Deploy SQL Server to an Azure confidential VM

Applies to: SQL Server on Azure VM

In this article, learn how to deploy SQL Server to an Azure confidential VM.

Overview

Azure confidential VMs provide a strong, hardware-enforced boundary that hardens the protection of the guest OS against host operator access. Choosing a confidential VM size for your SQL Server on Azure VM provides an extra layer of protection, enabling you to confidently store your sensitive data in the cloud and meet strict compliance requirements.

Azure confidential VMs leverage AMD processors with SEV-SNP technology that encrypt the memory of the VM using keys generated by the processor. This helps protect data while it's in use (the data that is processed inside the memory of the SQL Server process) from unauthorized access from the host OS. The OS disk of a confidential VM can also be encrypted with keys bound to the Trusted Platform Module (TPM) chip of the virtual machine, reinforcing protection for data-at-rest.

Azure confidential VMs are available in both the general purpose and memory optimized VM size series.

Recommendations for disk encryption are different for confidential VMs than for the other VM sizes. See disk encryption to learn more.

Deploy SQL Server to a confidential VM

For detailed steps to deploy a confidential VM, review the Quickstart: Deploy a SQL Server on Azure VM.

To deploy a SQL Server VM to a confidential Azure VM, select the following values when deploying a SQL Server VM:

  1. Choose a supported region. To validate region supportability, look for the ECadsv5-series or DCadsv5-series in VM products Available by Azure region.
  2. Set the Security type to Confidential virtual machines. If this option is grayed out, it's likely the chosen region doesn't currently support confidential VMs. Choose a different region from the drop-down.
  3. Choose a supported confidential SQL Server image. To change the SQL Server image, select See all images and then filter by Security type = Confidential VMs to identify all SQL Server images that support confidential VMs.
  4. Choose a supported VM size. To see all available sizes, select See all sizes to identify all the VM sizes that support confidential VMs, as well as the sizes that don't.
  5. (Optional) Configure confidential disk encryption. Follow the steps in the Disk section of the Quickstart.
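The same deployment done from the Azure CLI instead of the portal, as an added example that is not part of this article or a Microsoft script. It wraps the five portal steps in a script: a pre-flight check that the chosen size belongs to the DCadsv5 or ECadsv5 series named above, a region query for those SKUs (the same check the Limitations section describes), `az vm create` with Security type = Confidential VM, vTPM and Secure Boot enabled and the OS disk encrypted with a platform-managed key bound to the VM guest state, then registration with the SQL IaaS Agent extension and a read-back of the VM's security profile. Assumptions: the `az` CLI is installed and signed in; the image URN `MicrosoftSQLServer:sql2022-ws2022:enterprise-gen2:latest` is an assumed Marketplace URN for the SQL Server 2022 Enterprise on Windows Server 2022 Gen 2 image and should be confirmed with `az vm image list` first; the resource group, VM name and region are constructed sample values; the `DRY_RUN` switch belongs to this example and simply prints each `az` command instead of running it.

```shell
#!/bin/sh
# Added example: deploy SQL Server on Azure VM as a confidential VM with the Azure CLI.
# Set DRY_RUN=1 to print the az commands instead of executing them.

# The article names two confidential VM series: DCadsv5 (general purpose) and
# ECadsv5 (memory optimized). Returns 0 when the size is in one of them.
is_confidential_size() {
    case "$1" in
        Standard_DC*ads_v5|Standard_EC*ads_v5) return 0 ;;
        *) return 1 ;;
    esac
}

# Execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Pre-flight region check: list the DCadsv5/ECadsv5 SKUs offered in a region.
# Empty output means the region does not currently offer confidential VMs.
list_confidential_skus() {
    run az vm list-skus --location "$1" --resource-type virtualMachines \
        --query "[?contains(name,'ads_v5') && (starts_with(name,'Standard_DC') || starts_with(name,'Standard_EC'))].name" \
        --output tsv
}

# ASSUMED Marketplace URN for SQL Server 2022 Enterprise on Windows Server 2022 Gen 2.
# Confirm with: az vm image list --publisher MicrosoftSQLServer --all --output table
SQL_IMAGE_URN="${SQL_IMAGE_URN:-MicrosoftSQLServer:sql2022-ws2022:enterprise-gen2:latest}"

# Arguments: resource group, VM name, region, VM size, admin user name.
# The admin password is read from ADMIN_PASSWORD so it never appears on the command line.
deploy_confidential_sql_vm() {
    rg="$1"; vm="${2:-sqlcvm01}"; loc="${3:-westeurope}"
    size="${4:-Standard_DC4ads_v5}"; admin="${5:-azureuser}"
    : "${ADMIN_PASSWORD:?set ADMIN_PASSWORD in the environment}"

    if ! is_confidential_size "$size"; then
        echo "size $size is not in the DCadsv5/ECadsv5 series" >&2
        return 1
    fi

    run az group create --name "$rg" --location "$loc" --output none
    # Security type Confidential VM, vTPM + Secure Boot, OS disk encrypted with a
    # platform-managed key bound to the VM guest state (confidential disk encryption).
    run az vm create \
        --resource-group "$rg" --name "$vm" --location "$loc" \
        --image "$SQL_IMAGE_URN" --size "$size" \
        --admin-username "$admin" --admin-password "$ADMIN_PASSWORD" \
        --security-type ConfidentialVM \
        --enable-vtpm true --enable-secure-boot true \
        --os-disk-security-encryption-type DiskWithVMGuestState \
        --output none
    # Register the VM with the SQL IaaS Agent extension so it is managed as a SQL Server VM resource.
    run az sql vm create --name "$vm" --resource-group "$rg" --location "$loc" \
        --license-type PAYG --output none
}

# Read back the security profile of the deployed VM; expect securityType ConfidentialVM
# and vTpmEnabled true.
verify_security_profile() {
    run az vm show --resource-group "$1" --name "$2" \
        --query "securityProfile.{type:securityType,vtpm:uefiSettings.vTpmEnabled}" \
        --output table
}

# Run only when invoked with a resource group argument; otherwise just define the functions.
if [ "$#" -ge 1 ]; then
    list_confidential_skus "${3:-westeurope}"
    deploy_confidential_sql_vm "$@"
    verify_security_profile "$1" "${2:-sqlcvm01}"
fi
```

Run it as `ADMIN_PASSWORD='...' ./deploy-cvm.sh rg-sqlcvm sqlcvm01 westeurope Standard_DC4ads_v5 azureuser`; a first pass with `DRY_RUN=1` shows exactly which commands will be issued. Choosing `DiskWithVMGuestState` is what the portal's confidential disk encryption option does; dropping that flag leaves the guest state encrypted but the OS disk protected only by the standard platform encryption, which is the weaker setting.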

Identify available images

To view all SQL Server images that support confidential VMs, begin to deploy a SQL Server virtual machine from the Azure portal, and then select See all images under Images on the Basics tab to open the Azure Marketplace. Type sql in the search box, and then filter the options by choosing Security type = Confidential to view all SQL Server images that support confidential VMs.

Limitations

  • Currently, only the following pre-built SQL Server images support Azure confidential VMs. If you wish to use a different combination of SQL Server version/edition/operating system with confidential VMs, you can deploy an image of your choice and then self-install SQL Server.
    • SQL Server 2022 Enterprise / Developer / Standard / Web on Windows Server 2022 - x64 Gen 2
    • SQL Server 2019 Enterprise on Windows Server 2022 Database Engine Only - x64 Gen 2
    • SQL Server 2017 Enterprise on Windows Server 2019 Database Engine Only - x64 Gen 2
  • Confidential VMs aren't currently available in all regions. To validate region supportability, look for the ECadsv5-series or DCadsv5-series in VM products Available by Azure region.

Next steps

In this article, you learned to deploy SQL Server to a confidential virtual machine in the Azure portal. To learn more about how to migrate your data to the new SQL Server, see the following article.