Merge pull request #312956 from svaldesgzz/aezkvedits

v-shils · web-flow · commit 0d3a85052966 · 2026-03-11T10:53:31.000-07:00
added KV article and refreshed TOC and overview
diff --git a/.github/copilot/skills/extended-zones-article-writer.md b/.github/copilot/skills/extended-zones-article-writer.md
@@ -0,0 +1,131 @@
+# Extended Zones Article Writer
+
+Write production-ready how-to, quickstart, tutorial, or overview articles for the Azure Extended Zones Learn documentation.
+
+## Context Sources
+
+### Existing articles (reference for style and structure)
+- **Directory:** `C:\github\azure-docs-pr\articles\extended-zones\`
+- **Best style reference:** `create-storage-account.md` (canonical how-to example)
+- **TOC:** `TOC.yml` — defines the site navigation structure
+- **Overview:** `overview.md` — contains the supported services table
+
+### Team code repos (for technical accuracy)
+- `C:\github\AzureStack-Fiji-Workloads` — team workloads and service code
+- `C:\github\Extended-Zones-Core-Platform` — core platform code
+- `C:\github\Fiji-Services-EdgeZoneRP` — Edge Zone resource provider
+- `C:\github\Fiji-EdgeZones-TSG-TeamDocs` — troubleshooting and team docs
+- `C:\github\EdgeZones-Operations-Configuration` — operations config
+- `C:\github\EdgeZones-Operations-Validation` — validation scripts
+
+---
+
+## Frontmatter Template
+
+```yaml
+---
+title: <Descriptive title — verb + noun + "in an Azure Extended Zone">
+description: <One sentence, under 160 characters, starting with "Learn how to...">
+author: svaldesgzz
+ms.author: svaldes
+ms.service: azure-extended-zones
+ms.topic: <how-to | quickstart | tutorial | overview | concept-article>
+ms.date: <MM/DD/YYYY>
+---
+```
+
+---
+
+## Article Naming Conventions
+
+| Type | Pattern | Example |
+|---|---|---|
+| How-to | `[action]-[resource].md` | `create-storage-account.md` |
+| Quickstart | `deploy-[resource]-[method].md` | `deploy-vm-portal.md` |
+| Tutorial | `[action]-[resource].md` | `backup-virtual-machine.md` |
+| Overview | `overview.md` or `[topic]-overview.md` | `overview.md` |
+
+---
+
+## Article Structure by Type
+
+### How-to guide (`ms.topic: how-to`)
+1. H1 title
+2. Intro paragraph ("In this article, you learn how to...")
+3. `## Prerequisites` — subscription, Extended Zone access, tools
+4. `## Sign in to Azure` — standard portal sign-in step
+5. Main task sections (H2 per major step)
+6. `## Clean up resources` — portal resource group deletion
+7. `## Related content` — 3–4 bullet links to related articles
+
+### Quickstart (`ms.topic: quickstart`)
+Same as how-to but faster-paced, single focused task, ends with a "Next steps" section.
+
+### Tutorial (`ms.topic: tutorial`)
+Multi-step, progressive task. Each H2 section builds on the previous one.
+
+---
+
+## Key Formatting Rules
+
+**Tables** (use for all settings/configuration steps):
+```markdown
+| Setting | Value |
+| --- | --- |
+| Key vault name | Enter a unique name, such as *myKeyVault*. |
+| Region | Select the **parent region** of the target Extended Zone. |
+```
+
+**Note/Important/Caution blocks:**
+```markdown
+> [!NOTE]
+> Note text here.
+
+> [!IMPORTANT]
+> Critical info here.
+
+> [!CAUTION]
+> Warning text here.
+```
+
+**Code blocks** — always use language-specific fences:
+- Azure CLI: ` ```azurecli `
+- PowerShell: ` ```azurepowershell `
+- JSON: ` ```json `
+- Bash: ` ```bash `
+
+**Cross-links** — use relative paths:
+```markdown
+[Request access to an Azure Extended Zone](request-access.md)
+```
+
+**No screenshots** — use text instructions and tables only (no `:::image` directives).
+
+---
+
+## Extended Zone–Specific Notes
+
+- **Key Vault, Disk Encryption Sets, and most control-plane services** are created in the **parent Azure region**, not the Extended Zone itself.
