Merge pull request #305175 from linuxelf001/patch-43

JamesJBarnett · web-flow · commit 840f3b6d154f · 2025-09-16T16:34:55.000-07:00
Clarify VMMD documentation for confidential VMs
diff --git a/articles/confidential-computing/TOC.yml b/articles/confidential-computing/TOC.yml
@@ -67,6 +67,8 @@
       href: how-to-create-custom-image-confidential-vm.md
     - name: How to migrate nested confidential VMs from one region to another
       href: migrate-nested-confidential-vms.md
+    - name: Virtual Machine Metablob Disk
+      href: virtual-machine-metablob-disk.md
     - name: Quickly create confidential VMs
       items:
       - name: Create VM through the Azure portal
diff --git a/articles/confidential-computing/virtual-machine-metablob-disk.md b/articles/confidential-computing/virtual-machine-metablob-disk.md
@@ -0,0 +1,248 @@
+---
+title: Virtual Machine Metablob Disk
+description: Information on Virtual Machine Metablob Disk (VMMD)
+author: linuxelf001
+ms.topic: concept-article
+ms.service: azure-virtual-machines
+ms.subservice: sizes
+ms.date: 09/05/2025
+ms.author: raginjup
+ms.reviewer: raginjup
+---
+# Virtual Machine Metablob Disk
+
+This article outlines the changes to be aware when using confidential virtual machines with Virtual Machine Metablob (VMMD) disk.
+
+> [!NOTE]
+> The VMMD feature support described here are available in Azure REST API version **2025-01-02** and later, Azure CLI version **2.77.0** and later, Azure PowerShell version **14.4.0** and later.
+
+## Prerequisites
+
+Before you begin, ensure you have the following:
+
+* An Azure account with an active subscription. [Create an account for free.](https://azure.microsoft.com/free)
+* A confidential virtual machine with managed disks.
+* The appropriate version of the tools you are using:
+    * Azure REST API version 2025-01-02 or later.
+    * Azure CLI version 2.77.0 or later.
+    * Azure PowerShell version 14.4.0 or later.
+
+## Disk Access
+The process for granting access to confidential virtual machine disks has been updated to provide a SAS URI for the Virtual Machine Metadata Disk (VMMD) blob. This is in addition to the existing SAS URIs for the OS disk and the VM guest state (VMGS) blob.
+
+### [Azure REST API](#tab/rest-access)
+
+To get the VMMD SAS URI using the Azure REST API, use the `beginGetAccess` endpoint with version `2025-01-02` or later.
+
+Grant access to a confidential virtual machine disk
+  * API: beginGetAccess
+  * New in response: securityMetadataAccessSAS
+
+**Sample HTTP Request:**
+
+```http
+POST https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/disks/myDisk/beginGetAccess?api-version=2025-01-02
+
+{
+  "access": "Read",
+  "durationInSeconds": 300,
+  "fileFormat": "VHD"
+}
+```
+
+**Sample Response:**
+
+Status code: 200
+
+```json
+{
+  "accessSAS": "OS disk SAS URI",
+  "securityDataAccessSAS": "VM Guest State SAS URI",
+  "securityMetadataAccessSAS": "VM Metadata SAS URI"
+}
+```
+Detailed documentation and more examples using Java, Go, JavaScript, or dotnet [are available here.](/rest/api/compute/disks/create-or-update?view=rest-compute-2025-01-02&tabs=HTTP#create-a-managed-disk-from-importsecure-create-option-with-metadata-uri-for-confidential-vm&preserve-view=true)
+
+### [Azure CLI](#tab/cli-access)
+
+When using the `az disk grant-access` command in Azure CLI version 2.77.0 or later, confidential virtual machines with three blobs include the `securityMetadataAccessSAS`.
+
+**Example:**
+
+```shell
+diskSas=$(az disk grant-access \
+  -n $diskName \
+  -g $resourceGroupName \
+  --access-level Write \
+  --duration-in-seconds 86400 \
+  --secure-vm-guest-state-sas)
+```
+
+**Returned value schema:**
+
+```json
+{
+  "accessSAS": "OS disk SAS URI",
+  "securityDataAccessSAS": "VM Guest State SAS URI",
+  "securityMetadataAccessSAS": "VM Metadata SAS URI"
+}
+```
+
+### [Azure PowerShell](#tab/powershell-access)
+
+With Azure PowerShell version 14.4.0 or later, the `Grant-AzDiskAccess` cmdlet now returns an object that includes the `securityMetadataAccessSAS`.
+
+**Example:**
+
+```powershell
+Grant-AzDiskAccess `
+  -ResourceGroupName 'ResourceGroup01' `
+  -DiskName 'Disk01' `
+  -Access 'Read' `
+  -DurationInSecond 60 `
+  -SecureVmGuestStateSas
+```
+> [!NOTE]
+> Multiline commands in PowerShell require a trailing backtick (\`) character, which must have a space preceding it. There should NOT be any space or trailing comments after the backtick (\`) either. You may avoid this issue by entering the whole command in a single line.
