- Italy North 
+- Japan East 
+- Japan West 
+- Korea Central 
+- Korea South 
+- North Central US 
+- North Europe 
+- Norway East 
+- Norway West 
+- Qatar Central 
+- South Africa North 
+- South Central US 
+- South India 
+- Southeast Asia 
+- Spain Central 
+- Sweden Central 
+- Switzerland North 
+- Switzerland West 
+- UAE Central 
+- UAE North 
+- UK South 
+- UK West 
+- West Europe 
+- West US 
+- West US 2 
+- West US 3 
+
+## Register the feature 
+
+<!-- register the feature --> 
+
+## Configure cross-tenant CMK for Azure NetApp Files 
+
+Cross-tenant CMK is currently only supported for the REST API. 
+
+##  Configure a NetApp account to use a key from a vault in another tenant.
+
+1. Create the application registration. 
+    1. Navigate to Microsoft Entra ID in the Azure Portal
+    1. Select **Manage > App registrations** from the left pane.
+    1. Select **+ New registration**.
+    1. Provide the name for the application registration then select **Account** in any organizational directory.
+    1. Select **Register**.
+    1. Take note of the ApplicationID/ClientID of the application.
+1. Create a user-assigned managed identity. 
+    1. Navigate to Managed Identities in the Azure Portal. 
+    1. Select **+ Create**.
+    1. Provide the resource group, region, and name for the managed identity.    
+    1. Select **Review + create**.
+    1. On successful deployment, note the Azure ResourceId of the user-assigned managed identity, which is available under Properties. For example:
+    `/subscriptions/aaaaaaaa-0000-aaaa-0000-aaaa0000aaaa/resourcegroups/<resourceGroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identityTitle>`
+1. Configure the user-assigned managed identity as a federated credential on the application
+    1. Navigate to **Microsoft Entra ID > App registrations > your application**.
+    1. Select **Certificates & secrets**.
+    1. Select **Federated credentials**.
+    1. Select **+ Add credential**.
+    1. Under Federated credential scenario, select **Customer Managed Keys**.
+    1. Choose **Select a managed identity**. From the pane, select the subscription. Under **Managed identity**, select **User-assigned managed identity**. In the Select box, search for the managed identity you created earlier, then choose **Select** at the bottom of the pane.
+    1. Under Credential details, provide a name and optional description for the credential. Select **Add**.
+1. Create a private endpoint to the your key vault:
+    1. Have the customer share the full Azure ResourceId of their Key Vault. <!-- huh? -->
+    1. Navigate to **Private Endpoints**.
+    1. Select **+ Create**.
+    1. Choose your subscription and resource group, and enter a name for the Private Endpoint, then select **Next > Resource**.
+    1. In the Resource tab, enter the following:
+        - Under Connection Method, select **Connect to an Azure resource by resource ID or alias**.
+        - Under **Resource ID or alias**, enter the ResourceID of the customer’s key vault.
+        - Under target sub-resource enter “vault”. Then select **Next > Virtual Network**.
+    1. In the Virtual Network tab, select a virtual network and subnet for the private endpoint. The endpoint must be in the same virtual network as the volumes you wish to create. The subnet must be a different subnet than the one delegated to `Microsoft.NetApp/volumes`.
+    1. Select Next on the next few tabs. Finally, select **Create** on the final tab.
+
+### Authorize access to the key vault 
+
+1. Install the service provider application in the customer tenant
+    1. Get the Admin Consent URL from the provider for their cross-tenant application. In our example the URL would look like this: https://login.microsoftonline.com/<tenant1 tenantId>/adminconsent/client_id=<client/application ID for the cross tenant-application> This opens a login page where you enter your credentials. Once you enter your credentials, you may see an error stating there is no redirect URL configured. This is OK.
+1. Grant the service provider application access to the key vault. 
+    1. Navigate to your key vault. Select Access Control (IAM) from the left pane.  
+    1. Under Grant access to this resource, select **Add role assignment**. 
+    1. Search for then select **Key Vault Crypto User**. 
+    1. Under Members, select **User, group, or service principal**. 
+    1. Select **Members**. Search for the application name of the application you installed from the service provider. 
+    1. Select **Review + Assign**. 
+1. Accept the incoming private endpoint connection to the key vault. 
+    1. Navigate to your key vault. Select **Networking** from the left pane. 
+    1. Under **Private Endpoint Connections**, select the incoming Private Endpoint from the provider’s tenant, then select **Approve**. 
+    1. Set an optional description or accept the default. 
+
+### Configure the NetApp account to use your keys 
+
+1. You must use the `az rest` command to configure your NetApp account to use CMK in a different tenant. Issue the following command: 
+
+    ```azurecli
+    az rest --method put --uri "/subscriptions/<subscription Id>/resourceGroups/<resource group name>/providers/Microsoft.NetApp/netAppAccounts/<NetApp Account name>?api-version=2024-01-01-preview" --body 
+    '{  \"properties\":
+        {    \"encryption\":
+            {      \"keySource\": \"Microsoft.KeyVault\",   \"keyVaultProperties\":    
+                {\"keyVaultUri\": \"<URI to the key vault>\",   \"keyVaultResourceId\": \"/<full resource ID of the key vault>\", \"keyName\": \"<customer’s key name>\"   },
+                \"identity\":
+                    { \"userAssignedIdentity\": \"<full resource ID of the user-assigned identity>",  \"federatedClientId\": \"<clientId of multi-tenant application>\"
+                    }
+                }
+            },
+        \"location\": \"southcentralus\",   \"identity\": 
+            {\"type\": \"userAssigned\",   \"userAssignedIdentities\": 
+                {  \"<full resource ID of the user-assigned identity>\": {
+                    }
+                }
+            }
+        }'
+     --verbose 
+    ```
+    Once you have sent the `az rest` command, your NetApp Account has been successfully configured with cross-tenant CMK. 
+
+
+### Create a volume 
+
+1. To create a volume using cross-tenant CMK, you must use the Azure CLI. Issue the following command: 
+
+```azurecli
+az netappfiles volume create -g <resource group name> --account-name <NetApp account name> --pool-name <pool name> --name <volume name> -l southcentralus --service-level premium --usage-threshold 100 --file-path "<file path>" --vnet <virtual network name> --subnet default --network-features Standard --encryption-key-source Microsoft.KeyVault --kv-private-endpoint-id <full resource ID to the private endpoint to the customer's vault> --debug 
+```
+
+## Next steps
+* [Configure customer-managed keys](configure-customer-managed-keys.md)
+* [Understand data encryption in Azure NetApp Files](understand-data-encryption.md)

