Confidential Computing 101
Azure

Last updated 1 year ago


DCesv5 and ECesv5-series confidential virtual machines (VMs) are available in the Azure portal and via the CLI and ARM templates. These VMs are powered by 4th Gen Intel Xeon Scalable processors with Intel Trust Domain Extensions (Intel TDX). The entire guest (OS, kernel and applications) runs inside a hardware-isolated trust domain whose memory is encrypted and inaccessible to the hypervisor, so organizations can bring confidential workloads to the cloud without code changes to applications.

Getting Started

At the time this page was written, these VM sizes could be deployed in West Europe, Central US and East US 2; check the current Azure region availability before choosing a region.

Quickstart: Create confidential VM in the Azure portal

You can use the Azure portal to quickly create a confidential VM based on an Azure Marketplace image. There are multiple confidential VM options on AMD and Intel, built on AMD SEV-SNP and Intel TDX technology respectively.

Prerequisites

  • An Azure subscription. Free trial accounts don't have access to the VMs used in this tutorial. One option is to use a pay-as-you-go subscription.

  • If you're using a Linux-based confidential VM, use a Bash shell for SSH or install an SSH client, such as PuTTY.

  • If Confidential disk encryption with a customer-managed key is required, first register the Confidential VM Orchestrator service principal in your tenant. This is the identity that releases the disk encryption key to an attested confidential VM, so without it the customer-managed-key path fails. Run the following in Azure PowerShell:

    ```powershell
    # Register the Confidential VM Orchestrator service principal (AzureAD module).
    # The AzureAD module is deprecated; New-MgServicePrincipal -AppId ... from the
    # Microsoft Graph PowerShell module is the current equivalent.
    Connect-AzureAD -Tenant "your tenant ID"
    New-AzureADServicePrincipal -AppId bf7b6499-ff71-4aa2-97a4-f372087be7f0 -DisplayName "Confidential VM Orchestrator"
    ```

Create confidential VM

To create a confidential VM in the Azure portal using an Azure Marketplace image:

  1. Sign in to the Azure portal.

  2. Select or search for Virtual machines.

  3. On the Virtual machines page menu, select Create > Virtual machine.

  4. On the tab Basics, configure the following settings:

    a. Under Project details, for Subscription, select an Azure subscription that meets the prerequisites.

    b. For Resource Group, select Create new to create a new resource group. Enter a name, and select OK.

    c. Under Instance details, for Virtual machine name, enter a name for your new VM.

    d. For Region, select the Azure region in which to deploy your VM.

    Note

    Confidential VMs are not available in all locations. For currently supported locations, see which VM products are available by Azure region.

    e. For Availability options, select No infrastructure redundancy required for a single VM, or Virtual machine scale set for multiple VMs.

    f. For Security Type, select Confidential virtual machines.

    g. For Image, select the OS image to use for your VM. Select See all images to open Azure Marketplace. Select the filter Security Type > Confidential to show all available confidential VM images.

    h. Toggle Generation 2 images. Confidential VMs only run on Generation 2 images. To ensure this, under Image, select Configure VM generation. In the pane Configure VM generation, for VM generation, select Generation 2. Then, select Apply.

    i. For Size, select a VM size. For more information, see the supported confidential VM families.

    j. For Authentication type, if you're creating a Linux VM, select SSH public key. If you don't already have SSH keys, create SSH keys for your Linux VMs.

    k. Under Administrator account, for Username, enter an administrator name for your VM.

    l. For SSH public key, if applicable, enter your RSA public key.

    m. For Password and Confirm password, if applicable, enter an administrator password.

    n. Under Inbound port rules, for Public inbound ports, select Allow selected ports.

    o. For Select inbound ports, select your inbound ports from the drop-down menu. For Windows VMs, select HTTP (80) and RDP (3389). For Linux VMs, select SSH (22) and HTTP (80).

    Note

    Exposing RDP/SSH to the internet is not recommended for production deployments; restrict the source address range or reach the VM through a bastion host instead.

  5. On the tab Disks, configure the following settings:

    1. Under Disk options, enable Confidential OS disk encryption if you want to encrypt your VM's OS disk during creation.

    2. For Key Management, select the type of key to use.

    3. If Confidential disk encryption with a customer-managed key is selected, create a Confidential disk encryption set before creating your confidential VM.

    4. If you want to encrypt your VM's temp disk, refer to the Azure documentation on temp disk encryption for confidential VMs.

  6. (Optional) If you selected Confidential disk encryption with a customer-managed key, create a Confidential disk encryption set as follows.

    1. Create an Azure Key Vault, selecting the Premium pricing tier (which includes support for HSM-backed keys), and enable purge protection. Alternatively, you can create an Azure Key Vault managed Hardware Security Module (HSM).

    2. In the Azure portal, search for and select Disk Encryption Sets.

    3. Select Create.

    4. For Subscription, select which Azure subscription to use.

    5. For Resource group, select or create a new resource group to use.

    6. For Disk encryption set name, enter a name for the set.

    7. For Region, select an available Azure region.

    8. For Encryption type, select Confidential disk encryption with a customer-managed key.

    9. For Key Vault, select the key vault you already created.

    10. Under Key Vault, select Create new to create a new key.

      Note

      If you selected an Azure managed HSM previously, use PowerShell or the Azure CLI to create the new key instead.

    11. For Name, enter a name for the key.

    12. For Key type, select RSA-HSM.

    13. Select your key size.

    14. Under Confidential Key Options, select Exportable and set the Confidential operation policy to CVM confidential operation policy. This policy is a secure key release policy: Key Vault only releases the key to a confidential VM that presents a valid Azure Attestation report for a compliant confidential VM, so the customer-managed key is bound to the attested guest rather than to anything the hypervisor host controls.

    15. Select Create to finish creating the key.

    16. Select Review + create to create the new disk encryption set. Wait for the resource creation to complete successfully.

    17. Go to the disk encryption set resource in the Azure portal.

    18. Select the pink banner to grant permissions to Azure Key Vault. This gives the disk encryption set's managed identity the key permissions it needs to wrap and unwrap the disk encryption key.

    Important

    You must perform this step to successfully create the confidential VM.

  7. As needed, make changes to settings under the tabs Networking, Management, Guest Config, and Tags.

  8. Select Review + create to validate your configuration.

  9. Wait for validation to complete. If necessary, fix any validation issues, then select Review + create again.

  10. In the Review + create pane, select Create.
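The same deployment driven from the Azure CLI, as an added example that is not part of the original page or of Azure's own tooling. It folds the portal choices above into one script: the region and size checks (the three regions named under Getting Started, and the DC/EC e(d)s v5 naming of the TDX sizes), the Basics and Disks settings behind `az vm create`, and step 6 (Key Vault, exportable RSA-HSM key with a release policy, the disk encryption set and the two access grants the portal performs through the pink banner and the orchestrator opt-in). Assumptions: resource names, the admin user, the SSH key path and the Key Vault name are placeholders (vault names must be globally unique); the image is Canonical's Ubuntu 22.04 confidential VM marketplace image; `--enable-rbac-authorization false` is set because access is granted with vault access policies; and the secure key release policy file (`skr-policy.json`, the portal's "CVM confidential operation policy") is not reproduced here and must be authored from the Azure documentation. Nothing is deployed unless `RUN_DEPLOY=1` is set.

```shell
#!/bin/sh
# Added example, not from the original page: Azure CLI equivalent of the portal
# procedure for an Intel TDX (DCesv5/ECesv5) Linux confidential VM. Resource
# names, admin user, key path and vault name are placeholders. Requires a
# logged-in Azure CLI (az login). Nothing is deployed unless RUN_DEPLOY=1.
set -eu

# Regions the page lists for DCesv5/ECesv5, the Ubuntu 22.04 CVM marketplace
# image, and the service principal the page opts in for customer-managed keys.
TDX_REGIONS="westeurope centralus eastus2"
TDX_IMAGE="Canonical:0001-com-ubuntu-confidential-vm-jammy:22_04-lts-cvm:latest"
CVM_ORCHESTRATOR_APPID="bf7b6499-ff71-4aa2-97a4-f372087be7f0"

# Reject targets that cannot be a TDX confidential VM before touching the cloud:
# region must be one of the three above, size must be a DC/EC e(d)s v5 size
# (Standard_DC4as_v5, for instance, is an AMD SEV-SNP size, not TDX).
validate_tdx_target() {
  case " $TDX_REGIONS " in
    *" $1 "*) ;;
    *) echo "region '$1' is not listed for DCesv5/ECesv5" >&2; return 1 ;;
  esac
  printf '%s' "$2" | grep -Eq '^Standard_(DC|EC)[0-9]+ed?s_v5$' \
    || { echo "size '$2' is not a DCesv5/ECesv5 (Intel TDX) size" >&2; return 1; }
}

# Print the 'az vm create' line for the portal's Basics/Disks choices: Security
# type = Confidential virtual machines, Secure Boot and vTPM on, Confidential OS
# disk encryption (DiskWithVMGuestState, platform key), SSH key auth, port 22
# open. Optional 7th argument: resource id of a confidential disk encryption
# set, which switches the OS disk to the customer-managed key (step 6).
cvm_create_cmd() {
  # usage: cvm_create_cmd RG NAME REGION SIZE ADMIN_USER SSH_PUBKEY_FILE [DES_ID]
  validate_tdx_target "$3" "$4" || return 1
  printf "az vm create --resource-group '%s' --name '%s' --location '%s' --size '%s' " "$1" "$2" "$3" "$4"
  printf "%s " "--image $TDX_IMAGE" "--security-type ConfidentialVM" \
    "--enable-secure-boot true" "--enable-vtpm true" \
    "--os-disk-security-encryption-type DiskWithVMGuestState" \
    "--admin-username '$5'" "--ssh-key-values '$6'" "--nsg-rule SSH"
  [ $# -ge 7 ] && printf "%s " "--os-disk-secure-vm-disk-encryption-set '$7'"
  echo
}

# Portal step 6 as commands: Premium Key Vault with purge protection, an
# exportable RSA-HSM key bound to a secure key release policy (the JSON file is
# authored from the Azure docs and passed in), a confidential disk encryption
# set, and the two access grants the portal hides behind the pink banner and
# the orchestrator opt-in. Prints the DES resource id.
create_confidential_des() {
  # usage: create_confidential_des RG REGION KV_NAME KEY_NAME DES_NAME SKR_POLICY_JSON
  az keyvault create -g "$1" -l "$2" -n "$3" --sku premium \
    --enable-purge-protection true --enable-rbac-authorization false >&2
  az keyvault key create --vault-name "$3" -n "$4" --kty RSA-HSM --size 3072 \
    --ops wrapKey unwrapKey --exportable true --policy "$6" >&2
  key_url=$(az keyvault key show --vault-name "$3" -n "$4" --query key.kid -o tsv)
  az disk-encryption-set create -g "$1" -l "$2" -n "$5" --key-url "$key_url" \
    --encryption-type ConfidentialVmEncryptedWithCustomerKey >&2
  # The DES identity wraps/unwraps the disk key; the CVM Orchestrator needs
  # get+release so the key is released only to an attested, compliant CVM.
  des_identity=$(az disk-encryption-set show -g "$1" -n "$5" --query identity.principalId -o tsv)
  az keyvault set-policy -n "$3" --object-id "$des_identity" --key-permissions get wrapKey unwrapKey >&2
  orchestrator=$(az ad sp show --id "$CVM_ORCHESTRATOR_APPID" --query id -o tsv)
  az keyvault set-policy -n "$3" --object-id "$orchestrator" --key-permissions get release >&2
  az disk-encryption-set show -g "$1" -n "$5" --query id -o tsv
}

# After creation, confirm the VM really came up as a confidential VM.
show_security_profile() {
  az vm show -g "$1" -n "$2" --query securityProfile -o json
}

if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  rg=cvm-quickstart-rg; region=westeurope
  az group create -n "$rg" -l "$region" >&2
  des_id=$(create_confidential_des "$rg" "$region" cvm-kv-demo cvm-os-key cvm-des-demo ./skr-policy.json)
  eval "$(cvm_create_cmd "$rg" tdx-vm-01 "$region" Standard_DC4es_v5 azureuser "$HOME/.ssh/id_rsa.pub" "$des_id")"
  show_security_profile "$rg" tdx-vm-01
fi
```

Run it as `RUN_DEPLOY=1 sh cvm_create.sh` after `az login`; without the variable the file can be sourced to call `cvm_create_cmd` and review the command line before anything is created. `--nsg-rule SSH` mirrors the quickstart's SSH (22) inbound rule; for production use `--nsg-rule NONE` and reach the VM through a bastion host. `show_security_profile` is the post-deployment check that `securityType` is `ConfidentialVM` with Secure Boot and vTPM enabled; a VM created with the wrong size or security type silently falls back to a non-confidential VM, which is why the script validates the target first.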

Connect to confidential VM

There are different methods to connect to Windows confidential VMs and Linux confidential VMs.

Connect to Windows VMs

To connect to a confidential VM with a Windows OS, see How to connect and sign on to an Azure virtual machine running Windows.

Connect to Linux VMs

To connect to a confidential VM with a Linux OS, see the instructions for your computer's OS.

Before you begin, make sure you have your VM's public IP address. To find the IP address and connect:

  1. Sign in to the Azure portal.

  2. Select or search for Virtual machines.

  3. On the Virtual machines page, select your confidential VM.

  4. On your confidential VM's overview page, copy the Public IP address.

  5. Open your SSH client, such as PuTTY.

  6. Enter your confidential VM's public IP address.

  7. Connect to the VM. In PuTTY, select Open.

  8. Enter your VM administrator username and, depending on the authentication type you chose, your password or SSH key.

    Note

    If you're using PuTTY, you might receive a security alert that the server's host key isn't cached in the registry. The fingerprint shown is the only thing that ties this first connection to your VM, so compare it against a fingerprint obtained out of band before accepting it. If you trust the host, select Yes to add the key to PuTTY's cache and continue connecting. To connect just once, without adding the key, select No. If you don't trust the host, select Cancel to abandon your connection.

For more information about connecting to Linux VMs, see Quickstart: Create a Linux virtual machine in the Azure portal.

Clean up resources

After you're done with the quickstart, you can clean up the confidential VM, the resource group, and other related resources.

  1. Sign in to the Azure portal.

  2. Select or search for Resource groups.

  3. On the Resource groups page, select the resource group you created for this quickstart.

  4. On the resource group's menu, select Delete resource group.

  5. In the warning pane, enter the resource group's name to confirm the deletion.

  6. Select Delete.