Azure Confidential Computing (ACC) enables organizations to securely process and collaborate on sensitive data, such as personal data or protected health information (PHI). ACC provides built-in protection against unauthorized access by securing data in use through Trusted Execution Environments (TEEs). This allows for secure real-time analytics and collaborative machine learning across organizational boundaries.
Understanding the architecture
Azure Database for PostgreSQL supports Azure Confidential Computing through Trusted Execution Environments (TEEs): hardware-enforced, isolated memory regions whose contents are encrypted by the CPU. Data processed inside the TEE is protected from the operating system, the hypervisor, and other applications running on the same host.
- Code and data are in plaintext only inside the TEE; the memory backing it is encrypted, so anything outside the enclave boundary sees only ciphertext.
- Data is encrypted at rest, in transit, and in use.
- The TEE's contents are protected from access by the OS, the hypervisor, or other applications.
Processors
Azure Confidential Computing is supported in Azure Database for PostgreSQL by selecting a supported confidential virtual machine (VM) SKU when creating a new server. There are two processor technologies to choose from:
- AMD SEV-SNP
- Intel TDX
Virtual machine SKUs
The SKUs supporting Azure Confidential Computing (ACC) for Azure Database for PostgreSQL are:
| SKU Name | Processor | vCores | Memory (GiB) | Max IOPS | Max I/O Bandwidth (MBps) |
|---|---|---|---|---|---|
| Dcadsv5 | AMD SEV-SNP | 2-96 | 8-384 | 3750-80000 | 48-1200 |
| Dcedsv5 | Intel TDX | 2-96 | 8-384 | 3750-80000 | 85-2600 |
| Ecadsv5 | AMD SEV-SNP | 2-96 | 16-672 | 3750-80000 | 48-1200 |
| Ecedsv5 | Intel TDX | 2-128 | 16-1024 | 3750-80000 | 48-1200 |
Deployment
You can deploy Azure Database for PostgreSQL with ACC using various methods, such as the Azure portal, Azure CLI, ARM templates, Bicep, Terraform, Azure PowerShell, REST API, etc.
For this example, we're using the Azure portal.
Go to the Azure portal and start creating an Azure Database for PostgreSQL server.
On the Basics tab:
- Enter your details.
- Select UAE North as the region (the only region where confidential SKUs are offered).
- Under Compute + Storage, select Configure server.
On the Compute + Storage tab:
- Select your Compute tier and Compute processor (AMD SEV-SNP or Intel TDX).
- Under Compute size, select a confidential compute SKU and the size based on your needs.
Deploy your server.
Compare
Let's compare Azure Confidential Compute virtual machines with ACC for Azure Database for PostgreSQL.
| Feature | Confidential Compute VMs | ACC for Azure Database for PostgreSQL |
|---|---|---|
| Hardware root of trust | Yes | Yes |
| Trusted launch | Yes | Yes |
| Memory isolation and encryption | Yes | Yes |
| Secure key management | Yes | Yes |
| Remote attestation | Yes | No |
Limitations and considerations
Be sure to evaluate the limitations carefully before deploying in a production environment. Note also that, unlike a confidential VM, the managed service doesn't expose remote attestation evidence to you, so you can't independently verify the TEE from a client; you are trusting the platform to run your server on the selected confidential hardware.
- Confidential Computing is only available in the UAE North region.
- High Availability isn't supported for Confidential Compute SKUs.
- Point-in-time Restore (PITR) from nonconfidential compute SKUs to confidential ones isn't allowed.
- Compute scaling between confidential and nonconfidential compute options isn't supported.