Get 69% Off on Cloud Hosting : Claim Your Offer Now!
Confidential computing is a disruptive innovation that divides computation and data. The data is encrypted at any time, even when used by an application. This reduces the exposure of the data to the cloud provider, hypervisor, or any other unauthorized person trying to gain access to it. Azure and Google Cloud provide confidential VMs, which use confidential computing to negotiate data in memory with unknown keys to the cloud provider.
This knowledge base will demonstrate the development of a confidential VM instance in Azure and Google Cloud.
You can create a confidential VM on Azure using the Azure portal or Azure CLI. Here are the steps to create one via the portal:
So, first open your browser and go to the Azure portal site. On the main page, find and click on the Virtual Machines service.
Click Create > Virtual Machine to start creating a new VM.
On the Basics tab, configure the virtual machine settings, such as resource group, VM name, region, image, size, authentication type, etc. Select a Security Type of "Confidential Virtual Machines" and a Generation 2 image, as confidential VMs only support Gen2 VMs.
You can optionally enable Confidential disk encryption on the Disks tab with a customer-managed key. This encrypts the OS and data disks using a key stored in Azure Key Vault.
Review and create the VM. Once deployed, the confidential VM will be ready to use.
Some key things to note about Azure confidential VMs:
They support AMD SEV-SNP and Intel TDX confidential computing technologies
Supported VM sizes include DCasv5, DCesv5, ECasv5, ECesv5 series
The OS that is supported in the current version is Ubuntu, RHEL, SLES, Windows 10/11, Windows Server 2019/2022
Disk encryption of a confidential nature can be enabled for the disks. This encrypts disks with a key from Azure Key Vault.
Google Cloud also allows the creation of confidential VMs, called Confidential VMs, that use AMD SEV confidential computing. Here are the steps to create one via the Google Cloud console:
Sign in to the Google Cloud console and navigate to the VM Instances service.
Click Create Instance to start creating a new VM.
In the Confidential VM service section, click Enable. This will update some settings, such as machine type and region, to be compatible with confidential VMs.
Expand the Advanced Configurations section. For the CPU platform, choose AMD Milan or use AMD SEV later.
Review and create the VM. Once deployed, the confidential VM will be ready to use.
Some key things to note about Google Cloud Confidential VMs:
They support AMD SEV confidential computing technology
Supported machine types include C2D, N2D, and C3D (preview)
Supported OSes include Ubuntu, RHEL, SLES, Debian, CentOS
Confidential disk encryption is enabled by default and uses Google-managed keys
Here is a comparison of the critical features of confidential VMs on Azure and Google Cloud:
Feature |
Azure |
Google Cloud |
Confidential computing tech |
AMD SEV-SNP, Intel TDX |
AMD SEV |
Supported VM sizes |
DCasv5, DCesv5, ECasv5, ECesv5 series |
C2D, N2D, C3D (preview) |
Supported OSes |
Ubuntu, RHEL, SLES, Windows 10/11, Windows Server 2019/2022 |
Ubuntu, RHEL, SLES, Debian, CentOS |
Confidential disk encryption |
Optional: use the customer-managed key in the Key Vault |
Enabled by default, uses Google-managed key |
Secure boot |
Enabled by default when disk encryption is enabled |
Not mentioned |
Azure and Google Cloud offer confidential VMs, which utilize confidential computing to ensure data is encrypted while in memory with keys that are unknown to the providers. This safeguards data from the cloud hosting provider, the hypervisor, or the notorious hackers.
The key differences are:
Azure supports both AMD SEV-SNP and Intel TDX, while Google Cloud only supports AMD SEV
Azure has a broader range of supported VM sizes and OSes
Azure allows optional confidential disk encryption using a customer-managed key, while Google Cloud enables it with a Google-managed key by default.
Azure enables secure boot by default when disk encryption is enabled.
Ultimately, both cloud providers offer confidential VMs that can help enhance data protection for sensitive workloads. The choice between Azure and Google Cloud will depend on existing cloud usage, supported VM sizes and OSes, and critical management preferences.
Let’s talk about the future, and make it happen!
By continuing to use and navigate this website, you are agreeing to the use of cookies.
Find out more