Akash saini

Posted on May 27

💿 Azure managed disks

💽 Azure Managed Disks - Explained

Azure Managed Disks are block-level storage volumes used with Azure Virtual Machines. Azure handles all disk management, making it easy and scalable.

📦 What Are Managed Disks?

Managed Disks are like virtual hard drives (VHDs) stored in Azure. When you create a VM, the OS disk and any data disks are usually Azure Managed Disks.

Azure manages the storage accounts, performance, scaling, and availability—you just select the size and type of disk you need.

🔍 Types of Managed Disks

Disk Type	Use Case	Performance
Standard HDD	Low-cost, dev/test, infrequent access	60–500 IOPS, 8–60 MB/s
Standard SSD	Balanced performance and cost	500–2,000 IOPS, 60–400 MB/s
Premium SSD	High-performance apps, low latency	120–20,000 IOPS, 25–900 MB/s
Premium SSD v2	Next-gen premium SSD with better pricing	Up to 80,000 IOPS, 1,200 MB/s
Ultra Disk	Extreme performance workloads (DBs, SAP)	Up to 160,000 IOPS, 4,000 MB/s

📌 Key Features

Fully managed: No need to worry about storage accounts or capacity planning.
Scalable: Easily increase disk size or performance.
Secure: Supports Azure Disk Encryption and integration with Azure Backup.
Reliable: Built-in high availability and disaster recovery.
Snapshot support: Easily create point-in-time backups.
ZRS support: Zone-redundant options for high availability across Availability Zones.

Attach a data disk to:

📸 Azure VM Snapshots

What is a Snapshot?

A Snapshot in Azure is a read-only, point-in-time backup of a managed disk. It captures the entire disk (OS or data) and can be used to restore or duplicate a VM later. Snapshots are stored as standard managed disks and can be used to create new managed disks.

🔄 Types of Snapshots

Azure supports the following types of snapshots:

1. Full Snapshot

Captures the entire disk (all blocks), regardless of whether they have changed.
Consumes storage equal to the full size of the disk.
Create a snapshot of a virtual hard disk

2. Incremental Snapshot

Captures only the changes since the last snapshot.
Much more storage-efficient and cost-effective.
Supports features like snapshot chaining, which is ideal for backups and compliance.
Create an incremental snapshot for managed disks

💿 What is Azure Disk Backup?

Azure Disk Backup is a cloud-native, secure, and cost-effective backup solution designed specifically for Azure managed disks. It helps you back up and restore individual disks (OS or data) without needing to back up the entire virtual machine.

It uses incremental snapshots under the hood to save only the changes made since the last backup, making it efficient and fast.

You don't need to set up any backup infrastructure.
You can back up OS disks and data disks individually.
Backups are policy-based – you set how often and how long to keep them.
You can restore a disk from any backup point.

Configure Azure Disk Backup

🔄 How Does It Work?

You enable backup on a disk.
Azure takes incremental snapshots (only changed data).
Snapshots are stored securely in Azure storage.
You can restore the disk anytime by creating a new disk from a backup.
Optionally, attach the restored disk to the VM or use it as a new disk.

⚙️ Features

✅ Incremental Backups – Saves storage by only backing up changed data.
🕒 Automatic Scheduling – Set daily, weekly, or custom backup schedules.
🔒 Secure Storage – Backups are encrypted and protected with RBAC and Azure policies.
🔁 Point-in-Time Restore – Restore disks to a previous state quickly.
📜 Policy Management – Define backup and retention policies for automation.
📍 No VM Dependency – Backup and restore disks without involving the full VM.

✅ Benefits of Azure Disk Backup

Benefit	Description
🔄 Incremental	Saves space and time by backing up only changed blocks.
🛠️ Easy to Use	No need to install agents or manage backup infrastructure.
💸 Cost-Efficient	Pay only for the storage used by incremental backups.
🔐 Secure	Backups are encrypted and integrated with RBAC and policies.
🕘 Long-Term Retention	Store backups for days, weeks, or months as needed.
🧪 Granular Restore	Restore individual disks without affecting the whole VM.
📅 Policy-Based	Automate your backup strategy with custom policies.

🔐 Azure Managed Disk Encryption

Azure provides several encryption options to secure data stored on managed disks. These options cover everything from basic server-side encryption to customer-managed keys, host-based encryption, and confidential computing scenarios.

📦 1. Server-Side Encryption (SSE) for Azure Disk Storage

Server-Side Encryption (SSE) automatically encrypts data at rest using AES-256. It ensures data is encrypted before being stored and decrypted automatically when read.

🔐 Key Management Options:

Platform-Managed Keys (PMK) – Default, Microsoft-managed.
Customer-Managed Keys (CMK) – You manage keys in Azure Key Vault.

✅ Benefits:

Transparent to apps and users.
No performance overhead.
Supports regulatory compliance.
Works with all managed disk types.

🔑 2. Customer-Managed Keys (CMK)

CMK allows you to use your own keys stored in Azure Key Vault to encrypt disks. You manage key rotation and revocation.

🧱 Requires:

Azure Key Vault with soft-delete and purge protection enabled.
Disk Encryption Set (DES) to associate keys with disks.

