Azure Disk Encryption on an isolated network

When connectivity is restricted by a firewall, proxy requirement, or network security group (NSG) settings, the ability of the extension to perform needed tasks might be disrupted. This disruption can result in status messages such as "Extension status not available on the VM."

Package management

Azure Disk Encryption depends on a number of components, which are typically installed as part of ADE enablement if not already present. When behind a firewall or otherwise isolated from the Internet, these packages must be pre-installed or available locally.

Here are the packages necessary for each distribution. For a full list of supported distros and volume types, see supported VMs and operating systems.

  • Ubuntu 14.04, 16.04, 18.04: lsscsi, psmisc, at, cryptsetup-bin, python-parted, python-six, procps, grub-pc-bin
  • CentOS 7.2 - 7.7: lsscsi, psmisc, lvm2, uuid, at, patch, cryptsetup, cryptsetup-reencrypt, pyparted, procps-ng, util-linux
  • CentOS 6.8: lsscsi, psmisc, lvm2, uuid, at, cryptsetup-reencrypt, pyparted, python-six
  • RedHat 7.2 - 7.7: lsscsi, psmisc, lvm2, uuid, at, patch, cryptsetup, cryptsetup-reencrypt, procps-ng, util-linux
  • RedHat 6.8: lsscsi, psmisc, lvm2, uuid, at, patch, cryptsetup-reencrypt
  • openSUSE 42.3, SLES 12-SP4, 12-SP3: lsscsi, cryptsetup

On Red Hat, when a proxy is required, you must make sure that the subscription-manager and yum are set up properly. For more information, see How to troubleshoot subscription-manager and yum problems.

When packages are installed manually, they must also be manually upgraded as new versions are released.
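As an added pre-flight check (example code written for this page, not Microsoft's own tooling), the following shell script encodes the per-distribution package lists above and reports which of them are still absent from the local package database, so the gap can be closed before the extension is enabled on an isolated VM. The function names and the distro-key mapping derived from /etc/os-release are assumptions of this example.

```shell
#!/bin/sh
# Constructed pre-flight check for Azure Disk Encryption prerequisites.
# Maps the distro to the package list documented on this page and reports
# which packages are missing, using the distro's own package database
# (dpkg on Ubuntu, rpm on RHEL/CentOS/SUSE).

# Package lists as listed on this page, keyed by distro family.
ade_required_packages() {
    case "$1" in
        ubuntu)  echo "lsscsi psmisc at cryptsetup-bin python-parted python-six procps grub-pc-bin" ;;
        centos7) echo "lsscsi psmisc lvm2 uuid at patch cryptsetup cryptsetup-reencrypt pyparted procps-ng util-linux" ;;
        centos6) echo "lsscsi psmisc lvm2 uuid at cryptsetup-reencrypt pyparted python-six" ;;
        rhel7)   echo "lsscsi psmisc lvm2 uuid at patch cryptsetup cryptsetup-reencrypt procps-ng util-linux" ;;
        rhel6)   echo "lsscsi psmisc lvm2 uuid at patch cryptsetup-reencrypt" ;;
        suse)    echo "lsscsi cryptsetup" ;;
        *)       return 1 ;;
    esac
}

# Derive the family key from the ID and VERSION_ID values of /etc/os-release
# (assumed mapping; unsupported distros or versions return non-zero).
ade_distro_key() {
    id="$1"; ver="$2"
    case "$id" in
        ubuntu) echo ubuntu ;;
        centos) case "$ver" in 6*) echo centos6 ;; 7*) echo centos7 ;; *) return 1 ;; esac ;;
        rhel)   case "$ver" in 6*) echo rhel6 ;; 7*) echo rhel7 ;; *) return 1 ;; esac ;;
        opensuse*|sles) echo suse ;;
        *) return 1 ;;
    esac
}

# Print the packages from list $2 that checker $1 reports as not installed.
# $1 is a command or function taking one package name; exit 0 means installed.
ade_missing_packages() {
    checker="$1"; pkgs="$2"; missing=""
    for p in $pkgs; do
        "$checker" "$p" || missing="$missing $p"
    done
    echo "${missing# }"
}

# Checkers for the two package database families used by the distros above.
dpkg_installed() { dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q "install ok installed"; }
rpm_installed()  { rpm -q "$1" >/dev/null 2>&1; }

# Usage on a live VM (dpkg_installed on Ubuntu, rpm_installed elsewhere):
#   . /etc/os-release
#   key=$(ade_distro_key "$ID" "$VERSION_ID")
#   ade_missing_packages rpm_installed "$(ade_required_packages "$key")"
```

Packages installed this way are not tracked by the extension, so the same check is worth re-running after each manual upgrade cycle.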

Network security groups

Any network security group settings that are applied must still allow the endpoint to meet the documented network configuration prerequisites for disk encryption. See Azure Disk Encryption: Networking requirements.

Azure Disk Encryption with Azure AD (previous version)

If using Azure Disk Encryption with Azure AD (previous version), the Azure Active Directory Library will need to be installed manually for all distros (in addition to the packages appropriate for the distro, as listed above).

When encryption is being enabled with Azure AD credentials, the target VM must allow connectivity to both Azure Active Directory endpoints and Key Vault endpoints. Current Azure Active Directory authentication endpoints are maintained in sections 56 and 59 of the Microsoft 365 URLs and IP address ranges documentation. Key Vault instructions are provided in the documentation on how to Access Azure Key Vault behind a firewall.

Azure Instance Metadata Service

The virtual machine must be able to access the Azure Instance Metadata service endpoint, which uses a well-known non-routable IP address (169.254.169.254) that can be accessed only from within the VM. Proxy configurations that alter local HTTP traffic to this address (for example, adding an X-Forwarded-For header) are not supported.

Next steps