The azure-native:compute:VirtualMachine resource, part of the Pulumi Azure Native provider, defines an Azure Virtual Machine: its compute size, OS image, storage, networking, and security configuration. This guide focuses on four capabilities: custom and gallery image deployment, security features (Trusted Launch, Confidential VMs, encryption), patch management and scheduled events, and application deployment via Gallery Applications.
VMs require network interfaces, may reference custom images or encryption sets, and can be placed in availability sets or scale sets. The examples are intentionally small. Combine them with your own networking, security, and placement infrastructure.
Deploy from a custom managed image
Teams often capture generalized VM images for reuse across environments, packaging OS configuration and application state into reusable templates.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const virtualMachine = new azure_native.compute.VirtualMachine("virtualMachine", {
hardwareProfile: {
vmSize: azure_native.compute.VirtualMachineSizeTypes.Standard_D1_v2,
},
location: "westus",
networkProfile: {
networkInterfaces: [{
id: "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}",
primary: true,
}],
},
osProfile: {
adminPassword: "{your-password}",
adminUsername: "{your-username}",
computerName: "myVM",
},
resourceGroupName: "myResourceGroup",
storageProfile: {
imageReference: {
id: "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/images/{existing-custom-image-name}",
},
osDisk: {
caching: azure_native.compute.CachingTypes.ReadWrite,
createOption: azure_native.compute.DiskCreateOptionTypes.FromImage,
managedDisk: {
storageAccountType: azure_native.compute.StorageAccountTypes.Standard_LRS,
},
name: "myVMosdisk",
},
},
vmName: "myVM",
});
import pulumi
import pulumi_azure_native as azure_native
virtual_machine = azure_native.compute.VirtualMachine("virtualMachine",
hardware_profile={
"vm_size": azure_native.compute.VirtualMachineSizeTypes.STANDARD_D1_V2,
},
location="westus",
network_profile={
"network_interfaces": [{
"id": "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}",
"primary": True,
}],
},
os_profile={
"admin_password": "{your-password}",
"admin_username": "{your-username}",
"computer_name": "myVM",
},
resource_group_name="myResourceGroup",
storage_profile={
"image_reference": {
"id": "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/images/{existing-custom-image-name}",
},
"os_disk": {
"caching": azure_native.compute.CachingTypes.READ_WRITE,
"create_option": azure_native.compute.DiskCreateOptionTypes.FROM_IMAGE,
"managed_disk": {
"storage_account_type": azure_native.compute.StorageAccountTypes.STANDARD_LRS,
},
"name": "myVMosdisk",
},
},
vm_name="myVM")
package main
import (
compute "github.com/pulumi/pulumi-azure-native-sdk/compute/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewVirtualMachine(ctx, "virtualMachine", &compute.VirtualMachineArgs{
HardwareProfile: &compute.HardwareProfileArgs{
VmSize: pulumi.String(compute.VirtualMachineSizeTypes_Standard_D1_v2),
},
Location: pulumi.String("westus"),
NetworkProfile: &compute.NetworkProfileArgs{
NetworkInterfaces: compute.NetworkInterfaceReferenceArray{
&compute.NetworkInterfaceReferenceArgs{
Id: pulumi.String("/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}"),
Primary: pulumi.Bool(true),
},
},
},
OsProfile: &compute.OSProfileArgs{
AdminPassword: pulumi.String("{your-password}"),
AdminUsername: pulumi.String("{your-username}"),
ComputerName: pulumi.String("myVM"),
},
ResourceGroupName: pulumi.String("myResourceGroup"),
StorageProfile: &compute.StorageProfileArgs{
ImageReference: &compute.ImageReferenceArgs{
Id: pulumi.String("/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/images/{existing-custom-image-name}"),
},
OsDisk: &compute.OSDiskArgs{
Caching: compute.CachingTypesReadWrite,
CreateOption: pulumi.String(compute.DiskCreateOptionTypesFromImage),
ManagedDisk: &compute.ManagedDiskParametersArgs{
StorageAccountType: pulumi.String(compute.StorageAccountTypes_Standard_LRS),
},
Name: pulumi.String("myVMosdisk"),
},
},
VmName: pulumi.String("myVM"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var virtualMachine = new AzureNative.Compute.VirtualMachine("virtualMachine", new()
{
HardwareProfile = new AzureNative.Compute.Inputs.HardwareProfileArgs
{
VmSize = AzureNative.Compute.VirtualMachineSizeTypes.Standard_D1_v2,
},
Location = "westus",
NetworkProfile = new AzureNative.Compute.Inputs.NetworkProfileArgs
{
NetworkInterfaces = new[]
{
new AzureNative.Compute.Inputs.NetworkInterfaceReferenceArgs
{
Id = "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}",
Primary = true,
},
},
},
OsProfile = new AzureNative.Compute.Inputs.OSProfileArgs
{
AdminPassword = "{your-password}",
AdminUsername = "{your-username}",
ComputerName = "myVM",
},
ResourceGroupName = "myResourceGroup",
StorageProfile = new AzureNative.Compute.Inputs.StorageProfileArgs
{
ImageReference = new AzureNative.Compute.Inputs.ImageReferenceArgs
{
Id = "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/images/{existing-custom-image-name}",
},
OsDisk = new AzureNative.Compute.Inputs.OSDiskArgs
{
Caching = AzureNative.Compute.CachingTypes.ReadWrite,
CreateOption = AzureNative.Compute.DiskCreateOptionTypes.FromImage,
ManagedDisk = new AzureNative.Compute.Inputs.ManagedDiskParametersArgs
{
StorageAccountType = AzureNative.Compute.StorageAccountTypes.Standard_LRS,
},
Name = "myVMosdisk",
},
},
VmName = "myVM",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.compute.VirtualMachine;
import com.pulumi.azurenative.compute.VirtualMachineArgs;
import com.pulumi.azurenative.compute.inputs.HardwareProfileArgs;
import com.pulumi.azurenative.compute.inputs.NetworkProfileArgs;
import com.pulumi.azurenative.compute.inputs.OSProfileArgs;
import com.pulumi.azurenative.compute.inputs.StorageProfileArgs;
import com.pulumi.azurenative.compute.inputs.ImageReferenceArgs;
import com.pulumi.azurenative.compute.inputs.OSDiskArgs;
import com.pulumi.azurenative.compute.inputs.ManagedDiskParametersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var virtualMachine = new VirtualMachine("virtualMachine", VirtualMachineArgs.builder()
.hardwareProfile(HardwareProfileArgs.builder()
.vmSize("Standard_D1_v2")
.build())
.location("westus")
.networkProfile(NetworkProfileArgs.builder()
.networkInterfaces(NetworkInterfaceReferenceArgs.builder()
.id("/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}")
.primary(true)
.build())
.build())
.osProfile(OSProfileArgs.builder()
.adminPassword("{your-password}")
.adminUsername("{your-username}")
.computerName("myVM")
.build())
.resourceGroupName("myResourceGroup")
.storageProfile(StorageProfileArgs.builder()
.imageReference(ImageReferenceArgs.builder()
.id("/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/images/{existing-custom-image-name}")
.build())
.osDisk(OSDiskArgs.builder()
.caching("ReadWrite")
.createOption("FromImage")
.managedDisk(ManagedDiskParametersArgs.builder()
.storageAccountType("Standard_LRS")
.build())
.name("myVMosdisk")
.build())
.build())
.vmName("myVM")
.build());
}
}
resources:
virtualMachine:
type: azure-native:compute:VirtualMachine
properties:
hardwareProfile:
vmSize: Standard_D1_v2
location: westus
networkProfile:
networkInterfaces:
- id: /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}
primary: true
osProfile:
adminPassword: '{your-password}'
adminUsername: '{your-username}'
computerName: myVM
resourceGroupName: myResourceGroup
storageProfile:
imageReference:
id: /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/images/{existing-custom-image-name}
osDisk:
caching: ReadWrite
createOption: FromImage
managedDisk:
storageAccountType: Standard_LRS
name: myVMosdisk
vmName: myVM
The imageReference points to your custom image by resource ID. The storageProfile defines the OS disk created from that image. The managedDisk specifies the storage account type for the new disk.
