Announcing the general availability of Azure Boost
Published Nov 15 2023 08:00 AM
Microsoft

We’re excited today to announce the general availability of Azure Boost, a system designed by Microsoft that offloads server virtualization processes traditionally performed by the hypervisor and host OS onto purpose-built software and hardware, enabling faster storage and networking performance for Azure VM customers.

 

Going forward, every new Azure virtual machine (VM) series will benefit from Azure Boost technologies, making the networking and storage components of your virtual workloads run even faster, whether you have deployed general purpose compute workloads or specialized AI clusters.

 

Azure Boost was engineered by a team of Microsoft hardware and software engineers to enhance the performance, security, and reliability of Microsoft Azure, and is already being used at Microsoft datacenters around the world, delivering benefits to millions of customer VMs in production today.

 

To learn more, watch the product overview video, read the documentation, or experience Azure Boost benefits today by provisioning the Azure Boost-enabled VM sizes listed in the documentation. Continue reading to learn more about the benefits of using Azure Boost.

 

[Image: the Azure Boost Card]

 

Below we take a deeper look at three ways you can benefit from leveraging Azure Boost.

 

  1. Azure Boost networking and maintenance improvements
  2. Azure Boost storage acceleration
  3. Azure Boost security enhancements

 

Azure Boost networking and maintenance improvements

As customers embark on their cloud journey, they seek superior performance, robust security, reliable service with maximum uptime, consistently low jitter, and minimal disruption from platform servicing events. Further demonstrating that Azure is the optimal cloud for running mission-critical workloads, Azure Boost is specifically architected to lessen the impact on customers when Azure maintenance activities occur.

 

Azure Boost maintenance encompasses both the hardware and software on the card, including a secure Linux OS and networking drivers, as well as the top-of-rack switch topology. Each component of the system can be updated without significantly affecting customer throughput, reducing the duration of impact to less than one second for networking updates and less than three seconds for system-level updates in most common cases.

 

Dual top-of-rack topology allows Azure to maintain our switching infrastructure without measurable impact on existing customer workloads.

 

Additionally, Azure Boost introduces Microsoft’s proprietary programmable networking interface: MANA (Microsoft Azure Network Adapter). Using MANA allows Azure VM customers to achieve up to 200Gbps networking throughput on select VM sizes. Just as importantly, MANA helps to ensure forward compatibility for Azure VM customers by shielding them from future impacts when underlying platform changes occur.

 

Azure Boost storage acceleration

One of the primary advantages of Azure Boost is its ability to enhance the throughput of Azure Managed Disks and local storage. This enhancement is enabled by offloading storage processing tasks to Azure Boost’s dedicated programmable hardware. Furthermore, Azure Boost optimizes performance by utilizing industry-standard Non-Volatile Memory Express (NVMe) interfaces, which are designed to capitalize on the low latency and internal parallelism of solid-state storage drives.

 

Accelerating Azure Managed Disks performance

Azure’s continued investments in VM-level storage throughput optimizations led to incremental improvements in the acceleration of Azure Managed Disks, resulting in industry-leading storage performance. During Microsoft Ignite, we successfully demonstrated a throughput of up to 12.5GB/s and 650k IOPS for supported VM sizes.

 

[Figure: Azure’s journey of performance enhancements]

 

Enhancing Azure Local Disks performance and security

The Azure Boost SSD augments the performance of local SSDs by delivering an enhancement of up to 3.8 million IOPS and a throughput of 17.2GB/s.

 

Additional enhancements provided by Azure Boost SSD:

  • Encryption at rest - Azure Boost SSD incorporates hardware-accelerated encryption at rest support. This helps to ensure that each customer’s data is encrypted with a distinct key and will be securely purged when the VM is terminated.
  • SSD live migration - In the event of a live migration of a source VM to a different node, the data residing on the Azure Boost SSDs will be automatically and securely transferred to the target VM without manual intervention.

Note: Azure Boost SSD is offered in select preview VM sizes only.

 

Azure Boost security enhancements

Azure Boost delivers another innovation in the security space—isolating customer VMs from the network, and the network from customer VMs—by leveraging state-of-the-art security techniques.

 

Security architecture components

Designed to enhance Azure workload security, Azure Boost includes the following security components:

  • An independent hardware root of trust - Cerberus fulfils NIST 800-193 certification.
  • Azure Boost system on chip (SoC) - dedicated, Linux-based system conducting management operations for the control plane.
  • Configurable field-programmable gate array (FPGA) - programmable network and storage acceleration capabilities for the data plane.

Azure Boost SoCs pair with each host and work in tandem to create a more secure hosting infrastructure.

 


 

 

Security integrity

Following Azure security principles, the Azure Boost integrity foundation architecture uses:

  • Hardware attestation by external hardware providers, ensuring the trustworthiness of the hardware and software components.
  • SELinux, a flexible form of Mandatory Access Control (MAC), where security policies are configured and enforced centrally, and not overridable by other processes, including those with root privilege.
  • Hardware Root of Trust, a robust, cryptographic provenance validation of the hardware.
  • Attestation (Azure’s Attestation Service) that provides a cryptographic signal to indicate whether Code Integrity is enabled and whether any violations have occurred.
  • Code Integrity, kernel-level protection that requires all binaries to be production signed and supported by file system protection, including integrity write protection.
  • Secure Boot - low-level firmware and software verification.

 

The Azure Boost system implements a secure and trustworthy configuration, supporting Azure Boost integrity from initialization through to runtime. Cerberus functions as the Hardware Root of Trust, providing attestation that the underlying firmware of critical hardware components within Azure Boost aligns with a trusted state. Furthermore, the attestation process, provided by Azure’s Attestation Service, guarantees the activation of Integrity Policy Enforcement and the verification of executable integrity through Code Integrity. The Attestation Service delivers a cryptographic signal to denote the operational status of Code Integrity and to report any potential violations.

 

This comprehensive security approach aids in mitigating the exploitation of software vulnerabilities, thereby constraining potential system damage, data exfiltration, privilege escalation, and persistence.

 

Security beyond runtime

Azure Boost aligns with ecosystem specifications and segregates cryptographic primitives, helping to ensure robust security, reliability, and efficacy in safeguarding customers’ data and sensitive information. It employs isolation techniques to prevent unauthorized access and potential security threats. Furthermore, Azure Boost adheres to Federal Information Processing Standards (FIPS) certification, thereby ensuring that customers’ workloads conform to industry benchmarks for security, interoperability, compliance, credibility, and trustworthiness. This adherence to FIPS standards underscores the commitment to maintaining an elevated level of cryptographic security in protecting sensitive information.

 

What’s next?

Watch our product overview video and read the documentation to learn more, and follow us on the road to the next generation of infrastructure.

Experience Azure Boost benefits today by trying out the Azure Boost-enabled VM sizes listed in the documentation.

 

Last update: Nov 14 2023 11:28 AM