You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
PowerShell cmdlets in the Az.Compute module need improvements to fully support Azure Compute Community Galleries. While the existing Get-AzGallery* cmdlets have Community Gallery parameter sets (via -GalleryPublicName and -Community parameters), there are gaps in VM creation workflows and documentation that prevent users from easily working with Community Gallery images.
No -CommunityGalleryImageId parameter exists at all. The only workaround is using -ImageReferenceId with a /CommunityGalleries/... path, which relies on undocumented internal path detection in VirtualMachineStrategy.cs. A first-class -CommunityGalleryImageId parameter should be added.
New-AzVmss
Same gap as New-AzVM — needs a -CommunityGalleryImageId parameter for VMSS creation from community gallery images
Set-AzVMSourceImage
The -Id parameter always sets ImageReference.Id on the SDK model. It has no community gallery support — it needs a -CommunityGalleryImageId parameter that correctly sets ImageReference.CommunityGalleryImageId instead. Currently users cannot use the advanced New-AzVMConfig pipeline for community gallery images.
New-AzGalleryImageVersion
Does not properly serialize TargetRegion encryption/securityProfile for ConfidentialVM scenarios. The hashtable-based TargetRegion produces "osDiskImage": {} — the securityProfile is silently dropped during serialization (see #28657).
Example Workflows
Discover and use a Community Gallery image to create a VM:
# List community galleryGet-AzGallery-Location "eastus"-GalleryPublicName "myGallery-GUID"-Community
# List community gallery imagesGet-AzGalleryImageDefinition-Location "eastus"-GalleryPublicName "myGallery-GUID"# List community gallery image versionsGet-AzGalleryImageVersion-Location "eastus"-GalleryPublicName "myGallery-GUID"-GalleryImageDefinitionName "myImage"# Create VM from community gallery image (proposed - parameter does not exist yet)$communityImageId="/CommunityGalleries/myGallery-GUID/Images/myImage/Versions/1.0.0"New-AzVM-ResourceGroupName "myRG"-Name "myVM"-Location "eastus"-CommunityGalleryImageId $communityImageId# Advanced pipeline (proposed - Set-AzVMSourceImage needs -CommunityGalleryImageId)$vmConfig=New-AzVMConfig-VMName "myVM"-VMSize "Standard_D2s_v3"$vmConfig=Set-AzVMSourceImage-VM $vmConfig-CommunityGalleryImageId "/CommunityGalleries/myGallery-GUID/Images/myImage/Versions/1.0.0"New-AzVM-ResourceGroupName "myRG"-Location "eastus"-VM $vmConfig
Create gallery image version with ConfidentialVM encryption (currently broken - see #28657):
# This should work but currently fails because the TargetRegion hashtable's# encryption.osDiskImage.securityProfile is silently dropped during serialization,# producing "osDiskImage": {} in the REST request body.New-AzGalleryImageVersion-ResourceGroupName "myRG"`-GalleryName "myGallery"`-GalleryImageDefinitionName "myConfidentialImage"`-Name "1.0.0"`-Location "eastus"`-SourceImageId "/subscriptions/.../images/myImage"`-TargetRegion @(
@{
Name="eastus"RegionalReplicaCount=1StorageAccountType="Standard_LRS"Encryption=@{
OSDiskImage=@{
SecurityProfile=@{
confidentialVMEncryptionType="EncryptedVMGuestStateOnlyWithPmk"secureVMDiskEncryptionSetId="/subscriptions/.../diskEncryptionSets/myDES"
}
}
}
}
)
Current Gaps
No -CommunityGalleryImageId on New-AzVM — There is no first-class parameter for community gallery images on New-AzVM. The only workaround is -ImageReferenceId with a /CommunityGalleries/... path, which relies on undocumented internal path prefix detection in VirtualMachineStrategy.cs. This forces users to discover the workaround through trial and error.
Set-AzVMSourceImage has no community gallery support — The -Id parameter always sets ImageReference.Id, not ImageReference.CommunityGalleryImageId. This means the advanced New-AzVMConfig pipeline cannot be used for community gallery images at all.