+- **VMs, AKS clusters, storage accounts** are deployed **in the Extended Zone** using `--edge-zone <zone-name>` in the CLI or by selecting "Deploy to an Azure Extended Zone" in the portal under the Region field.
+- Always remind users: select the **parent region** first in the portal, then select **Deploy to an Azure Extended Zone** and choose the Extended Zone.
+- Storage in Extended Zones is **Premium only** with **LRS** redundancy.
+- Refer to `request-access.md` whenever Extended Zone access or zone names are needed.
+
+---
+
+## Publishing Checklist
+
+After writing the article:
+
+1. **Save the file** to `C:\github\azure-docs-pr\articles\extended-zones\<filename>.md`
+
+2. **Update `TOC.yml`** — add an entry under the appropriate section:
+   ```yaml
+   - name: <Short descriptive name>
+     href: <filename>.md
+   ```
+   Sections in TOC: Overview, Quickstarts, Tutorials, Concepts, How-to guides, Arc-enabled PaaS workloads, Security, Reference, Resources
+
+3. **Update `overview.md`** if the article covers a new service — add it to the supported services table under the correct category row (`Compute`, `Networking`, `Storage`, `BCDR`, `Arc-enabled PaaS`, `Other`). Services use `<br>` as separator and are written as markdown links.
+
+4. **Verify frontmatter** — all required fields present (`title`, `description`, `author`, `ms.author`, `ms.service`, `ms.topic`, `ms.date`).
diff --git a/articles/extended-zones/TOC.yml b/articles/extended-zones/TOC.yml
@@ -37,6 +37,8 @@
     href: purchase-reservations-savings-plans.md
   - name: Create a custom Azure Policy in an Extended Zone
     href: create-azure-policy.md
+  - name: Encrypt disks with customer-managed keys in an Azure Extended Zone
+    href: key-vault-encrypt-azure-extended-zone-disk.md
 - name: Arc-enabled PaaS workloads in Extended Zones
   items:
   - name: Create Arc-Enabled AKS Clusters in Extended Zones
diff --git a/articles/extended-zones/create-azure-policy.md b/articles/extended-zones/create-azure-policy.md
@@ -43,7 +43,7 @@ For this example, we created an Allowed Locations policy that restricts the loca
 **Required fields:**
 
 | Field | Guidance |
-|------|---------|
+| ------ | --------- |
 | Definition location | Use a **management group** for enterprise-wide governance (recommended), or a **subscription** for more granular control. |
 | Name | Use a clear, intent-based name (for example, `Deny-NonApproved-Locations`). |
 | Description | Explain what the policy enforces and why. |
diff --git a/articles/extended-zones/key-vault-encrypt-azure-extended-zone-disk.md b/articles/extended-zones/key-vault-encrypt-azure-extended-zone-disk.md
@@ -0,0 +1,105 @@
+---
+title: Encrypt disks with customer-managed keys in an Azure Extended Zone
+description: Learn how to use Azure Key Vault, Disk Encryption Sets, and Azure CLI to encrypt disks for virtual machines deployed in an Azure Extended Zone
+author: svaldesgzz
+ms.author: svaldes
+ms.service: azure-extended-zones
+ms.topic: how-to
+ms.date: 03/04/2026
+---
+
+# Encrypt disks with customer-managed keys in an Azure Extended Zone
+
+In this article, you learn how to encrypt Azure managed disks with **customer-managed keys (CMK)** for virtual machines deployed in an **Azure Extended Zone**.
+
+The process uses **Azure Key Vault** and a **Disk Encryption Set (DES)**. 
+
+> [!NOTE]
+> While Key Vault and Disk Encryption Sets (DES) can be created using either the Azure portal or Azure CLI, assigning a Disk Encryption Set to disks for Azure Extended Zone workloads is currently supported only via Azure CLI.
+
+## Prerequisites
+
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn).
+
+- Access to an Extended Zone. For more information, see [Request access to an Azure Extended Zone](request-access.md).
+
+- Azure CLI installed (version 2.26 or later). [Install Azure CLI](/cli/azure/install-azure-cli).
+
+- Basic understanding of Azure Key Vault and disk encryption concepts. For more information, see [Azure Key Vault documentation](/azure/key-vault/general/overview) and [Azure Disk Encryption documentation](/azure/virtual-machines/windows/disk-encryption-overview).
