Quickstart: Deploy confidential VM with ARM template
Article
You can use an Azure Resource Manager template (ARM template) to create an Azure confidential VM quickly. Confidential VMs run on both AMD processors backed by AMD SEV-SNP and Intel processors backed by Intel TDX to achieve VM memory encryption and isolation. For more information, see Confidential VM Overview.
This tutorial covers deployment of a confidential VM with a custom configuration.
Prerequisites
An Azure subscription. Free trial accounts don't have access to the VMs used in this tutorial. One option is to use a pay as you go subscription.
You can deploy a confidential VM template that has optional OS disk confidential encryption through a platform-managed key.
To create and deploy your confidential VM using an ARM template through the Azure CLI:
Sign in to your Azure account in the Azure CLI.
az login
Set your Azure subscription. Replace <subscription-id> with your subscription identifier. Make sure to use a subscription that meets the prerequisites.
az account set --subscription <subscription-id>
Set the variables for your confidential VM. Provide the deployment name ($deployName), the resource group ($resourceGroup), the VM name ($vmName), and the Azure region ($region). Replace the sample values with your own information.
When you create a confidential VM through the Azure Command-Line Interface (Azure CLI), you need to define a custom parameter file. To create a custom JSON parameter file:
Sign in to your Azure account through the Azure CLI.
Create a JSON parameter file. For example, azuredeploy.parameters.json.
Edit the JSON code in the parameter file as needed. For example, update the OS image name (osImageName) or the administrator username (adminUsername).
Configure your security type setting (securityType). Choose VMGuestStateOnly for no OS disk confidential encryption. Or, choose DiskWithVMGuestState for OS disk confidential encryption with a platform-managed key. For Intel TDX SKUs and Linux-based images only, customers may choose the NonPersistedTPM security type to deploy with an ephemeral vTPM. For the NonPersistedTPM security type use the minimum "apiVersion": "2023-09-01" under Microsoft.Compute/virtualMachines in the template file.
Save your parameter file.
Example Windows parameter file
Use this example to create a custom parameter file for a Windows-based confidential VM.
Deploy confidential VM template with OS disk confidential encryption via customer-managed key
Sign in to your Azure account through the Azure CLI.
az login
Set your Azure subscription. Replace <subscription-id> with your subscription identifier. Make sure to use a subscription that meets the prerequisites.
az account set --subscription <subscription-id>
Grant confidential VM Service Principal Confidential VM Orchestrator to tenant
For this step you need to be a Global Admin or you need to have the User Access Administrator RBAC role. Install Microsoft Graph SDK to execute the commands below.
Set up your Azure key vault. For how to use an Azure Key Vault Managed HSM instead, see the next step.
Create a resource group for your key vault. Your key vault instance and your confidential VM must be in the same Azure region.
$resourceGroup = <key vault resource group>
$region = <Azure region>
az group create --name $resourceGroup --location $region
Create a key vault instance with a premium SKU and select your preferred region. The standard SKU is not supported.
$KeyVault = <name of key vault>
az keyvault create --name $KeyVault --resource-group $resourceGroup --location $region --sku Premium --enable-purge-protection
Make sure that you have an owner role in this key vault.
Give Confidential VM Orchestrator permissions to get and release the key vault.
$cvmAgent = az ad sp show --id "bf7b6499-ff71-4aa2-97a4-f372087be7f0" | Out-String | ConvertFrom-Json
az keyvault set-policy --name $KeyVault --object-id $cvmAgent.Id --key-permissions get release
(Optional) If you don't want to use an Azure key vault, you can create an Azure Key Vault Managed HSM instead.
Give Confidential VM Orchestrator permissions to managed HSM.
$cvmAgent = az ad sp show --id "bf7b6499-ff71-4aa2-97a4-f372087be7f0" | Out-String | ConvertFrom-Json
az keyvault role assignment create --hsm-name $hsm --assignee $cvmAgent.Id --role "Managed HSM Crypto Service Release User" --scope /keys/$KeyName
Create a new key using Azure Key Vault. For how to use an Azure Managed HSM instead, see the next step.
Prepare and download the key release policy to your local disk.
$desName = <name of DES>
az disk-encryption-set create -n $desName `
-g $resourceGroup `
--key-url $encryptionKeyURL
Assign key access to the DES.
desIdentity=$(az disk-encryption-set show -n $desName -g $resourceGroup --query [identity.principalId] -o tsv)
az keyvault set-policy -n $hsm `
-g $resourceGroup `
--object-id $desIdentity `
--key-permissions wrapkey unwrapkey get
Deploy your confidential VM with the customer-managed key.
Get the resource ID for the DES.
$desID = (az disk-encryption-set show -n $desName -g $resourceGroup --query [id] -o tsv)
Deploy your confidential VM using a confidential VM ARM template for Intel TDX and a deployment parameter file (for example, azuredeploy.parameters.win2022.json) with the customer-managed key.
$deployName = <name of deployment>
$vmName = <name of confidential VM>
$cvmArmTemplate = <name of confidential VM ARM template file>
$cvmParameterFile = <name of confidential VM parameter file>
az deployment group create `
-g $resourceGroup `
-n $deployName `
-f $cvmArmTemplate `
-p $cvmParameterFile `
-p diskEncryptionSetId=$desID `
-p vmName=$vmName
Connect to your confidential VM to make sure the creation was successful.
Learn how you can use guest attestation for assurance that your software inside an Azure confidential virtual machine runs on the expected hardware platform.