Closed ashbondu closed 3 years ago
@xccc-msft Please take this as high priority.
@ashbondu Thanks for the issue and analysis. We will investigate it on Monday, and if this is indeed the bug, a fix should be released in days.
The fix would try to figure out the correct cloud region from AzureEnvironment in credential, and use corresponding pattern for vault endpoint, for backward compatibility.
The safer approach would be using the new constructor of e.g. LinuxVMDiskEncryptionConfiguration(vaultId, vaultUri), which lets the customer provide the vaultUri directly.
https://github.com/Azure/azure-libraries-for-java/pull/1355/files#r568270939
Please use version 1.39.1
Describe the bug
When we use Azure Java SDK to kick off the Disk Encryption of a VM, it ends up in a failure in Azure China Environment, where the ADE fails to encrypt the VM.

Exception or Stack Trace
Exception from VM's Bitlocker logs (redacted resource names).

To Reproduce
Encrypt a VM using Azure Java SDK with a Keyvault in China Region.

Analysis
I believe the error is in the below logic where the SDK always assumes the keyvault URL will be https://<key-vault-name>.vault.azure.net/ irrespective of the environment where the Keyvault is located.
https://github.com/Azure/azure-libraries-for-java/blob/v1.38.1/azure-mgmt-compute/src/main/java/com/microsoft/azure/management/compute/VirtualMachineEncryptionConfiguration.java#L94
But that is not the case as the Azure China and Azure Government use a different domain.
Example: China domain to access keyvault - https://<vault-name>.vault.azure.cn
https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault#resource-endpoints
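
The endpoint derivation discussed in this issue, as an added example that is not the SDK's code: it contrasts the hard-coded public-cloud suffix with a lookup keyed on the target cloud. `VaultUriResolver`, `Cloud` and the sample resource ID are hypothetical names and constructed values; the US Government suffix is taken from Microsoft's endpoint documentation rather than from this page.

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not SDK code. Class, enum and method names are hypothetical.
public class VaultUriResolver {
    // Key Vault DNS suffix per cloud. PUBLIC and CHINA are the values quoted in the
    // issue; US_GOVERNMENT is taken from Microsoft's endpoint documentation.
    enum Cloud {
        PUBLIC(".vault.azure.net"),
        CHINA(".vault.azure.cn"),
        US_GOVERNMENT(".vault.usgovcloudapi.net");

        final String keyVaultSuffix;
        Cloud(String suffix) { this.keyVaultSuffix = suffix; }
    }

    // ARM resource ID of a vault. The name check (3-24 alphanumerics or hyphens) is
    // deliberately strict so nothing else can end up in the host part of the URI.
    private static final Pattern VAULT_ID = Pattern.compile(
        "^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\\.KeyVault"
        + "/vaults/([A-Za-z0-9-]{3,24})$", Pattern.CASE_INSENSITIVE);

    // Behaviour described in the issue: the public-cloud suffix regardless of cloud.
    static String hardCodedUri(String vaultId) {
        return vaultUri(vaultId, Cloud.PUBLIC);
    }

    // Environment-aware derivation: the suffix comes from the cloud the credential targets.
    static String vaultUri(String vaultId, Cloud cloud) {
        Matcher m = VAULT_ID.matcher(vaultId);
        if (!m.matches()) {
            throw new IllegalArgumentException("not a Key Vault resource ID: " + vaultId);
        }
        return "https://" + m.group(1).toLowerCase(Locale.ROOT) + cloud.keyVaultSuffix + "/";
    }

    public static void main(String[] args) {
        // Constructed sample resource ID.
        String id = "/subscriptions/00000000-0000-0000-0000-000000000000"
            + "/resourceGroups/rg-demo/providers/Microsoft.KeyVault/vaults/demo-vault";
        System.out.println("hard-coded : " + hardCodedUri(id));
        for (Cloud c : Cloud.values()) {
            System.out.println(c + " -> " + vaultUri(id, c));
        }
    }
}
```

A resource ID that does not match the vault pattern is rejected instead of being spliced into a hostname, so a malformed ID cannot produce a URI pointing at an unintended host.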