Enable Trusted Launch with UEFI settings
Trusted Launch VMs provide foundational security through UEFI firmware, Secure Boot, and virtual TPM, protecting against boot kits and rootkits.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const virtualMachine = new azure_native.compute.VirtualMachine("virtualMachine", {
hardwareProfile: {
vmSize: azure_native.compute.VirtualMachineSizeTypes.Standard_D2s_v3,
},
location: "westus",
networkProfile: {
networkInterfaces: [{
id: "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}",
primary: true,
}],
},
osProfile: {
adminPassword: "{your-password}",
adminUsername: "{your-username}",
computerName: "myVM",
},
resourceGroupName: "myResourceGroup",
securityProfile: {
securityType: azure_native.compute.SecurityTypes.TrustedLaunch,
uefiSettings: {
secureBootEnabled: true,
vTpmEnabled: true,
},
},
storageProfile: {
imageReference: {
offer: "windowsserver-gen2preview-preview",
publisher: "MicrosoftWindowsServer",
sku: "windows10-tvm",
version: "18363.592.2001092016",
},
osDisk: {
caching: azure_native.compute.CachingTypes.ReadOnly,
createOption: azure_native.compute.DiskCreateOptionTypes.FromImage,
managedDisk: {
storageAccountType: azure_native.compute.StorageAccountTypes.StandardSSD_LRS,
},
name: "myVMosdisk",
},
},
vmName: "myVM",
});
import pulumi
import pulumi_azure_native as azure_native
virtual_machine = azure_native.compute.VirtualMachine("virtualMachine",
hardware_profile={
"vm_size": azure_native.compute.VirtualMachineSizeTypes.STANDARD_D2S_V3,
},
location="westus",
network_profile={
"network_interfaces": [{
"id": "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}",
"primary": True,
}],
},
os_profile={
"admin_password": "{your-password}",
"admin_username": "{your-username}",
"computer_name": "myVM",
},
resource_group_name="myResourceGroup",
security_profile={
"security_type": azure_native.compute.SecurityTypes.TRUSTED_LAUNCH,
"uefi_settings": {
"secure_boot_enabled": True,
"v_tpm_enabled": True,
},
},
storage_profile={
"image_reference": {
"offer": "windowsserver-gen2preview-preview",
"publisher": "MicrosoftWindowsServer",
"sku": "windows10-tvm",
"version": "18363.592.2001092016",
},
"os_disk": {
"caching": azure_native.compute.CachingTypes.READ_ONLY,
"create_option": azure_native.compute.DiskCreateOptionTypes.FROM_IMAGE,
"managed_disk": {
"storage_account_type": azure_native.compute.StorageAccountTypes.STANDARD_SS_D_LRS,
},
"name": "myVMosdisk",
},
},
vm_name="myVM")
package main
import (
compute "github.com/pulumi/pulumi-azure-native-sdk/compute/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewVirtualMachine(ctx, "virtualMachine", &compute.VirtualMachineArgs{
HardwareProfile: &compute.HardwareProfileArgs{
VmSize: pulumi.String(compute.VirtualMachineSizeTypes_Standard_D2s_v3),
},
Location: pulumi.String("westus"),
NetworkProfile: &compute.NetworkProfileArgs{
NetworkInterfaces: compute.NetworkInterfaceReferenceArray{
&compute.NetworkInterfaceReferenceArgs{
Id: pulumi.String("/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}"),
Primary: pulumi.Bool(true),
},
},
},
OsProfile: &compute.OSProfileArgs{
AdminPassword: pulumi.String("{your-password}"),
AdminUsername: pulumi.String("{your-username}"),
ComputerName: pulumi.String("myVM"),
},
ResourceGroupName: pulumi.String("myResourceGroup"),
SecurityProfile: &compute.SecurityProfileArgs{
SecurityType: pulumi.String(compute.SecurityTypesTrustedLaunch),
UefiSettings: &compute.UefiSettingsArgs{
SecureBootEnabled: pulumi.Bool(true),
VTpmEnabled: pulumi.Bool(true),
},
},
StorageProfile: &compute.StorageProfileArgs{
ImageReference: &compute.ImageReferenceArgs{
Offer: pulumi.String("windowsserver-gen2preview-preview"),
Publisher: pulumi.String("MicrosoftWindowsServer"),
Sku: pulumi.String("windows10-tvm"),
Version: pulumi.String("18363.592.2001092016"),
},
OsDisk: &compute.OSDiskArgs{
Caching: compute.CachingTypesReadOnly,
CreateOption: pulumi.String(compute.DiskCreateOptionTypesFromImage),
ManagedDisk: &compute.ManagedDiskParametersArgs{
StorageAccountType: pulumi.String(compute.StorageAccountTypes_StandardSSD_LRS),
},
Name: pulumi.String("myVMosdisk"),
},
},
VmName: pulumi.String("myVM"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var virtualMachine = new AzureNative.Compute.VirtualMachine("virtualMachine", new()
{
HardwareProfile = new AzureNative.Compute.Inputs.HardwareProfileArgs
{
VmSize = AzureNative.Compute.VirtualMachineSizeTypes.Standard_D2s_v3,
},
Location = "westus",
NetworkProfile = new AzureNative.Compute.Inputs.NetworkProfileArgs
{
NetworkInterfaces = new[]
{
new AzureNative.Compute.Inputs.NetworkInterfaceReferenceArgs
{
Id = "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}",
Primary = true,
},
},
},
OsProfile = new AzureNative.Compute.Inputs.OSProfileArgs
{
AdminPassword = "{your-password}",
AdminUsername = "{your-username}",
ComputerName = "myVM",
},
ResourceGroupName = "myResourceGroup",
SecurityProfile = new AzureNative.Compute.Inputs.SecurityProfileArgs
{
SecurityType = AzureNative.Compute.SecurityTypes.TrustedLaunch,
UefiSettings = new AzureNative.Compute.Inputs.UefiSettingsArgs
{
SecureBootEnabled = true,
VTpmEnabled = true,
},
},
StorageProfile = new AzureNative.Compute.Inputs.StorageProfileArgs
{
ImageReference = new AzureNative.Compute.Inputs.ImageReferenceArgs
{
Offer = "windowsserver-gen2preview-preview",
Publisher = "MicrosoftWindowsServer",
Sku = "windows10-tvm",
Version = "18363.592.2001092016",
},
OsDisk = new AzureNative.Compute.Inputs.OSDiskArgs
{
Caching = AzureNative.Compute.CachingTypes.ReadOnly,
CreateOption = AzureNative.Compute.DiskCreateOptionTypes.FromImage,
ManagedDisk = new AzureNative.Compute.Inputs.ManagedDiskParametersArgs
{
StorageAccountType = AzureNative.Compute.StorageAccountTypes.StandardSSD_LRS,
},
Name = "myVMosdisk",
},
},
VmName = "myVM",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.compute.VirtualMachine;
import com.pulumi.azurenative.compute.VirtualMachineArgs;
import com.pulumi.azurenative.compute.inputs.HardwareProfileArgs;
import com.pulumi.azurenative.compute.inputs.NetworkProfileArgs;
import com.pulumi.azurenative.compute.inputs.OSProfileArgs;
import com.pulumi.azurenative.compute.inputs.SecurityProfileArgs;
import com.pulumi.azurenative.compute.inputs.UefiSettingsArgs;
import com.pulumi.azurenative.compute.inputs.StorageProfileArgs;
import com.pulumi.azurenative.compute.inputs.ImageReferenceArgs;
import com.pulumi.azurenative.compute.inputs.OSDiskArgs;
import com.pulumi.azurenative.compute.inputs.ManagedDiskParametersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var virtualMachine = new VirtualMachine("virtualMachine", VirtualMachineArgs.builder()
.hardwareProfile(HardwareProfileArgs.builder()
.vmSize("Standard_D2s_v3")
.build())
.location("westus")
.networkProfile(NetworkProfileArgs.builder()
.networkInterfaces(NetworkInterfaceReferenceArgs.builder()
.id("/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}")
.primary(true)
.build())
.build())
.osProfile(OSProfileArgs.builder()
.adminPassword("{your-password}")
.adminUsername("{your-username}")
.computerName("myVM")
.build())
.resourceGroupName("myResourceGroup")
.securityProfile(SecurityProfileArgs.builder()
.securityType("TrustedLaunch")
.uefiSettings(UefiSettingsArgs.builder()
.secureBootEnabled(true)
.vTpmEnabled(true)
.build())
.build())
.storageProfile(StorageProfileArgs.builder()
.imageReference(ImageReferenceArgs.builder()
.offer("windowsserver-gen2preview-preview")
.publisher("MicrosoftWindowsServer")
.sku("windows10-tvm")
.version("18363.592.2001092016")
.build())
.osDisk(OSDiskArgs.builder()
.caching("ReadOnly")
.createOption("FromImage")
.managedDisk(ManagedDiskParametersArgs.builder()
.storageAccountType("StandardSSD_LRS")
.build())
.name("myVMosdisk")
.build())
.build())
.vmName("myVM")
.build());
}
}
resources:
virtualMachine:
type: azure-native:compute:VirtualMachine
properties:
hardwareProfile:
vmSize: Standard_D2s_v3
location: westus
networkProfile:
networkInterfaces:
- id: /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}
primary: true
osProfile:
adminPassword: '{your-password}'
adminUsername: '{your-username}'
computerName: myVM
resourceGroupName: myResourceGroup
securityProfile:
securityType: TrustedLaunch
uefiSettings:
secureBootEnabled: true
vTpmEnabled: true
storageProfile:
imageReference:
offer: windowsserver-gen2preview-preview
publisher: MicrosoftWindowsServer
sku: windows10-tvm
version: 18363.592.2001092016
osDisk:
caching: ReadOnly
createOption: FromImage
managedDisk:
storageAccountType: StandardSSD_LRS
name: myVMosdisk
vmName: myVM
The securityProfile sets securityType to TrustedLaunch. The uefiSettings enable secureBootEnabled and vTpmEnabled, which activate hardware-based security features. The image must support Gen2 VMs for these features to work.
