Quickstart: Create an Azure Managed CCF resource using Azure CLI

Azure Managed CCF (Managed CCF) is a new and highly secure service for deploying confidential applications. For more information on Azure Managed CCF, see About Azure Managed Confidential Consortium Framework.

If you don't have an Azure subscription, create an Azure free account before you begin.

Azure CLI is used to create and manage Azure resources using commands or scripts.

Prerequisites

  • This quickstart requires version 2.51.0 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.
  • OpenSSL on a computer running Windows or Linux is also required.

Create a resource group

A resource group is a logical container into which Azure resources are deployed and managed. Use the az group create command to create a resource group named myResourceGroup in the southcentralus location.

az group create --name "myResourceGroup" --location "SouthCentralUS"

Create a member

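Generate a key pair for the member. After the following commands complete, the member's self-signed certificate, which contains the public key, is saved in member0_cert.pem and the private key is saved in member0_privk.pem. Only the certificate is passed to the service in the create step; the private key stays with the member.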

openssl ecparam -out "member0_privk.pem" -name "secp384r1" -genkey
openssl req -new -key "member0_privk.pem" -x509 -nodes -days 365 -out "member0_cert.pem" -sha384 -subj "/CN=member0"

Create a Managed CCF resource

Use the Azure CLI az confidentialledger managedccfs create command to create a Managed CCF resource in the resource group from the previous step. You must provide some information:

  • Managed CCF name: A string of 3 to 32 characters that can contain only numbers (0-9), letters (a-z, A-Z), and hyphens (-)

    Important

    Each Managed CCF resource must have a unique name. Replace <your-unique-managed-ccf-name> with the name of your resource in the following examples.

  • Resource group name: myResourceGroup.

  • Location: southcentralus or westeurope. Default value is southcentralus.

  • Members: A collection of initial members to be added to the resource. A minimum of one member is required.

  • Node count: The number of nodes in the resource. Default value is 3.

az confidentialledger managedccfs create --name "<your-unique-managed-ccf-name>" --resource-group "myResourceGroup" --location "southcentralus" --members "[{certificate:'c:/certs/member0_cert.pem',identifier:'it-admin',group:'IT'},{certificate:'c:/certs/member1_cert.pem',identifier:'finance-admin',group:'Finance'}]"
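
The following pre-flight checks for the values passed to the create command above are an added example, not part of the original quickstart. The function names are hypothetical; they apply only the name rule and the one-member minimum stated on this page, reject a private key file supplied where a certificate is expected, and never call Azure.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical and nothing here calls Azure.

# Name rule from this page: 3 to 32 characters, only 0-9, a-z, A-Z and '-'.
valid_ccf_name() {
  local LC_ALL=C name="$1"        # C locale keeps the a-z ranges ASCII-only
  [ "${#name}" -ge 3 ] && [ "${#name}" -le 32 ] || return 1
  case $name in
    *[!0-9A-Za-z-]*) return 1 ;;
  esac
  return 0
}

# A member file handed to the service must be the certificate, never the key.
is_public_cert() {
  [ -r "$1" ] || return 1
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || return 1
  if grep -q -e 'PRIVATE KEY-----' "$1"; then return 1; fi
  return 0
}

# Build the --members value in the form used above.
# Arguments are triples: certificate path, identifier, group.
members_arg() {
  local out="" cert id group
  # At least one complete member is required.
  [ $# -ge 3 ] && [ $(( $# % 3 )) -eq 0 ] || return 1
  while [ $# -gt 0 ]; do
    cert=$1; id=$2; group=$3; shift 3
    is_public_cert "$cert" || { echo "not a certificate: $cert" >&2; return 1; }
    # A single quote would break out of the quoted value.
    case "$cert$id$group" in *"'"*) return 1 ;; esac
    out="${out:+$out,}{certificate:'$cert',identifier:'$id',group:'$group'}"
  done
  printf '%s\n' "[$out]"
}

# Usage (the az command itself is the one from this page):
#   valid_ccf_name "$name" || exit 1
#   members=$(members_arg member0_cert.pem it-admin IT) || exit 1
#   chmod 600 member0_privk.pem    # keep the private key readable by its owner only
#   az confidentialledger managedccfs create --name "$name" \
#     --resource-group "myResourceGroup" --members "$members"
```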

To view the previously created resource:

az confidentialledger managedccfs show --name "<your-unique-managed-ccf-name>" --resource-group "myResourceGroup"

To list the Managed CCF resources in the myResourceGroup:

az confidentialledger managedccfs list --resource-group "myResourceGroup"

To list the Managed CCF resources in a subscription:

az confidentialledger managedccfs list --subscription <subscription id or subscription name>

Next steps

In this quickstart, you created a Managed CCF resource by using the Azure CLI. To learn more about Azure confidential ledger and how to integrate it with your applications, continue on to these articles: