
CLI - Gen2+TLVM As default - New VM with minimal Inputs

Open AjKundnani opened this issue 3 years ago • 3 comments

Related command

Resource Provider

Microsoft.Compute/virtualMachines

Description of Feature or Work Requested

Gen2+TLVM as default (Preferred)

As part of making the compute layer secure for customers to deploy workloads, the request is to make Trusted Launch (GA Date: November 2021) the default deployment option in CLI. The following changes will need to be made for the same:

Scenario 1 - User runs az vm create with minimal parameters.

Present Behavior (New VM with minimal parameters):
  1. User runs command az vm create --name vmname --resource-group rgname.
  2. User gets prompted for value of --image parameter. User provides specific image ID or URNAlias
  3. CLI creates VM with size Standard_DS1_v2.
Updated Behavior post change (Updated default parameters):
  1. User runs command az vm create --name vmname --resource-group rgname.
  2. CLI takes default value for --image parameter as MicrosoftWindowsServer:WindowsServer:2019-DATACENTER-GENSECOND:latest i.e., no prompt for user for value of --image parameter.
  3. Following parameters are set by default:
    • --enable-secure-boot with value true
    • --enable-vtpm with value true
    • --security-type with value TrustedLaunch
  4. CLI creates VM with size Standard_DS1_v2 and default values for parameters mentioned in Step 2 & 3

Notification Message if needed to be provided to end users prior to making changes - Starting xx/xx/xxxx az vm create command will deploy Trusted Launch VM by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

Scenario 2 - User runs az vmss create with minimal parameters.

Present Behavior (New VMSS with minimal parameters):
  1. User runs command az vmss create --name vmssname --resource-group rgname.
  2. User gets prompted for value of --image parameter. User provides specific image ID or URNAlias
  3. CLI creates VMSS with size Standard_DS1_v2.
Updated Behavior post change (Updated default parameters):
  1. User runs command az vmss create --name vmssname --resource-group rgname.
  2. CLI takes default value for --image parameter as MicrosoftWindowsServer:WindowsServer:2019-DATACENTER-GENSECOND:latest i.e., no prompt for user for value of --image parameter.
  3. Following parameters are set by default:
    • --enable-secure-boot with value true
    • --enable-vtpm with value true
    • --security-type with value TrustedLaunch
  4. CLI creates VMSS with size Standard_DS1_v2 and default values for parameters mentioned in Step 2 & 3

Notification Message if needed to be provided to end users prior to making changes - Starting xx/xx/xxxx az vmss create command will deploy Trusted Launch VM by default. To know more about Trusted Launch, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/trusted-launch

NOTE: Please review limitations Trusted Launch VM Limitations to assess any impact for CLI users.

Gen2-as-Default (Failback)

If Gen2+TLVM-as-default cannot be implemented, we request to make Generation 2 VM (GA Date: 2019) the failback alternative default deployment option in CLI. The following changes will need to be made for the same:

Scenario 1 - User runs az vm create with minimal parameters.

Present Behavior (New VM with minimal parameters):
  1. User runs command az vm create --name vmname --resource-group rgname.
  2. User gets prompted for value of --image parameter. User provides specific image ID or URNAlias
  3. CLI creates VM with size Standard_DS1_v2.
Updated Behavior post change (Updated default parameters):
  1. User runs command az vm create --name vmname --resource-group rgname.
  2. CLI takes default value for --image parameter as MicrosoftWindowsServer:WindowsServer:2019-DATACENTER-GENSECOND:latest i.e., no prompt for user for value of --image parameter.
  3. CLI creates VM with size Standard_DS1_v2 and default image mentioned in Step 2.

Scenario 2 - User runs az vmss create with minimal parameters.

Present Behavior (New VMSS with minimal parameters):
  1. User runs command az vmss create --name vmssname --resource-group rgname.
  2. User gets prompted for value of --image parameter. User provides specific image ID or URNAlias
  3. CLI creates VMSS with size Standard_DS1_v2.
Updated Behavior post change (Updated default parameters):
  1. User runs command az vmss create --name vmname --resource-group rgname.
  2. CLI takes default value for --image parameter as 2019-DATACENTER-GENSECOND i.e., no prompt for user for value of --image parameter.
  3. CLI creates VMSS with size Standard_DS1_v2 and default image mentioned in Step 2.

Notification Message if needed to be provided to end users prior to making changes - Starting xx/xx/xxxx az vmss create command will deploy Generation 2 VM by default. To know more about Azure Generation 2 VM, please visit https://docs.microsoft.com/en-us/azure/virtual-machines/generation-2

NOTE: Generation 2 VMs have full feature parity with existing Generation 1 VMs used by majority of customers.

Minimum API Version Required

2021-11-01

Swagger PR link

Compute Swagger 2021-11-01

Request Example

Target Date

2022-10-10

Additional context

  • Target date for implementing notification for user is to match Ignite event scheduled for 2022-10-12
  • My understanding is before change is implemented, user will need to be provided with notification, hence target date for implementation of the changes is Build event 2023 (May 2023)
  • Multiple Trusted Launch VM limitations will be tentatively addressed before actual implementation date of May 2023.
  • VM Size / SKU capability to support Gen2 or Trusted Launch VM can be queried using API Resource SKU List API
    • For Gen2 refer to property HyperVGeneration with supported value of v2
    • For trusted launch VM, refer to property TrustedLaunchSupportDisabled set to true, for sizes which support Gen2 but not Trusted Launch.
  • Image capability to support Gen2 or Trusted Launch VM can be queried using API Virtual Machines Images GET API
  • TLVM-as-default implementation in Azure Portal is planned for December 2022.

AjKundnani avatar Aug 04 '22 13:08 AjKundnani

Compute

yonzhan avatar Aug 04 '22 14:08 yonzhan

@AjKundnani In fact, when users only execute the az vm create --name vmname --resource-group rgname command without other parameters, CLI will prompt "incorrect usage: --image IMAGE | --attach-os-disk DISK". This is because at present, users can also create a VM by attaching the OS disk without using the --image parameter, such as by executing vm create -g {rg} -n vm2 --attach-os-disk {disk_uri} --os-type linux --use-unmanaged-disk. And it is similar for VMSS.

So I want to confirm whether these default behaviors only take effect when the user has neither passed in --image parameter nor --attach-os-disk parameter?

zhoxing-ms avatar Aug 05 '22 04:08 zhoxing-ms

> @AjKundnani In fact, when users only execute the az vm create --name vmname --resource-group rgname command without other parameters, CLI will prompt "incorrect usage: --image IMAGE | --attach-os-disk DISK". This is because at present, users can also create a VM by attaching the OS disk without using the --image parameter, such as by executing vm create -g {rg} -n vm2 --attach-os-disk {disk_uri} --os-type linux --use-unmanaged-disk. And it is similar for VMSS.
>
> So I want to confirm whether these default behaviors only take effect when the user has neither passed in --image parameter nor --attach-os-disk parameter?

@zhoxing-ms That is correct, for this scenario we assume user has not passed values to parameter --image nor for --attach-os-disk. For scenario where users will pass specific values (and other scenarios), I'll be submitting different request. #23450

AjKundnani avatar Aug 05 '22 04:08 AjKundnani
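
An added example, not azure-cli's validator.py or any code from this thread: the first function classifies a Resource SKUs entry along the lines of the Additional context bullets, the second applies the proposed defaults only under the condition confirmed in the reply above. The capability names HyperVGenerations and TrustedLaunchDisabled, the function names and the SKU entries are assumptions made for illustration.

```python
from argparse import Namespace

# Default image URN proposed in the issue for the minimal-input case.
DEFAULT_IMAGE = "MicrosoftWindowsServer:WindowsServer:2019-DATACENTER-GENSECOND:latest"
TL_DEFAULTS = {"security_type": "TrustedLaunch", "enable_secure_boot": True, "enable_vtpm": True}


def size_security_support(sku):
    """Classify one Resource SKUs entry as 'TrustedLaunch', 'Gen2' or 'Gen1'."""
    # Capability names are assumptions about the API response shape.
    caps = {c["name"]: c["value"] for c in sku.get("capabilities", [])}
    gens = {g.strip().upper() for g in caps.get("HyperVGenerations", "").split(",")}
    if "V2" not in gens:
        return "Gen1"
    # Flag set to true marks a size that supports Gen2 but not Trusted Launch.
    disabled = caps.get("TrustedLaunchDisabled", "false").lower() == "true"
    return "Gen2" if disabled else "TrustedLaunch"


def apply_minimal_input_defaults(ns):
    """Fill the proposed defaults in place; return the names that were defaulted."""
    # Condition confirmed in the thread: neither --image nor --attach-os-disk given.
    if ns.image is not None or ns.attach_os_disk is not None:
        return []
    ns.image = DEFAULT_IMAGE
    applied = ["image"]
    for name, value in TL_DEFAULTS.items():
        if getattr(ns, name, None) is None:  # an explicit user value wins
            setattr(ns, name, value)
            applied.append(name)
    return applied


def _sku(name, **caps):
    # Helper that builds a constructed SKU entry (not real API output).
    return {"name": name, "capabilities": [{"name": k, "value": v} for k, v in caps.items()]}


SAMPLE_SKUS = [
    _sku("Example_Size_A", HyperVGenerations="V1,V2"),
    _sku("Example_Size_B", HyperVGenerations="V1,V2", TrustedLaunchDisabled="True"),
    _sku("Example_Size_C", HyperVGenerations="V1"),
]

if __name__ == "__main__":
    print([size_security_support(s) for s in SAMPLE_SKUS])
    args = Namespace(image=None, attach_os_disk=None, security_type=None,
                     enable_secure_boot=False, enable_vtpm=None)
    print(apply_minimal_input_defaults(args), vars(args))
```
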

@zhoxing-ms - Based on other initiatives, updated default OS Image to Windows Server 2022 Azure Edition. Will not impact notification message, it will be needed during implementation.

AjKundnani avatar Nov 29 '22 09:11 AjKundnani

@AjKundnani OK, got it. Please also update the default OS Image in the feature description~

zhoxing-ms avatar Nov 29 '22 09:11 zhoxing-ms

> @AjKundnani OK, got it. Please also update the default OS Image in the feature description~

Done, thanks.

AjKundnani avatar Nov 29 '22 10:11 AjKundnani

Hi @AjKundnani could you please help review this change?

yanzhudd avatar Oct 24 '23 07:10 yanzhudd

> Hi @AjKundnani could you please help review this change?

@yanzhudd - The condition in validator.py looked good to me. Will validate further during bug bash.

AjKundnani avatar Oct 25 '23 10:10 AjKundnani