Configure Confidential VM with customer-managed encryption
Confidential VMs encrypt data in use through hardware-based trusted execution environments, with customer-managed keys providing additional control over encryption.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const virtualMachine = new azure_native.compute.VirtualMachine("virtualMachine", {
hardwareProfile: {
vmSize: "Standard_DC2as_v5",
},
location: "westus",
networkProfile: {
networkInterfaces: [{
id: "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}",
primary: true,
}],
},
osProfile: {
adminPassword: "{your-password}",
adminUsername: "{your-username}",
computerName: "myVM",
},
resourceGroupName: "myResourceGroup",
securityProfile: {
securityType: azure_native.compute.SecurityTypes.ConfidentialVM,
uefiSettings: {
secureBootEnabled: true,
vTpmEnabled: true,
},
},
storageProfile: {
imageReference: {
offer: "2019-datacenter-cvm",
publisher: "MicrosoftWindowsServer",
sku: "windows-cvm",
version: "17763.2183.2109130127",
},
osDisk: {
caching: azure_native.compute.CachingTypes.ReadOnly,
createOption: azure_native.compute.DiskCreateOptionTypes.FromImage,
managedDisk: {
securityProfile: {
diskEncryptionSet: {
id: "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSets/{existing-diskEncryptionSet-name}",
},
securityEncryptionType: azure_native.compute.SecurityEncryptionTypes.DiskWithVMGuestState,
},
storageAccountType: azure_native.compute.StorageAccountTypes.StandardSSD_LRS,
},
name: "myVMosdisk",
},
},
vmName: "myVM",
});
import pulumi
import pulumi_azure_native as azure_native
virtual_machine = azure_native.compute.VirtualMachine("virtualMachine",
hardware_profile={
"vm_size": "Standard_DC2as_v5",
},
location="westus",
network_profile={
"network_interfaces": [{
"id": "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}",
"primary": True,
}],
},
os_profile={
"admin_password": "{your-password}",
"admin_username": "{your-username}",
"computer_name": "myVM",
},
resource_group_name="myResourceGroup",
security_profile={
"security_type": azure_native.compute.SecurityTypes.CONFIDENTIAL_VM,
"uefi_settings": {
"secure_boot_enabled": True,
"v_tpm_enabled": True,
},
},
storage_profile={
"image_reference": {
"offer": "2019-datacenter-cvm",
"publisher": "MicrosoftWindowsServer",
"sku": "windows-cvm",
"version": "17763.2183.2109130127",
},
"os_disk": {
"caching": azure_native.compute.CachingTypes.READ_ONLY,
"create_option": azure_native.compute.DiskCreateOptionTypes.FROM_IMAGE,
"managed_disk": {
"security_profile": {
"disk_encryption_set": {
"id": "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSets/{existing-diskEncryptionSet-name}",
},
"security_encryption_type": azure_native.compute.SecurityEncryptionTypes.DISK_WITH_VM_GUEST_STATE,
},
"storage_account_type": azure_native.compute.StorageAccountTypes.STANDARD_SS_D_LRS,
},
"name": "myVMosdisk",
},
},
vm_name="myVM")
package main
import (
compute "github.com/pulumi/pulumi-azure-native-sdk/compute/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewVirtualMachine(ctx, "virtualMachine", &compute.VirtualMachineArgs{
HardwareProfile: &compute.HardwareProfileArgs{
VmSize: pulumi.String("Standard_DC2as_v5"),
},
Location: pulumi.String("westus"),
NetworkProfile: &compute.NetworkProfileArgs{
NetworkInterfaces: compute.NetworkInterfaceReferenceArray{
&compute.NetworkInterfaceReferenceArgs{
Id: pulumi.String("/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}"),
Primary: pulumi.Bool(true),
},
},
},
OsProfile: &compute.OSProfileArgs{
AdminPassword: pulumi.String("{your-password}"),
AdminUsername: pulumi.String("{your-username}"),
ComputerName: pulumi.String("myVM"),
},
ResourceGroupName: pulumi.String("myResourceGroup"),
SecurityProfile: &compute.SecurityProfileArgs{
SecurityType: pulumi.String(compute.SecurityTypesConfidentialVM),
UefiSettings: &compute.UefiSettingsArgs{
SecureBootEnabled: pulumi.Bool(true),
VTpmEnabled: pulumi.Bool(true),
},
},
StorageProfile: &compute.StorageProfileArgs{
ImageReference: &compute.ImageReferenceArgs{
Offer: pulumi.String("2019-datacenter-cvm"),
Publisher: pulumi.String("MicrosoftWindowsServer"),
Sku: pulumi.String("windows-cvm"),
Version: pulumi.String("17763.2183.2109130127"),
},
OsDisk: &compute.OSDiskArgs{
Caching: compute.CachingTypesReadOnly,
CreateOption: pulumi.String(compute.DiskCreateOptionTypesFromImage),
ManagedDisk: &compute.ManagedDiskParametersArgs{
SecurityProfile: &compute.VMDiskSecurityProfileArgs{
DiskEncryptionSet: &compute.DiskEncryptionSetParametersArgs{
Id: pulumi.String("/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSets/{existing-diskEncryptionSet-name}"),
},
SecurityEncryptionType: pulumi.String(compute.SecurityEncryptionTypesDiskWithVMGuestState),
},
StorageAccountType: pulumi.String(compute.StorageAccountTypes_StandardSSD_LRS),
},
Name: pulumi.String("myVMosdisk"),
},
},
VmName: pulumi.String("myVM"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var virtualMachine = new AzureNative.Compute.VirtualMachine("virtualMachine", new()
{
HardwareProfile = new AzureNative.Compute.Inputs.HardwareProfileArgs
{
VmSize = "Standard_DC2as_v5",
},
Location = "westus",
NetworkProfile = new AzureNative.Compute.Inputs.NetworkProfileArgs
{
NetworkInterfaces = new[]
{
new AzureNative.Compute.Inputs.NetworkInterfaceReferenceArgs
{
Id = "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}",
Primary = true,
},
},
},
OsProfile = new AzureNative.Compute.Inputs.OSProfileArgs
{
AdminPassword = "{your-password}",
AdminUsername = "{your-username}",
ComputerName = "myVM",
},
ResourceGroupName = "myResourceGroup",
SecurityProfile = new AzureNative.Compute.Inputs.SecurityProfileArgs
{
SecurityType = AzureNative.Compute.SecurityTypes.ConfidentialVM,
UefiSettings = new AzureNative.Compute.Inputs.UefiSettingsArgs
{
SecureBootEnabled = true,
VTpmEnabled = true,
},
},
StorageProfile = new AzureNative.Compute.Inputs.StorageProfileArgs
{
ImageReference = new AzureNative.Compute.Inputs.ImageReferenceArgs
{
Offer = "2019-datacenter-cvm",
Publisher = "MicrosoftWindowsServer",
Sku = "windows-cvm",
Version = "17763.2183.2109130127",
},
OsDisk = new AzureNative.Compute.Inputs.OSDiskArgs
{
Caching = AzureNative.Compute.CachingTypes.ReadOnly,
CreateOption = AzureNative.Compute.DiskCreateOptionTypes.FromImage,
ManagedDisk = new AzureNative.Compute.Inputs.ManagedDiskParametersArgs
{
SecurityProfile = new AzureNative.Compute.Inputs.VMDiskSecurityProfileArgs
{
DiskEncryptionSet = new AzureNative.Compute.Inputs.DiskEncryptionSetParametersArgs
{
Id = "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSets/{existing-diskEncryptionSet-name}",
},
SecurityEncryptionType = AzureNative.Compute.SecurityEncryptionTypes.DiskWithVMGuestState,
},
StorageAccountType = AzureNative.Compute.StorageAccountTypes.StandardSSD_LRS,
},
Name = "myVMosdisk",
},
},
VmName = "myVM",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.compute.VirtualMachine;
