This week Microsoft announced the public preview of support to deploy gen2 VMs in Azure. Gen2 VMs have been around since Windows Server 2012 R2 for on-premises Hyper-V deployments. However, there are some serious limitations during the Azure preview. Let’s look at the benefits first.
Why Should I Deploy Gen2 VMs in Azure?
For security purposes. Gen2 VMs will offer the following features in Azure during the preview:
- Operating System (OS) disks that exceed 2 TB
- Future support for SecureBoot to block rootkits
- UEFI-based boot architecture vs. legacy BIOS architecture
- Future support for Virtual Trusted Platform Module (vTPM)
- SCSI Disk Controllers (instead of IDE) but only for Premium Storage
- Support for Accelerated Networking (This isn’t new, it’s just not broken.)
If you’re considering deploying Windows Virtual Desktop in Azure, then SecureBoot in generation 2 VMs should allow you to enable Device Guard and Credential Guard to block credential-theft attacks. I’ll update this post after I deploy credential guard in WVD. (WVD is currently not supported in the gen2 preview. Neither is VBS.)
Why Shouldn’t I Deploy Gen2 VMs in Azure?
Also for security purposes. And budgetary reasons. Let’s start with the primary reason why I’m not converting all of my Azure VMs to generation 2 right now.
- Not compatible with Azure Site Recovery or Azure Backup. I avoid using Veeam, Zerto, or third-party backups for Azure VMs because the seamless integration of ASR and Azure Backup make automation and orchestration significantly easier.
- No support for Azure Disk Encryption. That means no BitLocker.
- Virtualization-Based Security is not supported. (Yet.)
- Shielded VMs are missing.
- No VHDX support.
- Currently only Windows Server 2012 through 2019 is supported.
As far as your budget goes, the preview does not support A or B series VMs. Which means you’ll have to deploy using a more expensive Dsv2/3, Esv3, Fsv2, GS, Ls/v2, or Mv2 series VM.
Deploying Windows Server 2019 Generation 2 in Azure
Deploy Gen2 VMs Using the Azure Portal
To deploy a generation 2 VM in Azure, just navigate to the Azure Marketplace and search for:
Select Windows Server 2019 Datacenter (Gen2) and then proceed to create your VM as normal.
Deploy Gen2 VMs Using PowerShell and the Az Module
If you prefer to use PowerShell to deploy your VMs, our DevSecOps team suggests running something similar to the following using the Az module.
Install-Module Az Import-Module Az $VMLocalAdminUser = "SecqurAdmin" $VMLocalAdminSecurePassword = ConvertTo-SecureString 'Long!Passwords?Are#More*Secure%2019' -AsPlainText -Force $LocationName = "eastus2" $ResourceGroupName = "MyResourceGroup" $ComputerName = "Thor-Gen2" $VMName = "Thor-Gen2" $VMSize = "Standard_D4s_v3" $NetworkName = "Ragnarök" $NICName = "Thor-Gen2-Nic" $SubnetName = "ThroneRoom" $SubnetAddressPrefix = "10.0.0.0/24" $VnetAddressPrefix = "10.0.0.0/16" $SingleSubnet = New-AzVirtualNetworkSubnetConfig -Name $SubnetName -AddressPrefix $SubnetAddressPrefix $Vnet = New-AzVirtualNetwork -Name $NetworkName -ResourceGroupName $ResourceGroupName -Location $LocationName -AddressPrefix $VnetAddressPrefix -Subnet $SingleSubnet $NIC = New-AzNetworkInterface -Name $NICName -ResourceGroupName $ResourceGroupName -Location $LocationName -SubnetId $Vnet.Subnets.Id $Credential = New-Object System.Management.Automation.PSCredential ($VMLocalAdminUser, $VMLocalAdminSecurePassword); $VirtualMachine = New-AzVMConfig -VMName $VMName -VMSize $VMSize $VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine -Windows -ComputerName $ComputerName -Credential $Credential -ProvisionVMAgent -EnableAutoUpdate $VirtualMachine = Add-AzVMNetworkInterface -VM $VirtualMachine -Id $NIC.Id $VirtualMachine = Set-AzVMSourceImage -VM $VirtualMachine -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' -Skus 'windowsserver-gen2preview' -Version latest New-AzVM -ResourceGroupName $ResourceGroupName -Location $LocationName -VM $VirtualMachine -Verbose
I’m optimistic about using virtualization-based security in Azure, especially for Windows Virtual Desktop. But until there is support for VBS and BitLocker, I won’t be deploying any generation 2 VMs soon. Right now the main reason to deploy a generation 2 VM is for REALLY BIG servers where you need more than 12 TB of data. (Only if you use a tool other than Azure Backup to protect your data.)
Head on over to the official Azure Support page for Gen2 VMs to see the latest updates.