✅ Use Cases:

Regulatory compliance.
Full control over encryption keys.
Integration with on-prem HSMs.

🛡️ 3. Azure Disk Encryption (ADE)

ADE uses BitLocker (Windows) or dm-crypt (Linux) to provide OS-level encryption, in addition to SSE.

🔧 Key Features:

Requires Azure VM agent.
Supports CMK via Azure Key Vault.

✅ Use Cases:

Extra control over OS/data encryption.
Required by some legacy compliance standards.

🔒 4. Encryption at Host

Encrypts data before it leaves the compute host. Complements SSE by encrypting data in transit between VM and storage.

🧱 Requirements:

Enabled during VM or disk creation.
Can be used with PMK or CMK.

✅ Use Cases:

Enhanced security.
Defense-in-depth for sensitive workloads.

🧊 5. Confidential Disk Encryption (CDE)

Confidential Disk Encryption is designed specifically for Confidential VMs (CVMs). It provides hardware-based encryption using Trusted Platform Module (vTPM) and Intel® TDX or AMD SEV-SNP technologies.

🔐 Key Management:

Keys are protected within the VM using a virtual TPM.
Supports customer-provided keys via Azure Key Vault.
Full encryption at the guest OS level, outside of Azure control.

🧱 Requirements:

Supported on Confidential VMs.
Must be enabled at VM creation.

✅ Benefits:

Maximum data protection: even Azure cannot access the keys.
Protects against malicious host or insider access.
Ideal for highly confidential workloads and zero-trust architectures.

🧾 Comparison Table

Feature	SSE (PMK)	SSE (CMK)	ADE	Encryption at Host	Confidential Disk Encryption
Key Ownership	Microsoft	Customer	Customer or Microsoft	Customer or Microsoft	Customer (vTPM)
Key Location	Internal	Azure Key Vault	Azure Key Vault	Azure Key Vault	Inside VM (vTPM)
OS-Level Encryption	❌	❌	✅	❌	✅
Host-Level Encryption	❌	❌	❌	✅	✅
Requires VM Agent	❌	❌	✅	❌	✅
Best For	Simplicity	Compliance	Legacy or OS-level need	Defense-in-depth	Confidential workloads
Confidential VM Required	❌	❌	❌	❌	✅

✅ Summary

Option	Description	Best For
SSE with PMK	Default at-rest encryption with Microsoft-managed keys	Simplicity and baseline protection
SSE with CMK	Your keys stored in Azure Key Vault	Compliance, key ownership
Azure Disk Encryption (ADE)	OS-level encryption using BitLocker or dm-crypt	Extra protection at the OS layer
Encryption at Host	Encrypts data before it leaves the compute host	Defense-in-depth for sensitive data
Confidential Disk Encryption	Hardware-enforced encryption using vTPM in Confidential VMs	High-trust, zero-trust architecture

🔐 Azure Key Vault

Azure Key Vault is a cloud service offered by Microsoft Azure that allows you to securely store and manage secrets, encryption keys, and certificates. It helps safeguard cryptographic keys and secrets used by cloud applications and services.

🧱 Key Capabilities

🔑 1. Secrets Management

Store and tightly control access to tokens, passwords, connection strings, and API keys.
Retrieve secrets programmatically or via portal/CLI.

🔐 2. Key Management

Create and manage encryption keys (RSA, EC).
Use keys for encryption/decryption, signing/verification, and key wrapping.
Supports integration with Azure Disk Encryption, Storage Service Encryption, etc.

📄 3. Certificate Management

Securely store and manage SSL/TLS certificates.
Automate certificate renewal and provisioning with integrated Certificate Authorities.

🛡️ 4. Hardware Security Modules (HSM)

Option to store keys in HSM-backed Key Vaults for higher security assurance.
Supports FIPS 140-2 Level 2 validated HSMs.

🚀 Key Features

Feature	Description
Secure Storage	Centralized location to manage secrets, keys, and certificates
Access Policies	Fine-grained access control using Azure Active Directory (AAD)
Logging & Auditing	Integration with Azure Monitor for logging and auditing
Backup & Recovery	Supports soft-delete and purge protection for accidental recovery
Managed Identities	Apps can securely access Key Vault without storing credentials
Versioning	Automatically maintains versions of secrets and keys

🛠️ Use Cases

Storing API keys and DB connection strings for apps
Managing TLS/SSL certificates for web apps
Protecting encryption keys for Azure services (e.g., Storage, SQL, Disk)
Enabling Bring Your Own Key (BYOK) scenarios
Supporting Managed HSM for regulated industries

🔐 Access Control

Azure Key Vault supports two permission models:

Vault Access Policy (Legacy)
- Explicitly define which AAD user/app can access what operations.
Azure Role-Based Access Control (RBAC)
- Use built-in or custom roles to grant permissions.
- More scalable and aligned with modern Azure governance.

💡 Best Practices

Use RBAC model for better manageability.
Enable soft-delete and purge protection to prevent accidental deletion.
Use Managed Identities to authenticate applications securely.
Periodically rotate secrets and keys.
Enable logging with Azure Monitor or Log Analytics.