import com.pulumi.azurenative.compute.VirtualMachineArgs;
import com.pulumi.azurenative.compute.inputs.HardwareProfileArgs;
import com.pulumi.azurenative.compute.inputs.NetworkProfileArgs;
import com.pulumi.azurenative.compute.inputs.OSProfileArgs;
import com.pulumi.azurenative.compute.inputs.SecurityProfileArgs;
import com.pulumi.azurenative.compute.inputs.UefiSettingsArgs;
import com.pulumi.azurenative.compute.inputs.StorageProfileArgs;
import com.pulumi.azurenative.compute.inputs.ImageReferenceArgs;
import com.pulumi.azurenative.compute.inputs.OSDiskArgs;
import com.pulumi.azurenative.compute.inputs.ManagedDiskParametersArgs;
import com.pulumi.azurenative.compute.inputs.VMDiskSecurityProfileArgs;
import com.pulumi.azurenative.compute.inputs.DiskEncryptionSetParametersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var virtualMachine = new VirtualMachine("virtualMachine", VirtualMachineArgs.builder()
.hardwareProfile(HardwareProfileArgs.builder()
.vmSize("Standard_DC2as_v5")
.build())
.location("westus")
.networkProfile(NetworkProfileArgs.builder()
.networkInterfaces(NetworkInterfaceReferenceArgs.builder()
.id("/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}")
.primary(true)
.build())
.build())
.osProfile(OSProfileArgs.builder()
.adminPassword("{your-password}")
.adminUsername("{your-username}")
.computerName("myVM")
.build())
.resourceGroupName("myResourceGroup")
.securityProfile(SecurityProfileArgs.builder()
.securityType("ConfidentialVM")
.uefiSettings(UefiSettingsArgs.builder()
.secureBootEnabled(true)
.vTpmEnabled(true)
.build())
.build())
.storageProfile(StorageProfileArgs.builder()
.imageReference(ImageReferenceArgs.builder()
.offer("2019-datacenter-cvm")
.publisher("MicrosoftWindowsServer")
.sku("windows-cvm")
.version("17763.2183.2109130127")
.build())
.osDisk(OSDiskArgs.builder()
.caching("ReadOnly")
.createOption("FromImage")
.managedDisk(ManagedDiskParametersArgs.builder()
.securityProfile(VMDiskSecurityProfileArgs.builder()
.diskEncryptionSet(DiskEncryptionSetParametersArgs.builder()
.id("/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSets/{existing-diskEncryptionSet-name}")
.build())
.securityEncryptionType("DiskWithVMGuestState")
.build())
.storageAccountType("StandardSSD_LRS")
.build())
.name("myVMosdisk")
.build())
.build())
.vmName("myVM")
.build());
}
}
resources:
virtualMachine:
type: azure-native:compute:VirtualMachine
properties:
hardwareProfile:
vmSize: Standard_DC2as_v5
location: westus
networkProfile:
networkInterfaces:
- id: /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}
primary: true
osProfile:
adminPassword: '{your-password}'
adminUsername: '{your-username}'
computerName: myVM
resourceGroupName: myResourceGroup
securityProfile:
securityType: ConfidentialVM
uefiSettings:
secureBootEnabled: true
vTpmEnabled: true
storageProfile:
imageReference:
offer: 2019-datacenter-cvm
publisher: MicrosoftWindowsServer
sku: windows-cvm
version: 17763.2183.2109130127
osDisk:
caching: ReadOnly
createOption: FromImage
managedDisk:
securityProfile:
diskEncryptionSet:
id: /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/diskEncryptionSets/{existing-diskEncryptionSet-name}
securityEncryptionType: DiskWithVMGuestState
storageAccountType: StandardSSD_LRS
name: myVMosdisk
vmName: myVM
The securityProfile sets securityType to ConfidentialVM and configures uefiSettings. The managedDisk includes a securityProfile that references a diskEncryptionSet for customer-managed key encryption. The VM size must support Confidential Computing.
Configure automatic patching with platform orchestration
Platform-managed patching automates OS updates while providing control over reboot behavior and maintenance windows, reducing operational overhead.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const virtualMachine = new azure_native.compute.VirtualMachine("virtualMachine", {
hardwareProfile: {
vmSize: azure_native.compute.VirtualMachineSizeTypes.Standard_D2s_v3,
},
location: "westus",
networkProfile: {
networkInterfaces: [{
id: "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}",
primary: true,
}],
},
osProfile: {
adminPassword: "{your-password}",
adminUsername: "{your-username}",
computerName: "myVM",
linuxConfiguration: {
patchSettings: {
assessmentMode: azure_native.compute.LinuxPatchAssessmentMode.AutomaticByPlatform,
automaticByPlatformSettings: {
bypassPlatformSafetyChecksOnUserSchedule: true,
rebootSetting: azure_native.compute.LinuxVMGuestPatchAutomaticByPlatformRebootSetting.Never,
},
patchMode: azure_native.compute.LinuxVMGuestPatchMode.AutomaticByPlatform,
},
provisionVMAgent: true,
},
},
resourceGroupName: "myResourceGroup",
storageProfile: {
imageReference: {
offer: "UbuntuServer",
publisher: "Canonical",
sku: "16.04-LTS",
version: "latest",
},
osDisk: {
caching: azure_native.compute.CachingTypes.ReadWrite,
createOption: azure_native.compute.DiskCreateOptionTypes.FromImage,
managedDisk: {
storageAccountType: azure_native.compute.StorageAccountTypes.Premium_LRS,
},
name: "myVMosdisk",
},
},
vmName: "myVM",
});
import pulumi
import pulumi_azure_native as azure_native
virtual_machine = azure_native.compute.VirtualMachine("virtualMachine",
hardware_profile={
"vm_size": azure_native.compute.VirtualMachineSizeTypes.STANDARD_D2S_V3,
},
location="westus",
network_profile={
"network_interfaces": [{
"id": "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}",
"primary": True,
}],
},
os_profile={
"admin_password": "{your-password}",
"admin_username": "{your-username}",
"computer_name": "myVM",
"linux_configuration": {
"patch_settings": {
"assessment_mode": azure_native.compute.LinuxPatchAssessmentMode.AUTOMATIC_BY_PLATFORM,
"automatic_by_platform_settings": {
"bypass_platform_safety_checks_on_user_schedule": True,
"reboot_setting": azure_native.compute.LinuxVMGuestPatchAutomaticByPlatformRebootSetting.NEVER,
},
"patch_mode": azure_native.compute.LinuxVMGuestPatchMode.AUTOMATIC_BY_PLATFORM,
},
"provision_vm_agent": True,
},
},
resource_group_name="myResourceGroup",
storage_profile={
"image_reference": {
"offer": "UbuntuServer",
"publisher": "Canonical",
"sku": "16.04-LTS",
"version": "latest",
},
"os_disk": {
"caching": azure_native.compute.CachingTypes.READ_WRITE,
"create_option": azure_native.compute.DiskCreateOptionTypes.FROM_IMAGE,
"managed_disk": {
"storage_account_type": azure_native.compute.StorageAccountTypes.PREMIUM_LRS,
},
"name": "myVMosdisk",
},
},
vm_name="myVM")
package main
import (
compute "github.com/pulumi/pulumi-azure-native-sdk/compute/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewVirtualMachine(ctx, "virtualMachine", &compute.VirtualMachineArgs{
HardwareProfile: &compute.HardwareProfileArgs{
VmSize: pulumi.String(compute.VirtualMachineSizeTypes_Standard_D2s_v3),
},
Location: pulumi.String("westus"),
NetworkProfile: &compute.NetworkProfileArgs{
