Microsoft Azure's confidential virtual machines to be launched in December this year

2023-11-22

Enterprises using Microsoft Azure will have access to confidential virtual machines on Azure starting December 1, enabling higher privacy and compliance. The DCesv5 and ECesv5 series of confidential virtual machines run on fourth-generation Intel Xeon Scalable processors with Intel Trust Domain Extensions (TDX).

The new confidential virtual machines will be available in Microsoft Azure regions West Europe, North Europe, Central US, and East US 2.

What do the new Microsoft Azure confidential virtual machines offer?

According to Intel, confidential virtual machines are suited to regulated environments and tenants with strict security requirements. In addition, confidential virtual machines:

  • Keep data private and encrypt it within hardware-enforced boundaries: Enterprises can maintain the privacy of their data during multi-party analysis, which often involves aggregating data from multiple sources for AI applications or migrating sensitive databases and applications to the cloud.
  • Help strengthen compliance and data sovereignty plans: Confidential workloads can be moved to the cloud without any code changes.
  • Help establish hardware-based isolation and access control: Hardware isolation separates proprietary applications and data from those of other Azure customers, adding to the existing logical isolation controls.

Intel points out that confidential computing may be particularly important for enterprises in sectors such as healthcare, finance, retail, government services, and industrial or edge deployments.

"Hardware-based confidential computing is a top priority area for us to protect data actively used in memory and CPU, complementing protection of data at rest and in transit," wrote Greg Lavender, Intel's Chief Technology Officer, in a blog post. "Microsoft Azure is an early adopter of confidential computing, using Intel SGX for application isolation, and now extending its capabilities through virtual machine isolation."

Capabilities and Technical Details

Azure's DCesv5 series provides up to 96 vCPUs and memory ranging from 4GB to 384GB. The ECesv5 series offers up to 128 vCPUs and memory options of up to 768GiB. Intel and Microsoft claim that both are 20% faster than the third-generation Intel Xeon virtual machines, and both support remote disks as well as local disk storage of up to 2.8TB.

Intel's Trust Domain Extensions extend the capabilities of Intel Software Guard Extensions (SGX), which is the current option for protecting Azure instances: SGX isolates an application's enclave, whereas TDX isolates an entire virtual machine, adding more deployment options for confidential computing.

The new confidential virtual machines add boot-time attestation and confidential disk encryption with options for both platform-managed keys and customer-managed keys, Microsoft says.

In addition, the new confidential virtual machines offer options for enterprises that want to further separate their responsibilities from the cloud provider's, including an ephemeral vTPM and disk integrity tooling.
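Added example, not from the article and not Microsoft's or Intel's own code: a POSIX shell helper that composes an Azure CLI `az vm create` invocation for one of the confidential VM series described above, in three forms: guest-state-only encryption, full OS-disk confidential encryption with platform-managed keys, and the same with a customer-managed key supplied through a disk encryption set. The flag names and the encryption-type values are assumptions about the Azure CLI; the resource group, VM size, image URN and disk encryption set ID are placeholders; and the hardening check is a local review helper, not an Azure feature.

```shell
#!/bin/sh
# Added example (not from the article). Flag names and encryption-type
# values are assumptions about the Azure CLI; every resource name below
# is a placeholder to be replaced before use.

RG="${RG:-rg-cvm-demo}"                                   # placeholder resource group
VM_SIZE="${VM_SIZE:-Standard_DC2es_v5}"                   # assumed DCesv5 size name
IMAGE="${IMAGE:-<confidential-vm-image-urn>}"             # placeholder image URN
DES_ID="${DES_ID:-<disk-encryption-set-resource-id>}"     # placeholder, cmk mode only

# cvm_create MODE [print|run]
#   gso : only the VM guest state is confidentially encrypted (weakest)
#   pmk : OS disk + guest state encrypted with platform-managed keys
#   cmk : as pmk, but with a customer-managed key via a disk encryption set
# With "print" (default) the composed command is printed, not executed.
cvm_create() {
  mode="$1"
  action="${2:-print}"
  set -- az vm create --resource-group "$RG" --name cvm-demo \
    --size "$VM_SIZE" --image "$IMAGE" \
    --security-type ConfidentialVM \
    --enable-vtpm true --enable-secure-boot true
  case "$mode" in
    gso) set -- "$@" --os-disk-security-encryption-type VMGuestStateOnly ;;
    pmk) set -- "$@" --os-disk-security-encryption-type DiskWithVMGuestState ;;
    cmk) set -- "$@" --os-disk-security-encryption-type DiskWithVMGuestState \
                     --os-disk-secure-vm-disk-encryption-set "$DES_ID" ;;
    *)   echo "usage: cvm_create gso|pmk|cmk [print|run]" >&2; return 2 ;;
  esac
  if [ "$action" = run ]; then
    "$@"
  else
    printf '%s ' "$@"
    printf '\n'
  fi
}

# cvm_cmd_is_hardened CMD_STRING
#   Returns 0 when the command requests a confidential VM with full OS-disk
#   confidential encryption, 1 otherwise. Local review check (assumption).
cvm_cmd_is_hardened() {
  case "$1" in
    *"--security-type ConfidentialVM"*"DiskWithVMGuestState"*) return 0 ;;
  esac
  return 1
}

# Print the command for the requested mode; set CVM_EXECUTE=run to execute it.
cvm_create "${1:-pmk}" "${CVM_EXECUTE:-print}"
```

Run without arguments to see the platform-managed-key command; `sh script.sh cmk` prints the customer-managed-key variant, and `CVM_EXECUTE=run sh script.sh cmk` executes it once the placeholders are replaced. The `gso` mode is kept so the weaker setting can be compared against the two hardened ones.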

Microsoft Expands Linux Partnerships

Microsoft is partnering with the Confidential Computing Consortium to provide encryption for virtual machines and Windows support. As of November 15, Canonical Ubuntu Server 22.04 LTS now supports full disk encryption.

Microsoft expects that SUSE Linux Enterprise Server and Red Hat Enterprise Linux will follow suit soon.

Competitors of the DCesv5 and ECesv5 series of confidential virtual machines

Competing offerings in the same space as the Microsoft and Intel confidential virtual machines include:

  • AMD's Secure Encrypted Virtualization, which powers confidential virtual machines on Azure and Google Cloud.
  • AWS Nitro System.
  • Alibaba Cloud's Enclave feature.
  • IBM Cloud's Hyper Protect Linux virtual servers.
  • Google Cloud's confidential virtual machines, powered by AMD EPYC processors.