+
+## High-level architecture context 
+
+When using customer-managed keys with Azure Extended Zones resources:
+- Control plane operations (Azure Resource Manager, Key Vault metadata, DES) run in the parent Azure region.
+- Data plane resources (virtual machines and disks) run in the Extended Zone location.
+- Disk encryption is enforced at the managed disk level (data plane) using a Disk Encryption Set.
+
+## Create a Key Vault and encryption key in an Azure Extended Zone
+
+In this section, you create a Key Vault, encryption key and Disk Encryption Set in the parent region of an Extended Zone. 
+
+For this example, you have flexibility as to which tool to use to create the encryption tools, but the disk creation and encryption will only work via Azure CLI. 
+
+### Create a Key Vault and encryption key
+To encrypt resources in an Azure Extended Zone, you must first create an Azure Key Vault and an RSA key **in the parent Azure region associated with your Extended Zone**. You can do this using the Azure portal, or Azure CLI / PowerShell. When creating the Key Vault, ensure the following:
+- All the resources belong to the same resource group.
+- Azure role-based access control (RBAC) is enabled.
+- Purge protection is enabled.
+- You create or import an RSA key (2048-bit or higher).
+
+
+## Create a Disk Encryption Set (DES)
+Next, create a Disk Encryption Set that references the Key Vault key. The Disk Encryption Set must:
+- Be created in the same parent region as the Key Vault.
+- Use a system-assigned managed identity.
+
+Grant the Disk Encryption Set access to the Key Vault key by assigning it the Key Vault Crypto Service Encryption User role. 
+
+## Deploy a virtual machine in an Azure Extended Zone
+When deploying a virtual machine in an Azure Extended Zone, you must specify:
+
+--location: the parent Azure region
+
+--edge-zone: the Extended Zone name
+
+The following example creates a Windows Server 2022 VM in the Los Angeles Extended Zone, using West US as the parent region.
+
+```cli
+az vm create --resource-group 'myResourceGroup' --name 'myVM' --image Win2022Datacenter --size Standard_DS4_v2 --admin-username 'username' --admin-password 'password' --edge-zone losangeles --location westus 
+
+```
+
+## Create an encrypted managed disk using a Disk Encryption Set (CLI only)
+
+After creating the VM, create a managed disk encrypted with your Disk Encryption Set. This step explicitly applies customer-managed keys to the disk.
+
+```cli
+az disk create --resource-group 'myResourceGroup' --name 'myDisk' --edge-zone losangeles --location westus --size 64 --sku Premium_LRS --encryption-type EncryptionAtRestWithCustomerKey --disk-encryption-set DES_ID
+```
+
+### Verify disk encryption
+
+Use the following command to confirm that the disk is encrypted with a customer-managed key and associated with the correct Disk Encryption Set:
+
+``` cli
+az disk show -g 'myResourceGroup' -n 'myDisk' --query "{encryptionType:encryption.type, desId:encryption.diskEncryptionSetId}" -o json
+```
+### Attach the encrypted disk to the VM
+
+Finally, once verified, attach the encrypted disk to the VM using the following command:
+```cli
+az vm disk attach --resource-group 'myResourceGroup' --vm-name 'myVM' --name 'myDisk'
+```
+
+## Clean up resources
+If you're done working with resources from this tutorial, use the following instructions to delete the resource group and all resources it contains:
+
+```cli
+az group delete --name 'myResourceGroup' --yes --no-wait
+```
+
+## Related content
+- [Azure Key Vault documentation](/azure/key-vault/general/overview)
+- [What is Azure Extended Zones?](overview.md)
+- [Deploy a virtual machine in an Extended Zone](deploy-vm-portal.md)
+- [Frequently asked questions](faq.md)
diff --git a/articles/extended-zones/overview.md b/articles/extended-zones/overview.md
@@ -43,15 +43,15 @@ The following table lists key services that are available in Azure Extended Zone
 
