Microsoft introduces preview of confidential containers on Azure Container Instances (ACI)
Published May 24 2022 08:00 AM 9,572 Views

Microsoft has announced a limited preview of confidential containers support on Azure Container Instances (ACI). Confidential containers on ACI provides a fully managed serverless offering allowing customers to easily lift-and-shift Linux containers on Azure. Confidential containers on ACI are the first in the market serverless offering that helps running Linux containers in a hardware-based trusted execution environment with AMD SEV-SNP technology. With confidential containers on ACI, customers can easily run existing containerized workloads in a verifiable hardware-based Trusted Execution Environment (TEE).  To get access in the upcoming limited preview, please sign up at


Azure confidential computing (ACC) protects data in use by processing it only within a protected area of the CPU, which helps protect data from cloud operators, malicious admins, and privileged software. This data in use protection adds further defense in depth on top of existing solutions in Azure for protecting data on the network and in storage. Meanwhile, customers are continuously looking for reduced overhead on infrastructure management and ACI is a popular choice for customers wanting to run containers quickly and simply on Azure without deploying and managing Virtual Machines (VMs). Confidential containers on ACI enable customers to achieve hardware-based data in use encryption and verifiable assurance through guest attestation while leveraging the benefits of a fully managed serverless containers platform.


Hardware based Trusted Execution Environment (TEE) and Isolation

Confidential containers on ACI supports applications built on Linux based images and provide hardware-based isolation per container group. Confidential containers on ACI are deployed in a container group with a Hyper-V isolated TEE including a memory encryption key that is generated and managed by an AMD EPYC SEV-SNP capable processor. Customers can deploy a set of containers in a single container group within the same TEE that encrypts the data while in use in memory and helps guard against attacks from other container groups or malicious OS, Hypervisor components. The TEE also provides memory integrity protection guarding against attacks like replay and memory remapping. Hyper-V based isolation deployment mechanisms with a dedicated SEV-SNP enlightened Linux kernel per container group to further protect your deployments


Remote Guest Attestation


AC-Attestationflow.jpg Attestation allows the relying party to verify that the service is running in a TEE before sensitive data for processing. Confidential containers allow services in the container group to fetch the AMD SEV-SNP hardware report and use it as part of the attestation flow. This capability can be extended to your workloads to verify that your apps are running in a TEE before a data decryption key is exchanged or client to server contract is established.


Deployment Experience

During preview ARM templates can be used for your deployments. Confidential containers are deployed by modifying a few lines in the typical ACI deployments. Below is a simple demo on how customers can run a Python application that can read a TEE attestation report and show it as a web page. 




We are excited to bring confidential serverless offerings with full lift & shift container support while continuing to innovate in this fast-emerging confidential computing and cloud native space. Join our preview list by signing up at 


Helpful Links

Version history
Last update:
‎May 25 2022 09:46 AM
Updated by: