Microsoft Confidential Compute Updates - Q1 2024

In this post we give an overview of all the features that became generally available (GA) or entered technical preview from Microsoft in Q1 2024. This information can be found at Microsoft Azure Updates and the Azure Confidential Computing Blog.

Features are now supported by Microsoft (GA):

  • [Generally available] Azure Virtual Network encryption now in additional regions
    With Virtual Network encryption, customers can enable encryption of traffic between Virtual Machines and Virtual Machine Scale Sets within the same virtual network and between regionally and globally peered virtual networks. This new feature enhances the existing encryption-in-transit capabilities in Azure. Azure Virtual Network encryption is available in the following additional regions: West US, West US 2, East US 2, US East, Europe North, Europe West, France Central, India Central, UAE North, East Asia, Japan West, Japan East. For more, click here.
  • [Generally available] Azure Managed HSM Backup/Restore when Storage is Behind a Private Endpoint
    Microsoft is excited to announce the General Availability of support for Azure Key Vault Managed HSM backup/restore when the storage account is behind a private endpoint. We are giving customers a new way to back up and restore using a user-assigned managed identity. This method allows customers to back up and restore regardless of whether public access is enabled or disabled. Further, by becoming a Microsoft Trusted Service, we have enhanced the backup and restore flow by allowing a private endpoint connection to Azure Storage accounts while backing up and restoring Managed HSM resources. This reduces the risk of exposure to the public internet and helps address compliance needs. For more, click here.

Features are not yet supported by Microsoft (GA):

  • [Public Preview] Confidential containers on ACI
    Confidential containers on ACI, now available in public preview, enable you to run containers in a trusted execution environment (TEE) that provides hardware-based confidentiality and integrity protections for your container workloads. The TEE is currently backed by AMD SEV-SNP (Secure Nested Paging) hardware. Confidential containers on ACI is offered as a new SKU that you can select when deploying your workload, and it provides the following benefits for workloads processing highly sensitive data:
    • Ability to lift and shift workloads to a confidential environment without taking a dependency on any confidential computing libraries;
    • In-memory encryption of data with a hardware-based dedicated key per container group, helping to guard against attacks from malicious OS or hypervisor components;
    • Support for remote attestation, enabling a relying party to verify that a service is running in a TEE before processing any sensitive data. As part of confidential containers on ACI, an agent validates the authenticity of the hardware and application components, which can be verified through a remote attestation service before any sensitive data is released to the TEE. For more information, read the blog announcement and the documentation.
  • [Public Preview] VBS enclaves for Always Encrypted in Azure SQL Database
    Virtualization-based security (VBS) enclaves are a new addition to the Always Encrypted feature family. They bring the benefits of Always Encrypted with secure enclaves, such as rich confidential queries and in-place cryptographic operations, to all Azure SQL Database offerings, independent of the underlying hardware. VBS enclaves give you the flexibility to protect your sensitive data while matching the specific performance needs, budget, and regional availability requirements of your workloads. Click here to learn more.
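The attestation-gated release of sensitive data described for confidential containers on ACI above, as an added relying-party example (not code from Microsoft or from the original post). It assumes a simplified claim set (tee, debug, nonce, issued_at, measurement) and an HMAC-signed token as a stand-in for a service-issued attestation token; a real relying party verifies the attestation service's asymmetric signature and pins its certificate instead.

```python
"""Relying-party gate: hand out a secret only after an attestation token passes
policy. Constructed example; claim names, the HMAC "signature" and all values
are assumptions, not the Azure attestation token format."""
import hashlib
import hmac
import json
import time

# Constructed: key shared with the simulated attestation service (assumption).
ATTESTATION_KEY = b"constructed-demo-key"
MAX_REPORT_AGE_S = 300  # reject reports older than five minutes

# Constructed allowlist: workload measurement -> name (hypothetical hashes).
ALLOWED_MEASUREMENTS = {
    "sha256:" + "aa" * 32: "orders-svc v1.4",
}


def _canonical(claims: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sign_claims(claims: dict) -> dict:
    """Simulates the attestation service issuing a signed claim set."""
    sig = hmac.new(ATTESTATION_KEY, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": sig}


def evaluate(token: dict, expected_nonce: str, now=None) -> tuple:
    """Returns (ok, reason). Every check must pass before data is released."""
    claims, sig = token.get("claims", {}), token.get("sig", "")
    expected = hmac.new(ATTESTATION_KEY, _canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "signature invalid"      # token not issued by the service
    if claims.get("tee") != "sev-snp":
        return False, "not a hardware TEE"
    if claims.get("debug", True):               # missing flag fails closed
        return False, "debug mode enabled"
    if not hmac.compare_digest(str(claims.get("nonce")), expected_nonce):
        return False, "nonce mismatch"          # replayed or stale report
    now = time.time() if now is None else now
    if now - float(claims.get("issued_at", 0)) > MAX_REPORT_AGE_S:
        return False, "report too old"
    if claims.get("measurement") not in ALLOWED_MEASUREMENTS:
        return False, "unknown workload measurement"
    return True, "ok: " + ALLOWED_MEASUREMENTS[claims["measurement"]]


def release_secret(token: dict, expected_nonce: str, secret: str, now=None):
    """Returns the secret only when the attestation policy is satisfied."""
    ok, _reason = evaluate(token, expected_nonce, now)
    return secret if ok else None
```

The relying party generates the nonce itself for each request so that a captured report cannot be replayed, and the measurement allowlist is what ties the released secret to a specific, reviewed workload image.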