Confidential computing is a disruptive innovation that isolates computation and data from the rest of the system. The data stays encrypted at all times, even while an application is using it. This reduces the data's exposure to the cloud provider, the hypervisor, and anyone else trying to gain unauthorized access to it. Azure and Google Cloud provide confidential VMs, which use confidential computing to keep data encrypted in memory with keys that are not known to the cloud provider.
This knowledge base article demonstrates how to create a confidential VM instance in Azure and Google Cloud.
You can create a confidential VM on Azure using the Azure portal or Azure CLI. Here are the steps to create one via the portal:
First, open your browser and go to the Azure portal. On the main page, find and click the Virtual Machines service.
Click Create > Virtual Machine to start creating a new VM.
On the Basics tab, configure the virtual machine settings, such as resource group, VM name, region, image, size, authentication type, etc. Select "Confidential Virtual Machines" as the Security Type and a Generation 2 image, since confidential VMs support Gen2 images only.
You can optionally enable Confidential disk encryption on the Disks tab with a customer-managed key. This encrypts the OS and data disks using a key stored in Azure Key Vault.
Review and create the VM. Once deployed, the confidential VM will be ready to use.
Some key things to note about Azure confidential VMs:
They support AMD SEV-SNP and Intel TDX confidential computing technologies
Supported VM sizes include DCasv5, DCesv5, ECasv5, ECesv5 series
Supported OSes include Ubuntu, RHEL, SLES, Windows 10/11, and Windows Server 2019/2022
Confidential disk encryption can optionally be enabled for the disks. This encrypts the disks with a key stored in Azure Key Vault.
Google Cloud also offers confidential VMs, called Confidential VMs, which use AMD SEV confidential computing. Here are the steps to create one via the Google Cloud console:
Sign in to the Google Cloud console and navigate to the VM Instances service.
Click Create Instance to start creating a new VM.
In the Confidential VM service section, click Enable. This will update some settings, such as machine type and region, to be compatible with confidential VMs.
Expand the Advanced Configurations section. For the CPU platform, choose AMD Milan or later.
Review and create the VM. Once deployed, the confidential VM will be ready to use.
Some key things to note about Google Cloud Confidential VMs:
They support AMD SEV confidential computing technology
Supported machine types include C2D, N2D, and C3D (preview)
Supported OSes include Ubuntu, RHEL, SLES, Debian, CentOS
Confidential disk encryption is enabled by default and uses Google-managed keys
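Whichever portal you used, the deployed VM should be checked from inside the guest to confirm that a memory-encryption technology is actually active. The script below is an added example, not part of the original article: it classifies the technology from the Linux kernel boot log (`dmesg`). The "Memory Encryption Features active:" wording is taken from recent kernels and may differ on older ones (an assumption), and the sample log lines are constructed.

```sh
#!/bin/sh
# Added example, not part of the original article: after a confidential VM is
# deployed, confirm from inside the guest which memory-encryption technology
# the Linux kernel actually reports as active. The "Memory Encryption Features
# active:" log wording is taken from recent kernels; older kernels may phrase
# it differently (assumption). Typical use:  sudo dmesg | require_tee AMD-SEV-SNP

# Read kernel log text on stdin and print exactly one classification:
# Intel-TDX, AMD-SEV-SNP, AMD-SEV-ES, AMD-SEV or NONE.
detect_tee() {
  line=$(grep 'Memory Encryption Features active:' | head -n 1 || true)
  case "$line" in
    *TDX*)     echo Intel-TDX ;;
    *SEV-SNP*) echo AMD-SEV-SNP ;;   # Azure SEV-SNP sizes (DCasv5/ECasv5)
    *SEV-ES*)  echo AMD-SEV-ES ;;
    *SEV*)     echo AMD-SEV ;;       # Google Cloud Confidential VM (SEV)
    *)         echo NONE ;;          # no TEE reported: plain VM
  esac
}

# Succeed only if the detected technology is one of the accepted ones,
# e.g.  sudo dmesg | require_tee AMD-SEV-SNP Intel-TDX
require_tee() {
  found=$(detect_tee)
  for want in "$@"; do
    [ "$found" = "$want" ] && return 0
  done
  echo "TEE check failed: wanted one of [$*], kernel reports $found" >&2
  return 1
}

# Constructed sample kernel log lines (not captured from real VMs).
SAMPLE_SNP='[    0.000000] Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP'
SAMPLE_SEV='[    0.000000] Memory Encryption Features active: AMD SEV'
SAMPLE_TDX='[    0.000000] Memory Encryption Features active: Intel TDX'
SAMPLE_PLAIN='[    0.000000] Linux version 6.5.0 (constructed: no TEE line)'

# Demo run over the samples; on a real guest use: sudo dmesg | detect_tee
for s in "$SAMPLE_SNP" "$SAMPLE_SEV" "$SAMPLE_TDX" "$SAMPLE_PLAIN"; do
  printf '%s -> %s\n' "${s#*] }" "$(printf '%s\n' "$s" | detect_tee)"
done
```

A result of NONE on a VM you believed to be confidential means the size, image or security type was not set as described above and the deployment should be repeated.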
Here is a comparison of the critical features of confidential VMs on Azure and Google Cloud:
| Feature | Azure | Google Cloud |
|---|---|---|
| Confidential computing tech | AMD SEV-SNP, Intel TDX | AMD SEV |
| Supported VM sizes | DCasv5, DCesv5, ECasv5, ECesv5 series | C2D, N2D, C3D (preview) |
| Supported OSes | Ubuntu, RHEL, SLES, Windows 10/11, Windows Server 2019/2022 | Ubuntu, RHEL, SLES, Debian, CentOS |
| Confidential disk encryption | Optional: customer-managed key in Azure Key Vault | Enabled by default, uses Google-managed key |
| Secure boot | Enabled by default when disk encryption is enabled | Not mentioned |
Azure and Google Cloud both offer confidential VMs, which use confidential computing to keep data encrypted while in memory with keys that are unknown to the providers. This safeguards the data from the cloud hosting provider, the hypervisor, and external attackers.
The key differences are:
Azure supports both AMD SEV-SNP and Intel TDX, while Google Cloud only supports AMD SEV
Azure has a broader range of supported VM sizes and OSes
Azure allows optional confidential disk encryption using a customer-managed key, while Google Cloud enables it with a Google-managed key by default.
Azure enables secure boot by default when disk encryption is enabled.
Ultimately, both cloud providers offer confidential VMs that can help enhance data protection for sensitive workloads. The choice between Azure and Google Cloud will depend on existing cloud usage, supported VM sizes and OSes, and key management preferences.