Confidential Computing Manager Azure Managed Application

Introduction

Fortanix Confidential Computing Manager (CCM) enables an application to run in a confidential environment. The solution orchestrates critical security policies such as identity verification, data access control, and code attestation for enclaves that are required for confidential computing. 

With the CCM Azure managed application, users can create and manage confidential computing applications from inside the Azure portal.

This article describes the steps to deploy the Fortanix Confidential Computing Manager (CCM) on the Microsoft Azure portal.

Prerequisites

  • A private Docker registry to push converted application image(s)
  • An Azure subscription

Deploy CCM Managed Application on Azure

  1. Go to the Microsoft Azure portal - https://portal.azure.com/
      Figure 1: Azure portal
     
  2. In the Search Bar, search "Fortanix Confidential Computing Manager" and you will find the Marketplace listing for Fortanix CCM. Click Fortanix Confidential Computing Manager on Azure.
      Figure 2: Search CCM
     
  3. This will open the page to create the CCM Managed application. Click Create.
      Figure 3: Create the CCM managed application
     
  4. Fill in all the required fields.
    1. In the Managed Application Details section, the Managed Resource Group field will have a default value that the user can modify if required.
    2. In the Region field, select either Australia East, Australia Southeast, East US, West US 2, West Europe, North Europe, Canada Central, Canada East, or East US 2 EUAP (more regions will be added as Azure adds Managed Application support to more regions).
        
        Figure 4: Create the CCM managed application

        Click Review + create to create the Fortanix CCM managed application.
     
  5. Review the details and once the validation passes, select the I agree to the terms and conditions above check box, and then click Create to create the managed application.
      Figure 5: Create CCM managed application
     
  6. The Fortanix CCM deployment starts, and a notification indicates that the deployment is in progress.
      Figure 6: Deployment in progress
     
  7. When the deployment is complete, click the Go to resource button to go to the deployed CCM managed application's "Overview" page to enroll the compute node.
      Figure 7: Deployment complete
      Figure 8: Deployed CCM managed application

Enroll Compute Node in Fortanix CCM

  1. Click Confidential Computing Manager from the left navigation menu. Log in to Fortanix CCM and create an account as you see in Figure 9.

    For more details on how to sign up, log in and create an account in CCM refer to https://support.fortanix.com/hc/en-us/articles/360034373551-User-s-Guide-Logging-in.
      Figure 9: CCM Logging in
     
  2. Get the Join Token from the CCM Management Console by clicking the ENROLL NODE button and in the ENROLL NODE window click the COPY button to copy the join token.
      Figure 10: Get the join token
     
  3. Now to enroll a node agent, click the Confidential Computing Node Agent tab and click Add to add a CCM node agent.
      Figure 11: Add node agent
     
  4. In the CCM node agent form, fill in all the required fields. Paste the join token that you copied in Step 2 in the Join Token field. Click the Review + submit button to confirm.

    For more details on how to enroll a CCM compute node, refer to https://support.fortanix.com/hc/en-us/articles/360043085652-User-s-Guide-Compute-Nodes.
      Figure 12: Node agent creation
     
    NOTE
    • If an invalid Join token is provided, then the Compute Node will still be added in the Azure Managed Application successfully, but it will not be enrolled in the Fortanix Confidential Computing Manager. In such cases, Fortanix recommends that users delete the Compute Node and create it again.
    • Creating multiple Compute Nodes with the same name will fail as Azure does not allow multiple resources with the same name within the same resource group. Fortanix recommends that users carefully choose the Node Name.
     
  5. Once the validation passes, click Submit to complete the node agent creation.
      Figure 13: Node agent creation confirm
     
  6. To check the deployment status, go to the Overview tab, and click the Managed resource group link.
      Figure 14: Node enrolled
      Figure 15: Managed resource group link
     
  7. Now you will notice that the deployment status is still in progress; it will take a few minutes for the node agent to be successfully enrolled.
      Figure 16: Node agent enrollment in progress
     
  8. Once the node agent enrollment is successful, the status changes to "Succeeded".
      Figure 17: Node enrollment success
     
  9. Now in the CCM managed application, go to the Compute Nodes page and you will notice that the node is in an Active state and enrolled successfully.
      Figure 18: Node in active state

Delete CCM Compute Nodes

  1. The user also has the option to delete a CCM node agent from the Confidential Computing Node Agent page. To do this, select the node agent and click the Delete button on the top bar.
      Figure 19: Delete node agent
     
  2. The node agent is successfully deleted.
      Figure 20: Node agent deleted
     
    NOTE
    This will delete a Compute Node from the Azure Managed Application, but it will still appear in the Compute Nodes tab in Fortanix Confidential Computing Manager.

Running an Application on Fortanix CCM

The Fortanix Confidential Computing Manager (CCM) environment is designed with the goal of protecting any application. To run the image of an application on a compute node, refer to the article Running an Application.

 

 
