Introduction

As someone who has worked in this industry for over a decade, I sometimes ponder how easy cloud computing has made it to provision computing resources. This ease has driven the exponential growth of cloud computing, which also makes it one of the most targeted platforms on which to host our applications. Since IaaS security and patch management are the consumer's responsibility, these workloads are easy targets and have to be secured in the best way possible.

What is Trusted Launch?

Microsoft recently announced the Trusted Launch offering for Generation 2 Azure virtual machines and flexible scale sets. Trusted Launch protects against advanced and persistent attack techniques with the help of several coordinated infrastructure technologies. Trusted Launch can only be enabled while creating new virtual machines in the portal.

Why should you enable Trusted Launch?

  • It allows virtual machine deployment with verified boot loaders, OS kernels and drivers.
  • It also protects keys, certificates and secrets in the virtual machine with the help of vTPM.
  • It also helps gain insight into, and confidence in, the integrity of the entire boot chain.

Limitations

Supported VM sizes:

  • B-series
  • Dav4-series, Dasv4-series
  • DCsv2-series
  • Dv4-series, Dsv4-series, Dsv3-series, Dsv2-series
  • Ddv4-series, Ddsv4-series
  • Fsv2-series
  • Eav4-series, Easv4-series
  • Ev4-series, Esv4-series, Esv3-series
  • Edv4-series, Edsv4-series
  • Lsv2-series

OS support:

  • Red Hat Enterprise Linux 8.3
  • SUSE 15 SP2
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Debian 11
  • CentOS 8.4
  • Oracle Linux 8.3
  • CBL-Mariner
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows 11 Pro
  • Windows 11 Enterprise
  • Windows 11 Enterprise multi-session
  • Windows 10 Pro
  • Windows 10 Enterprise
  • Windows 10 Enterprise multi-session

Regions:

  • All public regions

Pricing: No additional cost to existing VM pricing.

The following features are not supported:

  • Azure Site Recovery
  • Azure Compute Gallery (formerly known as Shared Image Gallery)
  • Ephemeral OS disk
  • Shared disk
  • Ultra disk
  • Managed image
  • Azure Dedicated Host
  • Nested Virtualization

How to create a virtual machine with the Trusted Launch option?

YouTube Video: YouTube

GitHub Link: GitHub

PowerShell Script: trusted-launch.ps1

CLI:

Make sure you are running the latest version of Azure CLI.

Sign in to Azure using az login.

az login

Create a resource group and a virtual machine with Trusted Launch. Trusted Launch requires a Generation 2 image, and secure boot and vTPM are enabled explicitly at creation time.

# The same resource group name is used for both commands.
az group create -n ResourceGroup -l eastus
# Gen2 image URN; --security-type TrustedLaunch turns on the feature,
# the two --enable-* flags switch on secure boot and the vTPM.
az vm create \
   --resource-group ResourceGroup \
   --name TrustedVM \
   --image Canonical:UbuntuServer:18_04-lts-gen2:latest \
   --admin-username azureuser \
   --generate-ssh-keys \
   --security-type TrustedLaunch \
   --enable-secure-boot true \
   --enable-vtpm true

For existing Trusted Launch VMs, you can enable or disable the secure boot and vTPM settings. Updating the virtual machine with new secure boot or vTPM settings will trigger an automatic reboot.

az vm update \
   --resource-group ExistingResourceGroup \
   --name ExistingVM \
   --enable-secure-boot true \
   --enable-vtpm true
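Once VMs are deployed, the settings above are worth auditing across a subscription rather than trusting the portal. The following is an added example, not code from the original post or from Microsoft's tooling: it reads the JSON that az vm list -o json prints (a constructed sample in that shape is embedded; the VM and resource group names are made up) and reports which VMs lack Trusted Launch or have secure boot or vTPM switched off, emitting the az vm update command from this post where an in-place fix applies.

```python
"""Audit `az vm list -o json` output for Trusted Launch settings (added example)."""
import json

# Constructed sample in the shape `az vm list -o json` returns, trimmed to the
# fields this check needs. VM names and resource groups are made up.
SAMPLE_VM_LIST = json.dumps([
    {"name": "TrustedVM", "resourceGroup": "ResourceGroup",
     "securityProfile": {"securityType": "TrustedLaunch",
                         "uefiSettings": {"secureBootEnabled": True,
                                          "vTpmEnabled": True}}},
    {"name": "PartialVM", "resourceGroup": "ResourceGroup",
     "securityProfile": {"securityType": "TrustedLaunch",
                         "uefiSettings": {"secureBootEnabled": False,
                                          "vTpmEnabled": True}}},
    {"name": "LegacyVM", "resourceGroup": "ResourceGroup",
     "securityProfile": None},
])


def audit_vm(vm: dict) -> dict:
    """Classify one VM record and return the finding plus a fix, if any."""
    profile = vm.get("securityProfile") or {}
    uefi = profile.get("uefiSettings") or {}
    secure_boot = bool(uefi.get("secureBootEnabled"))
    vtpm = bool(uefi.get("vTpmEnabled"))
    finding = {"name": vm["name"], "resourceGroup": vm["resourceGroup"],
               "secureBoot": secure_boot, "vTpm": vtpm}
    if profile.get("securityType") != "TrustedLaunch":
        # Trusted Launch is chosen at creation time, so a VM without it has to
        # be redeployed as a Gen2 Trusted Launch VM; it cannot be updated in place.
        finding["status"] = "not-trusted-launch"
        finding["fix"] = "redeploy with --security-type TrustedLaunch"
    elif secure_boot and vtpm:
        finding["status"] = "ok"
        finding["fix"] = None
    else:
        # Existing Trusted Launch VM: the settings can be switched on in place
        # (this reboots the VM, as noted above).
        finding["status"] = "settings-disabled"
        finding["fix"] = (f"az vm update --resource-group {vm['resourceGroup']} "
                          f"--name {vm['name']} --enable-secure-boot true "
                          f"--enable-vtpm true")
    return finding


def audit(vm_list_json: str) -> list:
    """Audit every VM in the JSON text and return only the non-'ok' findings."""
    return [f for f in map(audit_vm, json.loads(vm_list_json)) if f["status"] != "ok"]


if __name__ == "__main__":
    for f in audit(SAMPLE_VM_LIST):
        print(f"{f['name']}: {f['status']} -> {f['fix']}")
```

Pipe real data in with az vm list -o json and feed the text to audit() to run it against your own subscription.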