Protecting sensitive data isn’t just about encryption anymore. The real question is, “How do you keep it secure while it’s being processed?” That’s where Azure Confidential Computing (ACC) steps in. We’re excited to announce that ACC Confidential Virtual Machines (CVMs) are now generally available for Azure Database for PostgreSQL. By running your flexible server deployments on CVMs, you gain hardware-based protection for data in use: even while it is being processed, your data remains protected from unauthorized access.
Benefits of CVMs for Azure Database for PostgreSQL
With ACC’s CVMs, your flexible server runs inside a Trusted Execution Environment (TEE). This is a hardware-backed enclave that encrypts memory and isolates it from the host OS, hypervisor, and even Azure operators. This means your data is protected at rest, in transit, and in use.
Security features of CVMs
- End-to-End Encryption and Isolation
CVMs enforce memory encryption using AMD SEV-SNP or Intel TDX chipsets. The OS disk is encrypted before first boot and backed by a virtual TPM. All connections are protected with Transport Layer Security (TLS) 1.2 or later, and data remains isolated from the host and hypervisor.
- Customer Managed Keys (CMK) or Hardware Security Modules (HSM)
This enables double encryption and gives customers full control over their security posture, including key rotation, revocation, and granular access policies tailored to the organization’s needs.
- Identity and Access Governance
Integrate with Microsoft Entra ID for managed identities and role-based access control (RBAC). Apply Row-Level Security (RLS) to restrict access to specific data rows based on user roles.
- Network and Platform Hardening
Deploy using Private Endpoints and VNet integration to isolate traffic and reduce exposure. Reinforce Zero Trust principles with tools such as Azure Policy, Defender for Cloud, and Customer Lockbox to enable just-in-time access and strict governance.
- Visibility and Compliance
Track activity and performance using Azure Monitor, Log Analytics, and Power BI. CVMs support compliance with major standards including GDPR, HIPAA, FedRAMP High, and more, helping customers meet regulatory and sovereignty requirements with confidence.
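To make the TLS and Row-Level Security items above concrete, here is an added example that is not code from this announcement or from the Azure Database for PostgreSQL team. It shows what a database administrator could run on a flexible server: first a check that the current session is on TLS 1.2 or later, then a per-tenant isolation policy built with RLS. The table, role and tenant names are assumptions made for illustration, and require_secure_transport is assumed to be exposed as a server parameter, as it is on flexible server.

```sql
-- Added example, not code from the original announcement. It assumes an Azure Database for
-- PostgreSQL flexible server where the connecting role may create roles and tables; the
-- table, role and tenant names below are made up for illustration.

-- 1. Confirm that this session really is on TLS and that the server refuses anything
--    below TLS 1.2. require_secure_transport is a flexible-server parameter (default on);
--    ssl_min_protocol_version is a standard PostgreSQL parameter.
SELECT ssl, version, cipher
FROM   pg_stat_ssl
WHERE  pid = pg_backend_pid();      -- expect ssl = t and version TLSv1.2 or TLSv1.3
SHOW require_secure_transport;      -- expect on
SHOW ssl_min_protocol_version;      -- expect TLSv1.2 or higher

-- 2. Tenant isolation with Row-Level Security. Rows carry a tenant_id, a membership table
--    maps database roles to tenants, and a policy filters every read and write through it.
CREATE TABLE tenant_membership (
    role_name  name NOT NULL,
    tenant_id  text NOT NULL,
    PRIMARY KEY (role_name, tenant_id)
);

CREATE TABLE patient_record (
    id         bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant_id  text  NOT NULL,
    payload    jsonb NOT NULL
);

-- Application roles (placeholder passwords). They do not own the table, so RLS applies
-- to them; FORCE below makes it apply to the owner as well.
CREATE ROLE tenant_a_app LOGIN PASSWORD 'replace-me-a';
CREATE ROLE tenant_b_app LOGIN PASSWORD 'replace-me-b';
GRANT SELECT ON tenant_membership TO tenant_a_app, tenant_b_app;
GRANT SELECT, INSERT, UPDATE, DELETE ON patient_record TO tenant_a_app, tenant_b_app;

INSERT INTO tenant_membership (role_name, tenant_id) VALUES
    ('tenant_a_app', 'tenant-a'),
    ('tenant_b_app', 'tenant-b');

ALTER TABLE patient_record ENABLE ROW LEVEL SECURITY;
ALTER TABLE patient_record FORCE  ROW LEVEL SECURITY;

-- The policy keys on current_user, which a client cannot change without another role's
-- credentials, rather than on a client-settable session variable.
CREATE POLICY tenant_isolation ON patient_record
    USING      (tenant_id IN (SELECT tenant_id FROM tenant_membership WHERE role_name = current_user))
    WITH CHECK (tenant_id IN (SELECT tenant_id FROM tenant_membership WHERE role_name = current_user));

-- 3. Exercise the policy as tenant A. SET ROLE requires that your admin role has been
--    granted membership in tenant_a_app (GRANT tenant_a_app TO <admin role>); otherwise
--    run this part from a session logged in as tenant_a_app.
SET ROLE tenant_a_app;
INSERT INTO patient_record (tenant_id, payload) VALUES ('tenant-a', '{"mrn": "demo-001"}');
INSERT INTO patient_record (tenant_id, payload) VALUES ('tenant-b', '{"mrn": "demo-002"}');
    -- rejected: new row violates row-level security policy for table "patient_record"
SELECT id, tenant_id FROM patient_record;   -- only tenant-a rows are visible
RESET ROLE;
```

RLS complements the hardware isolation rather than replacing it: the CVM protects memory from the platform, while the policy protects rows from other database users. Review the policies in place with SELECT * FROM pg_policies, and keep in mind that superusers and roles with the BYPASSRLS attribute are never filtered by them.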
Workloads that Demand Confidentiality
CVMs are designed for customers that demand confidentiality, assurance, and compliance:
- Sovereign customers: Governments and entities with data residency mandates.
- Regulated industries: Finance, healthcare, and public sector workloads that require strict compliance.
- SaaS & multi‑tenant services: Stronger tenant isolation and confidentiality guarantees.
- Zero trust architectures: Reduce insider and platform risk with hardware-enforced boundaries.
- Any privacy-sensitive workload: IP, PII/PHI, or analytics that need maximum assurance.
Getting Started
- Create a new Azure Database for PostgreSQL flexible server in the Azure portal.
- Under Compute + Storage, select Configure server.
- On the Compute and Storage tab, select your Compute Tier (General Purpose or Memory Optimized) and Compute Processor.
- Under Compute size, select a CVM SKU (DC or EC family) and the size that fits your needs.
- Set up your standard security controls: Private Endpoint, VNet, Entra ID, RBAC, and Defender for Cloud.
- Deploy and connect your app.
FAQ
Do I need to change my app or drivers?
No. Azure Confidential Computing (ACC) operates at the VM layer. Your PostgreSQL experience remains the same.
Is there an extra cost?
You pay for the compute/storage SKUs you choose. There’s no separate feature surcharge to “turn on” ACC. CVM prices may differ from non‑confidential SKUs; use the pricing calculator to estimate your monthly cost.
Are all my favorite Flexible Server features available?
At GA, the feature set is broadly the same. Current limitations include:
- Point-in-time restore (PITR) between confidential and non-confidential servers is not supported.
- Azure Backup integration for long-term retention (LTR) is not available.
- Only V5 CVM SKUs are currently supported.
In which Azure regions can I use ACC for Azure Database for PostgreSQL?
CVM SKUs are available in UAE North and West Europe. More regions will be added based on demand.