Azure Infrastructure Blog

Migrating On-prem Windows & Linux VMs to Azure Confidential Virtual Machines via Azure Migrate

SamhithaGurumurthy
Mar 10, 2026

1. Executive Summary

Enterprise cloud adoption increasingly prioritizes trust boundaries that extend beyond traditional infrastructure isolation. While encryption at rest and in transit are foundational, modern organizations must also ensure that data in use (data actively processed in CPU or system memory) remains protected.
Azure Confidential Computing (ACC) mitigates emerging threats by enabling hardware-backed Trusted Execution Environments (TEEs). These environments isolate VM memory, CPU state, and I/O paths from Azure’s hypervisor, host operating system, and even privileged Azure administrators.
Azure Confidential Virtual Machines (CVMs) bring ACC to general-purpose workloads without requiring application modification, providing:

  • Memory encryption (per-VM keys)
  • Isolation from the hypervisor and cloud fabric
  • Secure VM boot with platform attestation
  • Cryptographically enforced key release from Azure Managed HSM
  • Lift-and-shift compatibility using Azure Migrate

This whitepaper offers a complete lifecycle framework for secure migration, including governance models, deep technical implementation guidance, and operational readiness.

2. Business Drivers & Compliance Alignment

2.1 Risk & Threat Landscape

| Threat Category | Scenario | Traditional VM Protection | CVM Protection |
| --- | --- | --- | --- |
| Hypervisor compromise | Host OS breach | | ✔ Isolated TEE |
| Privileged insider | Cloud admin access to guest memory | | ✔ SEV-SNP/TDX isolation |
| DMA attacks | PCIe-level memory scraping | | ✔ Memory encrypted in hardware |
| Supply-chain compromise | Pre-boot firmware tampering | ⚠️ | ✔ Attestation-gated boot |
| Side-channel attacks | Spectre-like memory leakage | ⚠️ | ✔ Strong hardware isolation |

2.2 Business Outcomes

  • Strongest possible protection for mission-critical workloads
  • Accelerates regulated workload migration
  • Supports Zero Trust goals: assume breach, verify explicitly
  • Reduces privileged-access risk and insider threat profiles

3. Solution Architecture Overview

3.1 End-to-End Architecture Diagram

The diagram represents an End-to-End Architecture for migrating workloads from an on-premises environment to Azure using Azure Migrate, with a strong focus on security and confidentiality. Here’s a detailed explanation of each section:

On-Premises Environment:
  • Components:
    • Windows Servers
    • Linux Servers
  • These are your existing workloads that need to be migrated.
  • Azure Migrate Appliance:
    • Acts as a bridge between on-premises servers and Azure.
    • Uses a private connection for secure data transfer.
Azure Landing Zone:

This is the target environment in Azure where migrated workloads will reside. It includes:

Private Endpoints

  • Azure Migrate – For migration orchestration.
  • Cache Storage Account (Blob) – Temporary storage for replication data.
  • Managed HSM (Hardware Security Module) – For cryptographic key management.

Private DNS Zones

  • privatelink.blob.core.windows.net
  • privatelink.managedhsm.azure.net

These ensure name resolution for private endpoints without exposing them publicly.

Migration Workflow:
  • Azure Migrate Project:
    • Discover on-premises servers.
    • Replicate workloads to Azure.
  • Cached Replication Data → Private Blob Storage:
    • Replication data is stored securely in a private blob before cutover.
  • Test Migration:
    • Performed in an isolated VNet to validate functionality before production cutover.
Production Cutover:
  • Migrated workloads run as Confidential VMs in Azure.
  • Security Enhancements:
    • SEV-SNP or TDX TEE: Hardware-based Trusted Execution Environments for isolation.
    • Confidential OS + Data Disk via DES HSM Key: Ensures encryption and integrity.
    • Attestation-Gated Boot via Managed HSM: Verifies VM integrity before booting.

4. Azure Components

| Category | Component | Purpose |
| --- | --- | --- |
| Migration | Azure Migrate Appliance | Discovery, replication, orchestration |
| Compute | Confidential VM (SEV-SNP/TDX) | Secure execution environment |
| Security | Managed HSM | CMK storage & attestation-gated key release |
| Storage | Cache Storage Account | Replication staging via private endpoint |
| Encryption | Disk Encryption Sets | CMK-bound OS/data disk encryption |
| Networking | Private Endpoints & Private DNS | Fully private transport |
| Identity | Confidential VM Orchestrator | Validates attestation to enable boot |

5. Confidential VM Requirements

5.1 Hardware Requirements

AMD SEV-SNP (DCasv6, ECasv6)

  • Memory encryption with per-VM keys
  • Nested page table protection
  • RMP validation preventing host tampering
  • Guest attestation report with measurement register integrity

Intel TDX (DCesv6, ECesv6)

  • Encryption + integrity-protected guest memory
  • Hardware-isolated module to validate TEE launch
  • Boot measurement and module verification

5.2 VM Configuration Requirements

  • Generation 2 (Gen2) virtual machine
  • UEFI + Secure Boot
  • vTPM enabled
  • Confidential VM security type enabled via Azure Migrate or ARM templates

5.3 Disk Requirements

  • OS disk uses confidential disk encryption
  • Data disks encrypted via a Disk Encryption Set (DES)
  • DES bound to RSA-HSM keys
  • Managed HSM with purge protection
  • Key release policy requiring attestation
  • Premium disks for all Confidential VMs: required for performance and for compatibility with confidential disk encryption

6. End-to-End Migration Framework

A nine-phase sequential model aligned with the Cloud Adoption Framework (CAF), Azure architecture best practices, and enterprise migration standards.

Phase 1: Azure Migrate - Connectivity, Private Endpoints & DNS

Azure Migrate Requirements & Setup

Prerequisites:

  • Azure subscription with contributor/owner access
  • Resource Group for the Azure Migrate project and resources
  • Replication appliance prerequisites
    • Deploy Windows Server 2022 as the replication appliance.

      | Component | Requirement |
      | --- | --- |
      | CPU cores | 16 |
      | RAM | 32 GB |
      | Number of disks | 2, including the OS disk (80 GB) and a data disk (620 GB) |

Setup Steps:

  1. Deploy Azure Migrate appliance on-premises
  2. Register appliance with Azure Migrate project
  3. Discover on-premises VMs (Windows/Linux)
    • Click Discover → Choose a discovery method:
      • Agent-based: Install the Azure Migrate agent on the source VMs.
      • Agentless (vSphere/Hyper-V): Use credentials to discover VMs.
    • Ensure all VMs to be migrated are discovered.
    • Click Assess → Configure assessment:
      • Target VM size: Choose Confidential VM-compatible sizes for CVMs.
      • Target Azure region.
      • Disk recommendations: Premium SSD or Premium SSD v2 for CVMs.
  4. Validate connectivity to private endpoints, including:
    • Cache storage accounts
    • Managed HSM
  5. Cache Storage Account:
    • Cache storage accounts can use ZRS for redundancy.
    • If ASR replication is required, use a separate LRS cache storage account.
    • All storage must be private endpoint-enabled and encrypted with CMKs from Azure Managed HSM.
  6. Verify that the VMs appear in the Azure Migrate project and are ready for replication

Required Private Endpoints:

| Service | Endpoint Requirement |
| --- | --- |
| Azure Migrate | Yes |
| Cache Storage Account | Yes (Blob PE only) |
| Managed HSM | Yes |

Private DNS Zones:

  • privatelink.blob.core.windows.net
  • privatelink.managedhsm.azure.net
  • privatelink.azurewebsites.net

Connectivity Requirements:

  • ExpressRoute or Site-to-Site VPN
  • No public endpoints allowed
  • Azure Migrate Appliance must resolve all private FQDNs
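A small resolution check for the DNS requirement above, added here as an example and not part of the original post. It classifies an IPv4 address as RFC 1918 private and, on a host where `getent` is available (an assumption), resolves each private-link name from the appliance's network and fails if any of them is missing or resolves to a public address, which is the usual symptom of a Private DNS Zone that is not linked to the VNet. The FQDN suffixes are the page's own zones; the storage-account and HSM names are placeholders.

```shell
#!/bin/sh
# Added example: verify that private-link names resolve to private addresses
# from the Azure Migrate appliance's network. Not part of the original post.

# RFC 1918 check for a dotted-quad IPv4 address. Returns 0 if private.
is_private_ipv4() {
    # shellcheck disable=SC2046
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac   # non-numeric octet
        [ "$octet" -le 255 ] || return 1
    done
    if [ "$1" -eq 10 ]; then return 0; fi                                  # 10.0.0.0/8
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi  # 172.16.0.0/12
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi             # 192.168.0.0/16
    return 1
}

# Resolve an FQDN to its first IPv4 address via the system resolver.
# Assumes getent (glibc) is present, as on most Linux appliances.
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Return 1 if any FQDN given as an argument does not resolve or resolves to
# a public address: either way traffic would leave the private path that
# the migration design requires.
check_privatelink_resolution() {
    rc=0
    for fqdn in "$@"; do
        ip=$(resolve_ipv4 "$fqdn")
        if [ -z "$ip" ]; then
            printf '%s: no A record (Private DNS Zone not linked?)\n' "$fqdn" >&2; rc=1
        elif is_private_ipv4 "$ip"; then
            printf '%s -> %s (private)\n' "$fqdn" "$ip"
        else
            printf '%s -> %s is PUBLIC: private endpoint not in use\n' "$fqdn" "$ip" >&2; rc=1
        fi
    done
    return "$rc"
}

# Usage: sh check_privatelink.sh check <storage-account-name> <managed-hsm-name>
# The default names below are placeholders; pass the real resource names.
if [ "${1:-}" = "check" ]; then
    check_privatelink_resolution \
        "${2:-mycachestorage}.blob.core.windows.net" \
        "${3:-myhsm}.managedhsm.azure.net"
fi
```

Run it from the appliance itself rather than from an admin workstation: the point is to prove what the appliance's resolver returns, since that is the path replication traffic will take.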

Phase 2: OS Readiness Assessment

Windows Workloads
MBR to GPT Validation:
C:\Windows\System32>MBR2GPT.exe /validate /allowFullOS

Requirements:

  • No dynamic disks
  • VSS and WinRM operational
  • Drivers must support Gen2 migration
  • OS disk ≤128GB

Validation Commands:

  • Get-Volume
  • Get-PhysicalDisk
  • Get-WindowsOptionalFeature -Online -FeatureName SecureBoot

Linux Workloads
Requirements:

  • UUIDs used in /etc/fstab
  • Avoid multi-PV LVM expansion across disks
  • Ensure kernel supports SEV-SNP or TDX
  • Ensure UEFI bootloader integrity

Validation Commands:

  • lsblk
  • blkid
  • cat /etc/fstab
  • dmesg | grep -i sev
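The Linux requirements above can be turned into repeatable checks. The script below is an added example, not the post's own code: each check takes the path it inspects as an argument so it can be run against the live system (`/etc/fstab`, `/sys/firmware/efi`, the running kernel's config) or against a sample file. The kernel options it looks for are the upstream confidential-guest options (CONFIG_AMD_MEM_ENCRYPT for SEV/SEV-SNP, CONFIG_INTEL_TDX_GUEST for TDX); whether your distribution ships them enabled is for you to confirm.

```shell
#!/bin/sh
# Added example (not the post's own code): Linux source-VM readiness checks
# for the requirements listed above. Each check takes its input path as an
# argument so it can be pointed at the live system or at a sample file.

# 1. fstab entries for real block devices must use UUID= (or another stable
#    identifier). Kernel-enumerated names such as /dev/sdb1 can change when
#    the disks are re-attached to the Azure VM, leaving mounts missing or the
#    guest unbootable. Returns 0 if every entry is stable.
check_fstab_uuids() {
    fstab="${1:-/etc/fstab}"
    bad=0
    while read -r dev mnt fstype rest; do
        case "$dev" in
            ''|\#*) continue ;;                                  # blank line or comment
        esac
        case "$fstype" in
            tmpfs|proc|sysfs|devpts|devtmpfs|cgroup*|debugfs|efivarfs|nfs*|cifs|overlay)
                continue ;;                                      # pseudo/network filesystems
        esac
        case "$dev" in
            /dev/sd*|/dev/hd*|/dev/vd*|/dev/xvd*|/dev/nvme*)
                printf 'fstab: %s (%s) uses an unstable device name\n' "$dev" "$mnt" >&2
                bad=1 ;;
            UUID=*|PARTUUID=*|LABEL=*|/dev/mapper/*|/dev/*/*) ;;  # stable identifiers
            *)  printf 'fstab: %s (%s) is not a UUID reference\n' "$dev" "$mnt" >&2
                bad=1 ;;
        esac
    done < "$fstab"
    return "$bad"
}

# 2. The guest must already boot via UEFI (Azure CVMs are Gen2 only). On a
#    live system /sys/firmware/efi exists only when firmware booted in UEFI mode.
check_uefi_boot() {
    [ -d "${1:-/sys/firmware/efi}" ]
}

# 3. The kernel must be built with confidential-guest support. Either option
#    is acceptable; the target SKU (DCasv6/ECasv6 vs DCesv6/ECesv6) decides
#    which one is actually exercised after migration.
check_kernel_cc_support() {
    cfg="${1:-/boot/config-$(uname -r)}"
    if [ ! -r "$cfg" ]; then
        printf 'kernel config %s not readable\n' "$cfg" >&2
        return 1
    fi
    if grep -q '^CONFIG_AMD_MEM_ENCRYPT=y' "$cfg"; then
        echo "kernel: AMD SEV guest support present"
        return 0
    fi
    if grep -q '^CONFIG_INTEL_TDX_GUEST=y' "$cfg"; then
        echo "kernel: Intel TDX guest support present"
        return 0
    fi
    echo "kernel: no SEV-SNP/TDX guest support; update the kernel before migrating" >&2
    return 1
}

# Run all checks against the live system. Usage: sh linux_readiness.sh check
if [ "${1:-}" = "check" ]; then
    rc=0
    check_fstab_uuids || rc=1
    check_uefi_boot || { echo "not booted via UEFI (Gen1/BIOS): convert before migrating" >&2; rc=1; }
    check_kernel_cc_support || rc=1
    exit "$rc"
fi
```

The `dmesg | grep -i sev` check from the list only means something on the target CVM after first boot; on the source VM the kernel-config check is the one that predicts whether the guest will come up inside the TEE.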

Phase 3: Network Security & Firewall Matrix

| Source | Destination | Port(s) | Direction | Purpose |
| --- | --- | --- | --- | --- |
| On-prem Servers | Migrate Appliance | 443, 9443 | Outbound | Discovery & agentless replication |
| Appliance | Windows VMs | 5985 | Outbound | WinRM |
| Appliance | Linux VMs | 22 | Outbound | SSH |
| Appliance | Cache Storage | 443 | Outbound | Replication writes |
| Appliance | Azure Migrate | 443 | Outbound | Control-plane operations |

All connections route via private endpoints.

Phase 4: CMK Encryption & Managed HSM Governance

Managed HSM Creation:

  • Enable purge protection
  • Configure RBAC-only access
  • Disable all public access

Key Creation:

az keyvault key create --exportable true --hsm-name <HSM> --kty RSA-HSM --name cvmKey --policy "./public_SKR_policy.json"

Disk Encryption Set (DES) Creation:

az disk-encryption-set create --name <DES> --resource-group <RG> --key-url <HSM Key URL> --encryption-type ConfidentialVmEncryptedWithCustomerKey --identity-type SystemAssigned

Role Assignment to DES:

  • Managed HSM Crypto Service Encryption User
  • Key Release Policy requiring attestation
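The `./public_SKR_policy.json` file passed to `az keyvault key create` above is what makes the key attestation-gated, and the post does not show its contents. The script below is an added example, not the post's or Microsoft's code: it writes a secure key release (SKR) policy in the shape Azure documents for Confidential VMs, sanity-checks it before the key is created, and wraps this phase's commands in one function. The attestation authority passed in is an assumption (a shared Azure Attestation provider URL for your region); the HSM, key, DES and resource-group names are parameters. Only the policy functions run offline; the provisioning wrapper needs an authenticated Azure CLI session.

```shell
#!/bin/sh
# Added example (not the post's own code): generate and check the secure key
# release policy referenced as ./public_SKR_policy.json, then wrap the key
# and DES creation commands from this phase.

# Write a release policy under which the HSM releases the key only to a
# caller presenting an Azure Attestation token from AUTHORITY whose
# x-ms-compliance-status claim equals "azure-compliant-cvm", i.e. an
# attested Confidential VM. A hypervisor or operator cannot produce that token.
write_skr_policy() {
    out="$1"
    authority="$2"   # assumption: e.g. https://sharedweu.weu.attest.azure.net
    cat > "$out" <<EOF
{
  "version": "1.0.0",
  "anyOf": [
    {
      "authority": "$authority",
      "allOf": [
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ]
    }
  ]
}
EOF
}

# Sanity checks before the policy is attached to an exportable key. An empty
# or permissive policy would make the key releasable to any principal holding
# the Release role, which is exactly the gating the migration relies on.
check_skr_policy() {
    policy="$1"
    [ -r "$policy" ] || { echo "policy: file not readable" >&2; return 1; }
    grep -q '"authority": *"https://' "$policy" \
        || { echo "policy: attestation authority must be an https URL" >&2; return 1; }
    grep -q '"claim": *"x-ms-compliance-status"' "$policy" \
        || { echo "policy: missing x-ms-compliance-status claim" >&2; return 1; }
    grep -q '"equals": *"azure-compliant-cvm"' "$policy" \
        || { echo "policy: claim must require azure-compliant-cvm" >&2; return 1; }
    return 0
}

# Create the exportable RSA-HSM key under the policy, a DES bound to it with
# the confidential-VM encryption type, and grant the DES identity the
# Encryption User role on that key (the role listed above).
# Usage: provision_cvm_key <hsm-name> <key-name> <policy-file> <des-name> <resource-group>
provision_cvm_key() {
    hsm="$1"; key="$2"; policy="$3"; des="$4"; rg="$5"
    check_skr_policy "$policy" || return 1
    az keyvault key create --exportable true --hsm-name "$hsm" --kty RSA-HSM \
        --name "$key" --policy "$policy" || return 1
    key_url=$(az keyvault key show --hsm-name "$hsm" --name "$key" \
        --query key.kid -o tsv) || return 1
    az disk-encryption-set create --name "$des" --resource-group "$rg" \
        --key-url "$key_url" --encryption-type ConfidentialVmEncryptedWithCustomerKey \
        --identity-type SystemAssigned || return 1
    des_principal=$(az disk-encryption-set show --name "$des" --resource-group "$rg" \
        --query identity.principalId -o tsv) || return 1
    az keyvault role assignment create --hsm-name "$hsm" --assignee "$des_principal" \
        --role "Managed HSM Crypto Service Encryption User" --scope "/keys/$key"
}
```

Keep the generated policy file under version control alongside the DES definitions: when the key is rotated, the replacement key must be created with the same policy, otherwise the new key is released without attestation.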

Phase 5: Confidential VM Orchestrator (CVO)

The Confidential VM Orchestrator is a built-in Azure service principal used by Azure Compute to securely manage disk encryption keys for Confidential VMs (CVMs). During boot, it validates the VM’s attestation evidence (SEV-SNP or TDX) and requests the Managed HSM to release the disk encryption key only to a verified CVM. It requires only Managed HSM Crypto Service Encryption User permissions. This ensures that customer-managed keys (CMKs) are released exclusively to attested CVMs and never to the hypervisor or platform operators.

Responsibilities:

  • Validate the Trusted Execution Environment (TEE) measurement.
  • Approve or deny key release based on attestation.
  • Enforce cryptographic linkage between the VM and HSM key, ensuring keys are only accessible to legitimate CVMs.

Identity Setup:

New-MgServicePrincipal -AppId bf7b6499-ff71-4aa2-97a4-f372087be7f0

Role Assignment:

az keyvault role assignment create --hsm-name <HSM> --assignee <CVO ID> --role "Managed HSM Crypto Service Release User" --scope /keys

Phase 6: Replication Enablement (Credential-Less)

Configuration Steps:

  1. Go to the Azure portal → Search for Azure Migrate.
  2. Select your Azure Migrate project
  3. Navigate to Replicate.
  4. Select Credential-less replication.
  5. Choose the target subscription and resource group.
  6. Select Confidential VM-compatible size for the VMs.
  7. Assign Disk Encryption Sets (DES) for each disk.
  8. Validate private endpoint connectivity to ensure replication can access the target subnet securely.
  9. Begin Initial Sync + Delta Replication:
    • All OS/data disks for CVMs must be Premium SSD or Premium SSD v2.

Phase 7: Test Migration (Isolated Validation)

Validation Checklist:

  • VM boots successfully without intervention
  • CVM security type = Confidential
  • CMK encryption applied on all disks
  • Attestation logs verified on first boot
  • Applications tested and functional
  • No unexpected public endpoints
  • NIC, routing, NSGs, UDRs verified

Phase 8: Production Cutover

Cutover Sequence:

  1. Announce downtime
  2. Freeze transactions
  3. Run Planned Failover
  4. Validate immediately:
    • Boot integrity
    • Disk encryption
    • Guest Attestation Extension
    • Security type is Confidential
  5. Switch application traffic
  6. Decommission source systems
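The validation items in the Phase 7 checklist and in step 4 of the cutover above (security type, Secure Boot and vTPM, confidential disk encryption, CMK via DES) can all be read from the VM's resource model. The script below is an added example, not the post's own code: it checks those properties in the JSON that `az vm show -g <RG> -n <VM> -o json` returns. A constructed sample shaped like that output is embedded so the checks run offline; the property names are the real ARM ones, and the subscription, resource-group and DES names in the sample are placeholders.

```shell
#!/bin/sh
# Added example (not the post's own code): post-migration CVM checks over the
# JSON returned by `az vm show -o json`. Runs offline against a constructed
# sample; pass a resource group and VM name to check a real VM.

# Constructed sample shaped like `az vm show` output for a migrated CVM.
SAMPLE_VM_JSON='{
  "name": "app01",
  "securityProfile": {
    "securityType": "ConfidentialVM",
    "uefiSettings": { "secureBootEnabled": true, "vTpmEnabled": true }
  },
  "storageProfile": {
    "osDisk": {
      "managedDisk": {
        "securityProfile": {
          "securityEncryptionType": "DiskWithVMGuestState",
          "diskEncryptionSet": {
            "id": "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/diskEncryptionSets/<DES>"
          }
        }
      }
    }
  }
}'

# Minimal extractor: first scalar value for KEY in JSON. One key per line, as
# az prints it, is enough; jq is avoided so this runs on a bare jump host.
json_value() {
    printf '%s\n' "$1" \
        | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\{0,1\}\([^",}[:space:]]*\)"\{0,1\}.*/\1/p' \
        | head -n 1
}

# Validate that the VM actually landed as a CVM with confidential OS disk
# encryption bound to a DES. The second argument overrides the expected
# securityEncryptionType: VMs migrated under the >128 GB workaround in
# section 7 legitimately show VMGuestStateOnly with a standard CMK DES.
validate_cvm() {
    vm="$1"; want_enc="${2:-DiskWithVMGuestState}"; rc=0
    [ "$(json_value "$vm" securityType)" = "ConfidentialVM" ] \
        || { echo "FAIL securityType is not ConfidentialVM" >&2; rc=1; }
    [ "$(json_value "$vm" secureBootEnabled)" = "true" ] \
        || { echo "FAIL Secure Boot is disabled" >&2; rc=1; }
    [ "$(json_value "$vm" vTpmEnabled)" = "true" ] \
        || { echo "FAIL vTPM is disabled" >&2; rc=1; }
    [ "$(json_value "$vm" securityEncryptionType)" = "$want_enc" ] \
        || { echo "FAIL securityEncryptionType != $want_enc" >&2; rc=1; }
    printf '%s\n' "$vm" | grep -q '/diskEncryptionSets/' \
        || { echo "FAIL OS disk is not bound to a Disk Encryption Set (no CMK)" >&2; rc=1; }
    return "$rc"
}

# Usage: sh validate_cvm.sh <resource-group> <vm-name>   (needs Azure CLI)
if [ $# -eq 2 ]; then
    validate_cvm "$(az vm show -g "$1" -n "$2" -o json)" && echo "CVM checks passed"
fi
```

These are control-plane checks; they confirm what Azure believes the VM is, not what the guest measured. Pair them with the Guest Attestation Extension logs listed in the cutover steps so that both views agree before traffic is switched.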

Phase 9: Post-Migration Hardening & Governance

Azure Policy Enforcement:

  • Allowed VM SKUs → CVM only
  • Enforce CMK-only disk encryption
  • Deny public IP creation
  • Require private endpoints
  • Restrict Managed HSM access

Logging & Monitoring:

  • Managed HSM logs
  • Attestation logs
  • Azure Monitor
  • Defender for Cloud (CVM coverage)
  • Microsoft Sentinel (optional)

Operational Governance:

  • HSM key rotation schedule
  • Quarterly attestation validation
  • DES lifecycle management
  • Zero-trust identity auditing
  • “Break glass” procedure definition

7. Confidential VM Limitations & Workarounds

OS Disk Size Limit:

  • Confidential disk encryption is only supported for OS disks at this stage. No support for Data Disks.
  • Confidential disk encryption with CMK is not supported for disks larger than 128 GB.
    • Workaround:
      • Perform migration using SSE (Server-Side Encryption) with Platform-Managed Keys (PMK).
      • Stop and deallocate the VM post-migration.
      • Update encryption settings of OS disk to use SSE Disk Encryption Set (DES) using CMK for encryption.

Operating System Support:

  • Windows 2019 and later supported
  • RHEL 9.4 and later supported
  • Ubuntu 22.04+ supported (depending on SKU)
  • For full list, check the CVM OS Support Matrix

For additional details on limitations, refer to the CVM Limitations documentation.

8. Conclusion

Azure Confidential Virtual Machines represent a generational shift in cloud security, providing encryption, isolation, and attestation at the hardware boundary. Combined with Azure Migrate, DES/CMK encryption, Managed HSM, private networking, and robust governance, enterprises can securely modernize mission-critical workloads without application rewrites.

Updated Mar 10, 2026
Version 2.0