 | Service category | Available Azure services and features |
 | ------------------ | ------------------- |
-| **Compute** | [Azure Kubernetes Service](/azure/aks/extended-zones?tabs=azure-resource-manager)* <br> [Azure Virtual Desktop](/azure/virtual-desktop/azure-extended-zones)* <br> [Virtual Machine Scale Sets](/azure/virtual-machine-scale-sets/overview) <br> [Virtual machines](/azure/virtual-machines/overview) (general purpose: A, B, D, E, and F series and GPU NVadsA10 v5 series**)|
+| **Compute** | [Azure Kubernetes Service](/azure/aks/extended-zones?tabs=azure-resource-manager)* <br> [Azure Virtual Desktop](/azure/virtual-desktop/azure-extended-zones)* <br> [Virtual Machine Scale Sets](/azure/virtual-machine-scale-sets/overview) <br> [Virtual machines](/azure/virtual-machines/overview) (general purpose: A, B, D, E, and F series and GPU NVadsA10 v5 series**) |
 | **Networking** | [DDoS](../ddos-protection/ddos-protection-overview.md) (Standard protection) <br> [ExpressRoute](../expressroute/expressroute-introduction.md) <br> [Private Link](../private-link/private-link-overview.md) <br> [Standard Load Balancer](../load-balancer/load-balancer-overview.md) <br> [Standard public IP](../virtual-network/ip-services/public-ip-addresses.md) <br> [Virtual Network](../virtual-network/virtual-networks-overview.md) <br> [Virtual Network Peering](../virtual-network/virtual-network-peering-overview.md) <br> Azure Firewall (API version) |
 | **Storage** | [Managed disks](/azure/virtual-machines/managed-disks-overview) <br> - Premium SSD <br> - Standard SSD <br> [Premium Page Blobs](../storage/blobs/storage-blob-pageblob-overview.md) <br> [Premium Block Blobs](../storage/blobs/storage-blob-block-blob-premium.md) <br> [Premium Files](../storage/files/storage-files-introduction.md) <br> [Data Lake Storage Gen2 Hierarchical Namespace](../storage/blobs/data-lake-storage-namespace.md) <br>Data Lake Storage Gen2 Flat Namespace <br> [Change Feed](/azure/cosmos-db/change-feed) <br> Blob Features <br> - [SFTP](../storage/blobs/secure-file-transfer-protocol-support.md) <br> - [NFS](../storage/files/files-nfs-protocol.md) |
 | **BCDR** | [Azure Site Recovery](../site-recovery/site-recovery-overview.md)* (Extended Zone to parent region) <br> [Azure Backup](../backup/backup-overview.md) |
 | **Arc-enabled PaaS** | [ContainerApps](/azure/extended-zones/arc-enabled-workloads-container-apps)* <br> [ManagedSQL](/azure/extended-zones/arc-enabled-workloads-managed-sql)* |
-| **Other** | [Azure Policy](/azure/extended-zones/create-azure-policy)* <br> [Savings Plans](/azure/extended-zones/purchase-reservations-savings-plans) <br> [Reserved Instances](/azure/extended-zones/purchase-reservations-savings-plans) (through recommendations flow) |
+| **Other** | [Azure Key Vault](/azure/extended-zones/articles/extended-zones/key-vault-encrypt-azure-extended-zone-disk) (with encryption resources in parent region, targeting the Extended Zone) <br> [Azure Policy](/azure/extended-zones/create-azure-policy) <br> [Reserved Instances](/azure/extended-zones/purchase-reservations-savings-plans) (through recommendations flow) <br> [Savings Plans](/azure/extended-zones/purchase-reservations-savings-plans) |
 
 \* While these services are GA in Azure Regions, they are currently in Preview in Azure Extended Zones.  
-\** [Learn more about Virtual Machine family series here](/azure/virtual-machines/sizes/overview?tabs=breakdownseries%2Cgeneralsizelist%2Ccomputesizelist%2Cmemorysizelist%2Cstoragesizelist%2Cgpusizelist%2Cfpgasizelist%2Chpcsizelist). You can obtain a detailed VM list in the Azure Extended Zones environment. 
+** [Learn more about Virtual Machine family series here](/azure/virtual-machines/sizes/overview?tabs=breakdownseries%2Cgeneralsizelist%2Ccomputesizelist%2Cmemorysizelist%2Cstoragesizelist%2Cgpusizelist%2Cfpgasizelist%2Chpcsizelist). You can obtain a detailed VM list in the Azure Extended Zones environment. 
 
 ## Supported Independent Software Vendors (ISVs)
 