NetworkInterfaces: compute.NetworkInterfaceReferenceArray{
&compute.NetworkInterfaceReferenceArgs{
Id: pulumi.String("/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}"),
Primary: pulumi.Bool(true),
},
},
},
OsProfile: &compute.OSProfileArgs{
AdminPassword: pulumi.String("{your-password}"),
AdminUsername: pulumi.String("{your-username}"),
ComputerName: pulumi.String("myVM"),
LinuxConfiguration: &compute.LinuxConfigurationArgs{
PatchSettings: &compute.LinuxPatchSettingsArgs{
AssessmentMode: pulumi.String(compute.LinuxPatchAssessmentModeAutomaticByPlatform),
AutomaticByPlatformSettings: &compute.LinuxVMGuestPatchAutomaticByPlatformSettingsArgs{
BypassPlatformSafetyChecksOnUserSchedule: pulumi.Bool(true),
RebootSetting: pulumi.String(compute.LinuxVMGuestPatchAutomaticByPlatformRebootSettingNever),
},
PatchMode: pulumi.String(compute.LinuxVMGuestPatchModeAutomaticByPlatform),
},
ProvisionVMAgent: pulumi.Bool(true),
},
},
ResourceGroupName: pulumi.String("myResourceGroup"),
StorageProfile: &compute.StorageProfileArgs{
ImageReference: &compute.ImageReferenceArgs{
Offer: pulumi.String("UbuntuServer"),
Publisher: pulumi.String("Canonical"),
Sku: pulumi.String("16.04-LTS"),
Version: pulumi.String("latest"),
},
OsDisk: &compute.OSDiskArgs{
Caching: compute.CachingTypesReadWrite,
CreateOption: pulumi.String(compute.DiskCreateOptionTypesFromImage),
ManagedDisk: &compute.ManagedDiskParametersArgs{
StorageAccountType: pulumi.String(compute.StorageAccountTypes_Premium_LRS),
},
Name: pulumi.String("myVMosdisk"),
},
},
VmName: pulumi.String("myVM"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var virtualMachine = new AzureNative.Compute.VirtualMachine("virtualMachine", new()
{
HardwareProfile = new AzureNative.Compute.Inputs.HardwareProfileArgs
{
VmSize = AzureNative.Compute.VirtualMachineSizeTypes.Standard_D2s_v3,
},
Location = "westus",
NetworkProfile = new AzureNative.Compute.Inputs.NetworkProfileArgs
{
NetworkInterfaces = new[]
{
new AzureNative.Compute.Inputs.NetworkInterfaceReferenceArgs
{
Id = "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}",
Primary = true,
},
},
},
OsProfile = new AzureNative.Compute.Inputs.OSProfileArgs
{
AdminPassword = "{your-password}",
AdminUsername = "{your-username}",
ComputerName = "myVM",
LinuxConfiguration = new AzureNative.Compute.Inputs.LinuxConfigurationArgs
{
PatchSettings = new AzureNative.Compute.Inputs.LinuxPatchSettingsArgs
{
AssessmentMode = AzureNative.Compute.LinuxPatchAssessmentMode.AutomaticByPlatform,
AutomaticByPlatformSettings = new AzureNative.Compute.Inputs.LinuxVMGuestPatchAutomaticByPlatformSettingsArgs
{
BypassPlatformSafetyChecksOnUserSchedule = true,
RebootSetting = AzureNative.Compute.LinuxVMGuestPatchAutomaticByPlatformRebootSetting.Never,
},
PatchMode = AzureNative.Compute.LinuxVMGuestPatchMode.AutomaticByPlatform,
},
ProvisionVMAgent = true,
},
},
ResourceGroupName = "myResourceGroup",
StorageProfile = new AzureNative.Compute.Inputs.StorageProfileArgs
{
ImageReference = new AzureNative.Compute.Inputs.ImageReferenceArgs
{
Offer = "UbuntuServer",
Publisher = "Canonical",
Sku = "16.04-LTS",
Version = "latest",
},
OsDisk = new AzureNative.Compute.Inputs.OSDiskArgs
{
Caching = AzureNative.Compute.CachingTypes.ReadWrite,
CreateOption = AzureNative.Compute.DiskCreateOptionTypes.FromImage,
ManagedDisk = new AzureNative.Compute.Inputs.ManagedDiskParametersArgs
{
StorageAccountType = AzureNative.Compute.StorageAccountTypes.Premium_LRS,
},
Name = "myVMosdisk",
},
},
VmName = "myVM",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.compute.VirtualMachine;
import com.pulumi.azurenative.compute.VirtualMachineArgs;
import com.pulumi.azurenative.compute.inputs.HardwareProfileArgs;
import com.pulumi.azurenative.compute.inputs.NetworkProfileArgs;
import com.pulumi.azurenative.compute.inputs.OSProfileArgs;
import com.pulumi.azurenative.compute.inputs.LinuxConfigurationArgs;
import com.pulumi.azurenative.compute.inputs.LinuxPatchSettingsArgs;
import com.pulumi.azurenative.compute.inputs.LinuxVMGuestPatchAutomaticByPlatformSettingsArgs;
import com.pulumi.azurenative.compute.inputs.StorageProfileArgs;
import com.pulumi.azurenative.compute.inputs.ImageReferenceArgs;
import com.pulumi.azurenative.compute.inputs.OSDiskArgs;
import com.pulumi.azurenative.compute.inputs.ManagedDiskParametersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var virtualMachine = new VirtualMachine("virtualMachine", VirtualMachineArgs.builder()
.hardwareProfile(HardwareProfileArgs.builder()
.vmSize("Standard_D2s_v3")
.build())
.location("westus")
.networkProfile(NetworkProfileArgs.builder()
.networkInterfaces(NetworkInterfaceReferenceArgs.builder()
.id("/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}")
.primary(true)
.build())
.build())
.osProfile(OSProfileArgs.builder()
.adminPassword("{your-password}")
.adminUsername("{your-username}")
.computerName("myVM")
.linuxConfiguration(LinuxConfigurationArgs.builder()
.patchSettings(LinuxPatchSettingsArgs.builder()
.assessmentMode("AutomaticByPlatform")
.automaticByPlatformSettings(LinuxVMGuestPatchAutomaticByPlatformSettingsArgs.builder()
.bypassPlatformSafetyChecksOnUserSchedule(true)
.rebootSetting("Never")
.build())
.patchMode("AutomaticByPlatform")
.build())
.provisionVMAgent(true)
.build())
.build())
.resourceGroupName("myResourceGroup")
.storageProfile(StorageProfileArgs.builder()
.imageReference(ImageReferenceArgs.builder()
.offer("UbuntuServer")
.publisher("Canonical")
.sku("16.04-LTS")
.version("latest")
.build())
.osDisk(OSDiskArgs.builder()
.caching("ReadWrite")
.createOption("FromImage")
.managedDisk(ManagedDiskParametersArgs.builder()
.storageAccountType("Premium_LRS")
.build())
.name("myVMosdisk")
.build())
.build())
.vmName("myVM")
.build());
}
}
resources:
virtualMachine:
type: azure-native:compute:VirtualMachine
properties:
hardwareProfile:
vmSize: Standard_D2s_v3
location: westus
networkProfile:
networkInterfaces:
- id: /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}
primary: true
osProfile:
adminPassword: '{your-password}'
adminUsername: '{your-username}'
computerName: myVM
linuxConfiguration:
patchSettings:
assessmentMode: AutomaticByPlatform
automaticByPlatformSettings:
bypassPlatformSafetyChecksOnUserSchedule: true
rebootSetting: Never
patchMode: AutomaticByPlatform
provisionVMAgent: true
resourceGroupName: myResourceGroup
storageProfile:
imageReference:
offer: UbuntuServer
publisher: Canonical
sku: 16.04-LTS
version: latest
osDisk:
caching: ReadWrite
createOption: FromImage
managedDisk:
storageAccountType: Premium_LRS
name: myVMosdisk
vmName: myVM
The linuxConfiguration includes patchSettings with patchMode set to AutomaticByPlatform. The automaticByPlatformSettings control reboot behavior through rebootSetting. The bypassPlatformSafetyChecksOnUserSchedule property allows custom maintenance windows.