+
+**Returned value schema:**
+
+```json
+{
+  "accessSAS": "OS disk SAS URI",
+  "securityDataAccessSAS": "VM Guest State SAS URI",
+  "securityMetadataAccessSAS": "VM Metadata SAS URI"
+}
+```
+
+---
+
+## Create
+
+### [Azure REST API](#tab/rest-create)
+
+To create a confidential virtual machine disk with VMMD URI
+  * API: createOption ImportSecure
+  * Include: securityMetadataUri in the request
+
+**Sample HTTP Request:**
+
+```http
+PUT https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/disks/myDisk?api-version=2025-01-02
+
+{
+  "location": "West US",
+  "properties": {
+    "osType": "Windows",
+    "securityProfile": {
+      "securityType": "ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey"
+    },
+    "creationData": {
+      "createOption": "ImportSecure",
+      "storageAccountId": "subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myStorageAccount",
+      "sourceUri": "https://mystorageaccount.blob.core.windows.net/osimages/osimage.vhd",
+      "securityDataUri": "https://mystorageaccount.blob.core.windows.net/osimages/vmgs.vhd",
+      "securityMetadataUri": "https://mystorageaccount.blob.core.windows.net/osimages/vmmd.vhd"
+    }
+  }
+}
+
+```
+
+**Sample Response:**
+
+Status code: 200
+
+```json
+{
+  "id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/disks/myDisk",
+  "name": "myDisk",
+  "location": "West US",
+  "properties": {
+    "provisioningState": "Updating",
+    "osType": "Windows",
+    "securityProfile": {
+      "securityType": "ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey"
+    },
+    "creationData": {
+      "createOption": "ImportSecure",
+      "storageAccountId": "subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myStorageAccount",
+      "sourceUri": "https://mystorageaccount.blob.core.windows.net/osimages/osimage.vhd",
+      "securityDataUri": "https://mystorageaccount.blob.core.windows.net/osimages/vmgs.vhd",
+      "securityMetadataUri": "https://mystorageaccount.blob.core.windows.net/osimages/vmmd.vhd"
+    }
+  }
+}
+```
+Detailed documentation and more examples using Java, Go, JavaScript, or dotnet [are available here.](/rest/api/compute/disks/create-or-update?view=rest-compute-2025-01-02&tabs=HTTP#create-a-managed-disk-from-importsecure-create-option-with-metadata-uri-for-confidential-vm&preserve-view=true)
+
+### [Azure CLI](#tab/cli-create)
+
+To create a confidential virtual machine disk with VMMD URI
+  * Include the --security-metadata-uri parameter.
+  * Requires Azure CLI version 2.77.0 or later.
+
+**Example:**
+
+```shell
+az disk create -n $diskName -g $resourceGroup -l $location --os-type Windows --hyper-v-generation V2 --security-type "ConfidentialVM_VMGuestStateOnlyEncryptedWithPlatformKey" --source $sourceDiskVhdUri --security-data-uri $guestStateDiskVhdUri --security-metadata-uri $metadataDiskVhdUri \ --sku standard_lrs 
+```
+
+**Returned value schema:**
+
+```json
+{
+  "accessSAS": "OS disk SAS URI",
+  "securityDataAccessSAS": "VM Guest State SAS URI",
+  "securityMetadataAccessSAS": "VM Metadata SAS URI"
+}
+```
+
+### [Azure PowerShell](#tab/powershell-create)
+
+With Azure PowerShell version 14.4.0 or later, the `Grant-AzDiskAccess` cmdlet now returns an object that includes the `securityMetadataAccessSAS`.
+
+**Example:**
+
+```powershell
+Grant-AzDiskAccess `
+  -ResourceGroupName 'ResourceGroup01' `
+  -DiskName 'Disk01' `
+  -Access 'Read' `
+  -DurationInSecond 60 `
+  -SecureVmGuestStateSas
+```
+> [!NOTE]
+> Multiline commands in PowerShell require a trailing backtick (\`) character, which must have a space preceding it. There should NOT be any space or trailing comments after the backtick (\`) either. You may avoid this issue by entering the whole command in a single line.
+
+**Returned value schema:**
+
+```json
+{
+  "accessSAS": "OS disk SAS URI",
+  "securityDataAccessSAS": "VM Guest State SAS URI",
+  "securityMetadataAccessSAS": "VM Metadata SAS URI"
+}
+```
+---
+
+When using UploadPreparedSecure, upload the VMMD blob in addition to the OS and VMGS blobs if the source includes VMMD.
+
+
+## FAQ
+
+**Q: What is the VMMD blob?**
+
+**A:** The VMMD (Virtual Machine Metadata) blob contains metadata for a confidential VM.
+
+For more, see our [confidential VM FAQ](/azure/confidential-computing/confidential-vm-faq) and our [managed disk FAQ](/azure/virtual-machines/faq-for-disks)
+
+## Next Steps
+
+* [Deploy a confidential VM from Azure](/azure/confidential-computing/quick-create-confidential-vm-portal)
+* [Azure confidential computing documentation](/azure/confidential-computing/)
+
+## Related Articles
+
+* [Azure managed disks overview](/azure/virtual-machines/managed-disks-overview)
+* [Managed disk migration guide](/azure/virtual-machines/linux/convert-unmanaged-to-managed-disks) 
