F5Networks / f5-azure-arm-templates-v2

Azure Resource Manager Templates for quickly deploying BIG-IP services in Azure

Provide ability to encrypt BIG-IP disks using SSE CMK #9

Closed mwardbopp closed 1 year ago

mwardbopp commented 2 years ago

I have a number of customers who want to encrypt the disks of their BIG-IP deployments in Azure using SSE with customer managed keys. AFAIK the current templates do not support this.

JeffGiroux commented 2 years ago

Here is a quick workaround. You will need to edit the templates.

  1. create keyvault
  2. create key
  3. Now...create Disk Encryption Set

The Disk Encryption Set references the keyvault and key, and it will result in an ID. Copy that ID, and you will use it in the osDisk block of the virtualmachine.

A few more edits...

First...compute apiVersion is old and does not support the DiskEncryptionSet parameter in the managedDisks block for the current templates. Therefore, you need to modify the apiVersion.

old

    "variables": {
        "computeApiVersion": "2017-12-01",

new

    "variables": {
        "computeApiVersion": "2021-07-01",

Second...the osDisk block needs to have a few lines added and point to the Disk Encryption Set ID.

old

                "osDisk": {
                    "createOption": "FromImage"
                }

new example (make sure to use your own ID)

                "osDisk": {
                    "createOption": "FromImage",
                    "managedDisk": {
                        "storageAccountType": "Premium_LRS",
                        "diskEncryptionSet": {
                            "id": "/subscriptions/xx-xx-xx-xx-xx/resourceGroups/myRg123/providers/Microsoft.Compute/diskEncryptionSets/myDiskEncryptSet123"
                        }
                    }
                }
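
The template edits from the workaround above, as an added Python example (not code from this issue or the F5 repo): it bumps `computeApiVersion` to the value the workaround uses, attaches a Disk Encryption Set to every VM's `osDisk`, and includes a check you can run on a template before deploying. The sample template and the DES resource ID are constructed values, not real F5 or Azure identifiers.

```python
import copy
import re

# apiVersion used in the workaround; older versions reject managedDisk.diskEncryptionSet.
TARGET_COMPUTE_API = "2021-07-01"
# Resource ID shape of a Disk Encryption Set (GUID and names below are assumed values).
DES_ID_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
                       r"Microsoft\.Compute/diskEncryptionSets/[^/]+$", re.IGNORECASE)

def enable_cmk(template: dict, des_id: str, sku: str = "Premium_LRS") -> dict:
    """Return a patched copy of the template; the input dict is left untouched."""
    if not DES_ID_RE.match(des_id):
        raise ValueError(f"not a diskEncryptionSets resource ID: {des_id!r}")
    out = copy.deepcopy(template)
    variables = out.setdefault("variables", {})
    if variables.get("computeApiVersion", "") < TARGET_COMPUTE_API:  # ISO dates sort as strings
        variables["computeApiVersion"] = TARGET_COMPUTE_API
    patched = 0
    for res in out.get("resources", []):
        if res.get("type") != "Microsoft.Compute/virtualMachines":
            continue
        os_disk = res["properties"]["storageProfile"]["osDisk"]
        managed = os_disk.setdefault("managedDisk", {})
        managed.setdefault("storageAccountType", sku)
        managed["diskEncryptionSet"] = {"id": des_id}
        patched += 1
    if patched == 0:
        raise ValueError("template has no Microsoft.Compute/virtualMachines resource")
    return out

def os_disk_uses_cmk(template: dict, des_id: str) -> bool:
    """True when every VM's OS disk references des_id (compared case-insensitively)."""
    vms = [r for r in template.get("resources", [])
           if r.get("type") == "Microsoft.Compute/virtualMachines"]
    return bool(vms) and all(
        r["properties"]["storageProfile"]["osDisk"].get("managedDisk", {})
         .get("diskEncryptionSet", {}).get("id", "").lower() == des_id.lower()
        for r in vms)

# Constructed minimal template in the shape of the F5 templates, not a real F5 file.
SAMPLE_TEMPLATE = {
    "variables": {"computeApiVersion": "2017-12-01"},
    "resources": [{
        "type": "Microsoft.Compute/virtualMachines",
        "apiVersion": "[variables('computeApiVersion')]",
        "properties": {"storageProfile": {"osDisk": {"createOption": "FromImage"}}},
    }],
}
SAMPLE_DES_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                 "myRg123/providers/Microsoft.Compute/diskEncryptionSets/myDiskEncryptSet123")
```

Run `os_disk_uses_cmk` against the deployed template's JSON as a pre-deployment check; a VM that still has the bare `createOption` block would otherwise deploy with platform-managed keys and no error.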

shyawnkarim commented 2 years ago

Thanks for reporting this RFE that your customers are requesting. We are now tracking this request with internal ID ESECLDTPLT-2987.

shyawnkarim commented 1 year ago

Closing.

This request was reviewed by our team and we believe this falls under scope of template customization. For help on template authoring, please see the "Getting Help" section in the documentation.