Azure Confidential Computing for Secure Workloads

Azure Confidential Computing is a game-changer for secure workloads. It uses dedicated hardware to create a secure environment for data processing, ensuring that sensitive information remains confidential.

This approach is particularly useful for organizations handling highly sensitive data, such as financial institutions or healthcare providers. With Azure Confidential Computing, they can rest assured that their data is protected from unauthorized access.

By leveraging the Intel SGX (Software Guard Extensions) technology, Azure Confidential Computing creates a trusted execution environment (TEE) that separates sensitive data from the rest of the system. This ensures that even if the system is compromised, the sensitive data remains confidential.

Azure provides a range of virtualization options for confidential computing, including virtual machines (VMs) and containers. These options meet the definition of confidential computing, helping organizations prevent unauthorized access or modification of code and data while in use.

Azure supports hardened technologies like AMD SEV-SNP, Intel TDX, and Intel SGX for confidential computing. These technologies provide robust hardware-based isolation between virtual machines, hypervisor, and host management code.

You can run confidential VMs on DCasv5 and ECasv5 VMs, which enable lift-and-shift of existing workloads and help protect data from the cloud operator with VM-level confidentiality. Alternatively, you can use DCesv5 and ECesv5 VMs, which also provide VM-level confidentiality.

Here are some key features of Azure's confidential VMs:

Azure's confidential VMs also support AMD SEV-SNP, which provides memory encryption and full OS disk encryption using CPU-protected keys and vTPM. This allows you to make your applications confidential without changing any code.

Virtualization is a powerful tool that allows you to run multiple operating systems on a single physical machine, increasing efficiency and reducing costs. Azure provides a range of virtualization options, including virtual machines and containers.

Azure supports hardened technologies like AMD SEV-SNP, Intel TDX, and Intel SGX, which provide confidential computing capabilities. These technologies help prevent unauthorized access or modification of code and data while in use.

Confidential VMs are a key feature of Azure's virtualization capabilities. They provide robust hardware-based isolation between virtual machines, hypervisor, and host management code. This ensures that your data remains secure and confidential.

You can use confidential VMs with AMD SEV-SNP, Intel TDX, or Intel SGX. Each of these options provides a different level of security and isolation. For example, confidential VMs using AMD SEV-SNP provide memory encryption with CPU-protected keys and full OS disk encryption with keys sealed in vTPM.

Here are some key benefits of confidential VMs:

Azure Confidential GPU VMs are also available in limited preview, providing an additional layer of security for AI workloads. These VMs use Nvidia A100 Tensor Core GPUs and are ideal for maintaining the confidentiality and integrity of AI workloads in use.

Virtual Desktop (AVD) allows for a complete Windows 11 desktop and application experience in a virtual environment.

Azure Virtual Desktop (AVD) on Confidential VMs enables secure remote access with Windows Hello and Windows 11 multi-session capabilities.

You can gain the benefits of the Cloud in a virtualized environment while operating in a confidential setting.

With a virtualized environment, you can autoscale confidential VMs as demand changes.

Azure confidential computing offers robust security and encryption features to protect sensitive data. Confidential temp disk encryption extends the protection of confidential disk encryption to the temp disk, leveraging in-VM symmetric key encryption technology.

Temp disks on CVMs contain the page file, which can contain sensitive data. Without encryption, data on these disks may be accessible to the host.

To protect data in use, Azure confidential computing encrypts data in memory in hardware-based trusted execution environments. This helps prevent data access by cloud providers, administrators, and users.

You can choose between a confidential VM with Confidential OS disk encryption before VM deployment that uses platform-managed keys (PMK) or a customer-managed key (CMK), or a confidential VM without Confidential OS disk encryption before VM deployment.

Secure Boot is enabled by default when confidential OS disk encryption is selected, requiring trusted publishers to sign OS boot components.

Protecting sensitive workloads is crucial in today's digital landscape. Azure confidential computing offers a robust solution to safeguard your data in use.

You can protect data privacy and security on your most sensitive workloads by leveraging Azure's confidential compute offerings. This includes hardware, services, SDKs, and deployment tools.

Azure confidential computing encrypts data in memory in hardware-based trusted execution environments, ensuring that data is processed only after the cloud environment is verified. This prevents data access by cloud providers, administrators, and users.