New-AzGalleryImageVersion ConfidentialVM serialization bug — The hashtable-based TargetRegion encryption is not properly serialized. encryption.osDiskImage.securityProfile is silently dropped, producing empty JSON ("osDiskImage": {}) sent to the API ([Bug] Az.Compute - New-AzGalleryImageVersion fails when GalleryImageDefinition's SecurityType=ConfidentialVM #28657). The documentation also has incorrect property names (e.g., CVMEncryptionType instead of confidentialVMEncryptionType).
Documentation gaps — Community Gallery usage with Get-AzGallery* cmdlets via -GalleryPublicName / -Community is poorly documented. Examples and help text need improvement.
Description of the new feature
PowerShell cmdlets in the Az.Compute module need improvements to fully support Azure Compute Community Galleries. While the existing
Get-AzGallery*cmdlets have Community Gallery parameter sets (via-GalleryPublicNameand-Communityparameters), there are gaps in VM creation workflows and documentation that prevent users from easily working with Community Gallery images.Related Issues
References
Proposed implementation details (optional)
Existing Cmdlets with Community Gallery Support
The following cmdlets already support Community Gallery via the
-GalleryPublicNameparameter and-Communityswitch:Get-AzGalleryGet-AzGallery -Location <location> -GalleryPublicName <name> -CommunityGet-AzGalleryImageDefinitionGet-AzGalleryImageDefinition -Location <location> -GalleryPublicName <name>Get-AzGalleryImageVersionGet-AzGalleryImageVersion -Location <location> -GalleryPublicName <name> -GalleryImageDefinitionName <image>Cmdlets That Need Updates
New-AzVM-CommunityGalleryImageIdparameter exists at all. The only workaround is using-ImageReferenceIdwith a/CommunityGalleries/...path, which relies on undocumented internal path detection inVirtualMachineStrategy.cs. A first-class-CommunityGalleryImageIdparameter should be added.New-AzVmssNew-AzVM— needs a-CommunityGalleryImageIdparameter for VMSS creation from community gallery imagesSet-AzVMSourceImage-Idparameter always setsImageReference.Idon the SDK model. It has no community gallery support — it needs a-CommunityGalleryImageIdparameter that correctly setsImageReference.CommunityGalleryImageIdinstead. Currently users cannot use the advancedNew-AzVMConfigpipeline for community gallery images.New-AzGalleryImageVersionTargetRegionencryption/securityProfile for ConfidentialVM scenarios. The hashtable-basedTargetRegionproduces"osDiskImage": {}— thesecurityProfileis silently dropped during serialization (see #28657).Example Workflows
Discover and use a Community Gallery image to create a VM:
Create gallery image version with ConfidentialVM encryption (currently broken - see #28657):
Current Gaps
-CommunityGalleryImageIdonNew-AzVM— There is no first-class parameter for community gallery images onNew-AzVM. The only workaround is-ImageReferenceIdwith a/CommunityGalleries/...path, which relies on undocumented internal path prefix detection inVirtualMachineStrategy.cs. This forces users to discover the workaround through trial and error.Set-AzVMSourceImagehas no community gallery support — The-Idparameter always setsImageReference.Id, notImageReference.CommunityGalleryImageId. This means the advancedNew-AzVMConfigpipeline cannot be used for community gallery images at all.New-AzGalleryImageVersionConfidentialVM serialization bug — The hashtable-basedTargetRegionencryption is not properly serialized.encryption.osDiskImage.securityProfileis silently dropped, producing empty JSON ("osDiskImage": {}) sent to the API ([Bug] Az.Compute - New-AzGalleryImageVersion fails when GalleryImageDefinition's SecurityType=ConfidentialVM #28657). The documentation also has incorrect property names (e.g.,CVMEncryptionTypeinstead ofconfidentialVMEncryptionType).Get-AzGallery*cmdlets via-GalleryPublicName/-Communityis poorly documented. Examples and help text need improvement.