Confidential Computing Manager Azure Managed Application

Introduction

Fortanix Confidential Computing Manager (CCM) enables an application to run in a confidential environment. The solution orchestrates critical security policies such as identity verification, data access control, and code attestation for enclaves that are required for confidential computing. 

With CCM Azure managed application users can create and manage confidential computing applications from inside the Azure portal.

This article describes the steps to deploy the Fortanix Confidential Computing Manager (CCM) on the Microsoft Azure portal.

Prerequisites: Getting Started Video: 

• A private Docker registry to push converted application image(s)
• An Azure subscription

Deploy CCM Managed Application on Azure

1. Go to the Microsoft Azure portal - https://portal.azure.com/
     Figure 1: Azure portal
2. In the Search Bar, search "Fortanix Confidential Computing Manager" and you will find the Marketplace listing for Fortanix CCM. Click Fortanix Confidential Computing Manager on Azure.
    
   Figure 2: Search CCM
3. This will open the page to create the CCM Managed application. Click Create.
    
   Figure 3: Create the CCM managed application
4. Fill in all the required fields.
   1. In the Managed Application Details section, the Managed Resource Group field will have a default value that the user can modify if required.
   2. In the Region field, select either Australia East, Australia Southeast, East US, West US 2, West Europe, North Europe, Canada Central, Canada East, or East US 2 EUAP (more regions will be added as Azure adds Managed Application support to more regions).
        
   
   Figure 4: Create the CCM managed applicationClick Review + create to create the Fortanix CCM managed application.
    
5. Review the details and once the validation passes, select the I agree to the terms and conditions above check box, and then click Create to create the managed application.
    
   Figure 5: Create CCM managed application
6. The Fortanix CCM deployment will start and notifies that the deployment is in progress.
    
   Figure 6: Deployment in progress
7. When the deployment is complete, click Go to resource button to go to the deployed CCM managed application's "Overview" page to enroll the compute node.
    
   Figure 7: Deployment complete
   Figure 8: Deployed CCM managed application

Enroll Compute Node in Fortanix CCM

1. Click Confidential Computing Manager from the left navigation menu. Log in to Fortanix CCM and create an account as you see in Figure 9.
   
   For more details on how to sign up, log in and create an account in CCM refer to https://support.fortanix.com/hc/en-us/articles/360034373551-User-s-Guide-Logging-in.
   NOTE

   When using Fortanix CCM Azure managed application, users cannot log in using Azure Active Directory (AD) authentication.
   
   Figure 9: CCM Logging in
2. Get the Join Token from the CCM Management Console by clicking the ENROLL NODE button and in the ENROLL NODE window click the COPY button to copy the join token.
    
   Figure 10: Get the join token
3. Now to enroll a node agent, click the Confidential Computing Node Agent tab and click Add to add a CCM node agent.
   
   Figure 11: Add node agent
4. In the CCM node agent form, fill all the required fields. Paste the join token that you copied in Step 2 in the Join Token field. Click Review + submit button to confirm.
   
   For more details on how to enroll a CCM compute node, refer to https://support.fortanix.com/hc/en-us/articles/4414187862164-User-s-Guide-Enroll-a-Compute-Node-Using-Azure-Marketplace.
   
   Figure 12: Node agent creation
   NOTE

   • If an invalid Join token is provided, then the Compute Node will still be added in the Azure Managed Application successfully, but it will not be enrolled in the Fortanix Confidential Computing Manager. In such cases, Fortanix recommends that users delete the Compute Node and create it again.
   • Creating multiple Compute Nodes with the same name will fail as Azure does not allow multiple resources with the same name within the same resource group. Fortanix recommends that users carefully choose the Node Name.
5. Once the validation passes, click Submit to complete the node agent creation.
   
   Figure 13: Node agent creation confirm
6. To check the deployment status, go to the Overview tab, and click Managed resource group link.
   
   Figure 14: Node enrolled
   Figure 15: Managed resource group link
7. Now you will notice that the deployment status is still in progress and will take a few minutes for the node agent to be successfully enrolled.
    
   Figure 16: Node agent enrollment in progress
8. Once the node agent enrollment is successful, the status changes to "Succeeded".
    
   Figure 17: Node enrollment success
9. Now in the CCM managed application, go to the Compute Nodes pages and you will notice that the node is in an Active state and enrolled successfully.
   
   Figure 18: Node in active state

Delete CCM Compute Nodes

1. The user also has the option to delete a CCM node agent from the Confidential Computing Node Agent page. To do this, select the node agent and click the Delete button on the top bar.
   
   Figure 19: Delete node agent
2. The node agent is successfully deleted.
    
   Figure 20: Node agent deleted
   NOTE

   This will delete a Compute Node from the Azure Managed Application, but it will still appear in the Compute Nodes tab in Fortanix Confidential Computing Manager.

Running an Application on Fortanix CCM

The Fortanix Confidential Computing Manager (CCM) environment is designed with the goal of protecting any application. To run the image of an application on a compute node, refer to the article Running an Application.