Azure Service Bus confidential computing overview

Azure Service Bus Premium supports confidential computing to protect your messaging data in use. Confidential computing uses hardware-based trusted execution environments (TEEs) to provide enhanced data protection, preventing unauthorized access to your messages while they're being processed.

When you enable confidential computing on a Service Bus Premium namespace, your data benefits from hardware-level isolation in addition to existing encryption at rest and in transit. This capability helps organizations that handle sensitive or regulated data meet strict security and compliance requirements.

Benefits

Confidential computing for Azure Service Bus provides the following advantages:

  • No code changes required: Enable confidential computing at the namespace level without modifying your applications or messaging patterns.
  • Defense in depth: Combines with existing Service Bus security features like customer-managed keys, private endpoints, and managed identities.
  • Messaging-specific protection: Your queues, topics, and subscriptions benefit from hardware-level isolation during message processing.

Regional availability

Confidential computing for Azure Service Bus is available in select regions.

  • Korea Central
  • UAE North

Limitations

The following limitations apply to confidential computing for Azure Service Bus:

  • Confidential computing is available only on the Premium tier.
  • You must enable confidential computing during namespace creation. You can't enable it on existing namespaces.

Enable confidential computing by using the Azure portal

  1. Go to the Azure portal and open the Service Bus namespace creation page.

  2. Select Premium for the pricing tier.

  3. Select a supported region as the location.

  4. For Confidential compute, select Enabled.

    Screenshot showing the Create namespace page with the Confidential compute toggle enabled.

  5. Fill in the remaining required fields for your namespace configuration.

  6. Select Review + create, and then select Create to deploy the namespace with confidential computing enabled.

Enable confidential computing by using a template

You can enable confidential computing programmatically by including the platformCapabilities property in your deployment template.

The following Bicep file creates a Service Bus Premium namespace with confidential computing enabled:

@description('Name of the Service Bus namespace')
param namespaceName string

@description('Location for the namespace. Must be a region that supports confidential computing.')
@allowed([
  'koreacentral'
  'uaenorth'
])
param location string = 'uaenorth'

resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2025-05-01-preview' = {
  name: namespaceName
  location: location
  sku: {
    name: 'Premium'
    tier: 'Premium'
    capacity: 1
  }
  properties: {
    platformCapabilities: {
      confidentialCompute: {
        mode: 'Enabled'
      }
    }
  }
}

Combine confidential computing with customer-managed keys

For maximum data protection, combine confidential computing with customer-managed keys backed by Azure Key Vault Managed HSM. This combination ensures that:

  • Your data is protected in use by confidential computing.
  • Your encryption keys are stored in validated hardware security modules.
  • You maintain full control over your encryption keys.

Use Azure Policy to enforce confidential computing

Create an Azure Policy definition to enforce that all Premium Service Bus namespaces in your organization have both confidential computing and customer-managed keys enabled. This approach ensures consistent security configuration across your Azure environment.

The following policy definition denies or audits the creation of Premium Service Bus namespaces that don't meet these security requirements:

{
    "mode": "All",
    "parameters": {
        "effect": {
            "type": "String",
            "metadata": {
                "displayName": "Effect",
                "description": "Deny or Audit"
            },
            "allowedValues": [
                "Deny",
                "Audit"
            ],
            "defaultValue": "Deny"
        }
    },
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.ServiceBus/namespaces"
                },
                {
                    "field": "Microsoft.ServiceBus/namespaces/sku.tier",
                    "equals": "Premium"
                },
                {
                    "anyOf": [
                        {
                            "anyOf": [
                                {
                                    "not": {
                                        "field": "Microsoft.ServiceBus/namespaces/encryption.keySource",
                                        "equals": "Microsoft.KeyVault"
                                    }
                                },
                                {
                                    "not": {
                                        "field": "Microsoft.ServiceBus/namespaces/encryption.keyVaultProperties[*].keyVaultUri",
                                        "contains": ".managedhsm.azure.net/"
                                    }
                                },
                                {
                                    "anyOf": [
                                        {
                                            "field": "identity.type",
                                            "equals": "None"
                                        },
                                        {
                                            "field": "identity.type",
                                            "exists": false
                                        }
                                    ]
                                }
                            ]
                        },
                        {
                            "not": {
                                "field": "Microsoft.ServiceBus/namespaces/platformCapabilities.confidentialCompute.mode",
                                "equals": "Enabled"
                            }
                        }
                    ]
                }
            ]
        },
        "then": {
            "effect": "[parameters('effect')]"
        }
    }
}

To use this policy, create a custom policy definition in Azure Policy and assign it to the appropriate scope, such as a management group, subscription, or resource group.

Note

When combining confidential computing with customer-managed keys, use a user-assigned managed identity. This requirement exists because the identity must be granted access to the Managed HSM before creating the namespace. A system-assigned identity only exists after the namespace is created.
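
The following Bicep file is an added example, not part of the original page, that extends the template above so a new namespace satisfies the policy definition in one deployment: confidential computing enabled, encryption with a key held in Azure Key Vault Managed HSM, and a user-assigned managed identity as the note requires. The parameter names identityResourceId, managedHsmUri and keyName are placeholders chosen here, and the identity is assumed to have been granted the Managed HSM Crypto Service Encryption User role on the key before deployment.

```bicep
@description('Name of the Service Bus namespace')
param namespaceName string

@description('Region that supports confidential computing')
@allowed([
  'koreacentral'
  'uaenorth'
])
param location string = 'uaenorth'

@description('Resource ID of an existing user-assigned managed identity (placeholder parameter)')
param identityResourceId string

@description('Managed HSM URI, for example https://<hsm-name>.managedhsm.azure.net/ (placeholder parameter)')
param managedHsmUri string

@description('Name of the wrapping key in the Managed HSM (placeholder parameter)')
param keyName string

// Assumption: the identity already holds the Managed HSM Crypto Service
// Encryption User role on the key. The namespace wraps its data encryption
// key with that identity at creation time, which is why a system-assigned
// identity (created together with the namespace) cannot be used here.
resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2025-05-01-preview' = {
  name: namespaceName
  location: location
  sku: {
    name: 'Premium'
    tier: 'Premium'
    capacity: 1
  }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identityResourceId}': {}
    }
  }
  properties: {
    platformCapabilities: {
      confidentialCompute: {
        mode: 'Enabled'
      }
    }
    encryption: {
      keySource: 'Microsoft.KeyVault'
      keyVaultProperties: [
        {
          keyName: keyName
          keyVaultUri: managedHsmUri
          identity: {
            userAssignedIdentity: identityResourceId
          }
        }
      ]
    }
  }
}
```

Omitting keyVersion lets the namespace follow key rotation in the Managed HSM; the keyVaultUri must end in .managedhsm.azure.net/ or the policy above reports the namespace as non-compliant.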