Confidential Computing Manager Azure Managed Application

Introduction

Fortanix Confidential Computing Manager (CCM) enables an application to run in a confidential environment. The solution orchestrates critical security policies such as identity verification, data access control, and code attestation for enclaves that are required for confidential computing. 

With the CCM Azure managed application, users can create and manage confidential computing applications from inside the Azure portal.

This article describes the steps to deploy the Fortanix Confidential Computing Manager (CCM) on the Microsoft Azure portal.

Prerequisites

  • A private Docker registry to push converted application image(s)

  • An Azure subscription

Deploy CCM Managed Application on Azure

  1. Go to the Microsoft Azure portal - https://portal.azure.com/

    Figure 1: Azure portal

  2. In the Search Bar, search for "Fortanix Confidential Computing Manager" to find the Marketplace listing for Fortanix CCM. Click Fortanix Confidential Computing Manager on Azure.

    Figure 2: Search CCM

  3. This will open the page to create the CCM Managed application. Click Create.

    Figure 3: Create the CCM managed application

  4. Fill in all the required fields.

    1. In the Managed Application Details section, the Managed Resource Group field will have a default value that the user can modify if required.

    2. In the Region field, select either Australia East, Australia Southeast, East US, West US 2, West Europe, North Europe, Canada Central, Canada East, or East US 2 EUAP (more regions will be added as Azure adds Managed Application support to more regions).

    Figure 4: Create the CCM managed application

    Click Review + create to create the Fortanix CCM managed application.
     

  5. Review the details and once the validation passes, select the I agree to the terms and conditions above check box, and then click Create to create the managed application.

    Figure 5: Create CCM managed application

  6. The Fortanix CCM deployment will start, and a notification indicates that the deployment is in progress.

    Figure 6: Deployment in progress

  7. When the deployment is complete, click the Go to resource button to go to the deployed CCM managed application's "Overview" page to enroll the compute node.

    Figure 7: Deployment complete

    Figure 8: Deployed CCM managed application

Enroll Compute Node in Fortanix CCM

  1. Click Confidential Computing Manager from the left navigation menu. Log in to Fortanix CCM and create an account as you see in Figure 9.
    For more details on how to sign up, log in, and create an account in CCM, refer to users-guide-logging-in.

    NOTE

    When using Fortanix CCM Azure managed application, users cannot log in using Azure Active Directory (AD) authentication.

    Figure 9: CCM Logging in

  2. Get the join token from the CCM Management Console: click the ENROLL NODE button, and in the ENROLL NODE window click the COPY button to copy the join token.

    Figure 10: Get the join token

  3. Now to enroll a node agent, click the Confidential Computing Node Agent tab and click Add to add a CCM node agent.

    Figure 11: Add node agent

  4. In the CCM node agent form, fill in all the required fields. Paste the join token that you copied in Step 2 in the Join Token field. Click the Review + submit button to confirm.
    For more details on how to enroll a CCM compute node, refer to users-guide-enroll-a-compute-node-using-azure-marketplace.

    Figure 12: Node agent creation

    NOTE

    • If an invalid Join token is provided, then the Compute Node will still be added in the Azure Managed Application successfully, but it will not be enrolled in the Fortanix Confidential Computing Manager. In such cases, Fortanix recommends that users delete the Compute Node and create it again.

    • Creating multiple Compute Nodes with the same name will fail as Azure does not allow multiple resources with the same name within the same resource group. Fortanix recommends that users carefully choose the Node Name.

  5. Once the validation passes, click Submit to complete the node agent creation.

    Figure 13: Node agent creation confirm

  6. To check the deployment status, go to the Overview tab, and click the Managed resource group link.

    Figure 14: Node enrolled

    Figure 15: Managed resource group link

  7. The deployment status will still show as in progress; it takes a few minutes for the node agent to be successfully enrolled.

    Figure 16: Node agent enrollment in progress

  8. Once the node agent enrollment is successful, the status changes to "Succeeded".

    Figure 17: Node enrollment success

  9. Now in the CCM managed application, go to the Compute Nodes page and you will notice that the node is in an Active state and enrolled successfully.

    Figure 18: Node in active state

Delete CCM Compute Nodes

  1. The user also has the option to delete a CCM node agent from the Confidential Computing Node Agent page. To do this, select the node agent and click the Delete button on the top bar.

    Figure 19: Delete node agent

  2. The node agent is successfully deleted.

    Figure 20: Node agent deleted

    NOTE

    This will delete a Compute Node from the Azure Managed Application, but it will still appear in the Compute Nodes tab in Fortanix Confidential Computing Manager.
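
The two NOTE cases above (a node agent created with an invalid join token, and a node agent deleted from the managed application) both leave the Azure and CCM inventories out of step. The following added example, which is not Fortanix code, compares the two lists to surface that drift. Assumptions: a node carries the same name on both sides, names are compared case-insensitively, and the sample lists and the "OTHER" state are constructed for illustration.

```python
"""Added example: reconcile Azure node agents with CCM compute nodes."""

# Constructed sample data; both lists are copied by hand from the two UIs.
AZURE_AGENTS = ["node-a", "node-b", "node-c"]            # Node Agent tab
CCM_NODES = {"node-a": "Active", "node-c": "OTHER",      # Compute Nodes page;
             "node-old": "Active"}                       # "OTHER" is a placeholder


def _key(name):
    # Assumption: names are compared case-insensitively, as Azure does
    # for resource names within a resource group.
    return name.strip().lower()


def reconcile(azure_agents, ccm_nodes):
    """Classify every node by where it exists and whether it is Active."""
    azure = {_key(n): n for n in azure_agents}
    ccm = {_key(n): (n, state) for n, state in ccm_nodes.items()}
    report = {"enrolled": [], "not_enrolled": [],
              "not_active": [], "stale_in_ccm": []}
    for key, name in azure.items():
        if key not in ccm:
            # In Azure but not in CCM: the invalid join token case.
            # The page's advice is to delete the node and create it again.
            report["not_enrolled"].append(name)
        elif ccm[key][1] != "Active":
            report["not_active"].append(name)
        else:
            report["enrolled"].append(name)
    for key, (name, _state) in ccm.items():
        if key not in azure:
            # Deleted from the managed application, still listed in CCM.
            report["stale_in_ccm"].append(name)
    return {bucket: sorted(names) for bucket, names in report.items()}


def name_in_use(new_name, azure_agents):
    """True if creating new_name would collide with an existing node agent."""
    return _key(new_name) in {_key(n) for n in azure_agents}


if __name__ == "__main__":
    for bucket, names in reconcile(AZURE_AGENTS, CCM_NODES).items():
        print(f"{bucket:13} {', '.join(names) or '-'}")
    print("Node-A already used:", name_in_use("Node-A", AZURE_AGENTS))
```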

Running an Application on Fortanix CCM

The Fortanix Confidential Computing Manager (CCM) environment is designed with the goal of protecting any application. To run the image of an application on a compute node, refer to the article Running an Application.