Loading...

Expanding Azure Confidential Computing with new AMD-based confidential VMs

Expanding Azure Confidential Computing with new AMD-based confidential VMs

Announcing the public preview of Azure confidential VMs powered by AMD EPYC™ processors

 

Today we are announcing the public preview of Azure DCasv5/ECasv5 confidential virtual machines (VMs) powered by 3rd Gen AMD EPYC™ processors with SEV-SNP.

 

These new VMs offer an easy way to deploy confidential workloads without requiring changes to existing applications or code. They are enabled on the same hardware configuration as general-purpose virtual machines and offer performance characteristics enabling customers to run general-purpose workloads while achieving their desired confidentiality and performance requirements. AMD recently published various benchmarks of these Azure confidential VMs.

 

Built on innovative new hardware

 

Azure’s new AMD-based confidential VMs are designed to deliver confidentiality not only between different cloud customers, but also between customers and the cloud itself.

 

These hardware-encrypted virtual machines feature integrity-protected full state encryption and advanced hardware security based on the AMD advanced security feature Secure Encrypted Virtualization (SEV), and particularly Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP).

 

Collectively, AMD SEV-SNP hardens guest protections to deny the hypervisor and other host management code access to VM memory and state, protecting against cloud operator access. Combined with Azure full-disk encryption and Azure Managed HSM, customer code and data are encrypted in use, in transit, and at rest using encryption keys which are protected and can be controlled by the customer. The VM in its entirety benefits from a strong hardware-enforced boundary.

 

Furthermore, by utilizing built-in attestation capabilities, customers will have checks and controls to be their own real-time auditors. This enables verifying the security posture of these virtual machines using cryptographic proofs and measurements chaining to the AMD hardware root-of-trust.

 

Additional benefits include UEFI secure boot enforcement and a virtual TPM instance dedicated to each VM. vTPM protects keys and enables attestation, which customers can leverage to establish trust in their VM and its underlying stack.

 

A spectrum of confidential choices: from single-click to customized policies

 

Azure confidential VMs powered by AMD EPYC processors will offer a wide range of security options to suit different business and security needs.

 

Customers can harness a new full-disk encryption scheme for their virtual machines, which is  supported by the latest versions of Microsoft Windows BitLocker and Canonical’s Ubuntu OS. This feature stores the disk encryption key in the TPM and predictively seals it to the platform’s known good state — capturing its anticipated boot measurements.

 

Once encrypted, the OS disk can only be decrypted if the underlying platform is properly configured, and its trusted boot components remain intact. This ensures that features such as SEV-SNP are enabled, and that firmware and OS code have not been tampered with. The cryptographic keys protecting the machine’s security state, including its TPM, can be generated, owned, and managed by either Azure or the customer. During public preview, we will roll out Customer Managed Keys (CMK), which customers can manage through Azure Managed HSM or Azure Key Vault.

 

Together with additional security switches, we have built these confidential VMs in recognition of the wide spectrum of security-minded cloud professionals – from those seeking simple and highly secured cloud compute, to those responsible for their organizations’ most regulated and confidential data flows.

 

Ushering in a new wave of confidential computing

 

As the next wave of cloud computing increasingly focuses on scale, security, and performance, Azure’s new AMD EPYC CPU-based confidential VMs offer a compelling reason for organizations of all types and sizes to tap into confidential computing. With confidential VMs, organizations can achieve elevated data privacy while extending their cloud deployments using the tools they want and workloads they need. This ushers in a new wave of seamless confidential computing where state-of-the-art security and compute reinforce one another.

 

You can get going right away with Azure AMD EPYC CPU-based confidential VMs in both West US and North Europe regions. You can deploy them using Azure Portal and ARM APIs. Supported OS images include Windows Server 2019, Windows Server 2022, and Ubuntu 20.04. To get started, follow the instructions in this QuickStart guide. To learn more and stay up to date with Confidential VMs, visit the documentation page here.

Published on:

Learn more
Azure Confidential Computing Blog articles
Azure Confidential Computing Blog articles

Azure Confidential Computing Blog articles

Share post:

Related posts

Azure Developer CLI (azd) – November 2024

This post announces the November release of the Azure Developer CLI (`azd`). The post Azure Developer CLI (azd) – November 2024 appeared...

2 days ago

Microsoft Purview | Information Protection: Auto-labeling for Microsoft Azure Storage and Azure SQL

Microsoft Purview | Information Protection will soon offer Auto-labeling for Microsoft Azure Storage and Azure SQL, providing automatic l...

3 days ago

5 Proven Benefits of Moving Legacy Platforms to Azure Databricks

With evolving data demands, many organizations are finding that legacy platforms like Teradata, Hadoop, and Exadata no longer meet their needs...

4 days ago

November Patches for Azure DevOps Server

Today we are releasing patches that impact our self-hosted product, Azure DevOps Server. We strongly encourage and recommend that all customer...

4 days ago

Elevate Your Skills with Azure Cosmos DB: Must-Attend Sessions at Ignite 2024

Calling all Azure Cosmos DB enthusiasts: Join us at Microsoft Ignite 2024 to learn all about how we’re empowering the next wave of AI innovati...

4 days ago

Getting Started with Bicep: Simplifying Infrastructure as Code on Azure

Bicep is an Infrastructure as Code (IaC) language that allows you to declaratively define Azure resources, enabling automated and repeatable d...

6 days ago

How Azure AI Search powers RAG in ChatGPT and global scale apps

Millions of people use Azure AI Search every day without knowing it. You can enable your apps with the same search that enables retrieval-augm...

9 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy