Frequently asked questions about Confidential Computing Nodes on Azure Kubernetes Service (AKS)

This article addresses frequent questions about Intel SGX based confidential computing nodes on Azure Kubernetes Service (AKS). If you have any further questions, email


Are the confidential computing nodes on AKS available for production use?

Yes, for Intel SGX enclave nodes.

Can I enable Accelerated Networking with Azure confidential computing AKS Clusters?

Yes, DCSv3 VM nodes support accelerated networking. DCSv2 Virtual machines do not.

What version of the Intel SGX driver is on the AKS image for confidential nodes?

Currently, Azure confidential computing DCSv2/DCSv3 VMs are installed with Intel SGX DCAP 1.33.2.

Can I inject post install scripts/customize drivers to the Nodes provisioned by AKS?

No. AKS-Engine based confidential computing nodes allow custom installations and give you full control over your Kubernetes control plane.

Can I run ACC Nodes with other standard AKS SKUs (build a heterogeneous node pool cluster)?

Yes, you can run different node pools within the same AKS cluster including ACC nodes. To target your enclave applications on a specific node pool, consider adding node selectors or applying EPC limits. Refer to more details on the quick start on confidential nodes here.

Can I run Windows Nodes and Windows containers with ACC?

Not at this time. Contact the product team at if you have Windows nodes or container needs.

Can I still schedule and run non-enclave containers on confidential computing nodes?

Yes. The VMs also have regular memory that can run standard container workloads. Consider the security and threat model of your applications before you decide on the deployment models.

What is the VM SKU I should be choosing for confidential computing nodes?

DCSv2/DCsv3 SKUs. DCSv2 and DCSv3 are available in the supported regions.

Can I provision AKS with DCSv2 Node Pools through Azure portal?

Yes. Azure CLI could also be used as an alternative as documented here.

What Ubuntu version and VM generation is supported?

18.04 on Gen 2.

What are the known current limitations of the product?

  • Supports Ubuntu 18.04 Gen 2 VM Nodes only
  • No Windows Nodes Support or Windows Containers Support
  • EPC Memory based Horizontal Pod Autoscaling is not supported. CPU and regular memory-based scaling is supported.
  • Dev Spaces on AKS for confidential apps are not currently supported

Can I provision AKS with DCSv2/DCSv3 Node Pools through Azure portal?

Yes. Azure CLI could also be used as an alternative as documented here.

Development & Deploy

Can I bring my existing containerized applications and run them on AKS with Azure Confidential Computing?

Yes. You will bring SGX wrapper software to run in an Intel SGX enclave. Review the confidential containers page for more details on platform enablers.

Should I be using a Docker base image to get started on enclave applications?

Various enablers (ISVs and OSS projects) provide ways to enable confidential containers. Review the confidential containers page for more details and individual references to implementations.

Confidential Container Concepts

What is attestation and how can we do attestation of apps running in enclaves?

Attestation is the process of demonstrating and validating that a piece of software has been properly instantiated on the specific hardware platform. It also ensures its evidence is verifiable to provide assurances that it is running in a secure platform and has not been tampered with. Read more on how attestation is done for enclave apps.

What if my container size is more than available EPC memory?

The EPC memory applies to the part of your application that is programmed to execute in the enclave. The total size of your container is not the right figure to compare against the maximum available EPC memory. In fact, DCSv2 machines with SGX allow a maximum VM memory of 32 GB, which the untrusted part of your application would utilize. However, if your container consumes more than the available EPC memory, then the performance of the portion of the program running in the enclave might be impacted.

To better manage the EPC memory in the worker nodes, consider the EPC memory-based limits management through Kubernetes. Follow the example below as reference.


The following example pulls a public container image from Docker Hub. We recommend that you set up a pull secret to authenticate using a Docker Hub account instead of making an anonymous pull request. To improve reliability when working with public content, import and manage the image in a private Azure container registry. Learn more about working with public images.

apiVersion: batch/v1
kind: Job
metadata:
  name: sgx-test
  labels:
    app: sgx-test
spec:
  template:
    metadata:
      labels:
        app: sgx-test
    spec:
      containers:
      - name: sgxtest
        image: oeciteam/sgx-test:1.0
        resources:
          limits:
            kubernetes.azure.com/sgx_epc_mem_in_MiB: 10 # This limit will automatically place the job into confidential computing node. Alternatively, you can target deployment to node pools
      restartPolicy: Never
  backoffLimit: 0

What happens if my enclave consumes more than maximum available EPC memory?

Total available EPC memory is shared between the enclave applications in the same VMs or worker nodes. If your application uses more EPC memory than is available, then the application performance might be impacted. For this reason, we recommend that you set a toleration per application in your deployment YAML file to better manage the available EPC memory per worker node, as shown in the examples above. Alternatively, you can always choose to move up on the worker node pool VM sizes or add more nodes.

Why can't I do fork() and exec to run multiple processes in my enclave application?

Currently, Azure confidential computing DCsv2 SKU VMs support a single address space for the program executing in an enclave. Single process is a current limitation designed around high security. However, confidential container enablers may have alternate implementations to overcome this limitation.

Do I have to mount the driver volumes in my deployment yaml?

No. The product provides the ACC add-on (confcom), which will help you with this. Read more on the deployment details here.

Can we change the current Intel SGX DCAP driver version on AKS?

No. To perform any custom installations, we recommend you choose AKS-Engine Confidential Computing Worker Nodes deployments.

Will only signed and trusted images be loaded in the enclave for confidential computing?

Not natively during enclave initialization, but the signature can be validated through the attestation process. Ref here.

Is container signing possible to bring code integrity protection to confidential containers?

Confidential containers allow you to sign the enclave code but not the Docker container itself. With enclave code signing (the enclave code is typically your core application code in Java, Python, etc.), you can verify the MRSIGNER details of the enclave code through attestation before you trust the code and the execution environment.
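The MRSIGNER check described above, as an added example that is not Microsoft's code: a relying party reads the enclave identity fields from the report body of an SGX DCAP quote and applies a trust policy to them. It assumes the quote's signature and collateral have already been verified by a quote verification library or an attestation service; the function names, the signer value and the policy thresholds are hypothetical.

```python
import struct
from dataclasses import dataclass

HEADER_LEN, BODY_LEN = 48, 384   # DCAP quote v3 header and sgx_report_body_t sizes
FLAG_DEBUG = 0x2                 # attributes.flags bit set for debug enclaves

@dataclass(frozen=True)
class EnclaveIdentity:
    mrenclave: bytes
    mrsigner: bytes
    prod_id: int
    svn: int
    debug: bool

def parse_identity(quote: bytes) -> EnclaveIdentity:
    """Extract identity fields from the report body of an already-verified quote."""
    if len(quote) < HEADER_LEN + BODY_LEN:
        raise ValueError("quote shorter than header + report body")
    if struct.unpack_from("<H", quote, 0)[0] != 3:
        raise ValueError("unsupported quote version")
    body = quote[HEADER_LEN:HEADER_LEN + BODY_LEN]
    flags = struct.unpack_from("<Q", body, 48)[0]        # attributes.flags
    prod_id, svn = struct.unpack_from("<HH", body, 256)  # ISVPRODID, ISVSVN
    return EnclaveIdentity(body[64:96], body[128:160], prod_id, svn,
                           bool(flags & FLAG_DEBUG))

def policy_violations(ident, trusted_signers, prod_id, min_svn):
    """Return the reasons to reject this enclave; an empty list means trust it."""
    reasons = []
    if ident.mrsigner not in trusted_signers:
        reasons.append("MRSIGNER not in trusted signer set")
    if ident.prod_id != prod_id:
        reasons.append("unexpected ISVPRODID")
    if ident.svn < min_svn:
        reasons.append("ISVSVN below minimum (outdated build)")
    if ident.debug:
        reasons.append("debug enclave: contents can be inspected with a debugger")
    return reasons

def sample_quote(mrsigner: bytes, svn: int, debug: bool = False) -> bytes:
    """Constructed test input: a zero-filled v3 quote with only the checked fields set."""
    body = bytearray(BODY_LEN)
    struct.pack_into("<Q", body, 48, FLAG_DEBUG if debug else 0)
    body[128:160] = mrsigner
    struct.pack_into("<HH", body, 256, 1, svn)
    return struct.pack("<H", 3) + bytes(HEADER_LEN - 2) + bytes(body)

SIGNER = bytes.fromhex("ab" * 32)  # constructed placeholder, not a real signer hash
```

Pinning MRSIGNER together with ISVPRODID and a minimum ISVSVN accepts new builds from the same signing key while rejecting older ones; pinning MRENCLAVE instead would tie trust to one exact build.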

Next Steps

Review the confidential containers page for more details about confidential containers.