Apps on Azure Blog

Azure Red Hat OpenShift Confidential Containers: General Availability Announced

MelanieKraintz007
Nov 20, 2025

At Microsoft Ignite 2025 in San Francisco, Microsoft and Red Hat are unveiling a major milestone in cloud security: the general availability of Confidential Containers on Azure Red Hat OpenShift (ARO).

Confidential Containers on ARO will roll out in the coming weeks following Ignite 2025 across supported Azure regions.

This new capability extends Azure’s Confidential Computing innovations to Red Hat OpenShift environments, enabling customers to protect their most sensitive workloads with data-in-use encryption. Information stays encrypted even while it is being processed, and the workload is verified for integrity through attestation before it is trusted, in keeping with a zero-trust model.

Meeting the Demand for Confidential Cloud Workloads

As organizations scale mission-critical workloads in the cloud, concerns about data privacy, compliance, and regulatory exposure have become central to cloud strategy. Many tightly regulated industries—such as financial services, healthcare, and government—require strong data protection measures that block unauthorized access, including from cloud or cluster administrators.

ARO Confidential Containers address these challenges by combining hardware-based isolation with the full developer experience of OpenShift. Workloads run inside Trusted Execution Environments (TEEs) built on AMD SEV-SNP or Intel TDX, which protects data in use and complements the existing encryption of data at rest and in transit, without sacrificing flexibility and with minimal performance overhead.

Innovation without Compromise

With ARO 4.15 and later, customers can now:

  • Run containerized applications in secure, hardware-isolated environments.
  • Validate and continuously verify workload integrity through built-in attestation, ensuring trusted execution in zero-trust environments.
  • Deploy confidential and non-confidential workloads side by side in the same OpenShift cluster.
  • Simplify security automation using OpenShift’s Sandboxed Containers Operator.
  • Achieve zero-trust confidentiality for cloud, hybrid, or on-premises deployments.

These capabilities make ARO the first fully managed OpenShift service on any public cloud to deliver container-native confidential execution with built-in integration with Confidential VMs.

Protected by Hardware. Verified by Design.

ARO Confidential Containers run each pod in its own Confidential Virtual Machine (CVM) using peer pod technology, isolating the container from the host node and from other workloads in the cluster.

Each CVM is attested before the workload runs, so that only untampered, trusted code executes; this is the cornerstone of workload integrity and zero-trust assurance. A secure network tunnel connects the ARO worker node to the Confidential Pod, so traffic between them is encrypted end to end.

This architectural approach enforces a zero-trust model—data stays private even from infrastructure operators and administrators—while maintaining compatibility with existing container images and CI/CD processes.
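Because confidential and non-confidential pods share the same cluster, the only thing that puts a pod into a Confidential VM is the RuntimeClass it requests; a pod that omits runtimeClassName runs under the default runtime on the worker node with no hardware isolation at all. The following audit script is an added example, not code from the announcement or from the OpenShift sandboxed containers operator. It assumes the peer-pod RuntimeClass is named "kata-remote" (confirm with `oc get runtimeclass` on your cluster), that a node-local Kata RuntimeClass is named "kata", and it works on constructed input shaped like `oc get pods -o json` rather than real cluster output.

```python
"""Audit which pods in a namespace actually run as ARO Confidential Containers.

Assumptions (not taken from the announcement): the RuntimeClass that the
OpenShift sandboxed containers operator creates for peer pods is named
"kata-remote", and a node-local Kata RuntimeClass (a VM on the worker, not a
CVM) is named "kata". Check both with `oc get runtimeclass`.
"""
import json

CONFIDENTIAL_RUNTIME_CLASS = "kata-remote"   # assumption: peer-pod RuntimeClass name
LOCAL_SANDBOX_RUNTIME_CLASS = "kata"         # assumption: node-local Kata, not a CVM


def confidential_pod_manifest(name, namespace, image):
    """Minimal pod spec that requests a Confidential VM via the peer-pod RuntimeClass."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "runtimeClassName": CONFIDENTIAL_RUNTIME_CLASS,
            "containers": [{"name": "app", "image": image}],
        },
    }


def classify_pod(pod):
    """Return 'confidential', 'sandboxed' or 'unconfined' for one pod object."""
    runtime_class = pod.get("spec", {}).get("runtimeClassName")
    if runtime_class == CONFIDENTIAL_RUNTIME_CLASS:
        return "confidential"
    if runtime_class == LOCAL_SANDBOX_RUNTIME_CLASS:
        return "sandboxed"   # isolated by a local VM, but no CVM and no attestation
    return "unconfined"      # default runtime (runc) on the worker node


def audit_namespace(pod_list_json, namespace):
    """Take `oc get pods -o json` output; return (name, verdict) for every pod in
    the namespace that is NOT running in a Confidential VM."""
    pod_list = json.loads(pod_list_json)
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        if meta.get("namespace") != namespace:
            continue
        verdict = classify_pod(pod)
        if verdict != "confidential":
            findings.append((meta.get("name"), verdict))
    return findings


# Constructed sample in the shape of `oc get pods -o json`; not real cluster output.
SAMPLE_POD_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        confidential_pod_manifest("claims-scoring", "payments", "registry.example/scoring:1.2"),
        {"apiVersion": "v1", "kind": "Pod",
         "metadata": {"name": "claims-db-proxy", "namespace": "payments"},
         "spec": {"containers": [{"name": "proxy", "image": "registry.example/proxy:3"}]}},
        {"apiVersion": "v1", "kind": "Pod",
         "metadata": {"name": "batch-etl", "namespace": "payments"},
         "spec": {"runtimeClassName": LOCAL_SANDBOX_RUNTIME_CLASS,
                  "containers": [{"name": "etl", "image": "registry.example/etl:7"}]}},
        {"apiVersion": "v1", "kind": "Pod",
         "metadata": {"name": "frontend", "namespace": "web"},
         "spec": {"containers": [{"name": "nginx", "image": "registry.example/nginx:1"}]}},
    ],
})

if __name__ == "__main__":
    # Pipe real output in with: oc get pods -n payments -o json | python3 audit.py
    for pod_name, verdict in audit_namespace(SAMPLE_POD_LIST, "payments"):
        print(f"{pod_name}: {verdict}")
```

Run against the sample, the audit reports claims-db-proxy as unconfined (no RuntimeClass at all) and batch-etl as sandboxed (local Kata VM, so no attestation and no CVM), while claims-scoring passes. An audit like this is a detective control; to make the guarantee preventive, enforce the same rule at admission time so that pods in sensitive namespaces cannot be created without the confidential RuntimeClass.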

Key Benefits

Category            Value
Security            Hardware-level isolation protects data and code from privileged access on the host.
Compliance          Supports regulatory requirements such as HIPAA and GDPR.
Hybrid Consistency  Uniform security model across Azure, hybrid, and on-premises deployments.
Performance         Optimized Confidential VMs minimize processing overhead.
Simplicity          Enable Confidential Containers from the OpenShift console with minimal configuration effort.
Workload Integrity  Built-in attestation verifies code and data integrity before execution, reinforcing zero-trust confidence.

Designed for High Value Use Cases

  1. Regulatory Compliance — Process and store sensitive data under strict privacy mandates.
  2. Secure DevOps Environments (future vision) — Isolate development, testing, and production environments within protected enclaves.
  3. Confidential Analytics — Safely process proprietary or regulated data where confidentiality is essential.

Global Availability

Confidential Containers are now available in major Azure regions including Central India, East US, Japan East, North Europe, Southeast Asia, Switzerland North, UAE North, West Europe, and West US. Customers can choose between AMD SEV-SNP-based and Intel TDX-based CVMs for general-purpose or memory-optimized workloads. See the product availability page for the most up-to-date information.

Learn More at Microsoft Ignite 2025

A lightning talk about Azure Red Hat OpenShift Confidential Containers will take place at the Red Hat booth during Microsoft Ignite 2025 in San Francisco. Attendees can hear directly from Microsoft and Red Hat experts about how this new capability advances data protection and zero trust computing across hybrid environments.

Get Started

For deployment details, visit Red Hat’s documentation (Deploying on Azure).
Contact your Microsoft or Red Hat representative to discuss how Confidential Containers can help strengthen your organization’s cloud security and compliance posture. These capabilities combine hardware isolation with workload attestation, giving customers a verified foundation for confidential computing at scale.

Resources:

Updated Nov 11, 2025
Version 1.0