- Enable Confidential Computing for Azure Virtual Machines
Ensure that the Confidential Computing feature is enabled for your Azure virtual machine (VM) instances in order to add protection to your sensitive data in use by keeping it encrypted in memory within hardware-based Trusted Execution Environments (TEEs). This prevents unauthorized access even from the cloud provider.
Enabling the Confidential Computing security feature for Azure Virtual Machine (VM) instances is crucial for protecting sensitive data in use by encrypting it in memory within a hardware-based Trusted Execution Environment (TEE). This isolation helps prevent unauthorized access from the hypervisor, operating system, and even the cloud operator itself, enhancing data privacy and security for your most critical workloads.
Audit
To determine if Confidential Computing is enabled for your Azure virtual machines (VMs), perform the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Virtual machine for Value, then choose Apply to list the Azure virtual machines (VMs) available in the selected subscription.
05 Click on the name (link) of the virtual machine (VM) that you want to examine.
06 In the resource navigation panel, choose Overview, and select the Properties tab to access the general configuration information available for the selected VM instance.
07 Under Security, check the Security type property value to determine the level of security configured for your virtual machine. If the Security type property value is not set to Confidential virtual machines, the Confidential Computing feature is not enabled for the selected Azure virtual machine (VM) instance.
08 Repeat steps no. 5 – 7 for each Azure virtual machine provisioned in the selected Azure subscription.
09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd"
]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run vm list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group of each virtual machine (VM) instance provisioned in the selected Azure subscription:
az vm list --output table --query '[*].{name:name, resourceGroup:resourceGroup}'
05 The command output should return the requested virtual machine identifiers:
Name                     ResourceGroup
-----------------------  ------------------------------
cc-project5-web-server   cloud-shell-storage-westeurope
cc-project5-app-server   cloud-shell-storage-westeurope
06 Run vm show command (Windows/macOS/Linux) with the name of the Azure virtual machine (VM) that you want to examine and the associated resource group as identifier parameters, to determine the level of security configured for the selected virtual machine instance:
az vm show --name cc-project5-web-server --resource-group cloud-shell-storage-westeurope --query '{"securityType":securityProfile.securityType}'
07 The command output should return the name of the security level configured for the selected VM instance:
{
  "securityType": null
}
If the "securityType" property value is not set to "ConfidentialVM", the Confidential Computing security feature is not enabled for the selected Azure virtual machine (VM) instance.
08 Repeat steps no. 6 and 7 for each Azure virtual machine deployed within the selected Azure subscription.
09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.
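A script that automates the Azure CLI audit above across every enabled subscription, added here as an example (it is not part of the original article). It issues one vm list call per subscription instead of one vm show per VM, and treats any securityType other than ConfidentialVM, including the null securityProfile shown in step 07, as non-compliant. It assumes a logged-in Azure CLI; the function names and the sample rows are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): audit every VM in every
# enabled subscription for the Confidential Computing security type.
# Assumes the Azure CLI is installed and logged in (az login).
set -eu

# report_noncompliant SUBSCRIPTION_ID
# Reads rows of "name<TAB>resourceGroup<TAB>securityType" on stdin and prints
# "SUBSCRIPTION_ID<TAB>resourceGroup<TAB>name<TAB>securityType" for each VM
# that is NOT a confidential VM. A null securityProfile (the "securityType":
# null case from step 07) arrives from az tsv output as "None" or as an empty
# field; both count as non-compliant, as do Standard and TrustedLaunch.
report_noncompliant() {
  subid="${1:-unknown-subscription}"
  tab="$(printf '\t')"
  while IFS="$tab" read -r name rg sectype; do
    [ -n "$name" ] || continue                 # skip blank lines
    sectype="${sectype:-None}"                 # missing field == null profile
    if [ "$sectype" != "ConfidentialVM" ]; then
      printf '%s\t%s\t%s\t%s\n' "$subid" "$rg" "$name" "$sectype"
    fi
  done
}

# audit_all_subscriptions
# One vm list call per subscription replaces the per-VM vm show from step 06.
audit_all_subscriptions() {
  for sub in $(az account list --query "[?state=='Enabled'].id" -o tsv); do
    az account set --subscription "$sub"
    az vm list \
      --query "[].[name, resourceGroup, securityProfile.securityType]" \
      -o tsv | report_noncompliant "$sub"
  done
}

# Run the audit only when invoked as: sh audit_confidential_vms.sh run
if [ "${1:-}" = "run" ]; then
  audit_all_subscriptions
fi
```

Every line the script prints is a VM that must be re-created as a confidential VM (see Remediation / Resolution); an empty report means all VMs in all enabled subscriptions are compliant.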
Remediation / Resolution
Enabling Confidential Computing for your existing Azure virtual machine (VM) instances is not supported. To turn on the feature, you have to re-create your Azure VM instances with the appropriate configuration by performing the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to Virtual machines blade available at https://portal.azure.com/#view/Microsoft_Azure_ComputeHub/ComputeHubMenuBlade/~/virtualMachinesBrowse.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 Click on the name (link) of the virtual machine (VM) that you want to re-create.
05 In the resource navigation panel, choose Overview and collect the virtual machine configuration information such as location, operating system, VM generation and size, networking and disk details. The information collected at this step is required for VM instance redeployment.
06 Navigate back to the Virtual machines blade, choose Create, select Azure virtual machine, and perform the following actions to launch a new confidential virtual machine:
- For Basics, choose the appropriate subscription and resource group, provide a unique name for the new virtual machine (VM), select the Azure region where the instance resource will be deployed, set the administrator account and TCP ports for inbound access, and choose the VM size and operating system image (both VM size and OS image must be compatible with Confidential Computing). For Security type, choose Confidential virtual machines to enable Confidential Computing for the new virtual machine (VM) instance. Choose Next : Disks > to continue the setup process.
- For Disks panel, choose the boot (OS) disk type and size necessary for the new virtual machine and select Create and attach a new disk if you need to create and attach one or more data disks to your virtual machine. Choose Next : Networking > to continue the setup.
- For Networking, configure the network access control and load balancing for the VM instance according to the networking information collected at step no. 4. Choose Next : Management > to continue.
- For Management, configure the monitoring and management options for your new virtual machine. Choose Next : Monitoring > to continue the setup.
- For Monitoring, configure the monitoring options for your new VM such as health monitoring, diagnostics and alerts. Choose Next : Advanced > to continue the setup process.
- For Advanced, add additional configuration, agents, scripts or applications via virtual machine extensions or cloud-init (must match the source VM instance configuration). Choose Next : Tags > to continue.
- For Tags, use the Name, Value and Resource fields to create tags that will help organize the identity of the VM. Choose Next : Review + create > to continue the setup.
- For Review + create, review the resource configuration details, wait for setup validation to complete, then choose Create to create your new confidential virtual machine (VM) instance.
- In the Generate new key pair confirmation box, choose Download private key and create resource to download and save the private key generated for the new virtual machine.
- Once the resource deployment is complete, choose Go to resource to access your new confidential VM instance.
07 (Optional) You can terminate the source virtual machine (VM) in order to stop incurring charges for that VM resource. To delete the source instance, perform the following operations:
- Navigate back to the Virtual machines blade at https://portal.azure.com/#view/Microsoft_Azure_ComputeHub/ComputeHubMenuBlade/~/virtualMachinesBrowse.
- Select the Azure virtual machine that you want to terminate and choose Delete.
- On the Delete Resources panel, type delete for confirmation and choose Delete to terminate the selected VM instance.
08 Repeat steps no. 4 – 6 to enable Confidential Computing for other virtual machine (VM) instances available within the selected Azure subscription.
09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd"
]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run vm show command (Windows/macOS/Linux) to describe the configuration information for the virtual machine (VM) instance that you want to re-create (i.e., source VM instance):
az vm show --name cc-project5-web-server --resource-group cloud-shell-storage-westeurope
05 The command output should return the requested configuration information. Collect the configuration information such as location, operating system, VM generation and size, networking and disk details. The information collected at this step is required for virtual machine redeployment:
{
  "additionalCapabilities": null,
  "applicationProfile": null,
  "availabilitySet": null,
  "billingProfile": null,
  "capacityReservation": null,
  "evictionPolicy": null,
  "extendedLocation": null,
  "extensionsTimeBudget": null,
  "hardwareProfile": {
    "vmSize": "Standard_B1ls",
    "vmSizeProperties": null
  },
  ...
  "plan": null,
  "platformFaultDomain": null,
  "proximityPlacementGroup": null,
  "resourceGroup": "CLOUD-SHELL-STORAGE-WESTEUROPE",
  "scheduledEventsProfile": null,
  "securityProfile": null,
  "tags": null,
  "type": "Microsoft.Compute/virtualMachines",
  "userData": null,
  "virtualMachineScaleSet": null,
  "vmId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
  "zones": null
}
06 Run vm create command (Windows/macOS/Linux) to launch a new Azure virtual machine (VM) instance with Confidential Computing, using the configuration information returned at the previous step. To enable the Confidential Computing feature for the new VM instance, set the --security-type configuration parameter to ConfidentialVM, as shown in the example below. Both VM size and OS image must be compatible with Confidential Computing:
az vm create --name cc-project5-confidential-server --location westeurope --resource-group cloud-shell-storage-westeurope --image Ubuntu2404 --size Standard_DC4as_v5 --authentication-type ssh --admin-username azureuser --generate-ssh-keys --enable-vtpm true --enable-secure-boot true --os-disk-security-encryption-type DiskwithVMGuestState --os-disk-secure-vm-disk-encryption-set cc-project5-disk-encryption-set --security-type ConfidentialVM
07 The command output should return the general information available for the new confidential virtual machine (VM) instance:
{
  "fqdns": "",
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Compute/virtualMachines/cc-project5-confidential-server",
  "identity": {
    "principalId": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
    "tenantId": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
    "type": "SystemAssigned",
    "userAssignedIdentities": null
  },
  "location": "westeurope",
  "macAddress": "AA-BB-CC-11-22-33",
  "powerState": "VM running",
  "privateIpAddress": "10.0.0.8",
  "publicIpAddress": "xxx.xxx.xxx.xxx",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "zones": ""
}
08 (Optional) You can terminate the source virtual machine instance in order to stop incurring charges for that VM resource. To delete the source VM instance, run vm delete command (Windows/macOS/Linux) as shown in the following example:
az vm delete --name cc-project5-web-server --resource-group cloud-shell-storage-westeurope
09 Type y (yes) and press Enter to confirm the virtual machine (VM) deletion:
Are you sure you want to perform this operation? (y/n): y
10 Repeat steps no. 4 – 7 to enable Confidential Computing for other virtual machine (VM) instances available in the selected Azure subscription.
11 Repeat steps no. 3 – 10 for each subscription available in your Microsoft Azure cloud account.