Deploy VM Gallery Applications at provisioning
VM Gallery Applications package and deploy software alongside VM creation, enabling consistent application delivery across deployments.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const virtualMachine = new azure_native.compute.VirtualMachine("virtualMachine", {
availabilitySet: {
id: "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/availabilitySets/{existing-availability-set-name}",
},
hardwareProfile: {
vmSize: azure_native.compute.VirtualMachineSizeTypes.Standard_D1_v2,
},
location: "westus",
networkProfile: {
networkInterfaces: [{
id: "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}",
primary: true,
}],
},
osProfile: {
adminPassword: "{your-password}",
adminUsername: "{your-username}",
computerName: "myVM",
},
resourceGroupName: "myResourceGroup",
storageProfile: {
imageReference: {
offer: "WindowsServer",
publisher: "MicrosoftWindowsServer",
sku: "2016-Datacenter",
version: "latest",
},
osDisk: {
caching: azure_native.compute.CachingTypes.ReadWrite,
createOption: azure_native.compute.DiskCreateOptionTypes.FromImage,
managedDisk: {
storageAccountType: azure_native.compute.StorageAccountTypes.Standard_LRS,
},
name: "myVMosdisk",
},
},
vmName: "myVM",
});
import pulumi
import pulumi_azure_native as azure_native
virtual_machine = azure_native.compute.VirtualMachine("virtualMachine",
availability_set={
"id": "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/availabilitySets/{existing-availability-set-name}",
},
hardware_profile={
"vm_size": azure_native.compute.VirtualMachineSizeTypes.STANDARD_D1_V2,
},
location="westus",
network_profile={
"network_interfaces": [{
"id": "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}",
"primary": True,
}],
},
os_profile={
"admin_password": "{your-password}",
"admin_username": "{your-username}",
"computer_name": "myVM",
},
resource_group_name="myResourceGroup",
storage_profile={
"image_reference": {
"offer": "WindowsServer",
"publisher": "MicrosoftWindowsServer",
"sku": "2016-Datacenter",
"version": "latest",
},
"os_disk": {
"caching": azure_native.compute.CachingTypes.READ_WRITE,
"create_option": azure_native.compute.DiskCreateOptionTypes.FROM_IMAGE,
"managed_disk": {
"storage_account_type": azure_native.compute.StorageAccountTypes.STANDARD_LRS,
},
"name": "myVMosdisk",
},
},
vm_name="myVM")
package main
import (
compute "github.com/pulumi/pulumi-azure-native-sdk/compute/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewVirtualMachine(ctx, "virtualMachine", &compute.VirtualMachineArgs{
AvailabilitySet: &compute.SubResourceArgs{
Id: pulumi.String("/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/availabilitySets/{existing-availability-set-name}"),
},
HardwareProfile: &compute.HardwareProfileArgs{
VmSize: pulumi.String(compute.VirtualMachineSizeTypes_Standard_D1_v2),
},
Location: pulumi.String("westus"),
NetworkProfile: &compute.NetworkProfileArgs{
NetworkInterfaces: compute.NetworkInterfaceReferenceArray{
&compute.NetworkInterfaceReferenceArgs{
Id: pulumi.String("/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}"),
Primary: pulumi.Bool(true),
},
},
},
OsProfile: &compute.OSProfileArgs{
AdminPassword: pulumi.String("{your-password}"),
AdminUsername: pulumi.String("{your-username}"),
ComputerName: pulumi.String("myVM"),
},
ResourceGroupName: pulumi.String("myResourceGroup"),
StorageProfile: &compute.StorageProfileArgs{
ImageReference: &compute.ImageReferenceArgs{
Offer: pulumi.String("WindowsServer"),
Publisher: pulumi.String("MicrosoftWindowsServer"),
Sku: pulumi.String("2016-Datacenter"),
Version: pulumi.String("latest"),
},
OsDisk: &compute.OSDiskArgs{
Caching: compute.CachingTypesReadWrite,
CreateOption: pulumi.String(compute.DiskCreateOptionTypesFromImage),
ManagedDisk: &compute.ManagedDiskParametersArgs{
StorageAccountType: pulumi.String(compute.StorageAccountTypes_Standard_LRS),
},
Name: pulumi.String("myVMosdisk"),
},
},
VmName: pulumi.String("myVM"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var virtualMachine = new AzureNative.Compute.VirtualMachine("virtualMachine", new()
{
AvailabilitySet = new AzureNative.Compute.Inputs.SubResourceArgs
{
Id = "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/availabilitySets/{existing-availability-set-name}",
},
HardwareProfile = new AzureNative.Compute.Inputs.HardwareProfileArgs
{
VmSize = AzureNative.Compute.VirtualMachineSizeTypes.Standard_D1_v2,
},
Location = "westus",
NetworkProfile = new AzureNative.Compute.Inputs.NetworkProfileArgs
{
NetworkInterfaces = new[]
{
new AzureNative.Compute.Inputs.NetworkInterfaceReferenceArgs
{
Id = "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}",
Primary = true,
},
},
},
OsProfile = new AzureNative.Compute.Inputs.OSProfileArgs
{
AdminPassword = "{your-password}",
AdminUsername = "{your-username}",
ComputerName = "myVM",
},
ResourceGroupName = "myResourceGroup",
StorageProfile = new AzureNative.Compute.Inputs.StorageProfileArgs
{
ImageReference = new AzureNative.Compute.Inputs.ImageReferenceArgs
{
Offer = "WindowsServer",
Publisher = "MicrosoftWindowsServer",
Sku = "2016-Datacenter",
Version = "latest",
},
OsDisk = new AzureNative.Compute.Inputs.OSDiskArgs
{
Caching = AzureNative.Compute.CachingTypes.ReadWrite,
CreateOption = AzureNative.Compute.DiskCreateOptionTypes.FromImage,
ManagedDisk = new AzureNative.Compute.Inputs.ManagedDiskParametersArgs
{
StorageAccountType = AzureNative.Compute.StorageAccountTypes.Standard_LRS,
},
Name = "myVMosdisk",
},
},
VmName = "myVM",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.compute.VirtualMachine;
import com.pulumi.azurenative.compute.VirtualMachineArgs;
import com.pulumi.azurenative.compute.inputs.SubResourceArgs;
import com.pulumi.azurenative.compute.inputs.HardwareProfileArgs;
import com.pulumi.azurenative.compute.inputs.NetworkProfileArgs;
import com.pulumi.azurenative.compute.inputs.OSProfileArgs;
import com.pulumi.azurenative.compute.inputs.StorageProfileArgs;
import com.pulumi.azurenative.compute.inputs.ImageReferenceArgs;
import com.pulumi.azurenative.compute.inputs.OSDiskArgs;
import com.pulumi.azurenative.compute.inputs.ManagedDiskParametersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var virtualMachine = new VirtualMachine("virtualMachine", VirtualMachineArgs.builder()
.availabilitySet(SubResourceArgs.builder()
.id("/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/availabilitySets/{existing-availability-set-name}")
.build())
.hardwareProfile(HardwareProfileArgs.builder()
.vmSize("Standard_D1_v2")
.build())
.location("westus")
.networkProfile(NetworkProfileArgs.builder()
.networkInterfaces(NetworkInterfaceReferenceArgs.builder()
.id("/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}")
.primary(true)
.build())
.build())
.osProfile(OSProfileArgs.builder()
.adminPassword("{your-password}")
.adminUsername("{your-username}")
.computerName("myVM")
.build())
.resourceGroupName("myResourceGroup")
.storageProfile(StorageProfileArgs.builder()
.imageReference(ImageReferenceArgs.builder()
.offer("WindowsServer")
.publisher("MicrosoftWindowsServer")
.sku("2016-Datacenter")
.version("latest")
.build())
.osDisk(OSDiskArgs.builder()
.caching("ReadWrite")
.createOption("FromImage")
.managedDisk(ManagedDiskParametersArgs.builder()
.storageAccountType("Standard_LRS")
.build())
.name("myVMosdisk")
.build())
.build())
.vmName("myVM")
.build());
}
}
resources:
virtualMachine:
type: azure-native:compute:VirtualMachine
properties:
availabilitySet:
id: /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/availabilitySets/{existing-availability-set-name}
hardwareProfile:
vmSize: Standard_D1_v2
location: westus
networkProfile:
networkInterfaces:
- id: /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}
primary: true
osProfile:
adminPassword: '{your-password}'
adminUsername: '{your-username}'
computerName: myVM
resourceGroupName: myResourceGroup
storageProfile:
imageReference:
offer: WindowsServer
publisher: MicrosoftWindowsServer
sku: 2016-Datacenter
version: latest
osDisk:
caching: ReadWrite
createOption: FromImage
managedDisk:
storageAccountType: Standard_LRS
name: myVMosdisk
vmName: myVM
The applicationProfile lists galleryApplications with packageReferenceId pointing to gallery application versions. The configurationReference provides application-specific settings. The order property controls installation sequence.
