
Create an enclave in the Azure portal

An enclave is an isolated Azure Virtual Network that belongs to a community and hosts one or more workloads. Workloads in an enclave are isolated from other enclaves in the same community unless you explicitly enable connectivity by creating endpoints and connections.

In this how-to guide, you create an enclave in the Azure portal.

Prerequisites

  • To access Azure Enclave, you need an Azure subscription. If you don't already have a subscription, create a free account before you begin.
  • Before you can create an enclave, you must create a community using the Azure portal.
  • If you use on-premises or custom DNS, plan how resources in the enclave resolve the private endpoints for Azure Storage, Key Vault, and Log Analytics. If the Private Link DNS zones aren't served by your resolver, those service names continue to resolve to public addresses and traffic bypasses the private endpoints.
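The following check is an added example for this guide, not code from Azure Enclave or the Azure documentation. It audits whether service hostnames that an enclave workload depends on resolve to private addresses (a private endpoint) rather than public ones. The Private Link zone names in the table are the standard ones for Storage blobs, Key Vault, and Log Analytics; the storage account, vault and workspace names, and the sample DNS answers, are constructed for illustration.

```python
"""Audit whether Azure service hostnames resolve through private endpoints.

Added example for the enclave DNS prerequisite; it is not part of Azure
Enclave. It assumes the standard Azure Private Link DNS zone names and that
workloads in the enclave should reach Storage, Key Vault and Log Analytics
only via private endpoints (private IP addresses).
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Public DNS suffix -> Private Link zone that your on-premises or custom DNS
# must forward to (or that a linked Azure private DNS zone must serve) for
# the name to resolve to the private endpoint's address.
PRIVATELINK_ZONES: Dict[str, str] = {
    "blob.core.windows.net": "privatelink.blob.core.windows.net",
    "vault.azure.net": "privatelink.vaultcore.azure.net",
    "ods.opinsights.azure.com": "privatelink.ods.opinsights.azure.com",
    "oms.opinsights.azure.com": "privatelink.oms.opinsights.azure.com",
    "monitor.azure.com": "privatelink.monitor.azure.com",
}


def expected_privatelink_zone(hostname: str) -> Optional[str]:
    """Return the Private Link zone a hostname should resolve through, or None."""
    for suffix, zone in PRIVATELINK_ZONES.items():
        if hostname.lower().endswith("." + suffix):
            return zone
    return None


def is_private_address(addr: str) -> bool:
    """True for RFC 1918 / ULA style addresses, excluding loopback and link-local."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private and not ip.is_loopback and not ip.is_link_local


def system_resolver(hostname: str) -> List[str]:
    """Resolve with the host's configured DNS; empty list on NXDOMAIN/failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})
    except socket.gaierror:
        return []


def audit(
    hostnames: Iterable[str],
    resolve: Callable[[str], List[str]] = system_resolver,
) -> List[Tuple[str, str, List[str]]]:
    """Classify each hostname as private, PUBLIC, UNRESOLVED or UNKNOWN-SERVICE."""
    results = []
    for host in hostnames:
        if expected_privatelink_zone(host) is None:
            results.append((host, "UNKNOWN-SERVICE", []))
            continue
        addrs = resolve(host)
        if not addrs:
            verdict = "UNRESOLVED"          # zone forwarded but no record yet
        elif all(is_private_address(a) for a in addrs):
            verdict = "private"             # resolves to the private endpoint
        else:
            verdict = "PUBLIC"              # DNS not forwarded: traffic leaves the VNet
        results.append((host, verdict, addrs))
    return results


# Constructed sample answers standing in for a real resolver (hypothetical names).
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "mystorage.blob.core.windows.net": ["10.20.1.4"],      # private endpoint NIC
    "mykv.vault.azure.net": ["20.60.1.15"],                # still public: not forwarded
    "myworkspace.ods.opinsights.azure.com": [],            # NXDOMAIN
}


def sample_resolver(hostname: str) -> List[str]:
    return SAMPLE_ANSWERS.get(hostname, [])


if __name__ == "__main__":
    for host, verdict, addrs in audit(SAMPLE_ANSWERS, resolve=sample_resolver):
        zone = expected_privatelink_zone(host)
        print(f"{verdict:16} {host:45} {','.join(addrs) or '-':20} via {zone}")
```

Run it from a VM inside the enclave with the default `system_resolver` (replace the sample names with your own resources); any `PUBLIC` or `UNRESOLVED` line means the corresponding Private Link zone is not being forwarded or linked correctly.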

Sign in to Azure

Sign in to the Azure portal.

Create an enclave

Enclave deployments can take several minutes to complete. After deployment completes, open your enclave and verify that Status is Succeeded.

  1. Enter Azure Enclave in the search box at the top of the portal.

  2. Under Services, select Azure Enclave.

  3. In the Azure Enclave page, select Enclaves in the left menu.

    Screenshot showing the Azure Enclave portal page with the enclaves list selected.

  4. On the Enclaves page, select Create.

  5. Enter details for your enclave on the Basics tab:

    • Subscription: Select an existing subscription.
    • Resource group: Create a new resource group or select an existing resource group.
    • Enclave name: Enter a name for the enclave, for example, My-Enclave.
    • Region: Select the Azure region where the enclave is created.
    • Select a community: Select an existing community.
    • Dedicated hub: Select the dedicated hub to use for this enclave.

    Screenshot showing the enclave basics settings page during enclave creation in the portal.

  6. Select Next. On the Network tab, select the network size, choose whether enclave subnet communication is allowed by default, create subnets, and enable Azure Bastion as needed. For planning guidance, see Azure Virtual Network concepts and best practices and Plan virtual networks.

    Screenshot showing the enclave networking settings page during enclave creation in the portal.

    Note

    Azure Enclave automatically allocates the next best-fit block of network address space based on the existing networks allocated to the target community.

  7. Select Next. On the Maintenance mode tab, choose whether to request maintenance mode when the enclave is created. Maintenance mode allows privileged changes to managed resources that are critical to enclave security. Learn more about maintenance mode.

    Screenshot showing the enclave maintenance mode settings page during enclave creation in the portal.

  8. Select Next. On the Approvals tab, choose which approval settings apply to your enclave.

    Screenshot showing the enclave approvals settings page during enclave creation in the portal.

  9. Select Next. On the Policy management tab, customize your settings as needed.

    Screenshot showing the enclave policy management settings page during enclave creation in the portal.

  10. Select Next. On the Monitoring tab, select where enclave logs are stored.

    Screenshot showing the enclave monitoring settings page during enclave creation in the portal.

  11. Select Next. On the Enclave administration tab, select the users and groups that should have privileged access to the managed resource group for the enclave.

    Screenshot showing the enclave administration settings page during enclave creation in the portal.

  12. Select Next. On the Workload permissions tab, select the users and groups that should have privileged access to the workload resource groups you later create for workload resources, and choose how standard Azure RBAC applies to those resource groups:

    • RBAC Inheritance
      • Enabled: Standard Azure RBAC inheritance applies to workload resources.
      • Disabled: Only the permissions defined under the workload admin settings apply to workload resources.
    • Reader Access
      • Allowed: Standard RBAC inheritance applies to workload resources for read permissions only.
      • Denied: Read access is denied unless it is explicitly defined under the workload admin settings.
    • Workload Access Controls: Define the role assignments and deny assignment exclusions that apply to the workload resource group(s).

    Screenshot showing the enclave workload permissions settings page during enclave creation in the portal.

  13. Select Next, and then create any tags for your enclave.

  14. Select Next, and then select Review + create, validate that the details for your enclave are correct, and then select Create.

    Screenshot showing created enclave on its overview page.
