A few months ago we announced the support for virtualization-based security (VBS) enclaves in Azure SQL Database. This announcement brings numerous advantages, including robust confidential queries and seamless cryptographic operations, to all Azure SQL Database offerings, independent from the underlying hardware. You can use the feature with any compute tier (provisioned or serverless), purchasing model (vCore or DTU), compute size and region that aligns with your workload needs. And, since VBS enclaves are available in existing hardware offerings, there is no additional cost.
In addition to this preview, we are excited to announce the preview of VBS enclaves in Azure SQL Database elastic pools!
An Azure SQL Database elastic pool enables software as a service (SaaS) developers to optimize the price performance ratio for a group of databases, within a prescribed budget, while delivering performance elasticity for each database. By incorporating Always Encrypted with VBS enclaves in elastic pools, you can combine robust data protection with the cost-effectiveness that elastic pools offer. This integration ensures that your databases are secure while maintaining an efficient allocation of resources.
Enabling VBS enclaves on an elastic pool
Create a new elastic pool with a VBS enclave using the New-AzSqlElasticPool cmdlet (PowerShell) or az sql elastic-pool create (Azure CLI). The following example creates an elastic pool with a VBS enclave using PowerShell.
# Create a General Purpose, Gen5, 2-vCore elastic pool with a VBS enclave
New-AzSqlElasticPool `
    -ComputeGeneration Gen5 `
    -Edition 'GeneralPurpose' `
    -ElasticPoolName $ElasticPoolName `
    -ResourceGroupName $resourceGroupName `
    -ServerName $serverName `
    -VCore 2 `
    -PreferredEnclaveType 'VBS'
To enable a VBS enclave on an existing elastic pool, use the Set-AzSqlElasticPool cmdlet (PowerShell) or az sql elastic-pool update (Azure CLI). Here's an example:
# Switch an existing elastic pool to use a VBS enclave
Set-AzSqlElasticPool `
    -ResourceGroupName $resourceGroupName `
    -ServerName $serverName `
    -ElasticPoolName $ElasticPoolName `
    -PreferredEnclaveType 'VBS'
Adding a database to an elastic pool
Any database you add to the elastic pool inherits the enclave property from the elastic pool, just as it inherits the pool's service level objective (SLO). Hence, if you add a database without VBS enclaves enabled to an elastic pool with VBS enclaves enabled, the database becomes part of the elastic pool and VBS enclaves are enabled on it. Adding a database with VBS enclaves enabled to an elastic pool without VBS enclaves is not supported.
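As an added example (not part of the original announcement), the following PowerShell moves an existing database into the VBS-enabled pool, guards against the unsupported direction described above, and then verifies that the database inherited the pool's enclave setting before it is used for encryption. It assumes the Az.Sql module is installed and you are signed in; the `$databaseName` variable, the placeholder resource names and the pre/post checks are my additions, and it assumes the objects returned by Get-AzSqlElasticPool and Get-AzSqlDatabase expose a PreferredEnclaveType property.

```powershell
# Added example: add a database to the VBS-enabled pool and confirm it
# inherited the pool's enclave property. Assumes Az.Sql is installed and
# Connect-AzAccount has already been run.
$resourceGroupName = 'myResourceGroup'   # placeholder values, replace with your own
$serverName        = 'myserver'
$ElasticPoolName   = 'myVbsPool'
$databaseName      = 'myDatabase'

$pool = Get-AzSqlElasticPool -ResourceGroupName $resourceGroupName `
    -ServerName $serverName -ElasticPoolName $ElasticPoolName
$db = Get-AzSqlDatabase -ResourceGroupName $resourceGroupName `
    -ServerName $serverName -DatabaseName $databaseName

# Unsupported direction: a VBS-enabled database cannot join a pool without VBS enclaves.
# Fail early with a clear message instead of letting the move error out.
if ($db.PreferredEnclaveType -eq 'VBS' -and $pool.PreferredEnclaveType -ne 'VBS') {
    throw "Database '$databaseName' has VBS enclaves enabled but pool '$ElasticPoolName' does not. Enable VBS on the pool first (Set-AzSqlElasticPool -PreferredEnclaveType 'VBS')."
}

# Move the database into the pool; it inherits the pool's enclave property and SLO.
Set-AzSqlDatabase -ResourceGroupName $resourceGroupName -ServerName $serverName `
    -DatabaseName $databaseName -ElasticPoolName $ElasticPoolName | Out-Null

# Re-read the database and verify the inherited setting before relying on the
# enclave for in-place encryption or confidential queries.
$db = Get-AzSqlDatabase -ResourceGroupName $resourceGroupName `
    -ServerName $serverName -DatabaseName $databaseName
if ($db.PreferredEnclaveType -ne $pool.PreferredEnclaveType) {
    throw "Expected PreferredEnclaveType '$($pool.PreferredEnclaveType)' on '$databaseName' but found '$($db.PreferredEnclaveType)'."
}
"Database '$databaseName' is in pool '$ElasticPoolName' with PreferredEnclaveType = $($db.PreferredEnclaveType)"
```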
Once your elastic pool has access to a VBS enclave, and you have added your databases, you can start using it for in-place encryption or to run rich confidential queries. See Tutorial: Getting started with Always Encrypted with secure enclaves for step-by-step instructions.
We’d love to hear your feedback – please contact us at alwaysencryptedpg@microsoft.com