Part 7: Expose Shielded VMs to Windows Azure Pack Portal

Previous Post in Series: Part 6: Deploy and Configure Shielded VMs Using SCVMM

Welcome to part 7 of the Server 2016 Features Series. In the last two sections we deployed a Guarded Fabric and set things up to allow us to deploy Shielded VMs from within SCVMM. This section of the guide will build on that by exposing the Shielded VM capability to the Windows Azure Pack portal.

This guide assumes that you already have a WAP server up and running and connected to SCVMM via SPF. If you’ve yet to do this, I’ve put together a guide on it HERE

Here’s a quick list of what will be covered in this guide:

  • Create a Shielded VM Template in SCVMM
  • Create a VM Cloud in SCVMM
  • Create a plan and user in WAP Admin Portal
  • Deploy a shielded VM from template within the WAP Portal

Let’s get on with it then

Create a Shielded VM Template in SCVMM

The first thing we’ll want to do is create a VM template that we can use within our WAP portal to give our tenants the ability to deploy shielded VMs. With that in mind:

Open your SCVMM console and navigate to “Library”, “Templates”, right-click on “VM Templates” and select “Create VM Template”


Click “Browse” (the correct option is highlighted by default).
Select the signed VHDx that you created back in part 6 of the guide and click “OK” and “Next”


Give your template a “Name” and optionally a “Description”. Now click “Next”


Configure your VM resources paying particular attention to “Network Adapters”, making sure to set the “IP Address” to “Static” (See screenshot).

Now click “Next”

NOTE:  Remember that if an IP isn’t configured within the VM at the point of deployment, you won’t have any access to it when it’s fully shielded. Choose a network that has a static IP pool configured.


Enter a “Product Key” for the edition of Windows installed on your template VHDx, click “Next” and “Create”


That’s the template taken care of, let’s go create a VM Cloud.

Create a VM Cloud in SCVMM

Clouds in SCVMM let us bundle together resources for consumption by tenants from the WAP portal (in our use case anyway). Here are a FEW of the configurable settings on a cloud:

  • What resources it uses. In other words, what host group and by extension what compute clusters VMs can be deployed to within this cloud
  • Which logical networks are exposed to this cloud. This will allow you to then expose specific related VM networks to WAP
  • Which storage to present to this cloud, based on the classifications you’ve set against the different types
  • Which library server can be used with this cloud
  • Allows scoping down of the available resources within the host groups configured against this cloud

Let’s crack on and create a test cloud

Navigate to “VMs and Services”, right-click on “Clouds” and select “Create Cloud”


Type a name for your cloud and select “Supported on this private cloud” from the “Shielded VM support” drop-down.

Now click “Next”


Select the host group that contains the Hyper-V cluster you want to deploy your VMs to and click “Next”


Decide which VM networks you want to expose to your cloud, select the Logical Networks they sit on and click “Next”

NOTE: I’m adding my management logical network here as it’s the only one I currently have set up with a configured static IP address pool


Skip the “Load Balancers”, “VIP Templates” and “Port Classifications” tabs for the time being.

On the Storage tab, select which storage you want to consume from this cloud (these are presented via configured storage classifications) and click “Next”


Under “Read-only library shares” click “Add” and select a library share to attach to your cloud. This is especially important because it’s a requirement when downloading the Volume Signature Catalogue for signed template disks.


On the Capacity tab, decide how much resource you want to make available to this cloud and click “Next”


Click “Next” through to the end of the wizard and click “Finish”


Create a Plan and User in WAP Admin Portal

We now have everything we need to move on over to our WAP admin portal, so go ahead and log in

NOTE:  The default URL is https://WAPServerFQDN:30091

First we’ll create a plan which has access to the resources we just configured within SCVMM. We’ll then create a new user account and subscribe them to that plan. The aim here being that we can then log in AS that user and deploy a shielded VM from the tenant portal.

Click “+ NEW”, “PLAN” and “CREATE PLAN”


Type a “Friendly Name” for your plan and click the arrow.


Place a tick in “VIRTUAL MACHINE CLOUDS”, click the “right” arrow and the “tick” to complete.


So we’ve now created a plan but need to configure it. This will let us chop up our available resource, assign specific VM networks and templates etc.

Click on the plan you just created to view its properties.


Within the plan properties, click on the “Virtual Machine Clouds” link.


Select your SCVMM server from the drop-down named “VMM Management Server”

Select the cloud you created earlier from the drop-down named “Virtual Machine Cloud”

You’ll notice that shielded VMs are supported on this cloud.


Click “Add networks” and select the VM network you configured within your SCVMM VM Template


Click “Add templates” and select the VM Template you created in SCVMM earlier


When finished, it should look something like this:


Under “additional settings” and “custom settings” choose what makes sense for your environment and click “Save”


OK, now that we have a plan, let’s create a tenant and give them access to it.


  • Enter an email address for your tenant (this should be any valid email address)
  • Enter a password for the tenant (they can change this later within their tenant portal)
  • Choose the plan you just created and click “CREATE”

Once the job has completed fully, your new account should look like below:


…and that’s us finished in the admin portal for the time being, let’s go deploy something

Deploy a shielded VM from template within the WAP Portal

Log into the tenant portal as the user you just created. The default URL is: https://WAPServerFQDN:30081

So we’re going to deploy a shielded VM using everything that we’ve configured up until now, so fingers crossed.
Before we can do that though, you’ll remember from part 6 that we need the guardian fabric metadata file, a copy of the volume signature catalog for our signed VHDx and a shielding data file.

As a tenant, you can download the guardian metadata file from the portal by clicking “DOWNLOAD GUARDIAN”
You can download the VSC file by clicking “DOWNLOAD CATALOG”
Once created you can upload your shielding data file (.PDK) to WAP by clicking “UPLOAD SHIELDING DATA”

However…we’ve already done all this, so we’re going to cheat a little bit.
Go and grab the shielding data file you created in part 6, it’s the .PDK file. If you no longer have it, download the guardian and catalog files from the WAP portal and recreate your shielding data file by following the instructions HERE

So, armed with your shielding data file…

Navigate to the “VIRTUAL MACHINES” tab and click “SHIELDING DATA”




Browse to your .PDK file, give it a “Friendly Name” and click the “tick”


You should now see your shielding data file in WAP


We’ve now got everything we need to deploy a shielded VM, so let’s do that.


Enter a “Name” for your new VM, the “Template” and “Shielding Data” fields should be auto-populated.



Jump over to your SCVMM console and you can watch it being deployed…exciting RIGHT?  No, just me?


Once deployed, the status of the VM will update within WAP as below:


Jumping on to the VM via Remote Desktop shows that it deployed without issue.

NOTE:  Remember that you won’t be able to console on to the VM from the WAP portal as the VM is fully shielded
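
Because the console is blocked, a fabric administrator can confirm from the Hyper-V host that the VM really is shielded and that the host passed attestation. The following is an added example, not part of the original post: the function name Test-ShieldedVMState and the VM name 'ShieldedVM01' are placeholders, and it assumes it is run elevated on the guarded host that currently owns the VM.

```powershell
# Added example: run on the guarded Hyper-V host that owns the VM.
# 'ShieldedVM01' is a placeholder name, not a value from the post.
function Test-ShieldedVMState {
    param(
        [Parameter(Mandatory)] [string] $VMName
    )

    $findings = @()

    # Host side: the host must be guarded, i.e. it has passed HGS attestation.
    $hgs = Get-HgsClientConfiguration
    if (-not $hgs.IsHostGuarded) {
        $findings += "Host is not guarded (AttestationStatus: $($hgs.AttestationStatus))"
    }

    # VM side: a shielded VM is generation 2, has a virtual TPM and has the Shielded flag set.
    $vm  = Get-VM -Name $VMName -ErrorAction Stop
    $sec = Get-VMSecurity -VMName $VMName

    if ($vm.Generation -ne 2) { $findings += "VM is generation $($vm.Generation), expected 2" }
    if (-not $sec.TpmEnabled) { $findings += 'Virtual TPM is not enabled' }
    if (-not $sec.Shielded)   { $findings += 'VM is not shielded' }
    if (-not $sec.EncryptStateAndVmMigrationTraffic) {
        $findings += 'Saved state and live migration traffic are not encrypted'
    }

    # Return one object so the result can be logged or filtered across many VMs.
    [pscustomobject]@{
        VMName            = $VMName
        HostGuarded       = $hgs.IsHostGuarded
        AttestationStatus = $hgs.AttestationStatus
        Shielded          = $sec.Shielded
        TpmEnabled        = $sec.TpmEnabled
        Compliant         = ($findings.Count -eq 0)
        Findings          = $findings
    }
}

Test-ShieldedVMState -VMName 'ShieldedVM01' | Format-List
```

A VM deployed from the shielded template should come back with Compliant set to True; any entry under Findings points to the setting to check in the template, shielding data or host configuration.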


Congratulations, you’ve just deployed a shielded virtual machine as a tenant with no access to the underlying infrastructure 🙂

…and that covers it, I’ll see you in part 8 for deploying and configuring SDN v2 to our cluster.