Configure scheduled events and maintenance notifications
Scheduled Events notify applications of upcoming maintenance, allowing graceful shutdown or state preservation during platform events.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const virtualMachine = new azure_native.compute.VirtualMachine("virtualMachine", {
hardwareProfile: {
vmSize: azure_native.compute.VirtualMachineSizeTypes.Standard_DS1_v2,
},
location: "westus",
networkProfile: {
networkInterfaces: [{
id: "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}",
primary: true,
}],
},
osProfile: {
adminPassword: "{your-password}",
adminUsername: "{your-username}",
computerName: "myVM",
},
plan: {
name: "windows2016",
product: "windows-data-science-vm",
publisher: "microsoft-ads",
},
resourceGroupName: "myResourceGroup",
securityProfile: {
encryptionAtHost: true,
},
storageProfile: {
imageReference: {
offer: "windows-data-science-vm",
publisher: "microsoft-ads",
sku: "windows2016",
version: "latest",
},
osDisk: {
caching: azure_native.compute.CachingTypes.ReadOnly,
createOption: azure_native.compute.DiskCreateOptionTypes.FromImage,
managedDisk: {
storageAccountType: azure_native.compute.StorageAccountTypes.Standard_LRS,
},
name: "myVMosdisk",
},
},
vmName: "myVM",
});
import pulumi
import pulumi_azure_native as azure_native
virtual_machine = azure_native.compute.VirtualMachine("virtualMachine",
hardware_profile={
"vm_size": azure_native.compute.VirtualMachineSizeTypes.STANDARD_DS1_V2,
},
location="westus",
network_profile={
"network_interfaces": [{
"id": "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}",
"primary": True,
}],
},
os_profile={
"admin_password": "{your-password}",
"admin_username": "{your-username}",
"computer_name": "myVM",
},
plan={
"name": "windows2016",
"product": "windows-data-science-vm",
"publisher": "microsoft-ads",
},
resource_group_name="myResourceGroup",
security_profile={
"encryption_at_host": True,
},
storage_profile={
"image_reference": {
"offer": "windows-data-science-vm",
"publisher": "microsoft-ads",
"sku": "windows2016",
"version": "latest",
},
"os_disk": {
"caching": azure_native.compute.CachingTypes.READ_ONLY,
"create_option": azure_native.compute.DiskCreateOptionTypes.FROM_IMAGE,
"managed_disk": {
"storage_account_type": azure_native.compute.StorageAccountTypes.STANDARD_LRS,
},
"name": "myVMosdisk",
},
},
vm_name="myVM")
package main
import (
compute "github.com/pulumi/pulumi-azure-native-sdk/compute/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewVirtualMachine(ctx, "virtualMachine", &compute.VirtualMachineArgs{
HardwareProfile: &compute.HardwareProfileArgs{
VmSize: pulumi.String(compute.VirtualMachineSizeTypes_Standard_DS1_v2),
},
Location: pulumi.String("westus"),
NetworkProfile: &compute.NetworkProfileArgs{
NetworkInterfaces: compute.NetworkInterfaceReferenceArray{
&compute.NetworkInterfaceReferenceArgs{
Id: pulumi.String("/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}"),
Primary: pulumi.Bool(true),
},
},
},
OsProfile: &compute.OSProfileArgs{
AdminPassword: pulumi.String("{your-password}"),
AdminUsername: pulumi.String("{your-username}"),
ComputerName: pulumi.String("myVM"),
},
Plan: &compute.PlanArgs{
Name: pulumi.String("windows2016"),
Product: pulumi.String("windows-data-science-vm"),
Publisher: pulumi.String("microsoft-ads"),
},
ResourceGroupName: pulumi.String("myResourceGroup"),
SecurityProfile: &compute.SecurityProfileArgs{
EncryptionAtHost: pulumi.Bool(true),
},
StorageProfile: &compute.StorageProfileArgs{
ImageReference: &compute.ImageReferenceArgs{
Offer: pulumi.String("windows-data-science-vm"),
Publisher: pulumi.String("microsoft-ads"),
Sku: pulumi.String("windows2016"),
Version: pulumi.String("latest"),
},
OsDisk: &compute.OSDiskArgs{
Caching: compute.CachingTypesReadOnly,
CreateOption: pulumi.String(compute.DiskCreateOptionTypesFromImage),
ManagedDisk: &compute.ManagedDiskParametersArgs{
StorageAccountType: pulumi.String(compute.StorageAccountTypes_Standard_LRS),
},
Name: pulumi.String("myVMosdisk"),
},
},
VmName: pulumi.String("myVM"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var virtualMachine = new AzureNative.Compute.VirtualMachine("virtualMachine", new()
{
HardwareProfile = new AzureNative.Compute.Inputs.HardwareProfileArgs
{
VmSize = AzureNative.Compute.VirtualMachineSizeTypes.Standard_DS1_v2,
},
Location = "westus",
NetworkProfile = new AzureNative.Compute.Inputs.NetworkProfileArgs
{
NetworkInterfaces = new[]
{
new AzureNative.Compute.Inputs.NetworkInterfaceReferenceArgs
{
Id = "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}",
Primary = true,
},
},
},
OsProfile = new AzureNative.Compute.Inputs.OSProfileArgs
{
AdminPassword = "{your-password}",
AdminUsername = "{your-username}",
ComputerName = "myVM",
},
Plan = new AzureNative.Compute.Inputs.PlanArgs
{
Name = "windows2016",
Product = "windows-data-science-vm",
Publisher = "microsoft-ads",
},
ResourceGroupName = "myResourceGroup",
SecurityProfile = new AzureNative.Compute.Inputs.SecurityProfileArgs
{
EncryptionAtHost = true,
},
StorageProfile = new AzureNative.Compute.Inputs.StorageProfileArgs
{
ImageReference = new AzureNative.Compute.Inputs.ImageReferenceArgs
{
Offer = "windows-data-science-vm",
Publisher = "microsoft-ads",
Sku = "windows2016",
Version = "latest",
},
OsDisk = new AzureNative.Compute.Inputs.OSDiskArgs
{
Caching = AzureNative.Compute.CachingTypes.ReadOnly,
CreateOption = AzureNative.Compute.DiskCreateOptionTypes.FromImage,
ManagedDisk = new AzureNative.Compute.Inputs.ManagedDiskParametersArgs
{
StorageAccountType = AzureNative.Compute.StorageAccountTypes.Standard_LRS,
},
Name = "myVMosdisk",
},
},
VmName = "myVM",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.compute.VirtualMachine;
import com.pulumi.azurenative.compute.VirtualMachineArgs;
import com.pulumi.azurenative.compute.inputs.HardwareProfileArgs;
import com.pulumi.azurenative.compute.inputs.NetworkProfileArgs;
import com.pulumi.azurenative.compute.inputs.OSProfileArgs;
import com.pulumi.azurenative.compute.inputs.PlanArgs;
import com.pulumi.azurenative.compute.inputs.SecurityProfileArgs;
import com.pulumi.azurenative.compute.inputs.StorageProfileArgs;
import com.pulumi.azurenative.compute.inputs.ImageReferenceArgs;
import com.pulumi.azurenative.compute.inputs.OSDiskArgs;
import com.pulumi.azurenative.compute.inputs.ManagedDiskParametersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var virtualMachine = new VirtualMachine("virtualMachine", VirtualMachineArgs.builder()
.hardwareProfile(HardwareProfileArgs.builder()
.vmSize("Standard_DS1_v2")
.build())
.location("westus")
.networkProfile(NetworkProfileArgs.builder()
.networkInterfaces(NetworkInterfaceReferenceArgs.builder()
.id("/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}")
.primary(true)
.build())
.build())
.osProfile(OSProfileArgs.builder()
.adminPassword("{your-password}")
.adminUsername("{your-username}")
.computerName("myVM")
.build())
.plan(PlanArgs.builder()
.name("windows2016")
.product("windows-data-science-vm")
.publisher("microsoft-ads")
.build())
.resourceGroupName("myResourceGroup")
.securityProfile(SecurityProfileArgs.builder()
.encryptionAtHost(true)
.build())
.storageProfile(StorageProfileArgs.builder()
.imageReference(ImageReferenceArgs.builder()
.offer("windows-data-science-vm")
.publisher("microsoft-ads")
.sku("windows2016")
.version("latest")
