
VM/VMSS to support v2 Version of Azure Metadata Security Protocol

Open hmyan90 opened this issue 7 months ago • 4 comments

Preconditions

Need to release Python SDK support 2024-07-01

Related command

Please see v1 https://github.com/Azure/azure-cli/issues/27729 , this v2 involves deleting a parameter (proxy-agent-mode) from the v1 version and adding a couple new

az vm create [--enable-proxy-agent {false, true}] [--wireServer-mode {Audit, Enforce, Disabled}] [--wireServer-InVMAccessControlProfileReferenceId "" ] [--imds-mode {Audit, Enforce, Disabled}] [--imds-InVMAccessControlProfileReferenceId "" ] [--keyIncarnationId integer]
az vm update
az vmss create
az vmss update

Resource Provider

Microsoft.Compute

Description of Feature or Work Requested

PM doc: https://microsoft.sharepoint.com/:w:/r/teams/CPlat-PM/_layouts/15/Doc.aspx?sourcedoc=%7BDD02825F-7D23-4C67-B21C-6352733A8858%7D&file=Wire-Server%20Endpoint%20Security%20PM%20Spec.docx&action=default&mobileredirect=true&share=IQFfggLdI31nTLIcY1JzOohYAV82cMdRnCluKCTcaCyt91E

Users can opt in to the Azure metadata security protocol for their VM by specifying the newly introduced VM or VMSS property, so their VM can be protected from SSRF and Scorpin heart attacks against the IMDS and WireServer endpoints.

Need to support this for vm create, vm update, vmss create, vmss update.

Minimum API Version Required

2024-03-01

Swagger PR link / SDK link

https://github.com/Azure/azure-rest-api-specs/pull/29402

Request Example

VM: https://github.com/Azure/azure-rest-api-specs/blob/c9d9a0180149e72541752672790ed642a439adfa/specification/compute/resource-manager/Microsoft.Compute/ComputeRP/stable/2023-09-01/examples/virtualMachineExamples/VirtualMachine_Create_WithProxyAgentSettings.json

VMSS: https://github.com/Azure/azure-rest-api-specs/blob/c9d9a0180149e72541752672790ed642a439adfa/specification/compute/resource-manager/Microsoft.Compute/ComputeRP/stable/2023-09-01/examples/virtualMachineScaleSetExamples/VirtualMachineScaleSet_Create_WithProxyAgentSettings.json

Target Date

08-06-2024

PM Contact

[email protected]

Engineer Contact

[email protected]

Additional context

No response

hmyan90 Jun 28 '24 21:06