# Azure

DCesv5 and ECesv5-series confidential virtual machines (VMs) are available in the Azure portal and via the CLI and ARM templates. These VMs are powered by 4th Gen Intel Xeon Scalable processors with Intel Trust Domain Extensions (Intel TDX) and enable organizations to bring confidential workloads to the cloud without code changes to applications.

**Getting Started**

You can deploy these VMs in Europe West, Central US and East US 2.

## Quickstart: Create confidential VM in the Azure portal <a href="#quickstart-create-confidential-vm-on-in-the-azure-portal" id="quickstart-create-confidential-vm-on-in-the-azure-portal"></a>

You can use the Azure portal to create a [confidential VM](https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview) based on an Azure Marketplace image quickly. There are multiple [confidential VM options on AMD and Intel](https://learn.microsoft.com/en-us/azure/confidential-computing/virtual-machine-solutions-amd) with AMD SEV-SNP and Intel TDX technology.

### Prerequisites <a href="#prerequisites" id="prerequisites"></a>

* An Azure subscription. Free trial accounts don't have access to the VMs used in this tutorial. One option is to use a [pay as you go subscription](https://azure.microsoft.com/pricing/purchase-options/pay-as-you-go/).
* If you're using a Linux-based confidential VM, use a BASH shell for SSH or install an SSH client, such as [PuTTY](https://www.chiark.greenend.org.uk/%7Esgtatham/putty/download.html).
* If you need Confidential disk encryption with a customer-managed key, run the following PowerShell commands to register the `Confidential VM Orchestrator` service principal in your tenant.

  ```powershell
  # Sign in to the tenant that will host the confidential VM
  Connect-AzureAD -Tenant "your tenant ID"
  # Register the first-party Confidential VM Orchestrator application in the tenant;
  # the disk encryption set later grants it access to the customer-managed key
  New-AzureADServicePrincipal -AppId bf7b6499-ff71-4aa2-97a4-f372087be7f0 -DisplayName "Confidential VM Orchestrator"
  ```

### Create confidential VM <a href="#create-confidential-vm" id="create-confidential-vm"></a>

To create a confidential VM in the Azure portal using an Azure Marketplace image:

1. Sign in to the [Azure portal](https://portal.azure.com/).
2. Select or search for **Virtual machines**.
3. On the **Virtual machines** page menu, select **Create** > **Virtual machine**.
4. On the tab **Basics**, configure the following settings:

   a. Under **Project details**, for **Subscription**, select an Azure subscription that meets the [prerequisites](https://learn.microsoft.com/en-us/azure/confidential-computing/quick-create-confidential-vm-portal#prerequisites).

   b. For **Resource Group**, select **Create new** to create a new resource group. Enter a name, and select **OK**.

   c. Under **Instance details**, for **Virtual machine name**, enter a name for your new VM.

   d. For **Region**, select the Azure region in which to deploy your VM.

   **Note**

   Confidential VMs are not available in all locations. For currently supported locations, see which [VM products are available by Azure region](https://azure.microsoft.com/global-infrastructure/services/?products=virtual-machines).

   e. For **Availability options**, select **No infrastructure redundancy required** for singular VMs or [**Virtual machine scale set**](https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview) for multiple VMs.

   f. For **Security Type**, select **Confidential virtual machines**.

   g. For **Image**, select the OS image to use for your VM. Select **See all images** to open Azure Marketplace. Select the filter **Security Type** > **Confidential** to show all available confidential VM images.

   h. Confidential VMs run only on [Generation 2](https://learn.microsoft.com/en-us/azure/virtual-machines/generation-2) images. To confirm this, under **Image**, select **Configure VM generation**. In the **Configure VM generation** pane, for **VM generation**, select **Generation 2**, then select **Apply**.

   i. For **Size**, select a VM size. For more information, see [supported confidential VM families](https://learn.microsoft.com/en-us/azure/confidential-computing/virtual-machine-options).

   j. For **Authentication type**, if you're creating a Linux VM, select **SSH public key**. If you don't already have SSH keys, [create SSH keys for your Linux VMs](https://learn.microsoft.com/en-us/azure/virtual-machines/linux/mac-create-ssh-keys).

   k. Under **Administrator account**, for **Username**, enter an administrator name for your VM.

   l. For **SSH public key**, if applicable, enter your RSA public key.

   m. For **Password** and **Confirm password**, if applicable, enter an administrator password.

   n. Under **Inbound port rules**, for **Public inbound ports**, select **Allow selected ports**.

   o. For **Select inbound ports**, select your inbound ports from the drop-down menu. For Windows VMs, select **HTTP (80)** and **RDP (3389)**. For Linux VMs, select **SSH (22)** and **HTTP (80)**.

   **Note**

   It's not recommended to allow RDP/SSH ports for production deployments.
5. On the tab **Disks**, configure the following settings:
   1. Under **Disk options**, enable **Confidential OS disk encryption** if you want to encrypt your VM's OS disk during creation.
   2. For **Key Management**, select the type of key to use.
   3. If **Confidential disk encryption with a customer-managed key** is selected, create a **Confidential disk encryption set** before creating your confidential VM.
   4. If you want to encrypt your VM's temp disk, see the [temp disk encryption documentation](https://aka.ms/CVM-tdisk-encrypt).
6. (Optional) If you selected **Confidential disk encryption with a customer-managed key**, create a **Confidential disk encryption set** as follows.

   1. [Create an Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/general/quick-create-portal) with the **Premium** pricing tier, which supports HSM-backed keys, and enable purge protection. Alternatively, you can create an [Azure Key Vault managed Hardware Security Module (HSM)](https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/quick-create-cli).
   2. In the Azure portal, search for and select **Disk Encryption Sets**.
   3. Select **Create**.
   4. For **Subscription**, select which Azure subscription to use.
   5. For **Resource group**, select or create a new resource group to use.
   6. For **Disk encryption set name**, enter a name for the set.
   7. For **Region**, select an available Azure region.
   8. For **Encryption type**, select **Confidential disk encryption with a customer-managed key**.
   9. For **Key Vault**, select the key vault you already created.
   10. Under **Key Vault**, select **Create new** to create a new key.

        **Note**

        If you selected an Azure managed HSM previously, [use PowerShell or the Azure CLI to create the new key](https://learn.microsoft.com/en-us/azure/confidential-computing/quick-create-confidential-vm-arm) instead.
   11. For **Name**, enter a name for the key.
   12. For the key type, select **RSA-HSM**.
   13. Select your key size.
   14. Under **Confidential Key Options**, select **Exportable** and set the **Confidential operation policy** to **CVM confidential operation policy**.
   15. Select **Create** to finish creating the key.
   16. Select **Review + create** to create the new disk encryption set. Wait for the resource creation to complete successfully.
   17. Go to the disk encryption set resource in the Azure portal.
   18. Select the pink banner to grant permissions to Azure Key Vault.

        **Important**

        You must perform this step to successfully create the confidential VM.
7. As needed, make changes to settings under the tabs **Networking**, **Management**, **Guest Config**, and **Tags**.
8. Select **Review + create** to validate your configuration.
9. Wait for validation to complete. If necessary, fix any validation issues, then select **Review + create** again.
10. In the **Review + create** pane, select **Create**.
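The same deployment via the Azure CLI, added here as an example that is not part of the original page or the enclaive documentation. It makes explicit the settings the portal applies in steps 4.f (security type) and 5 (OS disk encryption); the resource names, region, SSH key path and image URN are assumptions to adjust.

```shell
#!/bin/sh
# Added example: Azure CLI equivalent of the portal quickstart above.
# Resource names, region, key path and the image URN are assumptions.
set -eu

RG="${RG:-cvm-tdx-quickstart-rg}"
LOCATION="${LOCATION:-westeurope}"          # one of the regions listed above
VM_NAME="${VM_NAME:-cvm-tdx-01}"
VM_SIZE="${VM_SIZE:-Standard_DC2es_v5}"     # DCesv5 family = Intel TDX
ADMIN_USER="${ADMIN_USER:-azureuser}"
SSH_KEY="${SSH_KEY:-${HOME:-/root}/.ssh/id_rsa.pub}"
# Assumed confidential marketplace image URN (filter "Security Type: Confidential").
IMAGE="${IMAGE:-Canonical:0001-com-ubuntu-confidential-vm-jammy:22_04-lts-cvm:latest}"
# Resource ID of a Confidential disk encryption set; empty = platform-managed key.
DES_ID="${DES_ID:-}"

# Flags that turn a Generation 2 VM into a confidential VM. The portal's
# "Confidential OS disk encryption" toggle maps to DiskWithVMGuestState;
# leaving it off maps to VMGuestStateOnly (only the vTPM/guest state is encrypted).
cvm_flags() {
  encrypt_os_disk="${1:-yes}"   # yes|no
  des_id="${2:-}"               # optional disk encryption set resource ID
  if [ "$encrypt_os_disk" = yes ]; then
    enc="DiskWithVMGuestState"
  else
    enc="VMGuestStateOnly"
  fi
  flags="--security-type ConfidentialVM --enable-vtpm true --enable-secure-boot true --os-disk-security-encryption-type $enc"
  if [ -n "$des_id" ]; then
    flags="$flags --os-disk-secure-vm-disk-encryption-set $des_id"
  fi
  printf '%s' "$flags"
}

create_cvm() {
  az group create --name "$RG" --location "$LOCATION" --output none
  # --nsg-rule NONE: no inbound ports at creation; open SSH deliberately later if needed.
  # Word-splitting of the flag string is intended.
  az vm create --resource-group "$RG" --name "$VM_NAME" --location "$LOCATION" \
    --size "$VM_SIZE" --image "$IMAGE" \
    --admin-username "$ADMIN_USER" --ssh-key-values "$SSH_KEY" \
    --nsg-rule NONE \
    $(cvm_flags yes "$DES_ID")
  # Confirm the deployed resource really carries the confidential security profile.
  az vm show --resource-group "$RG" --name "$VM_NAME" \
    --query "securityProfile.{type:securityType,secureBoot:uefiSettings.secureBootEnabled,vtpm:uefiSettings.vTpmEnabled}" -o table
}

# Deploy only when invoked as: sh create-cvm.sh --run
case "${1:-}" in --run) create_cvm ;; esac
```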

### Connect to confidential VM <a href="#connect-to-confidential-vm" id="connect-to-confidential-vm"></a>

There are different methods to connect to [Windows confidential VMs](https://learn.microsoft.com/en-us/azure/confidential-computing/quick-create-confidential-vm-portal#connect-to-windows-vms) and [Linux confidential VMs](https://learn.microsoft.com/en-us/azure/confidential-computing/quick-create-confidential-vm-portal#connect-to-linux-vms).

#### Connect to Windows VMs <a href="#connect-to-windows-vms" id="connect-to-windows-vms"></a>

To connect to a confidential VM with a Windows OS, see [How to connect and sign on to an Azure virtual machine running Windows](https://learn.microsoft.com/en-us/azure/virtual-machines/windows/connect-logon).

#### Connect to Linux VMs <a href="#connect-to-linux-vms" id="connect-to-linux-vms"></a>

To connect to a confidential VM with a Linux OS, see the instructions for your computer's OS.

Before you begin, make sure you have your VM's public IP address. To find the IP address:

1. Sign in to the [Azure portal](https://portal.azure.com/).
2. Select or search for **Virtual machines**.
3. On the **Virtual machines** page, select your confidential VM.
4. On your confidential VM's overview page, copy the **Public IP address**.

   For more information about connecting to Linux VMs, see [Quickstart: Create a Linux virtual machine in the Azure portal](https://learn.microsoft.com/en-us/azure/virtual-machines/linux/quick-create-portal).
5. Open your SSH client, such as PuTTY.
6. Enter your confidential VM's public IP address.
7. Connect to the VM. In PuTTY, select **Open**.
8. Enter your VM administrator username and password.

   **Note**

   If you're using PuTTY, you might receive a security alert that the server's host key isn't cached in the registry. If you trust the host, select **Yes** to add the key to PuTTY's cache and continue connecting. To connect just once, without adding the key, select **No**. If you don't trust the host, select **Cancel** to abandon your connection.
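Once you are logged in over SSH, the following check confirms that the guest is actually running as an Intel TDX trust domain and not as an ordinary Generation 2 VM. It is an added example, not part of the original page; it assumes a Linux guest kernel with TDX guest support, which advertises the `tdx_guest` CPU flag and, with the attestation driver loaded, exposes `/dev/tdx_guest`. The cpuinfo samples are constructed for offline testing.

```shell
#!/bin/sh
# Added example: verify from inside the Linux guest that it runs under Intel TDX.
# Assumes a kernel with TDX guest support (tdx_guest CPU flag, /dev/tdx_guest device).
set -u

# Constructed sample cpuinfo content (not captured from a real VM), used for testing.
CPUINFO_SAMPLE_TDX='processor	: 0
vendor_id	: GenuineIntel
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep hypervisor ssbd sha_ni tdx_guest arch_capabilities'
CPUINFO_SAMPLE_PLAIN='processor	: 0
vendor_id	: GenuineIntel
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep hypervisor ssbd sha_ni arch_capabilities'

# Return 0 if the cpuinfo file ($1, default /proc/cpuinfo) advertises the tdx_guest flag.
is_tdx_guest() {
  grep -q -w 'tdx_guest' "${1:-/proc/cpuinfo}"
}

# Return 0 if the TDX attestation device ($1, default /dev/tdx_guest) exists; this is
# the character device userspace opens to obtain a TD report for remote attestation.
has_tdx_attestation_device() {
  [ -c "${1:-/dev/tdx_guest}" ]
}

# Combined check: prints one line per finding, returns non-zero if this is not a TDX guest.
check_tdx_guest() {
  cpuinfo="${1:-/proc/cpuinfo}"
  if is_tdx_guest "$cpuinfo"; then
    echo "OK: CPU flag tdx_guest present in $cpuinfo"
  else
    echo "FAIL: tdx_guest flag missing in $cpuinfo; not running as a TDX trust domain"
    return 1
  fi
  if has_tdx_attestation_device; then
    echo "OK: /dev/tdx_guest present, TD report generation is available"
  else
    echo "WARN: /dev/tdx_guest missing; tdx_guest driver not loaded, attestation unavailable"
  fi
  # TDX-enabled kernels log the active memory encryption feature at boot (dmesg may need root).
  if dmesg 2>/dev/null | grep -q 'Intel TDX'; then
    echo "OK: kernel reports Intel TDX memory encryption active"
  fi
}

# Run the live check only when invoked directly with --run (safe to source otherwise).
case "${1:-}" in --run) check_tdx_guest ;; esac
```

Run it as `sh check-tdx.sh --run` on the VM; a FAIL line means the image or size you chose did not yield a TDX guest.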

### Clean up resources <a href="#clean-up-resources" id="clean-up-resources"></a>

After you're done with the quickstart, you can clean up the confidential VM, the resource group, and other related resources.

1. Sign in to the [Azure portal](https://portal.azure.com/).
2. Select or search for **Resource groups**.
3. On the **Resource groups** page, select the resource group you created for this quickstart.
4. On the resource group's menu, select **Delete resource group**.
5. In the warning pane, enter the resource group's name to confirm the deletion.
6. Select **Delete**.

