Azure confidential VMs provide a strong, hardware-enforced boundary that hardens the protection of the guest OS. Choosing a confidential VM size for your SQL Server on Azure VM provides an extra layer of security, allowing you to confidently store your sensitive data in the cloud and meet strict compliance requirements.
Azure confidential VMs leverage the AMD SEV-SNP technology, which encrypts the memory of the VM using keys generated and safeguarded by a dedicated secure processor inside the AMD CPU. The hypervisor and other host management software are denied access to the memory of the VM. This provides an extra layer of protection for your data in use - the data that is loaded into the memory of SQL Server for query processing. The cleartext of that data is not accessible to host operators through memory dumps or physical access to the host machine.
With Azure confidential VMs, you can also reinforce the protection of your data at rest (in database files) by enabling confidential OS disk encryption and encrypting data disks using BitLocker with keys stored on the OS disk. This makes the protected disk content accessible only to the VM.
Getting started with SQL Server on Azure confidential VMs is easy - the setup is similar to when you create a regular SQL VM. Just make sure to set the following in the Basics tab when creating the VM in Azure Portal:
In the Image list, choose a SQL image that supports Azure confidential VMs, for example SQL Server 2019 Enterprise on Windows Server 2022 Database Engine Only. To see other SQL images supporting confidential VMs, click See all images, type SQL in the search box and set Security type = Confidential.
Leave the size at the default of Standard_EC2ads_v5. Select See all sizes to identify all the VM sizes that support confidential VMs, as well as the sizes that do not.
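As an added example (not part of the original post or Microsoft's own tooling), the following PowerShell, run as an administrator inside the VM once it is created, checks for the virtual TPM and Secure Boot that a confidential VM provides and then encrypts the SQL data disk with BitLocker using an auto-unlock key stored on the OS disk, as described above. It assumes the data disk is already initialized and mounted as F: and that the OS volume already shows as BitLocker-protected as a result of confidential OS disk encryption.

```powershell
# Added example; assumes the SQL data disk is mounted as F: and that C: is
# already BitLocker-protected by confidential OS disk encryption.
$DataVolume = 'F:'   # assumed mount point of the SQL Server data disk

# 1. Confirm the guest exposes the hardware-rooted features a confidential VM brings.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'Virtual TPM is not present or ready; this does not look like a confidential VM.'
}
if (-not (Confirm-SecureBootUEFI)) {
    throw 'Secure Boot is off; confidential VMs are expected to boot with Secure Boot enabled.'
}

# 2. The OS volume must already be protected, because the data-disk auto-unlock
#    key is stored on it and is only as safe as the OS disk encryption.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($osVol.ProtectionStatus -ne 'On') {
    throw "OS volume $($env:SystemDrive) is not BitLocker protected; enable confidential OS disk encryption first."
}

# 3. Encrypt the data disk. A recovery password protector is added so the volume
#    can still be recovered if the OS disk (and the auto-unlock key on it) is lost.
$dataVol = Get-BitLockerVolume -MountPoint $DataVolume
if ($dataVol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $DataVolume -EncryptionMethod XtsAes256 `
        -RecoveryPasswordProtector -UsedSpaceOnly | Out-Null
}

# 4. Store the unlock key on the OS disk so F: mounts at boot without an operator
#    supplying a key; the key stays inside the VM's encrypted boundary.
$dataVol = Get-BitLockerVolume -MountPoint $DataVolume
if (-not $dataVol.AutoUnlockEnabled) {
    Enable-BitLockerAutoUnlock -MountPoint $DataVolume | Out-Null
}

# 5. Report status. Escrow the recovery password offline, never on the VM itself.
$dataVol  = Get-BitLockerVolume -MountPoint $DataVolume
$recovery = $dataVol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
[pscustomobject]@{
    Volume           = $DataVolume
    EncryptionMethod = $dataVol.EncryptionMethod
    VolumeStatus     = $dataVol.VolumeStatus      # EncryptionInProgress until finished
    ProtectionStatus = $dataVol.ProtectionStatus
    AutoUnlock       = $dataVol.AutoUnlockEnabled
    RecoveryPassword = $recovery.RecoveryPassword
}
```

Re-run the script after encryption completes to confirm VolumeStatus reads FullyEncrypted and ProtectionStatus reads On before placing SQL Server database files on the volume.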
For more information on SQL Server in Azure confidential VMs and related technologies, see: