Encrypt Azure storage used by a lab in Azure DevTest Labs
Every lab created in Azure DevTest Labs is created with an associated Azure storage account. The storage account is used for the following purposes:
- Storing formula documents that can be used to create virtual machines.
- Storing artifact results that include deployment and extension logs generated from applying artifacts.
- Uploading virtual hard disks (VHDs) to create custom images in the lab.
- Caching frequently used artifacts and Azure Resource Manager templates for faster retrieval during virtual machine/environment creation.
Note
The information above is critical for the lab to operate. It's stored for the life of the lab (and lab resources) unless explicitly deleted. Manually deleting these resources can lead to errors in creating lab VMs and/or formulas becoming corrupt for future use.
Locate the storage account and view its contents
On the home page for the lab, select the resource group on the Overview page. You should see the Resource group page for the resource group that contains the lab.
Select the Azure storage account of the lab. The naming convention for the lab storage account is:
a<labNameWithoutInvalidCharacters><4-digit number>. For example, if the lab name iscontosolab, the storage account name could beacontosolab7576.
On the Storage account page, select Storage Explorer (preview) on the left menu, and then select BLOB CONTAINERS to find relevant lab-related content.
Encrypt the lab storage account
Azure Storage automatically encrypts your data when it's persisted to the cloud. Azure Storage encryption protects your data and helps you to meet your organizational security and compliance commitments. For more information, see Azure Storage encryption for data at rest.
Data in the lab storage account is encrypted with a Microsoft-managed key. You can rely on Microsoft-managed keys for the encryption of your data, or you can manage encryption with your own keys. If you choose to manage encryption with your own keys for the lab’s storage account, you can specify a customer-managed key with Azure Key Vault to use for encrypting/decrypting data in Blob storage and in Azure Files. For more information about customer-managed keys, see Use customer-managed keys with Azure Key Vault to manage Azure Storage encryption.
To learn how to configure customer-managed keys for Azure Storage encryption, see the following articles:
Manage the Azure Blob storage life cycle
As mentioned, the information stored in the Lab’s storage account is critical for the lab to operate without any errors. Unless explicitly deleted, this data will continue to remain in the lab’s storage account for the life of the lab or the life of specific lab virtual machines, depending on the type of data.
Uploaded VHDs
These VHDs are used to create custom images. Removing them will make it no longer possible to create custom images from these VHDs.
Artifacts Cache
These caches will be re-created any time artifacts are applied. They'll be refreshed with the latest content from the respective referenced repositories. So, if you delete this information to save Storage-related expenses, the relief will be temporary.
Azure Resource Manager template Cache
These caches will be re-created any time Azure Resource Manager-based template repositories are connected and spun up in the lab. They'll be refreshed with the latest content from the respective referenced repositories. So, if you delete this information to save Storage-related expenses, the relief will be temporary.
Formulas
These documents are used to support the option to both create formulas from existing VMs, and creating VMs from formulas. Deleting these formula documents may lead to errors while doing the following operations:
- Creating a formula from an existing lab VM
- Creating or updating formulas
- Creating a VM from a formula.
Artifact results
As artifacts are applied, the size of the respective artifact results can increase over time depending on the number and type of artifacts being run on lab VMs. So, as a lab owner, you may want to control the lifecycle of such documents. For more information, see Manage the Azure Blob storage lifecycle.
Important
We recommend that you do this step to reduce expenses associated with the Azure Storage account.
For example, the following rule is used to set a 90-day expiration rule specifically for artifact results. It ensures that older artifact results are recycled from the storage account on a regular cadence.
{
"rules": [
{
"name": "expirationRule",
"enabled": true,
"type": "Lifecycle",
"definition": {
"filters": {
"blobTypes": [ "blockBlob" ],
"prefixMatch": [ "artifacts/results" ]
},
"actions": {
"baseBlob": {
"delete": { "daysAfterModificationGreaterThan": 90 }
},
"snapshot": {
"delete": { "daysAfterCreationGreaterThan": 90 }
}
}
}
}
]
}
Next steps
To learn how to configure customer-managed keys for Azure Storage encryption, see the following articles: