Solutions on Azure for Intel SGX

You can deploy Intel Software Guard Extension (Intel SGX) virtual machines (VM) for use in Azure confidential computing.

Currently available sizes and regions

To get a list of Intel SGX VM sizes, use the Azure Command-Line Interface (Azure CLI). Install the Azure CLI if you haven't already done so. Then, run the following command to list the Intel SGX sizes with region and availability zone information.

az vm list-skus `
    --size Standard_DC `
    --all `
    --output table
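The table output above is fine for a quick look, but when you are choosing a size for a specific region it helps to account for the per-subscription restrictions and zone information that the SKU list carries. The following script is an added example for this page, not Azure tooling: it reads the same command's `--output json` result (or, with no argument, the constructed, abbreviated SAMPLE_SKUS stand-in below) and reports which DCsv2/DCsv3/DCdsv3 sizes are actually deployable in a region. The field names it relies on (`name`, `resourceType`, `locationInfo`, `restrictions`, `restrictionInfo`) are the ones the Compute SKU listing returns; their shape in the sample is an assumption documented in the comments.

```python
"""List the Intel SGX sizes deployable in a region from `az vm list-skus --output json`.

Added example for this page, not Azure tooling. SAMPLE_SKUS is a constructed,
abbreviated stand-in shaped like the CLI's JSON output (assumption: the
name / resourceType / locationInfo / restrictions fields as used here).
"""
import json
import re

# DCsv2, DCsv3 and DCdsv3 size names as listed on this page (DC8_v2 has no 's').
SGX_SIZE_RE = re.compile(r"^Standard_DC\d+(d?s)?_v[23]$")

SAMPLE_SKUS = json.loads("""
[
  {"name": "Standard_DC2s_v3", "resourceType": "virtualMachines",
   "locationInfo": [{"location": "eastus", "zones": ["1", "2"]}],
   "restrictions": []},
  {"name": "Standard_DC8_v2", "resourceType": "virtualMachines",
   "locationInfo": [{"location": "eastus", "zones": []}],
   "restrictions": [{"type": "Location", "reasonCode": "NotAvailableForSubscription",
                     "restrictionInfo": {"locations": ["eastus"]}}]},
  {"name": "Standard_DC48ds_v3", "resourceType": "virtualMachines",
   "locationInfo": [{"location": "westeurope", "zones": ["3"]}],
   "restrictions": [{"type": "Zone", "reasonCode": "NotAvailableForSubscription",
                     "restrictionInfo": {"locations": ["westeurope"], "zones": ["3"]}}]},
  {"name": "Standard_D2s_v3", "resourceType": "virtualMachines",
   "locationInfo": [{"location": "eastus", "zones": ["1", "2", "3"]}],
   "restrictions": []}
]
""")


def sgx_sizes_in_region(skus, region):
    """Return {size: {"zones": [...], "blocked": reasonCode or None}} for SGX sizes offered in region."""
    region = region.lower()
    out = {}
    for sku in skus:
        name = sku.get("name", "")
        if sku.get("resourceType") != "virtualMachines" or not SGX_SIZE_RE.match(name):
            continue
        info = next((li for li in sku.get("locationInfo", [])
                     if li.get("location", "").lower() == region), None)
        if info is None:
            continue  # size is not offered in this region at all
        zones = set(info.get("zones", []))
        blocked = None
        for r in sku.get("restrictions", []):
            ri = r.get("restrictionInfo", {})
            if region not in [loc.lower() for loc in ri.get("locations", [])]:
                continue
            if r.get("type") == "Location":
                blocked = r.get("reasonCode")      # whole region blocked for this subscription
            elif r.get("type") == "Zone":
                zones -= set(ri.get("zones", []))  # only the listed zones are blocked
        out[name] = {"zones": sorted(zones), "blocked": blocked}
    return out


def deployable(skus, region):
    """Names of SGX sizes the current subscription can deploy in region."""
    return sorted(n for n, v in sgx_sizes_in_region(skus, region).items() if v["blocked"] is None)


if __name__ == "__main__":
    import sys
    # usage: python sgx_sizes.py skus.json eastus   (skus.json from `az vm list-skus ... --output json`)
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SKUS
    region = sys.argv[2] if len(sys.argv) > 2 else "eastus"
    for name, v in sgx_sizes_in_region(data, region).items():
        state = f"blocked ({v['blocked']})" if v["blocked"] else f"zones {v['zones'] or 'none'}"
        print(f"{name:24} {state}")
```

A size that appears in the table but carries a `NotAvailableForSubscription` restriction for your region is the case the cores-quota section below is about: the SKU exists, but your subscription cannot deploy it until a quota or access request is approved.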

Dedicated host requirements

Deploying a Standard_DC8_v2, Standard_DC48s_v3, or Standard_DC48ds_v3 VM occupies the full host. Other tenants or subscriptions don't share the host. These VM SKUs therefore provide the isolation you might need to meet compliance and security regulatory requirements, isolation you would normally have to obtain through a dedicated host service.

For these VM sizes, the physical host server allocates all available hardware resources, including EPC memory, to your virtual machine only. This deployment isn't the same as the Azure Dedicated Host service in other VM families.

Deployment considerations

Consider the following factors when you plan your Intel SGX VM deployment on Azure.

Azure subscription

To deploy a confidential computing VM instance, consider a pay-as-you-go subscription or other purchase option. Azure free accounts don't have a high enough quota for the necessary number of Azure compute cores.

Pricing and regional availability

Find the pricing for DCsv2, DCsv3, and DCdsv3 VMs on the Azure VMs pricing page. Check the table of products available by region for availability in different Azure regions.

Cores quota

You might need to increase the cores quota in your Azure subscription from the default value. Your subscription might also limit the number of cores that you can deploy in certain VM size families, including DCsv2-Series. You can request a quota increase at no charge. Default limits might be different based on your subscription category.

If you have large-scale capacity needs, contact Azure Support. Azure quotas are credit limits, not capacity guarantees. Whatever your quota, you're only charged for cores that you use.

Resizing

Because of their specialized hardware, you can only resize Intel SGX VM instances within the same size family. For example, you can only resize a DCsv2-series VM from one DCsv2-series size to another.

Image

To provide Intel SGX support on confidential compute instances, all deployments must run on Generation 2 images. Azure confidential computing supports workloads running on Ubuntu 20.04 Gen 2, Ubuntu 22.04 Gen 2, and Windows Server 2019 Gen 2. For more information about supported and unsupported scenarios, see support for Generation 2 VMs on Azure.

Storage

DCsv2-series VMs support Standard SSD and Premium SSD, except for DC8_v2.

DCsv3 and DCdsv3-series VMs support Standard SSD, Premium SSD, and Ultra Disk.

High availability and disaster recovery considerations

When you use Azure VMs, you're responsible for creating a high availability (HA) and disaster recovery solution to avoid any downtime.

Azure confidential computing doesn't support zone-redundancy through Azure availability zones at this time. For the highest availability and redundancy for confidential computing, use Availability Sets. Because of hardware restrictions, Availability Sets for confidential computing instances can only have a maximum of 10 update domains.

Deployment with Azure Resource Manager (ARM) Template

Azure Resource Manager is the deployment and management service for Azure. You can use the service's management layer to create, update, and delete resources in your Azure subscription. There are management features such as access control, locks, and tags. Use these features to secure and organize your resources after deployment.

To learn about Azure Resource Manager templates (ARM templates), see the Templates overview.

To deploy using ARM templates, see Virtual machines in an Azure Resource Manager template. Make sure to specify the correct properties for vmSize and your imageReference.

VM sizes

Specify one of the following sizes in the VM resource of your ARM template. This string is the vmSize value under hardwareProfile in properties.

  [
    "Standard_DC1s_v2",
    "Standard_DC2s_v2",
    "Standard_DC4s_v2",
    "Standard_DC8_v2",
    "Standard_DC1s_v3",
    "Standard_DC2s_v3",
    "Standard_DC4s_v3",
    "Standard_DC8s_v3",
    "Standard_DC16s_v3",
    "Standard_DC24s_v3",
    "Standard_DC32s_v3",
    "Standard_DC48s_v3",
    "Standard_DC1ds_v3",
    "Standard_DC2ds_v3",
    "Standard_DC4ds_v3",
    "Standard_DC8ds_v3",
    "Standard_DC16ds_v3",
    "Standard_DC24ds_v3",
    "Standard_DC32ds_v3",
    "Standard_DC48ds_v3"
  ]

Gen2 OS image

Under properties, you also have to specify an image under storageProfile. Use only one of the following images for your imageReference.

  "2019-datacenter-gensecond": {
    "offer": "WindowsServer",
    "publisher": "MicrosoftWindowsServer",
    "sku": "2019-datacenter-gensecond",
    "version": "latest"
  },
  "20_04-lts-gen2": {
    "offer": "0001-com-ubuntu-server-focal",
    "publisher": "Canonical",
    "sku": "20_04-lts-gen2",
    "version": "latest"
  },
  "22_04-lts-gen2": {
    "offer": "0001-com-ubuntu-server-jammy",
    "publisher": "Canonical",
    "sku": "22_04-lts-gen2",
    "version": "latest"
  }
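The constraints spread across this page (an SGX vmSize, one of the Gen2 imageReference values above, the same-family resizing rule, Ultra Disk only on DCsv3/DCdsv3, and at most 10 update domains in an Availability Set) are easy to get wrong in a template and are only reported at deployment time. The following pre-flight check is an added example for this page, not Microsoft's code or tooling: it walks the resources of an ARM template (loaded as a dict) and reports violations of exactly those rules. SAMPLE_TEMPLATE is a constructed fragment; the property paths it reads (`properties.hardwareProfile.vmSize`, `properties.storageProfile.imageReference`, `properties.storageProfile.dataDisks[].managedDisk.storageAccountType`, `properties.platformUpdateDomainCount`) are the standard Microsoft.Compute resource properties.

```python
"""Pre-flight checks for Intel SGX VMs defined in an ARM template.

Added example for this page; not Microsoft's code or tooling. The allowed
sizes, the Gen2 image references, the same-family resize rule, the Ultra
Disk rule and the update-domain limit are the ones stated on the page.
SAMPLE_TEMPLATE is a constructed fragment of a Resource Manager template.
"""
import re

SGX_VM_SIZES = {
    "Standard_DC1s_v2", "Standard_DC2s_v2", "Standard_DC4s_v2", "Standard_DC8_v2",
    "Standard_DC1s_v3", "Standard_DC2s_v3", "Standard_DC4s_v3", "Standard_DC8s_v3",
    "Standard_DC16s_v3", "Standard_DC24s_v3", "Standard_DC32s_v3", "Standard_DC48s_v3",
    "Standard_DC1ds_v3", "Standard_DC2ds_v3", "Standard_DC4ds_v3", "Standard_DC8ds_v3",
    "Standard_DC16ds_v3", "Standard_DC24ds_v3", "Standard_DC32ds_v3", "Standard_DC48ds_v3",
}
# (publisher, offer, sku) of the Gen2 images the page allows for imageReference.
GEN2_IMAGES = {
    ("MicrosoftWindowsServer", "WindowsServer", "2019-datacenter-gensecond"),
    ("Canonical", "0001-com-ubuntu-server-focal", "20_04-lts-gen2"),
    ("Canonical", "0001-com-ubuntu-server-jammy", "22_04-lts-gen2"),
}
MAX_UPDATE_DOMAINS = 10  # hardware limit for confidential computing Availability Sets


def size_family(size):
    """Map a size name to its family: DCsv2 (the page counts DC8_v2 here), DCsv3 or DCdsv3."""
    m = re.match(r"^Standard_DC\d+(d?s)?_v([23])$", size)
    if not m:
        return None
    suffix, ver = m.group(1) or "", m.group(2)
    if ver == "2":
        return "DCsv2"
    return "DCdsv3" if suffix == "ds" else "DCsv3"


def resize_allowed(current, target):
    """Intel SGX VMs can only be resized within the same size family."""
    fam = size_family(current)
    return fam is not None and fam == size_family(target)


def check_template(template):
    """Return a list of human-readable problems found in the template's resources."""
    problems = []
    for res in template.get("resources", []):
        name, props = res.get("name", "?"), res.get("properties", {})
        if res.get("type") == "Microsoft.Compute/availabilitySets":
            ud = props.get("platformUpdateDomainCount", 0)
            if ud > MAX_UPDATE_DOMAINS:
                problems.append(f"{name}: {ud} update domains exceeds the maximum of {MAX_UPDATE_DOMAINS}")
            continue
        if res.get("type") != "Microsoft.Compute/virtualMachines":
            continue
        size = props.get("hardwareProfile", {}).get("vmSize", "")
        if size not in SGX_VM_SIZES:
            problems.append(f"{name}: vmSize {size!r} is not an Intel SGX size")
        storage = props.get("storageProfile", {})
        img = storage.get("imageReference", {})
        triple = (img.get("publisher"), img.get("offer"), img.get("sku"))
        if triple not in GEN2_IMAGES:
            problems.append(f"{name}: imageReference {triple} is not a supported Gen2 image")
        for disk in storage.get("dataDisks", []):
            if disk.get("managedDisk", {}).get("storageAccountType") == "UltraSSD_LRS" \
                    and size_family(size) not in ("DCsv3", "DCdsv3"):
                problems.append(f"{name}: Ultra Disk on lun {disk.get('lun')} needs a DCsv3/DCdsv3 size")
    return problems


# Constructed sample: one compliant VM, one VM with a Gen1 image and an Ultra Disk
# on a v2 size, and one Availability Set with too many update domains.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.Compute/availabilitySets", "name": "sgx-avset",
         "properties": {"platformUpdateDomainCount": 10, "platformFaultDomainCount": 2}},
        {"type": "Microsoft.Compute/availabilitySets", "name": "too-many-uds",
         "properties": {"platformUpdateDomainCount": 20, "platformFaultDomainCount": 2}},
        {"type": "Microsoft.Compute/virtualMachines", "name": "sgx-vm-ok",
         "properties": {"hardwareProfile": {"vmSize": "Standard_DC4s_v3"},
                        "storageProfile": {
                            "imageReference": {"publisher": "Canonical", "offer": "0001-com-ubuntu-server-jammy",
                                               "sku": "22_04-lts-gen2", "version": "latest"},
                            "dataDisks": [{"lun": 0, "managedDisk": {"storageAccountType": "UltraSSD_LRS"}}]}}},
        {"type": "Microsoft.Compute/virtualMachines", "name": "sgx-vm-bad",
         "properties": {"hardwareProfile": {"vmSize": "Standard_DC2s_v2"},
                        "storageProfile": {
                            "imageReference": {"publisher": "Canonical", "offer": "0001-com-ubuntu-server-focal",
                                               "sku": "20_04-lts", "version": "latest"},
                            "dataDisks": [{"lun": 0, "managedDisk": {"storageAccountType": "UltraSSD_LRS"}}]}}},
    ]
}

if __name__ == "__main__":
    for p in check_template(SAMPLE_TEMPLATE):
        print("PROBLEM:", p)
```

Running it on a real template is a matter of `json.load`ing the file and passing the result to `check_template`; the same `size_family` helper answers the resizing question from earlier on the page, since a resize is only valid when both sizes map to the same family.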

Next step