Messaging on Azure Blog

Protect Your Streaming Data in Use: Confidential Computing for Azure Event Hubs Dedicated

ashish-chhabria
May 01, 2026

For organizations in regulated industries — financial services, healthcare, government, defense — the security conversation around data has always revolved around two states: data at rest and data in transit. Encrypt your storage. Encrypt your network traffic. Check, check.

But there's a third state that's been much harder to address: data in use. What happens to your events while they're being actively processed by the streaming infrastructure? While they're in memory on the broker, being indexed, being replicated? That's the gap that confidential computing closes.

Today, we're announcing confidential computing support for Azure Event Hubs Dedicated clusters, available now in Korea Central and UAE North.

Event Hubs already provides a comprehensive security model: Entra ID authentication, RBAC, TLS 1.2+ in transit, encryption at rest with Microsoft-managed or customer-managed keys, private endpoints, and network isolation.

Confidential computing completes the picture. It uses hardware-based Trusted Execution Environments (TEEs) — an industry standard defined by the Confidential Computing Consortium, of which Microsoft is a founding member — to protect your event data while it's being actively processed. The TEE creates an encrypted boundary at the silicon level, preventing unauthorized access even from privileged software or compromised infrastructure operators.

Your data is now protected across all three states: at rest, in transit, and in use.

Why This Is a Natural Fit for Dedicated

Event Hubs Dedicated already provides single-tenant, hardware-isolated clusters. Your resources aren't shared with any other customer. Confidential computing extends that isolation model to the compute layer itself — the dedicated hardware your events run on now operates inside a Trusted Execution Environment.

And the best part for your engineering teams: confidential computing requires zero changes to your applications. Your producers and consumers continue to use the same Event Hubs SDK or Apache Kafka® APIs. Connection strings, authentication, partition strategies — nothing changes. You create a new Dedicated cluster with confidential computing enabled, provision your namespaces on it, and the protection is transparent from that point forward.

Defense in Depth

Confidential computing is most powerful when combined with other Event Hubs security capabilities. For maximum data protection, pair it with customer-managed keys backed by Azure Key Vault Managed HSM:

Layer            Protection
Data in use      Confidential computing (TEE) — New
Data in transit  TLS 1.2+, always-on
Data at rest     Customer-managed keys in Managed HSM
Identity         Microsoft Entra ID + RBAC + managed identities
Network          Private endpoints, VNet rules, IP firewall
Infrastructure   Single-tenant dedicated clusters
Governance       Azure Policy enforcement

With this combination, your encryption keys are stored in FIPS 140-2 Level 3 validated hardware security modules, your data is encrypted with keys only you control, and your compute is isolated at the hardware level. No single party — including the cloud provider — can access unencrypted data.

You can also use Azure Policy to enforce that all Dedicated clusters in your organization have confidential computing enabled, ensuring consistent security posture across your environment.
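As an added illustration (not one of the policy definitions from the Event Hubs documentation), this is the shape of a custom Azure Policy that denies creation of a Microsoft.EventHub/clusters resource unless confidential computing is enabled. The property alias that carries the confidential-computing setting is not given on this page, so it appears below as an obvious placeholder that must be replaced with the alias from the documentation; the parameterized effect lets you roll the policy out in Audit before switching to Deny.

```json
{
  "properties": {
    "displayName": "Event Hubs Dedicated clusters must have confidential computing enabled",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Denies Microsoft.EventHub/clusters deployments that do not enable confidential computing at creation time. Existing clusters cannot be changed in place, so Audit surfaces them for migration.",
    "parameters": {
      "effect": {
        "type": "String",
        "defaultValue": "Audit",
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "metadata": {
          "displayName": "Effect",
          "description": "Use Audit first to inventory non-compliant clusters, then switch to Deny."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.EventHub/clusters"
          },
          {
            "field": "Microsoft.EventHub/clusters/<CONFIDENTIAL_COMPUTING_PROPERTY_ALIAS_FROM_DOCS>",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Because the condition uses notEquals, a cluster template that omits the property altogether is also treated as non-compliant, which is the behaviour you want for a setting that can only be chosen at creation time.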

What You Need to Know

  • Tier: Dedicated only.
  • Regions: Korea Central and UAE North.
  • New clusters required: Confidential computing must be enabled at cluster creation time. You cannot enable it on existing clusters. If you're running a Dedicated cluster today and want this capability, you'll need to create a new cluster with confidential computing enabled and provision your namespaces on it.
  • Impact to applications: None. Zero code changes required. Your producers and consumers connect to the new namespace the same way they always have.

Get Started

If you're already running an Event Hubs Dedicated cluster and need confidential computing, the path is straightforward: create a new Dedicated cluster with confidential computing enabled in a supported region, then create your namespaces on that new cluster. Since your applications require zero code changes, this is an infrastructure migration — not an application migration. We recommend validating with a non-production workload first to confirm your applications behave identically.

If you're evaluating Event Hubs Dedicated for a new workload with strict security requirements, confidential computing gives you one more reason to choose the Dedicated tier: hardware-level protection you can point to when your compliance team asks "how is the data protected while it's being processed?"

For step-by-step instructions — including portal walkthrough, Bicep templates, ARM templates, and Azure Policy definitions — see the full documentation:

➡️ Confidential computing for Azure Event Hubs
