How does the Attestation Provider get the identity of a VM?

Nitish 61 Reputation points
2022-02-02T11:32:36.763+00:00

I have created a Confidential VM and would like to know the steps to follow to attest the VM so that I can establish a secure channel with VM for communication.
I would like to know the usage of Attestation Provider and also about the process to request an attestation token.

Q1. Should the attestation request be sent to the attestation provider by the VM itself? Is there a need to use some application running inside the VM to send the attestation request to the Attestation Provider?
Q2. How is the attestation provider able to get the identity of a Confidential VM (based on AMD SEV-SNP)?
Q3. Is the vTPM which comes along with a Confidential VM (based on AMD SEV-SNP) mandatory to use, or is it optional?
Q4. Is attestation even necessary to SSH into the virtual machine using the private key I have, which was obtained during the creation of the Confidential VM?

Azure Virtual Machines

1 answer

  1. vipullag-MSFT 26,021 Reputation points
    2022-02-03T18:18:01.533+00:00

    @Nitish

    During the preview, Confidential VMs undergo attestation during their boot phase. This process is opaque to the user and takes place by the cloud operating system in conjunction with the Microsoft Azure Attestation and Azure Key Vault services. When the product launches in General Availability, Confidential VMs will extend to also let customers perform attestation for their VMs. This will be done using tooling and documentation which will be published later this year. Until then, similar to trusted launch VMs, customers can use the vTPM in their VMs to perform attestation of their VM’s firmware and OS as described here.

    Hope this helps.
    Please 'Accept as answer' if the provided information is helpful, so that it can help others in the community looking for help on similar topics.

    1 person found this answer helpful.
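The answer points at vTPM-based attestation of the VM's firmware and OS as the option available today. What that looks like on the verifier side, as an added example that is not part of this thread and not Microsoft's tooling: the VM's vTPM produces a TPM2_Quote over a set of PCRs, and the party that wants the secure channel checks the quoted structure for freshness (its own nonce), for the binding between the quote and the reported PCR values, and for the PCR values against known-good ones. The code below is stdlib-only Python that decodes a TPMS_ATTEST of type TPM_ST_ATTEST_QUOTE per the TPM 2.0 Library spec (Part 2) and performs those checks. The sample quote, PCR values, nonce and signer name are constructed inline so the block runs offline; `build_quote_attest` exists only to fabricate that sample, a real blob comes from the vTPM. The signature over the blob is assumed to have been verified separately against the attestation key's public part, which this block does not do.

```python
import hashlib
import hmac
import struct

# Constants from the TPM 2.0 Library spec, Part 2 (Structures)
TPM_GENERATED_VALUE = 0xFF544347   # magic marking a structure as TPM-generated
TPM_ST_ATTEST_QUOTE = 0x8018       # TPMS_ATTEST.type for TPM2_Quote output
TPM_ALG_SHA256 = 0x000B
NUM_PCRS = 24                      # the usual 24-PCR bank


def _tpm2b(data: bytes) -> bytes:
    """TPM2B_* encoding: big-endian 16-bit size followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_quote_attest(nonce: bytes, pcrs: dict, signer_name: bytes) -> bytes:
    """Constructed TPMS_ATTEST blob imitating the 'quoted' output of TPM2_Quote.
    Only used to fabricate sample input for this example."""
    indices = sorted(pcrs)
    bitmap = bytearray(NUM_PCRS // 8)
    for i in indices:
        bitmap[i // 8] |= 1 << (i % 8)
    # TPML_PCR_SELECTION holding one TPMS_PCR_SELECTION for the SHA-256 bank
    pcr_select = struct.pack(">IHB", 1, TPM_ALG_SHA256, len(bitmap)) + bytes(bitmap)
    pcr_digest = hashlib.sha256(b"".join(pcrs[i] for i in indices)).digest()
    clock_info = struct.pack(">QIIB", 123456, 1, 1, 1)  # clock, resetCount, restartCount, safe
    firmware_version = struct.pack(">Q", 0x0001000200030004)  # constructed value
    return (struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE)
            + _tpm2b(signer_name)   # qualifiedSigner: TPM2B_NAME of the attestation key
            + _tpm2b(nonce)         # extraData: the verifier's nonce (qualifying data)
            + clock_info + firmware_version
            + pcr_select + _tpm2b(pcr_digest))


def parse_quote_attest(blob: bytes) -> dict:
    """Decode a TPMS_ATTEST of type TPM_ST_ATTEST_QUOTE into its fields."""
    off = 0

    def take(fmt):
        nonlocal off
        vals = struct.unpack_from(fmt, blob, off)
        off += struct.calcsize(fmt)
        return vals

    def take_2b():
        nonlocal off
        (n,) = take(">H")
        data = blob[off:off + n]
        if len(data) != n:
            raise ValueError("truncated TPM2B field")
        off += n
        return data

    magic, st = take(">IH")
    if magic != TPM_GENERATED_VALUE:
        raise ValueError("magic mismatch: structure was not produced by a TPM")
    if st != TPM_ST_ATTEST_QUOTE:
        raise ValueError("not a quote attestation structure")
    signer = take_2b()
    extra_data = take_2b()
    clock, reset_count, restart_count, safe = take(">QIIB")
    (firmware_version,) = take(">Q")
    (count,) = take(">I")
    selections = []
    for _ in range(count):
        alg, size = take(">HB")
        bits = blob[off:off + size]
        off += size
        selected = [i for i in range(size * 8) if (bits[i // 8] >> (i % 8)) & 1]
        selections.append((alg, selected))
    pcr_digest = take_2b()
    if off != len(blob):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return {"signer": signer, "extra_data": extra_data, "clock": clock,
            "reset_count": reset_count, "restart_count": restart_count,
            "safe": safe, "firmware_version": firmware_version,
            "pcr_selections": selections, "pcr_digest": pcr_digest}


def verify_quote(blob: bytes, expected_nonce: bytes, reported_pcrs: dict, golden_pcrs: dict):
    """Return (ok, reasons). Checks freshness, PCR-digest binding and policy PCR values.
    Assumes the signature over `blob` was already verified with the AK public key."""
    reasons = []
    try:
        att = parse_quote_attest(blob)
    except ValueError as e:
        return False, [str(e)]
    if not hmac.compare_digest(att["extra_data"], expected_nonce):
        reasons.append("nonce mismatch: quote is not fresh for this request")
    ordered = []  # PCR indices in the order the TPM hashed them
    for alg, selected in att["pcr_selections"]:
        if alg != TPM_ALG_SHA256:
            reasons.append("unexpected PCR bank 0x%04x" % alg)
        ordered.extend(selected)
    missing = [i for i in ordered if i not in reported_pcrs]
    if missing:
        return False, reasons + ["no reported value for quoted PCRs %s" % missing]
    recomputed = hashlib.sha256(b"".join(reported_pcrs[i] for i in ordered)).digest()
    if not hmac.compare_digest(recomputed, att["pcr_digest"]):
        reasons.append("reported PCR values do not match the digest the TPM signed")
    for i, golden in golden_pcrs.items():
        if i not in ordered:
            reasons.append("policy PCR %d is not covered by the quote" % i)
        elif not hmac.compare_digest(reported_pcrs[i], golden):
            reasons.append("PCR %d differs from the known-good value" % i)
    return (not reasons), reasons


# Constructed sample: a verifier nonce, eight boot-time PCRs and a fake AK name
SAMPLE_NONCE = bytes(range(32))
SAMPLE_PCRS = {i: hashlib.sha256(b"sample-pcr-%d" % i).digest() for i in range(8)}
SAMPLE_QUOTE = build_quote_attest(SAMPLE_NONCE, SAMPLE_PCRS, b"\x00\x0b" + b"\xaa" * 32)

if __name__ == "__main__":
    print(verify_quote(SAMPLE_QUOTE, SAMPLE_NONCE, SAMPLE_PCRS, {0: SAMPLE_PCRS[0], 7: SAMPLE_PCRS[7]}))
```

In practice the blob is the message file written by `tpm2_quote -m` inside the VM and the reported PCR values are read alongside it; the verifier picks the nonce per request so a quote cannot be replayed, and a quote that covers a different PCR set than the policy expects is rejected rather than partially trusted.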