Microsoft Confidential Compute Updates - Q4 2022

In this post, we give an overview of all the Azure confidential computing features that reached General Availability, Technical Preview or End of Support in Q4 2022. The source for this information is Microsoft Azure Updates.

Features are now supported by Microsoft (GA):

  • [Generally available] Ephemeral OS disk support for confidential virtual machines
    As part of our commitment to delivering the best possible value for Azure confidential computing, we are announcing support for creating confidential VMs with Ephemeral OS disks. This lets customers running stateless workloads benefit from trusted execution environments (TEEs), which protect data while it is being processed from any access originating outside the TEE. See the Azure documentation to learn more.
  • [Generally available] Confidential VM option for SQL Server on Azure Virtual Machines
    With the confidential VM option for SQL Server on Azure Virtual Machines, you can now run your SQL Server workloads on the latest AMD-backed confidential virtual machines. Both the data in use (the data processed inside the memory of the SQL Server) and the data at rest stored on your VM’s drives are inaccessible to unauthorized users from outside the VM. No changes to your SQL Server application code or database schemas, including stored procedures, are required. Read the documentation for more information.
  • [Generally available] AMD confidential VM guest attestation
    Today we are announcing the general availability of the guest attestation feature for AMD SEV-SNP based confidential VMs. Guest attestation verifies the trustworthiness (good state) of the trusted execution environment on which the guest VM is executing. It lets you do the following:
    • Use the guest attestation feature to verify that a confidential VM is running on a hardware-based trusted execution environment (TEE) with its security features (isolation, integrity, secure boot) enabled;
    • Make application deployment decisions (whether to launch a sensitive workload) based on the hardware state returned by the library call;
    • Use remote attestation artifacts (token and claims) received from another system (a confidential VM) so that relying parties can establish enough trust to transact with that system;
    • Receive recommendations and alerts for unhealthy confidential VMs in Microsoft Defender for Cloud. For more information, read the documentation and the blog post.
  • [Generally available] AMD-based confidential VMs for Azure Kubernetes Service
    Azure Kubernetes Service (AKS) lets organizations deploy containers at scale. We are expanding the Azure confidential computing portfolio with AMD-based confidential VM node pools in AKS, adding defense-in-depth to Azure's already hardened security profile. With the general availability of confidential virtual machines featuring AMD 3rd Gen EPYC™ processors with Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP), organizations get VMs with isolated, encrypted memory and genuine confidentiality attestation rooted in the hardware. AKS can now run confidential and non-confidential node pools in a single cluster, so applications that process sensitive data can be scheduled onto a VM-level Trusted Execution Environment (TEE) node pool whose memory encryption keys are generated by the chipset itself. Confidential node pools on AKS enable a seamless transition of Linux container workloads to Azure without the overhead of changing code. Read the documentation to learn more.
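The guest attestation item above describes a relying party making a launch decision from the token claims. The following is an added example (not Microsoft's code) of such a policy check in Python: it assumes the token's signature has already been verified against the attestation provider's signing keys, and the claim names and sample values are assumptions modelled on the Azure Attestation SEV-SNP token format.

```python
import time
from dataclasses import dataclass, field

# Constructed sample of the already signature-verified claims of a
# confidential VM attestation token. Claim names are assumptions
# modelled on the Azure Attestation SEV-SNP token; values are made up.
SAMPLE_CLAIMS = {
    "iss": "https://sharedeus.eus.attest.azure.net",
    "exp": 4102444800,  # 2100-01-01, chosen so the sample does not expire
    "x-ms-isolation-tee": {
        "x-ms-attestation-type": "sevsnpvm",
        "x-ms-compliance-status": "azure-compliant-cvm",
        "x-ms-sevsnpvm-is-debuggable": False,
        "x-ms-runtime": {"vm-configuration": {"secure-boot": True}},
    },
}


@dataclass
class Decision:
    launch: bool
    reasons: list = field(default_factory=list)


def evaluate_claims(claims, trusted_issuers, now=None):
    """Apply a workload launch policy to verified attestation claims.

    Every failed check is recorded so the caller can log exactly why a
    sensitive workload was, or was not, launched on this VM.
    """
    now = time.time() if now is None else now
    failures = []
    if claims.get("iss") not in trusted_issuers:
        failures.append("issuer not in trusted list")
    if claims.get("exp", 0) <= now:
        failures.append("token expired")
    tee = claims.get("x-ms-isolation-tee", {})
    if tee.get("x-ms-attestation-type") != "sevsnpvm":
        failures.append("not an SEV-SNP confidential VM")
    if tee.get("x-ms-compliance-status") != "azure-compliant-cvm":
        failures.append("VM not reported as compliant")
    # Fail closed: a missing debug flag is treated as debuggable.
    if tee.get("x-ms-sevsnpvm-is-debuggable", True):
        failures.append("debug mode enabled")
    vm_config = tee.get("x-ms-runtime", {}).get("vm-configuration", {})
    if vm_config.get("secure-boot") is not True:
        failures.append("secure boot not enabled")
    return Decision(launch=not failures, reasons=failures)
```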

Features that are not yet supported by Microsoft (not GA):

  • [Public Preview] Azure Backup support for confidential VMs using Platform Managed Keys
    Azure Backup can now back up confidential VMs that have no confidential OS disk encryption, as well as confidential VMs whose confidential OS disk encryption uses Platform Managed Keys. Feature details:
    • Backup is supported in all regions where confidential VMs are currently available;
    • Backup of confidential VMs is only supported using EnhancedPolicy;
    • Cross-region Restore and Item Level Restore are unsupported;
    • Backup of confidential VMs having confidential OS disk encryption using Customer Managed Key is currently unsupported.
  • [Public Preview] Azure Managed Confidential Consortium Framework
    We are announcing the preview of Azure Managed Confidential Consortium Framework, a new Azure service that lets you use the open-source Confidential Consortium Framework for building and managing multi-party applications that require decentralized trust and governance in a trusted network. For ease of use and performance, each network utilizes Azure confidential computing’s trusted execution environments (TEEs) for centralized computation. To learn more about the Azure Managed Confidential Consortium Framework, read the blog post. To learn more about the open-source Confidential Consortium Framework, read the documentation.