Azure

Confidential Virtual Machines (Confidential VMs) are an offering within Azure Confidential Computing, designed for customers with demanding security and confidentiality requirements.

The Azure Confidential Virtual Machine AMD-SNP template offers Confidential VMs based on AMD processors with SEV-SNP technology. These VMs provide a hardware-enforced boundary to help meet customer security needs. Customers can migrate existing workloads to confidential VMs without changing their code, while the platform protects the VM's state from being read or modified.

The template requires two prerequisites:

  • An active Azure subscription in which to deploy this template

  • Owner or write permissions on the subscription to which the confidential VM will be deployed

There is no hard dependency on Sovereign Landing Zone (SLZ); however, we have implemented and tested this template under the SLZ confidential management group, where the existing confidential policies are enforced.

Note:

Common known issues and FAQs are listed on our Known Issues and FAQ page. If you cannot find an answer there, please log an issue in GitHub issues.

Deploy Azure Confidential Virtual Machine AMD-SNP template

  1. Open PowerShell 7.x.

  2. Clone the Cloud for Sovereignty quickstarts repo:

    git clone https://github.com/Azure/cloud-for-sovereignty-quickstarts
  3. Create a subscription if you don't have an existing one.

  4. Run the following commands to authenticate to Azure and to select the subscription in which you want this deployment to be hosted.

    Login-AzAccount
    
    Connect-AzAccount -Subscription <your-subscription-id-from-previous-step>
  5. Navigate to cloud-for-sovereignty-quickstarts\workloadAccelerators\confidentialVirtualMachine\scripts\parameters\ and open confidentialVirtualMachine.parameters.json in a text editor, for example, VS Code.

    cd .\cloud-for-sovereignty-quickstarts\workloadAccelerators\confidentialVirtualMachine\scripts\parameters\
    code .
  6. Update the parameters and save the file. Use the Parameters table for assistance.

  7. Change directory to scripts and run the deployment PowerShell script to deploy the template.

    cd ..
    .\confidentialVirtualMachineAccelerator.ps1
  8. A successful deployment finishes with the following statements:

    >>> Confidential VM deployment successful
  9. Confirm deployment completion by connecting to the Azure Portal

    • Connect to the Azure Portal and search for your subscription in the main "Search resources, services, and docs" box

    • Type the subscription name that you provided above

    • Once you have identified your subscription, verify under Deployments that the last deployment succeeded.

    • Navigate to Resource Groups and find {parDeploymentPrefix}-rg

    • Inspect all resources created.

  10. Confirm deployment completion by connecting to the Confidential VM

    • Connect to your VM through the Connect/Bastion link on its page in the Azure Portal.

    • Find the VM in the Azure portal, click Connect/Go to Bastion, then enter the login credentials for the VM and select Connect. See Connect to VM Screen 1 and Connect to VM Screen 2 for illustration. You provided the admin username in the parameters file as parAdminUsername and the password as parAdminPasswordOrKey.

  11. Because the subnet was created by this deployment, remember to apply the same subnet value back to the Sovereign Landing Zone through its parCustomSubnets parameter if you deploy the application on top of SLZ. Failing to do so may result in an "InUseSubnetCannotBeDeleted" error when rerunning the Sovereign Landing Zone deployment script. Below is an example of the parCustomSubnets parameter in Sovereign Landing Zone:

    "parCustomSubnets": {
        "type": "array",
        "usedBy": "all and platform",
        "value": [
            {
                "name": "AdminVmSubnet",
                "ipAddressRange": "10.20.100.0/24"
            }
        ],
        "description": "List of other subnets to deploy on the hub VNET and their CIDR ranges."
    }
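
Steps 9 and 10 confirm the deployment through the portal. The following script is an added example, not part of the quickstart or its scripts: it checks from PowerShell that the deployed VM actually carries the confidential security profile rather than only existing. It assumes the Az.Compute module is installed and that you are already signed in with Connect-AzAccount; the SecurityProfile and SecurityEncryptionType property paths follow Az.Compute's PSVirtualMachine object, and the resource group name follows the {parDeploymentPrefix}-rg convention from step 9. The VM name is a placeholder you replace with the name shown in the portal.

```powershell
# Added example (not part of the quickstart): verify that a deployed VM is a
# Confidential VM. Assumes Az.Compute is installed and Connect-AzAccount has run.
function Test-ConfidentialVm {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VmName
    )

    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VmName -ErrorAction Stop

    # Property paths as exposed by Az.Compute's PSVirtualMachine object (assumption:
    # verify against your installed module version if any value comes back empty).
    $securityType = $vm.SecurityProfile.SecurityType
    $secureBoot   = $vm.SecurityProfile.UefiSettings.SecureBootEnabled
    $vTpm         = $vm.SecurityProfile.UefiSettings.VTpmEnabled
    $osDiskEnc    = $vm.StorageProfile.OsDisk.ManagedDisk.SecurityProfile.SecurityEncryptionType

    # A Confidential VM reports SecurityType 'ConfidentialVM' and an OS disk whose
    # guest state (and optionally the disk itself) is encrypted by the platform.
    $isConfidential = ($securityType -eq 'ConfidentialVM') -and
                      ($osDiskEnc -in @('VMGuestStateOnly', 'DiskWithVMGuestState'))

    [pscustomobject]@{
        VmName                 = $vm.Name
        VmSize                 = $vm.HardwareProfile.VmSize
        SecurityType           = $securityType
        SecureBootEnabled      = $secureBoot
        VTpmEnabled            = $vTpm
        SecurityEncryptionType = $osDiskEnc
        IsConfidential         = $isConfidential
    }
}

# Usage: resource group per the {parDeploymentPrefix}-rg naming in step 9;
# '<your-cvm-name>' is a placeholder for the VM name shown in the portal.
$check = Test-ConfidentialVm -ResourceGroupName '<parDeploymentPrefix>-rg' -VmName '<your-cvm-name>'
$check | Format-List

if (-not $check.IsConfidential) {
    Write-Warning "VM '$($check.VmName)' does not report SecurityType=ConfidentialVM; review the deployment parameters."
}
```

The check deliberately looks at the security profile and the OS disk encryption type rather than at the deployment status alone: a deployment can succeed while a parameter change has silently produced a standard VM, and only the security profile shows which of the two you have.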

Parameters

Descriptions and accepted values for all parameters in the confidentialVirtualMachine.parameters.json file are given below.

We provide default values for most parameters, but you must set the required ones. Refer to the table or to the parameter definitions in the Bicep script for allowed values. All parameters marked with * are required. Per JSON syntax, strings are delimited by quotes, whereas numeric and boolean values are not.

Required parameters

Optional parameters

Adding parameters to override optional ones

If you want to override an optional parameter from the table whose entry isn't in the parameter file, add a JSON fragment in the same form as the entries already there, for example:

  "parAdminUsername": {
    "value": "AdminUser"
  },
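
Editing the file by hand works for one value; the following function is an added example, not part of the quickstart, that performs the same add-or-override from PowerShell so it can be scripted. It assumes each parameter entry is an object of the form { "value": ... } as in the fragment above, and it detects at runtime whether the entries sit at the root of the file or under a "parameters" object, since the page does not show the file's outer structure.

```powershell
# Added example (not part of the quickstart): add or override one parameter in
# confidentialVirtualMachine.parameters.json. Assumes entries look like { "value": ... }.
function Set-TemplateParameter {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Value
    )

    $doc = Get-Content -Path $Path -Raw | ConvertFrom-Json

    # Assumption: entries may live at the root or under a "parameters" object.
    $container = if ($doc.PSObject.Properties['parameters']) { $doc.parameters } else { $doc }

    if ($container.PSObject.Properties[$Name]) {
        # Entry already present: replace only its value, keep any other fields.
        $container.$Name.value = $Value
    }
    else {
        # Entry absent: add a fragment matching the shape of the existing ones.
        $fragment = [pscustomobject]@{ value = $Value }
        $container | Add-Member -NotePropertyName $Name -NotePropertyValue $fragment
    }

    # -Depth keeps nested values (such as arrays of subnet objects) from being
    # flattened to strings on the way back out.
    $doc | ConvertTo-Json -Depth 10 | Set-Content -Path $Path -Encoding utf8
}

# Usage, run from the scripts\parameters\ directory of step 5:
Set-TemplateParameter -Path '.\confidentialVirtualMachine.parameters.json' -Name 'parAdminUsername' -Value 'AdminUser'
```

Because the function round-trips the whole document through ConvertFrom-Json and ConvertTo-Json, any entry it does not touch is written back unchanged, so it can be called once per parameter you need to set before running the deployment script in step 7.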
