
In an era where security is paramount, the Azure Kubernetes Service (AKS) has taken a significant leap forward with the introduction of Trusted Launch in its preview phase. This cool new feature is all about giving your AKS nodes – which are basically the backbone of your AKS clusters – a massive security boost, underpinned by Generation 2 virtual machines (VMs). Let’s dive into what makes Trusted Launch so special and how you can start using it.

Understanding Trusted Launch

Trusted Launch is not just a feature; it’s a comprehensive security framework composed of several coordinated infrastructure technologies, each designed to add an additional layer of defence against advanced threats. It empowers administrators with the capability to deploy AKS nodes, complete with verified and signed bootloaders, OS kernels, and drivers, ensuring the integrity of the entire boot chain.

Key Components of Trusted Launch

Virtual TPM (vTPM): At the heart of Trusted Launch lies a virtualized version of a hardware Trusted Platform Module (TPM), compliant with the TPM 2.0 specification. This dedicated secure vault, outside the reach of the VM itself, provides a robust mechanism for attestation by measuring the entire boot chain. It enables remote attestation by the cloud, allowing for platform health checks and trust-based decisions.

Secure Boot: Secure Boot acts as the foundation of Trusted Launch, ensuring that only signed operating systems and drivers can boot. It establishes a “root of trust” for your VM’s software stack, preventing the installation of malware-based rootkits and bootkits.

Important Limitations to Consider

While Trusted Launch brings a lot of exciting features to the table, there are a few limitations you should be aware of:

  • Windows Server Woes: Unfortunately, cluster nodes running the Windows Server operating system aren’t supported yet.
  • FIPS and ARM64: If your node pools are FIPS enabled or based on ARM64, Trusted Launch (preview) won’t be able to protect them just yet.
  • Availability Sets vs. VM Scale Sets: Remember, Availability Sets are out of the game here; only Virtual Machine Scale Sets can join the Trusted Launch party.
  • GPU Node Pools: Want Secure Boot with your GPU node pools? You’ll need to skip installing the GPU driver for now. For more details, it’s worth checking out the guidance on skipping GPU driver installation.
  • Ephemeral OS Disks: Good news – ephemeral OS disks can get cozy with Trusted Launch across all regions. However, keep in mind not all virtual machine sizes are compatible. For the nitty-gritty on which sizes make the cut, take a look at the Trusted Launch ephemeral OS sizes info.

Getting Started with Trusted Launch

Before diving into the world of Trusted Launch, there are a few prerequisites:

  • Ensure your Azure CLI is version 2.44.1 or later.
  • Install the aks-preview Azure CLI extension version 1.0.0b6 or later.
  • Register the TrustedLaunchPreview feature in your Azure subscription.
  • Trusted Launch is supported on AKS version 1.25.2 and higher and only supports Azure Generation 2 VMs.

Installing the aks-preview Extension

Begin by installing the aks-preview extension with the following command:

And then, update to the latest version of the extension:

Registering the TrustedLaunchPreview Feature Flag

Register the TrustedLaunchPreview feature flag to get started:

This command registers the feature flag with your Azure subscription. It can take a short while to finish.

Confirm that the registration is complete by running:

Wait until the status shows ‘Registered’.

After registration, refresh the Microsoft.ContainerService resource provider using:
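The preparation steps above (CLI version check, extension install and update, feature registration, waiting for the flag, provider refresh) gathered into one script. This is an added example, not the post's own commands; it assumes the Azure CLI (az) is installed and logged in, that the aks-preview extension and TrustedLaunchPreview feature names are as the post states, and it adds a DRY_RUN=1 switch that prints each az command instead of running it.

```shell
#!/bin/sh
# Added example, not the post's own script: the Trusted Launch preparation steps
# as one script. Assumes the Azure CLI (az) is installed and logged in.
# Set DRY_RUN=1 to print the az commands instead of running them.

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# version_ge A B: succeeds when dotted version A is >= B. Numeric fields only,
# so a pre-release suffix such as the "b6" in 1.0.0b6 is ignored.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0
    }'
}

# Prerequisite: Azure CLI 2.44.1 or later.
ensure_cli_version() {
    cli_version="$(az version --query '"azure-cli"' -o tsv)"
    if ! version_ge "$cli_version" "2.44.1"; then
        echo "Azure CLI $cli_version is older than the required 2.44.1" >&2
        return 1
    fi
}

# Install the aks-preview extension, then update it to the latest release
# (the post requires 1.0.0b6 or later).
install_aks_preview() {
    run az extension add --name aks-preview
    run az extension update --name aks-preview
}

# Register the TrustedLaunchPreview feature flag, wait for the asynchronous
# registration to reach Registered, then refresh the resource provider.
register_trusted_launch_feature() {
    run az feature register --namespace "Microsoft.ContainerService" --name "TrustedLaunchPreview"
    if [ "${DRY_RUN:-0}" != "1" ]; then
        while :; do
            state="$(az feature show --namespace "Microsoft.ContainerService" \
                --name "TrustedLaunchPreview" --query properties.state -o tsv)"
            [ "$state" = "Registered" ] && break
            echo "Feature state is '$state'; waiting..."
            sleep 20
        done
    fi
    run az provider register --namespace Microsoft.ContainerService
}

# Run the whole preparation when invoked as: sh prepare.sh prepare
if [ "${1:-}" = "prepare" ]; then
    ensure_cli_version
    install_aks_preview
    register_trusted_launch_feature
fi
```

The polling loop matters in practice: feature registration is asynchronous, and an `az aks create` issued while the flag still reads "Registering" fails, so the script blocks until the state is "Registered" before refreshing the Microsoft.ContainerService provider.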

Now let’s look at the commands for Trusted Launch.

Deploying a New Cluster with Trusted Launch

Creating a new AKS cluster with Trusted Launch switched on is a breeze. Just use the az aks create command and flick the switches for Secure Boot and vTPM:

This command will create a cluster called trustedLaunchCluster in the resource group rg-trustedlaunch. Make sure you change these to your needs.

Adding and Updating Node Pools

Want to add a new node pool with all this security goodness? Or maybe upgrade an existing one? No problem:

This command will create a node pool called mynodepool on the cluster called trustedLaunchCluster in the resource group rg-trustedlaunch. Make sure you change these to your needs.

Updating is just as easy, ensuring your nodes are wearing their security armor:

This command will update the node pool called mynodepool on the cluster called trustedLaunchCluster in the resource group rg-trustedlaunch. Make sure you change these to your needs.
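The three deployment steps (new cluster, new node pool, updated node pool) plus a check that the result actually landed, as an added example rather than the post's own commands. It assumes the prerequisites above are done, uses the `--enable-secure-boot` and `--enable-vtpm` flags of the aks-preview extension, defaults to the post's names (rg-trustedlaunch, trustedLaunchCluster, mynodepool), and treats LOCATION as a constructed default you should change. The verification step reads the scale sets in the node resource group; the `securityProfile` field names it queries are the VM scale set schema as assumed by this example.

```shell
#!/bin/sh
# Added example, not the post's own commands: create a Trusted Launch cluster,
# add a node pool, update an existing pool, and verify the scale sets.
# Assumes az with the aks-preview extension and the TrustedLaunchPreview
# feature registered. Set DRY_RUN=1 to print the az commands instead of running them.

RG="${RG:-rg-trustedlaunch}"
CLUSTER="${CLUSTER:-trustedLaunchCluster}"
NODEPOOL="${NODEPOOL:-mynodepool}"
LOCATION="${LOCATION:-uksouth}"   # constructed default; use your own region

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# New cluster with Secure Boot and vTPM switched on for its system node pool.
create_cluster() {
    run az aks create \
        --resource-group "$RG" --name "$CLUSTER" --location "$LOCATION" \
        --node-count 2 \
        --enable-secure-boot --enable-vtpm \
        --generate-ssh-keys
}

# Extra node pool on an existing cluster, with Trusted Launch enabled.
add_nodepool() {
    run az aks nodepool add \
        --resource-group "$RG" --cluster-name "$CLUSTER" --name "$NODEPOOL" \
        --node-count 2 \
        --enable-secure-boot --enable-vtpm
}

# Turn Trusted Launch on for a node pool that already exists.
update_nodepool() {
    run az aks nodepool update \
        --resource-group "$RG" --cluster-name "$CLUSTER" --name "$NODEPOOL" \
        --enable-secure-boot --enable-vtpm
}

# Verify at the scale set layer: every VMSS in the node resource group should
# report securityType TrustedLaunch with Secure Boot and vTPM enabled in its
# UEFI settings. Needs a live cluster (not covered by DRY_RUN).
verify_nodepools() {
    node_rg="$(az aks show --resource-group "$RG" --name "$CLUSTER" \
        --query nodeResourceGroup -o tsv)"
    az vmss list --resource-group "$node_rg" --output table --query \
        "[].{name:name, securityType:virtualMachineProfile.securityProfile.securityType, secureBoot:virtualMachineProfile.securityProfile.uefiSettings.secureBootEnabled, vtpm:virtualMachineProfile.securityProfile.uefiSettings.vTpmEnabled}"
}

# Usage: sh trusted-launch.sh create|add|update|verify
case "${1:-}" in
    create) create_cluster ;;
    add)    add_nodepool ;;
    update) update_nodepool ;;
    verify) verify_nodepools ;;
esac
```

Running `verify` after `create`, `add` or `update` is the part worth keeping in a runbook: a node pool that accepted the flags but whose VM size is not Generation 2 capable will not show TrustedLaunch at the scale set layer, which is the quickest way to catch the size and ephemeral OS disk limitations listed above.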


Trusted Launch is here to turn your AKS nodes into Fort Knox. It’s like giving them a security shield that blocks the bad stuff right from the get-go. With just a few steps, you can get this protection up and running, giving you peace of mind and keeping your AKS clusters safe and sound. Try it out and see how it takes your AKS security to the next level!


Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.
