The partnership with Intel allows for hardware-enforced security and confidentiality on 4th Gen Xeon processors.
Organizations using Microsoft Azure will have access to confidential virtual machines in Azure on Dec. 1, allowing greater privacy and compliance. The DCesv5 and ECesv5-series confidential VMs run on 4th Gen Intel Xeon Scalable processors with Intel Trust Domain Extensions (TDX).
The new confidential VMs will be accessible in Microsoft Azure regions Europe West, Europe North, Central U.S. and East U.S. 2.
What do the new Microsoft Azure confidential virtual machines offer?
Confidential virtual machines are suitable for regulated environments and high-security cloud tenants, Intel said. In addition, confidential VMs:
- Keep data private and encrypted behind a hardware-enforced boundary: Organizations can maintain the privacy of their data while working on multi-party analysis, which usually includes mixing data from multiple places for AI applications or moving sensitive databases and applications to the cloud.
- Help strengthen compliance and data sovereignty plans: Confidential workloads can be transferred to the cloud without any code needing to be changed.
- Help set up hardware-based isolation and access controls: Hardware isolation completely separates proprietary applications and data from that of other Azure customers, enhancing existing logical isolation controls.
Intel points out that confidential computing may be particularly important to organizations in healthcare, finance, retail, government services and industrial or edge deployments.
“Hardware-based Confidential Computing is one of our top focus areas for protecting data that is actively in-use in the memory and CPU, complementing protections for data at-rest and data in-flight,” Greg Lavender, chief technology officer at Intel, wrote in the announcement post. “Microsoft Azure was an early adopter of Confidential Computing with application isolation using Intel SGX, and now extends its capabilities with Virtual Machine isolation …”
Capabilities and technical details
Intel’s Azure DCesv5-series has up to 96 vCPUs and ranges from 4 to 384 GB of memory. The Intel Azure ECesv5 family has up to 128 vCPUs and options up to 768 GiB of memory. Both are up to 20% faster than 3rd Gen Intel Xeon virtual machines, Intel and Microsoft stated, and they support remote disks as well as up to 2.8 TB of local disk storage.
Intel Trust Domain Extensions expands the capabilities of Intel Software Guard Extensions, which is a current option for securing Azure instances. In particular, TDX adds more options for confidential computing.
The new confidential VMs add boot-time attestation and confidential disk encryption with enterprise key management options for platform-managed keys and customer-managed keys, Microsoft said.
In addition, new confidential VMs offer options for organizations that want to further separate their duties from their cloud provider, with ephemeral vTPM capability and disk integrity tooling.
Microsoft expands Linux partnership
Microsoft works with the Confidential Computing Consortium to provide encryption and Windows support for virtual machines. As of Nov. 15, Canonical Ubuntu Server 22.04 LTS is available with support for Full Disk Encryption.
Microsoft expects SUSE Linux Enterprise Server and Red Hat Enterprise Linux to follow soon.
Competitors to DCesv5 and ECesv5-series confidential VMs
Other organizations with products in the same space as Microsoft and Intel’s confidential VMs include:
- AMD’s Secure Encrypted Virtualization, which powers confidential VMs on both Azure and Google Cloud.
- The AWS Nitro System.
- Alibaba Cloud’s Enclave feature.
- IBM Cloud’s Hyper Protect virtual servers for Linux.
- Google Cloud’s Confidential VMs provided by AMD EPYC processors.