articles/azure-netapp-files/media/customer-managed-keys-cross-tenant/cross-tenant-diagram.md.png

@@ -14,6 +14,10 @@ ms.author: anfdocs
 
 Azure NetApp Files is updated regularly. This article provides a summary about the latest new features and enhancements.
 
+* [Cross-tenant customer-managed keys for Azure NetApp Files volume encryption](customer-managed-keys-cross-tenant.md) (Preview)
+
+<!-- text incoming -->
+
 ## December 2024
 
 * [Volume enhancement: creating volumes with the same file path, share name, or volume path in different availability zones](manage-availability-zone-volume-placement.md#file-path-uniqueness) is now generally available (GA)
@@ -90,7 +94,7 @@ Azure NetApp Files is updated regularly. This article provides a summary about t
 
 * [Cross-zone replication](cross-zone-replication-introduction.md) is now generally available (GA).
 
-    Cross-zone replication allows you to replicate your Azure NetApp Files volumes asynchronously from one Azure availability zone (AZ) to another within the same region. Using technology similar to the cross-region replication feature and Azure NetApp Files availability zone volume placement feature, cross-zone replication replicates data in-region across different zones; only changed blocks are sent over the network in a compressed, efficient format. It helps you protect your data from unforeseeable zone failures without the need for host-based data replication. This feature minimizes the amount of data required to replicate across the zones, limiting data transfers required and shortens the replication time so you can achieve a smaller Restore Point Objective (RPO). Cross-zone replication doesn’t involve any network transfer costs and is highly cost-effective. 
+    Cross-zone replication allows you to replicate your Azure NetApp Files volumes asynchronously from one Azure availability zone (AZ) to another wi thin the same region. Using technology similar to the cross-region replication feature and Azure NetApp Files availability zone volume placement feature, cross-zone replication replicates data in-region across different zones; only changed blocks are sent over the network in a compressed, efficient format. It helps you protect your data from unforeseeable zone failures without the need for host-based data replication. This feature minimizes the amount of data required to replicate across the zones, limiting data transfers required and shortens the replication time so you can achieve a smaller Restore Point Objective (RPO). Cross-zone replication doesn’t involve any network transfer costs and is highly cost-effective. 
 
     Cross-zone replication is available in all [regions with availability zones](../reliability/availability-zones-region-support.md) and with [Azure NetApp Files presence](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=netapp&regions=all&rar=true).