constellation/docs/versioned_docs/version-2.0/workflows/trusted-launch.md


2022-09-09 11:01:57 -04:00
# Azure trusted launch VMs

Constellation supports Azure trusted launch VMs. These are VMs with instance type `Standard_D*_v4` and `Standard_E*_v4`.

:::caution

Trusted launch VMs don't provide [runtime encryption](../overview/confidential-kubernetes.md).
For highest security, use Confidential VMs.

:::

Run `constellation config instance-types` to show all supported instance types.

## VM images

Azure currently doesn't support [community galleries for trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/share-gallery-community), so you need to import the VM image into your cloud subscription.

The latest image is available at [https://public-edgeless-constellation.s3.us-east-2.amazonaws.com/azure_image_exports/2.0.0](https://public-edgeless-constellation.s3.us-east-2.amazonaws.com/azure_image_exports/2.0.0). To download an image for a different version, adjust the last three numbers (the version) at the end of the URL.

After you've downloaded the image, create a resource group `constellation-images` in your Azure subscription and import the image.
You can use a script to do this:

```bash
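# Fetch the raw script. The /blob/ URL returns GitHub's HTML page, not the script itself.
wget https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/importAzure.sh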
chmod +x importAzure.sh
AZURE_IMAGE_VERSION=2.0.0 AZURE_RESOURCE_GROUP_NAME=constellation-images AZURE_IMAGE_FILE=./2.0.0 ./importAzure.sh
```

The script creates the following resources:

1. A new image gallery with the default name `constellation-import`
2. A new image definition with the default name `constellation`
3. The actual image with the provided version, in this case `2.0.0`

Once the import is completed, use the `ID` of the image version in your `constellation-conf.yaml` for the `image` field. Set `confidentialVM` to `false`.
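
The following pre-flight checks are an added example, not part of Constellation or of `importAzure.sh`. They confirm that the downloaded script is really a shell script (a GitHub HTML page saved under the same name fails), that the version has the expected `MAJOR.MINOR.PATCH` form, and that the image file exists and isn't empty. All function names are hypothetical.

```bash
#!/bin/sh
# Added example: pre-flight checks to run before ./importAzure.sh.
# Function names are hypothetical and not part of Constellation.

BASE_URL="https://public-edgeless-constellation.s3.us-east-2.amazonaws.com/azure_image_exports"

# Accept only MAJOR.MINOR.PATCH made of digits, e.g. 2.0.0.
valid_version() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;  # non-digit characters or empty parts
    *.*.*.*) return 1 ;;                  # more than three parts
    *.*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the image export URL for a validated version.
image_url() {
  valid_version "$1" || return 1
  printf '%s/%s\n' "$BASE_URL" "$1"
}

# Succeed only if the file is non-empty and its first line is a shebang.
# An HTML page saved under the script's name fails this check.
looks_like_script() {
  [ -s "$1" ] || return 1
  first_line=$(head -n 1 < "$1")
  case "$first_line" in
    '#!'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: preflight SCRIPT VERSION IMAGE_FILE
preflight() {
  looks_like_script "$1" || { echo "not a shell script: $1" >&2; return 1; }
  valid_version "$2" || { echo "unexpected version: $2" >&2; return 1; }
  [ -s "$3" ] || { echo "image file missing or empty: $3" >&2; return 1; }
}

# Run the checks when called with three arguments.
if [ "$#" -eq 3 ]; then
  preflight "$@"
fi
```
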

:::info

The [constellation create](create.md) command will issue a warning because manually imported images aren't recognized as production-grade images:

```shell-session
Configured image doesn't look like a released production image. Double check image before deploying to production.
```

Please ignore this warning.

:::