.build())
.osDisk(OSDiskArgs.builder()
.caching("ReadOnly")
.createOption("FromImage")
.managedDisk(ManagedDiskParametersArgs.builder()
.storageAccountType("Standard_LRS")
.build())
.name("myVMosdisk")
.build())
.build())
.vmName("myVM")
.build());
}
}
resources:
virtualMachine:
type: azure-native:compute:VirtualMachine
properties:
hardwareProfile:
vmSize: Standard_DS1_v2
location: westus
networkProfile:
networkInterfaces:
- id: /subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/{existing-nic-name}
primary: true
osProfile:
adminPassword: '{your-password}'
adminUsername: '{your-username}'
computerName: myVM
plan:
name: windows2016
product: windows-data-science-vm
publisher: microsoft-ads
resourceGroupName: myResourceGroup
securityProfile:
encryptionAtHost: true
storageProfile:
imageReference:
offer: windows-data-science-vm
publisher: microsoft-ads
sku: windows2016
version: latest
osDisk:
caching: ReadOnly
createOption: FromImage
managedDisk:
storageAccountType: Standard_LRS
name: myVMosdisk
vmName: myVM
The scheduledEventsProfile includes terminateNotificationProfile and osImageNotificationProfile. The notBeforeTimeout specifies how much advance notice the VM receives before events. The scheduledEventsPolicy controls automatic approval of user-initiated operations.
Beyond these examples
These snippets focus on specific VM-level features: image sources and custom images, security configurations (Trusted Launch, Confidential VMs, encryption), patch management and scheduled events, and application deployment via Gallery Applications. They’re intentionally minimal rather than full VM deployments.
The examples may reference pre-existing infrastructure such as network interfaces and virtual networks, custom images or disk encryption sets, storage accounts for boot diagnostics, and availability sets or Virtual Machine Scale Sets for placement. They focus on configuring the VM rather than provisioning everything around it.
To keep things focused, common VM patterns are omitted, including:
- Data disk configuration and attachment
- Availability zones and fault domain placement
- Boot diagnostics and performance monitoring
- SSH keys and password authentication methods
- Marketplace image plans and licensing
- Network interface inline creation (networkInterfaceConfigurations)
These omissions are intentional: the goal is to illustrate how each VM feature is wired, not provide drop-in VM modules. See the Virtual Machine resource reference for all available configuration options.
Let's deploy Azure Virtual Machines
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Patch Management & Updates
What are the patch management options for Linux VMs?
Linux VMs support two patch modes:
- ImageDefault: Uses the default patching configuration from the VM image
- AutomaticByPlatform: Azure manages patch assessment and installation automatically
Set both assessmentMode and patchMode in linuxConfiguration.patchSettings to control patching behavior.
What are the patch management options for Windows VMs?
Windows VMs support three patch modes:
- AutomaticByOS: Windows Update manages patches automatically
- AutomaticByPlatform: Azure manages patch assessment and installation
- Manual: You control all patching operations
Configure patchMode in windowsConfiguration.patchSettings. For AutomaticByPlatform, you can also enable hot patching with enableHotpatching.
How do I control reboot behavior during automatic patching?
When using AutomaticByPlatform patch mode, configure automaticByPlatformSettings with:
rebootSetting: Set toNever,IfRequired, orAlwaysbypassPlatformSafetyChecksOnUserSchedule: Set totrueto bypass safety checks on user-scheduled maintenance
Security & Encryption
How do I enable Trusted Launch for a VM?
Set securityProfile.securityType to TrustedLaunch and configure UEFI settings:
uefiSettings.secureBootEnabled: Enable Secure BootuefiSettings.vTpmEnabled: Enable virtual TPM
Both settings are typically enabled together for full Trusted Launch protection.
What are the encryption options for Confidential VMs?
Confidential VMs support three encryption types via osDisk.managedDisk.securityProfile.securityEncryptionType:
- DiskWithVMGuestState: Encrypts disk and VM state (requires customer-managed or platform-managed keys)
- NonPersistedTPM: Encrypts with non-persisted TPM (no disk encryption set required)
Set securityProfile.securityType to ConfidentialVM and enable uefiSettings.vTpmEnabled.
How do I enable host-based encryption?
Set
securityProfile.encryptionAtHost to true. This encrypts data at rest on the VM host, providing an additional layer of encryption beyond disk encryption.How do I use customer-managed keys for disk encryption?
Configure diskEncryptionSet in managedDisk for both OS and data disks:
managedDisk:
diskEncryptionSet:
id: "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Compute/diskEncryptionSets/{name}"
The disk encryption set must reference your Azure Key Vault key.
Image Sources & Deployment
What image sources can I use to create a VM?
You can create VMs from several image sources:
- Marketplace images: Specify
publisher,offer,sku, andversioninimageReference - Custom images: Set
imageReference.idto your custom image resource ID - Shared gallery images: Set
imageReference.idto a gallery image path (generalized or specialized) - Community gallery images: Use
communityGalleryImageIdfor public gallery images
What's the difference between generalized and specialized images?
- Generalized images: Require
osProfileconfiguration (admin credentials, computer name) during VM creation - Specialized images: Already contain OS configuration; omit
osProfilewhen creating the VM
Both types use the same imageReference.id format; the image’s state determines the behavior.
High Availability & Placement
How do I configure high availability for VMs?
You have three options:
- Availability sets: Set
availabilitySet.idto distribute VMs across fault and update domains - Virtual Machine Scale Sets: Set
virtualMachineScaleSet.idto join a scale set - Availability zones: Use
placement.includeZoneswithzonePlacementPolicyfor zone placement
Availability sets and scale sets are mutually exclusive.
How do I control fault domain placement in a scale set?
Set
platformFaultDomain to a specific fault domain number (e.g., 1, 2, 3) when the VM is part of a scale set. The scale set must have platformFaultDomainCount greater than 1.Advanced Features
How do I enable hibernation for a VM?
Set
additionalCapabilities.hibernationEnabled to true. Hibernation allows you to pause a VM and save its memory state to disk, then resume it later.How do I configure scheduled events notifications?
Use scheduledEventsProfile to configure notifications:
terminateNotificationProfile: Notifications before VM termination (setenableandnotBeforeTimeout)osImageNotificationProfile: Notifications before OS image updates
You can also configure scheduledEventsPolicy to automatically approve user-initiated reboots and redeploys.
How do I deploy gallery applications to a VM?
Configure applicationProfile.galleryApplications with an array of applications:
packageReferenceId: Gallery application version resource IDconfigurationReference: Optional URL to configuration fileorder: Installation order (lower numbers install first)enableAutomaticUpgrade: Whether to auto-upgrade the application