Azure Infrastructure Blog

Azure Migrate: Migration to Confidential Virtual Machines (CVMs)

AbhishekShaw
Microsoft
May 21, 2025

Azure Migrate now supports, in Private Preview, the migration of both Generation 1 and Generation 2 virtual machines (VMs) from on-premises or other cloud platforms to Azure Confidential Virtual Machines (CVMs).

Customers can seamlessly migrate their VMs to Confidential Virtual Machines (CVMs) using the Simplified Agent-Based Migration method or the VMware Agentless Migration flow.

What is Confidential Computing?

Confidential Computing enhances data security by protecting data in use through hardware-based, attested Trusted Execution Environments (TEEs). These secure and isolated environments prevent unauthorized access or modification of applications and data while they are being processed.

Key Benefits of Confidential Computing:

  • Enhanced Data Security: Confidential computing protects data in use by performing computations in a hardware-based, attested Trusted Execution Environment (TEE). This secure and isolated environment prevents unauthorized access or modification of applications and data while they are in use.
  • Reducing the Attack Surface: Azure already encrypts data at rest and in transit. Confidential computing adds an extra layer of protection by safeguarding data in use, including cryptographic keys.
  • Improved Privacy: When Azure confidential computing is enabled, it prevents unauthorized access to data in use, even from the cloud operator. This ensures that sensitive information remains private and secure.
  • Compliance with Regulations: Confidential computing helps organizations manage sensitive and regulated data more securely, which can aid in compliance with various data protection regulations.

Azure Migrate Support for Confidential Virtual Machines (CVMs)

Azure Migrate supports migration to CVMs for specific operating systems and scenarios. Here's what you need to know:

         Supported Operating Systems

    • Windows Server: 2019, 2022
    • Ubuntu: 20.04 LTS, 22.04 LTS

         Supported Virtual Machine Generations

    • Generation 1: Utilizes Master Boot Record (MBR) disks with standard BIOS partition tables.
    • Generation 2: Operates with GUID Partition Table (GPT) disks and Unified Extensible Firmware Interface (UEFI).

Pre-Requisites for Migration

Before migrating Source VMs to CVMs, ensure the following:

      For Windows VMs:

    • Update the source VM with the latest Windows patches.
    • Uninstall any paravirtual drivers installed on the source VM.

      For Ubuntu VMs:

    • Uninstall any paravirtual drivers installed on the source VM.

Disk Requirements for Generation 1 (Windows):

    • The disk uses the MBR partitioning scheme.
    • There is sufficient unoccupied space for GPT conversion:
        • 16 KB + 2 sectors at the start of the disk.
        • 16 KB + 1 sector at the end of the disk.
    • A maximum of three primary partitions in the MBR partition table.
    • No extended or logical partitions exist on the disk.
    • The system partition is active with a valid BCD store containing an OS entry.

     Run the following command to validate disk readiness for migration:

     C:\Windows\System32>MBR2GPT.exe /validate /allowFullOS
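
To pre-screen many source disks before running the command above, the Generation 1 requirements that are visible in the MBR itself can be checked from the first sector of a raw disk image. This is an added example, not code from the original post and not the logic of MBR2GPT or Azure Migrate; the names `check_mbr` and `build_mbr` are hypothetical, 512-byte sectors are assumed, and the free-space rule is interpreted as "first partition starts at sector 34 or later, and at least 33 sectors remain after the last partition". The BCD store is not inspected, so `MBR2GPT.exe /validate` remains the authoritative check.

```python
import struct

SECTOR = 512                            # assumption: 512-byte logical sectors
EXTENDED_TYPES = {0x05, 0x0F, 0x85}     # extended-partition container types
HEAD_SECTORS = 16 * 1024 // SECTOR + 2  # 16 KB + 2 sectors at the start
TAIL_SECTORS = 16 * 1024 // SECTOR + 1  # 16 KB + 1 sector at the end

def check_mbr(mbr, disk_sectors):
    """Return the list of requirements the disk fails (empty = none found)."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        return ["no valid MBR boot signature"]
    parts = []
    for i in range(4):                  # four 16-byte entries at offset 446
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0x00:               # type 0 marks an unused slot
            parts.append((status, ptype, start, count))
    if not parts:
        return ["partition table is empty"]
    problems = []
    if any(p[1] == 0xEE for p in parts):
        problems.append("protective MBR found: disk is already GPT, not MBR")
    if len(parts) > 3:
        problems.append("more than three primary partitions")
    if any(p[1] in EXTENDED_TYPES for p in parts):
        problems.append("extended/logical partitions present")
    if sum(1 for p in parts if p[0] == 0x80) != 1:
        problems.append("expected exactly one active partition")
    if min(p[2] for p in parts) < HEAD_SECTORS:
        problems.append("not enough free space at start of disk")
    if disk_sectors - max(p[2] + p[3] for p in parts) < TAIL_SECTORS:
        problems.append("not enough free space at end of disk")
    return problems

def build_mbr(entries):
    """Constructed sample input: MBR from (status, type, start_lba, sectors) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    return bytes(446) + table.ljust(64, b"\x00") + b"\x55\xaa"

if __name__ == "__main__":
    disk = 2_097_152                    # constructed 1 GiB disk, in sectors
    good = build_mbr([(0x80, 0x07, 2048, 1_024_000), (0x00, 0x07, 1_026_048, 1_000_000)])
    bad = build_mbr([(0x00, 0x07, 32, 2000), (0x00, 0x05, 4096, 2_093_056)])
    print("good:", check_mbr(good, disk))
    print("bad: ", check_mbr(bad, disk))
```

For a real disk, pass the first 512 bytes of the raw image and the image size divided by 512 instead of the constructed samples.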

Agent Based Migration Scenario

For discovery and assessment, follow these articles:

Use the simplified agent-based appliance to migrate to CVMs. The mobility agent must be installed before starting replication with the simplified agent-based migration appliance. Follow this documentation.

Select Confidential Virtual Machine in the Virtual Machine tab during migration. Machines that are eligible for migration to CVM will be available, and the rest will be greyed out.

 

Conclusion

Azure Migrate's support for Confidential Virtual Machines (CVMs) represents a significant step forward in secure and efficient VM migration. Whether you’re dealing with sensitive workloads or adhering to stringent regulatory requirements, Azure's confidential computing capabilities ensure a robust solution for protecting your data during migration.

Updated May 21, 2025
Version 1.0