Expanding Azure Confidential Computing with new AMD-based confidential VMs

Announcing the public preview of Azure confidential VMs powered by AMD EPYC™ processors

 

Today we are announcing the public preview of Azure DCasv5/ECasv5 confidential virtual machines (VMs) powered by 3rd Gen AMD EPYC™ processors with SEV-SNP.

 

These new VMs offer an easy way to deploy confidential workloads without requiring changes to existing applications or code. They run on the same hardware configuration as general-purpose virtual machines and offer performance characteristics that let customers run general-purpose workloads while meeting their confidentiality and performance requirements. AMD recently published various benchmarks of these Azure confidential VMs.

 

Built on innovative new hardware

 

Azure’s new AMD-based confidential VMs are designed to deliver confidentiality not only between different cloud customers, but also between customers and the cloud itself.

 

These hardware-encrypted virtual machines feature integrity-protected full state encryption and advanced hardware security based on the AMD advanced security feature Secure Encrypted Virtualization (SEV), and particularly Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP).

 

Collectively, AMD SEV-SNP hardens guest protections to deny the hypervisor and other host management code access to VM memory and state, protecting against cloud operator access. Combined with Azure full-disk encryption and Azure Managed HSM, customer code and data are encrypted in use, in transit, and at rest using encryption keys which are protected and can be controlled by the customer. The VM in its entirety benefits from a strong hardware-enforced boundary.

 

Furthermore, by utilizing built-in attestation capabilities, customers will have checks and controls to be their own real-time auditors. This enables verifying the security posture of these virtual machines using cryptographic proofs and measurements chaining to the AMD hardware root-of-trust.

 

Additional benefits include UEFI secure boot enforcement and a virtual TPM (vTPM) instance dedicated to each VM. The vTPM protects keys and enables attestation, which customers can leverage to establish trust in their VM and its underlying stack.

 

A spectrum of confidential choices: from single-click to customized policies

 

Azure confidential VMs powered by AMD EPYC processors will offer a wide range of security options to suit different business and security needs.

 

Customers can harness a new full-disk encryption scheme for their virtual machines, which is supported by the latest versions of Microsoft Windows BitLocker and Canonical’s Ubuntu OS. This feature stores the disk encryption key in the TPM and predictively seals it to the platform’s known good state, capturing its anticipated boot measurements.

 

Once encrypted, the OS disk can only be decrypted if the underlying platform is properly configured, and its trusted boot components remain intact. This ensures that features such as SEV-SNP are enabled, and that firmware and OS code have not been tampered with. The cryptographic keys protecting the machine’s security state, including its TPM, can be generated, owned, and managed by either Azure or the customer. During public preview, we will roll out Customer Managed Keys (CMK), which customers can manage through Azure Managed HSM or Azure Key Vault.
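The sealing and attestation behaviour described in the two paragraphs above can be made concrete with a small simulation. The following is an added example, not Microsoft's, Azure's, or AMD's code, and it does not use the real vTPM or SEV-SNP interfaces: ToyTPM, the HMAC-based wrapping and quoting, and the sample boot chains are all constructed stand-ins. It models a single PCR extended by each boot component, seals a disk key to the anticipated measurements before any boot happens (predictive sealing), and shows that the key is released only when the measured boot matches, while a boot whose firmware reports SEV-SNP disabled neither unseals the key nor passes the relying party's quote verification.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Measured boot: each component's hash is "extended" into a single PCR, so the
# final value depends on every component and on their order.
PCR_INIT = bytes(32)
BootChain = List[Tuple[str, bytes]]

# Constructed sample boot chains (placeholders, not real firmware or kernels).
KNOWN_GOOD_BOOT: BootChain = [
    ("firmware", b"constructed-uefi-firmware v1 sev-snp=enabled"),
    ("bootloader", b"constructed-bootloader build 42"),
    ("kernel", b"constructed-kernel 5.x"),
]
# Same chain, but the firmware reports SEV-SNP disabled: a different measurement.
TAMPERED_BOOT: BootChain = [
    ("firmware", b"constructed-uefi-firmware v1 sev-snp=disabled"),
    ("bootloader", b"constructed-bootloader build 42"),
    ("kernel", b"constructed-kernel 5.x"),
]


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style PCR extend: new = H(old || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(chain: BootChain) -> bytes:
    """Compute the PCR value that booting this chain would produce."""
    pcr = PCR_INIT
    for _name, image in chain:
        pcr = extend(pcr, hashlib.sha256(image).digest())
    return pcr


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyTPM:
    """Toy stand-in for the per-VM vTPM (hypothetical). Secrets never leave it."""

    def __init__(self) -> None:
        self._srk = os.urandom(32)  # storage root key used to wrap sealed data
        self._ak = os.urandom(32)   # attestation key; HMAC stands in for signing
        self.pcr = PCR_INIT

    def boot(self, chain: BootChain) -> None:
        """Reset the PCR and replay the measurements of one boot."""
        self.pcr = measure_boot(chain)

    def _kek(self, policy_pcr: bytes) -> bytes:
        # The wrapping key is itself bound to the policy PCR, so a bypassed
        # policy check under a different boot yields garbage, not the secret.
        return hmac.new(self._srk, b"seal|" + policy_pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes, policy_pcr: bytes) -> Dict[str, bytes]:
        """Seal a 32-byte secret to an expected PCR value (predictive sealing)."""
        assert len(secret) == 32
        kek = self._kek(policy_pcr)
        ct = _xor(secret, hmac.new(kek, b"enc", hashlib.sha256).digest())
        tag = hmac.new(kek, b"mac|" + ct, hashlib.sha256).digest()
        return {"policy_pcr": policy_pcr, "ct": ct, "tag": tag}

    def unseal(self, blob: Dict[str, bytes]) -> Optional[bytes]:
        """Release the secret only if the current boot matches the sealed policy."""
        if not hmac.compare_digest(self.pcr, blob["policy_pcr"]):
            return None
        kek = self._kek(self.pcr)
        tag = hmac.new(kek, b"mac|" + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            return None
        return _xor(blob["ct"], hmac.new(kek, b"enc", hashlib.sha256).digest())

    def quote(self, nonce: bytes) -> Dict[str, bytes]:
        """Attestation quote: the current PCR bound to the verifier's nonce."""
        sig = hmac.new(self._ak, b"quote|" + nonce + self.pcr, hashlib.sha256).digest()
        return {"pcr": self.pcr, "nonce": nonce, "sig": sig}

    def ak_verification_key(self) -> bytes:
        # With HMAC the verification key equals the secret; a real vTPM would
        # expose an AK public key certified by the hardware root of trust.
        return self._ak


def verify_quote(q: Dict[str, bytes], nonce: bytes, expected_pcr: bytes, ak_key: bytes) -> bool:
    """Relying-party check: fresh nonce, valid signature, expected measurements."""
    if q["nonce"] != nonce:
        return False
    expected_sig = hmac.new(ak_key, b"quote|" + nonce + q["pcr"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, q["sig"]):
        return False
    return hmac.compare_digest(q["pcr"], expected_pcr)


def demo() -> Dict[str, object]:
    """Seal a disk key to the known-good boot, then boot good and tampered chains."""
    tpm = ToyTPM()
    disk_key = os.urandom(32)
    expected = measure_boot(KNOWN_GOOD_BOOT)
    blob = tpm.seal(disk_key, expected)  # sealed before any boot has happened
    nonce = os.urandom(16)
    tpm.boot(KNOWN_GOOD_BOOT)
    good_unseal = tpm.unseal(blob) == disk_key
    good_quote = verify_quote(tpm.quote(nonce), nonce, expected, tpm.ak_verification_key())
    tpm.boot(TAMPERED_BOOT)
    bad_unseal = tpm.unseal(blob)  # None: the policy PCR no longer matches
    bad_quote = verify_quote(tpm.quote(nonce), nonce, expected, tpm.ak_verification_key())
    return {"good_unseal": good_unseal, "good_quote": good_quote,
            "tampered_unseal": bad_unseal, "tampered_quote": bad_quote}


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is that the policy is captured at seal time from anticipated measurements, so the key never has to be released to software during provisioning, and any change to a measured component, including the firmware's SEV-SNP state, changes the PCR and closes both the unseal path and the attestation check. A real deployment replaces the HMAC stand-ins with TPM 2.0 policy sessions and an AK certified through the hardware root of trust.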

 

Together with additional security switches, we have built these confidential VMs in recognition of the wide spectrum of security-minded cloud professionals – from those seeking simple and highly secured cloud compute, to those responsible for their organizations’ most regulated and confidential data flows.

 

Ushering in a new wave of confidential computing

 

As the next wave of cloud computing increasingly focuses on scale, security, and performance, Azure’s new AMD EPYC CPU-based confidential VMs offer a compelling reason for organizations of all types and sizes to tap into confidential computing. With confidential VMs, organizations can achieve elevated data privacy while extending their cloud deployments using the tools they want and workloads they need. This ushers in a new wave of seamless confidential computing where state-of-the-art security and compute reinforce one another.

 

You can get going right away with Azure AMD EPYC CPU-based confidential VMs in both West US and North Europe regions. You can deploy them using Azure Portal and ARM APIs. Supported OS images include Windows Server 2019, Windows Server 2022, and Ubuntu 20.04. To get started, follow the instructions in this QuickStart guide. To learn more and stay up to date with Confidential VMs, visit the documentation page here.