To combine datasets confidentially, you can upload encrypted data to a secure enclave in a virtual machine (VM) and perform algorithms on datasets from multiple sources.

Migrating to the cloud while retaining full control of your data is possible with Azure confidential computing. You can specify the hardware and software that have access to your data and code, and verifiably enforce this guarantee.

Here are the key benefits of Azure confidential computing:

Azure confidential VMs use both the OS disk and a small encrypted virtual machine guest state (VMGS) disk of several megabytes.

The VMGS disk contains the security state of the VM's components, including the vTPM and UEFI bootloader.

From July 2022, encrypted OS disks will incur higher costs, so it's essential to check the pricing guide for managed disks for the most up-to-date information.

Azure Confidential Computing offers a range of features and support to help you get started. Confidential VMs don't support Azure Backup, Azure Site Recovery, or Shared disks, among other features.

You can, however, use Guest attestation, a key capability that provides security features like isolation, integrity, and secure boot. This allows you to make application deployment decisions based on a desired good state.

Here are some key features and support options to keep in mind when working with Azure Confidential Computing:

Confidential VM node pools on AKS are also available, allowing for seamless Linux deployments on AMD SEV-SNP-protected nodes.

Now that you've explored the features and support, it's time to think about what's next.

You can upgrade your plan at any time to access more advanced features, including priority support.

If you're experiencing issues with your account, you can contact our support team directly via email or phone. They're available 24/7 to help resolve any problems.

To get the most out of your subscription, be sure to take advantage of our online resources, such as tutorials and user guides.

OS support is crucial for Azure confidential VMs, and you've got several options to choose from. Azure confidential VMs support a range of operating systems, including Linux and Windows.

Linux options include Ubuntu and Red Hat Enterprise Linux (RHEL), with specific versions such as Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and RHEL 9.4. Windows options include Windows 10, Windows 11, and various versions of Windows Server, including Windows Server Datacenter and Windows Server 2019 Datacenter.

Here are the specific OS options supported by Azure confidential VMs:

With so many options available, you can choose the one that best fits your needs and ensure your VM is secure and isolated from the underlying cloud infrastructure.

Confidential VMs support a range of VM sizes, each designed to meet specific needs.

The General Purpose VM sizes without local disk are DCasv5-series and DCesv5-series. These sizes are ideal for general-purpose workloads that don't require high-performance storage.

For General Purpose VMs with local disk, you can choose from DCadsv5-series and DCedsv5-series. These sizes are perfect for workloads that require local storage for faster performance.

Memory Optimized VM sizes without local disk are ECasv5-series and ECesv5-series. These sizes are designed for memory-intensive workloads that require high memory capacity.

Similarly, Memory Optimized VM sizes with local disk are ECadsv5-series and ECedsv5-series. These sizes are ideal for workloads that require a combination of high memory and local storage.

One notable size is the NVIDIA H100 Tensor Core GPU powered NCCadsH100v5-series, designed specifically for workloads that require high-performance computing and AI capabilities.

Regions play a crucial role in determining where your Confidential VMs can run.

Confidential VMs are limited to running on specialized hardware available in specific VM regions, so be sure to choose the right one for your needs.

These regions are where the magic happens, providing a secure environment for your sensitive data.

The specialized hardware available in these regions is designed specifically for Confidential VMs, ensuring the highest level of security and performance.

This means you can rest assured that your data is safe and secure, no matter where it's located.

Pricing for Azure confidential VMs depends on the size of your VM.

For more information, see the Pricing Calculator.

Encrypted OS disks will incur higher costs, starting from July 2022.

You can check the pricing guide for managed disks for more details.

A small encrypted virtual machine guest state (VMGS) disk might incur a monthly storage cost, despite its small size.

Confidential VMs have some limitations when it comes to feature support. They don't support Azure Backup.

Confidential VMs also don't support Azure Site Recovery, which is a service that helps you recover your VMs in case of a disaster.

You'll also find that Confidential VMs have limited Azure Compute Gallery support.

Another thing to keep in mind is that Confidential VMs don't support shared disks.

Accelerated Networking is also not supported on Confidential VMs.

Live migration is not available on Confidential VMs.

Screenshots under boot diagnostics are also not supported on Confidential VMs.