Azure Virtual Desktop

Understanding and Utilizing Confidential VMs for Azure Virtual Desktop

Introduction to Confidential VMs in Azure Virtual Desktop

The landscape of cloud computing is evolving rapidly, with a strong emphasis on security and privacy. One of the groundbreaking features in this domain is the introduction of Confidential Virtual Machines (VMs) for Azure Virtual Desktop. This technology is designed to enhance the security of data and applications while they are processed in the cloud.

Confidential VM support for Azure Virtual Desktop was recently released into public preview for both Intel and AMD processors.

What are Confidential VMs?

Confidential VMs, a part of Azure’s suite of security tools, offer additional protection for data in use. This technology leverages hardware-based Trusted Execution Environments (TEEs) to isolate and process sensitive data. It ensures that data is encrypted in memory and inaccessible to the Azure infrastructure, including the hypervisor and other tenants.

Benefits for Azure Virtual Desktop

  1. Enhanced Security: Confidential VMs protect against various threats, including those from malicious insiders and sophisticated cyber-attacks. Encrypting data in use ensures that sensitive information remains confidential, even if the underlying infrastructure is compromised.
  2. Compliance Assurance: Many industries have stringent regulatory requirements around data privacy. Confidential VMs help meet these compliance requirements by providing an auditable assurance that data is protected throughout its lifecycle.
  3. Seamless Integration: These VMs integrate seamlessly with Azure Virtual Desktop, allowing organizations to leverage familiar tools and processes. This integration ensures that the transition to using confidential computing is smooth and does not disrupt existing workflows.

The Intel-based VMs are powered by 4th Generation Intel Xeon processors with Intel Trust Domain Extensions (Intel TDX). These new VMs are up to 20% faster than previous 3rd generation Intel Xeon VMs. At the time of writing, the Intel VMs are only available in Europe West, Central US or East US 2.

The AMD-based VMs use Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP), which was introduced in the 3rd Generation AMD EPYC processors.

Supported VM SKUs

The VM SKUs are available in public preview, but only within certain regions.

| Size Family | TEE | Description |
|---|---|---|
| DCasv5-series | AMD SEV-SNP | General purpose CVM with remote storage. No local temporary disk. |
| DCesv5-series | Intel TDX | General purpose CVM with remote storage. No local temporary disk. |
| DCadsv5-series | AMD SEV-SNP | General purpose CVM with local temporary disk. |
| DCedsv5-series | Intel TDX | General purpose CVM with local temporary disk. |
| ECasv5-series | AMD SEV-SNP | Memory-optimized CVM with remote storage. No local temporary disk. |
| ECesv5-series | Intel TDX | Memory-optimized CVM with remote storage. No local temporary disk. |
| ECadsv5-series | AMD SEV-SNP | Memory-optimized CVM with local temporary disk. |
| ECedsv5-series | Intel TDX | Memory-optimized CVM with local temporary disk. |
| ECiesv5-series | Intel TDX | Isolated memory-optimized CVM with local temporary disk. |
| ECiedsv5-series | Intel TDX | Isolated memory-optimized CVM with local temporary disk. |

Creating Confidential VMs in Azure Virtual Desktop

Select the Confidential Virtual Machines security type when creating your host pool in Azure Virtual Desktop. The available SKUs are then selected automatically and the “Confidential compute encryption” tick box is ticked.
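To confirm that session hosts really ended up with these settings, the following added example (not code from this post or from Microsoft) audits VM objects in the shape returned by `az vm list -o json`. It assumes the “Confidential compute encryption” tick box corresponds to the OS disk `securityEncryptionType` value `DiskWithVMGuestState`; the VM names and the `SAMPLE` data are constructed for illustration.

```python
import re

# SKU families from the table on this page, mapped to their TEE.
FAMILIES = {f: "AMD SEV-SNP" for f in ("DCasv5", "DCadsv5", "ECasv5", "ECadsv5")}
FAMILIES.update({f: "Intel TDX" for f in
                 ("DCesv5", "DCedsv5", "ECesv5", "ECedsv5", "ECiesv5", "ECiedsv5")})
SIZE_RE = re.compile(r"^Standard_(DC|EC)\d+(i?[ae]d?s)_v5$")

def family_of(vm_size):
    """Standard_DC4as_v5 -> 'DCasv5'; None if the size is not in the table above."""
    m = SIZE_RE.match(vm_size or "")
    fam = f"{m.group(1)}{m.group(2)}v5" if m else None
    return fam if fam in FAMILIES else None

def audit(vm):
    """Return the list of findings for one VM object; an empty list means it passes."""
    sec = vm.get("securityProfile") or {}
    uefi = sec.get("uefiSettings") or {}
    disk = ((((vm.get("storageProfile") or {}).get("osDisk") or {})
             .get("managedDisk") or {}).get("securityProfile") or {})
    findings = []
    if sec.get("securityType") != "ConfidentialVM":
        findings.append("securityType is not ConfidentialVM")
    if not uefi.get("secureBootEnabled"):
        findings.append("Secure Boot disabled")
    if not uefi.get("vTpmEnabled"):
        findings.append("vTPM disabled")
    # Assumption: the portal tick box maps to DiskWithVMGuestState.
    if disk.get("securityEncryptionType") != "DiskWithVMGuestState":
        findings.append("confidential OS disk encryption not enabled")
    if family_of((vm.get("hardwareProfile") or {}).get("vmSize")) is None:
        findings.append("VM size is not in a listed confidential family")
    return findings

def report(vms):
    return {vm["name"]: audit(vm) for vm in vms}

# Constructed sample in the shape of `az vm list -o json` (not real output).
SAMPLE = [
    {"name": "avd-cvm-0", "hardwareProfile": {"vmSize": "Standard_DC4as_v5"},
     "securityProfile": {"securityType": "ConfidentialVM", "uefiSettings":
                         {"secureBootEnabled": True, "vTpmEnabled": True}},
     "storageProfile": {"osDisk": {"managedDisk": {"securityProfile":
                        {"securityEncryptionType": "DiskWithVMGuestState"}}}}},
    {"name": "avd-std-1", "hardwareProfile": {"vmSize": "Standard_D4s_v5"},
     "securityProfile": {"securityType": "TrustedLaunch", "uefiSettings":
                         {"secureBootEnabled": False, "vTpmEnabled": True}},
     "storageProfile": {"osDisk": {"managedDisk": {}}}},
]

if __name__ == "__main__":
    for name, findings in report(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Replacing `SAMPLE` with the parsed output of `az vm list` for the host pool's resource group turns this into a drift check for hosts that were redeployed with a different security type.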

Confidential VM Support in Nerdio

We recently added support for Confidential VMs in Nerdio as well. To enable a host pool to use Confidential VMs, go to VM Deployment and then select the Security Type as Confidential.

Summary

Confidential VMs are a great solution if you require the highest security and code integrity on your virtual machines in Azure. Combined with Gen2 VMs, TPMs and Secure Boot, you can take your security protection to the next level to protect yourselves from hackers and cyberattacks.

Expect a slight hit to performance and to the time it takes to create the VMs, as well as limited regional availability, because Confidential VMs run only on certain types of hardware.
