Microsoft Azure Confidential VMs Will Roll Out This December
The partnership with Intel allows for hardware-enforced security and confidentiality on 4th Gen Xeon processors.
Organizations using Microsoft Azure will have access to confidential virtual machines in Azure on Dec. 1, allowing greater privacy and compliance. The DCesv5 and ECesv5-series confidential VMs run on 4th Gen Intel Xeon Scalable processors with Intel Trust Domain Extensions (TDX).
The new confidential VMs will be accessible in Microsoft Azure regions Europe West, Europe North, Central U.S. and East U.S. 2.
What do the new Microsoft Azure confidential virtual machines offer?
Confidential virtual machines are suitable for regulated environments and high-security cloud tenants, Intel said. In addition, confidential VMs:
Intel points out that confidential computing may be particularly important to organizations in healthcare, finance, retail, government services and industrial or edge deployments.
“Hardware-based Confidential Computing is one of our top focus areas for protecting data that is actively in-use in the memory and CPU, complementing protections for data at-rest and data in-flight,” Greg Lavender, chief technology officer at Intel, wrote in the announcement post. “Microsoft Azure was an early adopter of Confidential Computing with application isolation using Intel SGX, and now extends its capabilities with Virtual Machine isolation …”
Capabilities and technical details
Intel’s Azure DCesv5-series has up to 96 vCPUs and ranges from 4 to 384 GB of memory. The Intel Azure ECesv5 family has up to 128 vCPUs and options up to 768 GiB of memory. Both are up to 20% faster than 3rd Gen Intel Xeon virtual machines, Intel and Microsoft stated, and they support remote disks as well as up to 2.8 TB of local disk storage.
Intel Trust Domain Extensions expands the capabilities of Intel Software Guard Extensions, which is a current option for securing Azure instances. In particular, TDX adds more options for confidential computing.
The new confidential VMs add boot-time attestation and confidential disk encryption with enterprise key management options for platform-managed keys and customer-managed keys, Microsoft said.
In addition, new confidential VMs offer options for organizations that want to further separate their duties from their cloud provider, with ephemeral vTPM capability and disk integrity tooling.
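As an added example (not Microsoft's or Intel's own tooling), the following Azure CLI script shows how the features above map onto a DCesv5 deployment: the ConfidentialVM security type, vTPM and Secure Boot, and confidential OS-disk encryption under either platform-managed or customer-managed keys. Resource names, region, VM size and the secure-key-release policy file path are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not Microsoft's or Intel's own tooling. Emits the Azure CLI
# commands for a DCesv5 confidential VM with vTPM, Secure Boot and confidential
# OS-disk encryption under platform-managed keys (pmk) or a customer-managed
# key (cmk). Names, region and size are assumptions. Nothing is executed
# unless the script is run with "--apply [pmk|cmk]".
set -e

RG="${RG:-cvm-demo-rg}"                       # assumed resource group
LOC="${LOC:-northeurope}"                     # Europe North, one of the launch regions
VM="${VM:-cvm-dcesv5-01}"
SIZE="${SIZE:-Standard_DC4es_v5}"             # 4-vCPU DCesv5 (TDX) size
KV="${KV:-cvmdemokv}"                         # assumed Key Vault name, must be globally unique
KEY="${KEY:-cvm-osdisk-key}"
DES="${DES:-cvm-des}"                         # disk encryption set bound to the CMK
SKR_POLICY="${SKR_POLICY:-./skr-policy.json}" # placeholder: secure key release policy file
IMAGE="Canonical:0001-com-ubuntu-confidential-vm-jammy:22_04-lts-cvm:latest"

# Prerequisites for the customer-managed-key path: a Premium (HSM-backed) vault
# with purge protection, an exportable HSM key gated by a release policy, and a
# disk encryption set whose managed identity may wrap/unwrap with that key.
cmk_prereq_cmds() {
  cat <<EOF
az keyvault create -n $KV -g $RG -l $LOC --sku Premium --enable-purge-protection true
az keyvault key create --vault-name $KV -n $KEY --kty RSA-HSM --size 3072 --exportable true --policy $SKR_POLICY
az disk-encryption-set create -n $DES -g $RG -l $LOC --source-vault $KV --encryption-type ConfidentialVmEncryptedWithCustomerKey --key-url "\$(az keyvault key show --vault-name $KV -n $KEY --query key.kid -o tsv)"
az role assignment create --role "Key Vault Crypto Service Encryption User" --scope "\$(az keyvault show -n $KV -g $RG --query id -o tsv)" --assignee-object-id "\$(az disk-encryption-set show -n $DES -g $RG --query identity.principalId -o tsv)" --assignee-principal-type ServicePrincipal
EOF
}

# vm_create_cmd pmk|cmk: DiskWithVMGuestState encrypts both the OS disk and the
# VM guest state; the cmk variant additionally binds the disk to the DES above.
vm_create_cmd() {
  base="az vm create -n $VM -g $RG -l $LOC --size $SIZE --image $IMAGE \
--security-type ConfidentialVM --enable-vtpm true --enable-secure-boot true \
--os-disk-security-encryption-type DiskWithVMGuestState"
  case "$1" in
    pmk) echo "$base" ;;
    cmk) echo "$base --os-disk-secure-vm-disk-encryption-set $DES" ;;
    *) echo "usage: vm_create_cmd pmk|cmk" >&2; return 1 ;;
  esac
}

if [ "${1:-}" = "--apply" ]; then
  mode="${2:-pmk}"
  az group create -n "$RG" -l "$LOC"
  if [ "$mode" = cmk ]; then cmk_prereq_cmds | sh -e; fi
  vm_create_cmd "$mode" | sh -e
fi
```

Run with `sh cvm.sh --apply cmk` after `az login`; without `--apply` the script only prints the commands so they can be reviewed first.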
Microsoft expands Linux partnership
Microsoft works with the Confidential Computing Consortium to provide encryption and Windows support for virtual machines. As of Nov. 15, Canonical Ubuntu Server 22.04 LTS is available with support for Full Disk Encryption.
Microsoft expects SUSE Linux Enterprise Server and Red Hat Enterprise Linux to follow soon.
Competitors to DCesv5 and ECesv5-series confidential VMs
Other organizations with products in the same space as Microsoft and Intel’s confidential VMs include: