
Azure SQL Blog

Migrate your sensitive data to SQL Server on Azure confidential VMs

Jakub Szymaszek
Oct 12, 2022

Azure confidential VMs provide a strong, hardware-enforced boundary that hardens the protection of the guest OS. Choosing a confidential VM size for your SQL Server on Azure VM provides an extra layer of security, allowing you to confidently store your sensitive data in the cloud and meet strict compliance requirements.

 

Azure confidential VMs leverage AMD SEV-SNP technology, which encrypts the memory of the VM using keys generated and safeguarded by a dedicated secure processor inside the AMD CPU. The hypervisor and other host management code are denied access to the memory of the VM. This provides an extra layer of protection for your data in use - the data that is loaded into the memory of SQL Server for query processing. The cleartext of that data is not accessible to host operators through memory dumps or physical access to the host machine.

 

With Azure confidential VMs, you can also reinforce the protection of your data at rest (in database files) by enabling confidential OS disk encryption and encrypting data disks using BitLocker with keys stored on the OS disk. This makes the protected disk content accessible only to the VM. 

 

Azure confidential VMs are available in both the general purpose and memory optimized VM size series.

 

Getting started with SQL Server on Azure confidential VMs is easy - the setup is similar to when you create a regular SQL VM. Just make sure to set the following in the Basics tab when creating the VM in Azure Portal:

  • Choose a region that supports Azure confidential VMs. Look for ECadsv5-series or DCadsv5-series in VM products Available by Azure region.
  • For Security type, choose Confidential virtual machines.
  • In the Image list, you need to choose a SQL image that supports Azure confidential VMs, for example SQL Server 2019 Enterprise on Windows Server 2022 Database Engine Only. To see other SQL images supporting confidential VMs, click See all images, type SQL in the search box and set Security type = Confidential.
  • Leave the size at the default of Standard_EC2ads_v5. Select See all sizes to identify all the VM sizes that support confidential VMs, as well as the sizes that do not.
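After deployment, the portal choices above can be verified from the VM's resource description. The following is an added example, not part of the original post: it audits the JSON that `az vm show -o json` returns for the security type, size series and confidential OS disk encryption discussed here. The two sample documents are constructed, and the size pattern covers only the two series this post names.

```python
import re

# Size series named in this post: DCadsv5 and ECadsv5 (e.g. Standard_EC2ads_v5).
CVM_SIZE = re.compile(r"^Standard_(DC|EC)\d+i?ads_v5$")

def audit_confidential_vm(vm: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    size = (vm.get("hardwareProfile") or {}).get("vmSize", "")
    if not CVM_SIZE.match(size):
        findings.append(f"size {size!r} is not in the DCadsv5/ECadsv5 series")

    sec = vm.get("securityProfile") or {}
    if sec.get("securityType") != "ConfidentialVM":
        findings.append(f"securityType is {sec.get('securityType')!r}")
    uefi = sec.get("uefiSettings") or {}
    if not uefi.get("vTpmEnabled"):
        findings.append("vTPM is disabled")
    if not uefi.get("secureBootEnabled"):
        findings.append("Secure Boot is disabled")

    # Confidential OS disk encryption shows up on the managed OS disk.
    os_disk = (vm.get("storageProfile") or {}).get("osDisk") or {}
    disk_sec = (os_disk.get("managedDisk") or {}).get("securityProfile") or {}
    enc = disk_sec.get("securityEncryptionType")
    if enc != "DiskWithVMGuestState":
        findings.append(f"confidential OS disk encryption is off ({enc!r})")
    return findings

# Constructed sample: a VM created with the settings listed above.
GOOD_VM = {
    "hardwareProfile": {"vmSize": "Standard_EC2ads_v5"},
    "securityProfile": {
        "securityType": "ConfidentialVM",
        "uefiSettings": {"vTpmEnabled": True, "secureBootEnabled": True},
    },
    "storageProfile": {"osDisk": {"managedDisk": {
        "securityProfile": {"securityEncryptionType": "DiskWithVMGuestState"}}}},
}

# Constructed sample: a regular SQL VM that was never made confidential.
BAD_VM = {
    "hardwareProfile": {"vmSize": "Standard_E2ads_v5"},
    "securityProfile": {
        "securityType": "TrustedLaunch",
        "uefiSettings": {"vTpmEnabled": True, "secureBootEnabled": True},
    },
    "storageProfile": {"osDisk": {"managedDisk": {}}},
}

if __name__ == "__main__":
    for name, vm in (("good", GOOD_VM), ("bad", BAD_VM)):
        print(name, audit_confidential_vm(vm) or "OK")
```

To audit a real deployment, load the output of `az vm show` with `json.load` and pass the resulting dictionary to `audit_confidential_vm`.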

 

 

For more information on SQL Server in Azure confidential VMs and related technologies, see:

Updated Oct 07, 2022
Version 1.0