Azure / azure-libraries-for-java

Azure Management Libraries for Java
https://docs.microsoft.com/en-us/java/azure/
MIT License

[BUG] Azure DiskEncryption fails in Azure China Region #1353

Closed ashbondu closed 3 years ago

ashbondu commented 3 years ago

Describe the bug
When we use the Azure Java SDK to kick off the Disk Encryption of a VM, it ends up in a failure in the Azure China environment, where ADE fails to encrypt the VM.

Exception or Stack Trace
Exception from the VM's BitLocker logs (redacted resource names).

2021-01-19T15:34:19.9461074Z    [Info]: vmSettings after adding protectors: VmSettings:
                      DiskEncryptionDataVersion: 4.0
                      encryptionOperation: EnableEncryption
                      KeyVaultUrl: https://<key-vault-name>.vault.azure.net/
                      KeyVaultResourceId: /subscriptions/<subscription-id>/resourceGroups/<resourcegroup-name>/providers/Microsoft.KeyVault/vaults/<key-vault-name>
                      KeyEncryptionKeyUrl: 
                      KekVaultResourceId: 
                      KeyEncryptionAlgorithm: RSA-OAEP
                      diskEncryptionSettings: ControllerType: IDE, ControllerId: 0, SlotId: 0, volumeEncSettings: VolumeType: OsVolume, ProtectorFileName: 11F846E6-04AB-42A4-AE07-E2A9783AA362.BEK, SecretTags: TagName: DiskEncryptionKeyFileName, TagValue: 11F846E6-04AB-42A4-AE07-E2A9783AA362.BEK;TagName: VolumeLetter, TagValue: C:\;TagName: VolumeLabel, TagValue: Windows;TagName: MachineName, TagValue: AZCHINAPOC0000
                      protectors: ProtectorName: 11F846E6-04AB-42A4-AE07-E2A9783AA362.BEK, Base64Key: <Hidden>
2021-01-19T15:34:19.9531076Z    [Info]: SendEncryptionSettingsToHostV3:: Send diskEncryptionData with protectors (version 3.0 of WireProtocol)
2021-01-19T15:34:20.3231334Z    [Info]: Serialized encryption settings without special characters and no protector values: {"DiskEncryptionDataVersion":"4.0","DiskEncryptionOperation":"EnableEncryption","Disks":[{"ControllerId":0,"ControllerType":"IDE","SlotId":0,"Volumes":[{"ProtectorFileName":"11F846E6-04AB-42A4-AE07-E2A9783AA362.BEK","SecretTags":[{"Name":"DiskEncryptionKeyFileName","Value":"11F846E6-04AB-42A4-AE07-E2A9783AA362.BEK"},{"Name":"VolumeLetter","Value":"C:\\"},{"Name":"VolumeLabel","Value":"Windows"},{"Name":"MachineName","Value":"AZCHINAPOC0000"}],"VolumeType":"OsVolume"}]}],"KekAlgorithm":"RSA-OAEP","KekUrl":null,"KekVaultResourceId":null,"KeyVaultResourceId":"/subscriptions/<subscription-id>/resourceGroups/<resourcegroup-name>/providers/Microsoft.KeyVault/vaults/<key-vault-name>","KeyVaultUrl":"https://<key-vault-name>.vault.azure.net/","Protectors":[{"Base64Key":"<Hidden>","Name":"11F846E6-04AB-42A4-AE07-E2A9783AA362.BEK"}]}
2021-01-19T15:34:20.3261367Z    [Info]: SendEncryptionSettingsToHost Start

2021-01-19T15:34:20.3351317Z    [Info]: SendEncryptionSettingsToHost diskEncryptionPostUri: http://168.63.129.16:80/machine?comp=diskEncryptionData
2021-01-19T15:34:20.4281400Z    [Info]: SendEncryptionSettingsToHostHelper responseContent:<?xml version="1.0" encoding="utf-8"?>
<Error xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <Code>BadRequest</Code>
    <Message>The request contents are invalid or incomplete. Please refresh your resource cache and retry.</Message>
    <Details>The fault reason was: '  0xc1425054  RUNTIME_E_DISK_ENCRYPTION_SECRET_KEYVAULT_URL_INVALID  DiskEncryptionSecretKeyVaultURL is invalid. '.</Details>
</Error>, ReasonPhrase:Bad Request, StatusCode:BadRequest
2021-01-19T15:34:20.4291407Z    [Info]: SendEncryptionSettingsToHost failed. Attempting again. retryCount: 0
2021-01-19T15:34:30.4896264Z    [Info]: SendEncryptionSettingsToHostHelper responseContent:<?xml version="1.0" encoding="utf-8"?>
<Error xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <Code>BadRequest</Code>
    <Message>The request contents are invalid or incomplete. Please refresh your resource cache and retry.</Message>
    <Details>The fault reason was: '  0xc1425054  RUNTIME_E_DISK_ENCRYPTION_SECRET_KEYVAULT_URL_INVALID  DiskEncryptionSecretKeyVaultURL is invalid. '.</Details>
</Error>, ReasonPhrase:Bad Request, StatusCode:BadRequest
2021-01-19T15:34:30.4906218Z    [Info]: SendEncryptionSettingsToHost failed. Attempting again. retryCount: 1

To Reproduce
Encrypt a VM using the Azure Java SDK with a Key Vault in the China region.

Analysis
I believe the error is in the logic below, where the SDK always assumes the Key Vault URL will be https://<key-vault-name>.vault.azure.net/ irrespective of the environment where the Key Vault is located.

https://github.com/Azure/azure-libraries-for-java/blob/v1.38.1/azure-mgmt-compute/src/main/java/com/microsoft/azure/management/compute/VirtualMachineEncryptionConfiguration.java#L94

But that is not the case, as Azure China and Azure Government use different domains. Example China domain to access Key Vault - https://<vault-name>.vault.azure.cn

https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault#resource-endpoints

weidongxu-microsoft commented 3 years ago

@xccc-msft Please take this as high priority.

weidongxu-microsoft commented 3 years ago

@ashbondu Thanks for the issue and analysis. We will investigate it on Monday, and if this is indeed the bug, a fix should be released in days.

weidongxu-microsoft commented 3 years ago

The fix would try to figure out the correct cloud from the AzureEnvironment in the credential, and use the corresponding pattern for the vault endpoint, for backward compatibility.

The safer approach would be using the new constructor, e.g. LinuxVMDiskEncryptionConfiguration(vaultId, vaultUri), which lets the customer provide the vaultUri directly. https://github.com/Azure/azure-libraries-for-java/pull/1355/files#r568270939
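The two approaches the maintainer describes (derive the vault endpoint from the credential's AzureEnvironment, or pass vaultUri explicitly) can be combined on the caller side, so that a hard-coded public-cloud suffix can never reach the host agent. The following is an added example written for this thread; it is not code from the azure-libraries-for-java project. It assumes `AzureEnvironment.keyVaultDnsSuffix()` from azure-client-runtime (which returns ".vault.azure.cn" for `AzureEnvironment.AZURE_CHINA`) and the two-argument `LinuxVMDiskEncryptionConfiguration(vaultId, vaultUri)` constructor named in the comment above, in that argument order, as available from the fixed release. The vault name and subscription in `main` are constructed placeholders.

```java
import com.microsoft.azure.AzureEnvironment;
import com.microsoft.azure.management.compute.LinuxVMDiskEncryptionConfiguration;

import java.net.URI;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Builds the Key Vault URI that ADE must receive from the vault's ARM resource ID
 * and the cloud the credential belongs to, and refuses to proceed if the two disagree.
 */
public final class VaultUriForEnvironment {

    // Last segment of an ARM ID of the form .../providers/Microsoft.KeyVault/vaults/<name>.
    // ARM resource IDs are case-insensitive; vault names are alphanumerics and hyphens.
    private static final Pattern VAULT_ID = Pattern.compile(
            "/providers/Microsoft\\.KeyVault/vaults/([A-Za-z0-9-]+)$", Pattern.CASE_INSENSITIVE);

    private VaultUriForEnvironment() { }

    /** Normalises the suffix so ".vault.azure.cn" and "vault.azure.cn" are treated alike. */
    private static String dnsSuffix(AzureEnvironment env) {
        String suffix = env.keyVaultDnsSuffix().toLowerCase();
        return suffix.startsWith(".") ? suffix : "." + suffix;
    }

    /** Derives https://<vault-name><suffix>/ for the cloud of the given environment. */
    public static String vaultUriFor(String vaultResourceId, AzureEnvironment env) {
        Matcher m = VAULT_ID.matcher(vaultResourceId);
        if (!m.find()) {
            throw new IllegalArgumentException("not a Key Vault resource ID: " + vaultResourceId);
        }
        return "https://" + m.group(1).toLowerCase() + dnsSuffix(env) + "/";
    }

    /**
     * Guard for a caller-supplied vaultUri: it must be https and its host must end in the
     * Key Vault DNS suffix of the cloud we authenticate against. This is exactly the check
     * that the hard-coded ".vault.azure.net" pattern in the issue would have failed.
     */
    public static void requireVaultInEnvironment(String vaultUri, AzureEnvironment env) {
        URI uri = URI.create(vaultUri);
        String host = uri.getHost();
        if (!"https".equalsIgnoreCase(uri.getScheme()) || host == null
                || !host.toLowerCase().endsWith(dnsSuffix(env))) {
            throw new IllegalArgumentException(
                    "vault URI " + vaultUri + " is not in cloud with suffix " + dnsSuffix(env));
        }
    }

    public static void main(String[] args) {
        // In real code take this from credentials.environment() rather than a constant.
        AzureEnvironment env = AzureEnvironment.AZURE_CHINA;

        // Constructed placeholder resource ID (not a real subscription or vault).
        String vaultId = "/subscriptions/00000000-0000-0000-0000-000000000000"
                + "/resourceGroups/ade-poc-rg/providers/Microsoft.KeyVault/vaults/ade-poc-kv";

        String vaultUri = vaultUriFor(vaultId, env);   // https://ade-poc-kv.vault.azure.cn/
        requireVaultInEnvironment(vaultUri, env);

        // The public-cloud pattern the SDK used to assume is rejected for Azure China.
        try {
            requireVaultInEnvironment("https://ade-poc-kv.vault.azure.net/", env);
            throw new AssertionError("public-cloud suffix must not pass for AZURE_CHINA");
        } catch (IllegalArgumentException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }

        // Hand the validated URI to the SDK explicitly instead of relying on its default pattern;
        // the resulting configuration is what you pass to vm.diskEncryption().enable(...).
        LinuxVMDiskEncryptionConfiguration config =
                new LinuxVMDiskEncryptionConfiguration(vaultId, vaultUri);
        System.out.println("encryption config prepared for vault " + vaultUri);
    }
}
```

The guard is worth keeping even after upgrading: the host agent at 168.63.129.16 only reports `RUNTIME_E_DISK_ENCRYPTION_SECRET_KEYVAULT_URL_INVALID` after the extension has already been deployed and retried, so failing fast in the caller, before the VM is touched, is considerably cheaper than diagnosing it from the BitLocker log.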

weidongxu-microsoft commented 3 years ago

Please use version 1.39.1