This article describes the procedure for configuring a Fortanix Confidential Computing Manager (CCM) deployment to work with an Azure Confidential Virtual Machine (CVM) in a Windows-based environment.
The setup includes creating a Windows CVM in the Azure portal and collecting the PCR values that the attestation policy in Fortanix CCM uses to register and validate the workload.
2.0 Prerequisites
Before you begin, ensure the following requirements are met:
You have access to an active Azure subscription and permissions to create and manage CVMs in the Azure portal.
You have determined which Platform Configuration Register (PCR) indexes (such as PCR0, PCR1, PCR7, and so on) your attestation policy should validate.
Administrator Privileges: The attestation client must be run in an elevated (Administrator) command prompt because it requires write access to the system Trusted Platform Module (TPM).
2.1 Azure CVM Requirements
Azure Confidential VMs provide hardware-based memory encryption and attestation. Your VM image must meet Azure’s confidential computing requirements listed below (Generation 2, UEFI boot, Secure Boot, and vTPM) in addition to your own OS-level hardening.
Hardware Requirements:
VM SKU: You must use an Azure Confidential Computing VM size that supports AMD SEV-SNP technology. These sizes carry an “a” (for AMD) in the size name, for example Standard_DC2as_v5. Supported families include the DCasv5, ECasv5, and NCCasv5 series.
Generation: Generation 2 VM images are mandatory.
Boot Architecture: The Azure CVMs must use Unified Extensible Firmware Interface (UEFI) boot. Legacy Basic Input/Output System (BIOS) boot is not supported.
Security Features: The following features are hardware-enforced and must be validated for the Azure CVM:
Secure Boot is enabled.
Virtual Trusted Platform Module (vTPM) is enabled.
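The following script is an added example, not part of the Fortanix or Microsoft documentation. Run it in an elevated PowerShell session on the deployed Windows CVM to confirm that the requirements above (UEFI boot, Secure Boot, a ready TPM 2.0 device) are actually in effect, and to cross-check them against what Azure reports through the Instance Metadata Service (IMDS). The IMDS api-version and the securityType value it compares against are assumptions and may need adjusting; the cmdlets themselves (Confirm-SecureBootUEFI, Get-Tpm, Win32_Tpm) are standard Windows components.

```powershell
# Added example: verify CVM prerequisites on the guest. Requires an elevated session.
#Requires -RunAsAdministrator

$checks = [ordered]@{}

# 1. Firmware type. Windows exposes it as an environment variable: 'UEFI' or 'Legacy'.
$checks['UEFI boot'] = ($env:firmware_type -eq 'UEFI')

# 2. Secure Boot. Confirm-SecureBootUEFI throws on legacy/BIOS systems, so treat that as FAIL.
try   { $checks['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
catch { $checks['Secure Boot enabled'] = $false }

# 3. vTPM present and ready, and a TPM 2.0 device (needed for the SHA-256 PCR bank).
$tpm = Get-Tpm
$checks['vTPM present'] = [bool]$tpm.TpmPresent
$checks['vTPM ready']   = [bool]$tpm.TpmReady
$spec = (Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
$checks['TPM 2.0']      = ($spec -like '2.0*')   # SpecVersion looks like "2.0, 0, 1.59"

# 4. Azure-side view via IMDS. Endpoint is fixed; api-version and the expected
#    securityType string are assumptions for this example.
try {
    $imds = 'http://169.254.169.254/metadata/instance/compute'
    $hdr  = @{ Metadata = 'true' }
    $sp   = Invoke-RestMethod -Headers $hdr -Uri "$imds/securityProfile?api-version=2021-12-13"
    $size = Invoke-RestMethod -Headers $hdr -Uri "$imds/vmSize?api-version=2021-12-13"
    $checks['IMDS securityType ConfidentialVM'] = ($sp.securityType -eq 'ConfidentialVM')
    $checks['IMDS secureBootEnabled']           = ("$($sp.secureBootEnabled)" -eq 'true')
    $checks['IMDS virtualTpmEnabled']           = ("$($sp.virtualTpmEnabled)" -eq 'true')
    Write-Host "IMDS reports VM size: $size (expect an 'a' in the size name, e.g. Standard_DC2as_v5)"
} catch {
    Write-Warning "IMDS query failed: $($_.Exception.Message)"
}

# Report and exit non-zero if anything failed, so this can gate an automated build.
foreach ($c in $checks.GetEnumerator()) {
    '{0,-38} {1}' -f $c.Key, $(if ($c.Value) { 'PASS' } else { 'FAIL' })
}
$failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value })
if ($failed.Count -gt 0) {
    Write-Error "VM does not meet the Azure CVM requirements: $($failed.Key -join ', ')"
    exit 1
}
```

Run this once after deployment and again after any image change; a FAIL on Secure Boot or vTPM means the VM was not created with Security type set to Confidential virtual machines, and attestation against Fortanix CCM will not succeed.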
Refer to the following Microsoft Azure documentation for instructions on enabling these features:
In the left navigation panel, select Virtual machines and click + Create.
From the Create drop-down menu, select Virtual machine.
On the Basics tab, configure the required details:
Subscription: Select the required Azure subscription.
Resource group: Select an existing resource group or create a new one. For example, demo-vm_group.
Instance details:
Virtual machine name: Enter a unique name for your CVM instance in Azure.
Region: Select a region that supports Confidential Computing workloads. Azure CVM options appear only in supported regions.
Availability options: Select the availability configuration based on redundancy requirements. For example, no redundancy or availability zones.
Zone options: Select Self-selected zone.
Availability zone: Select the appropriate zone.
Security type: Select Confidential virtual machines to enable a hardware-based trusted execution environment.
Image: Select Windows Server 2025 Datacenter Server Core – x64 Gen2 to support Azure CVM deployment for Windows OS.
VM architecture: Select x64 processor architecture.
Run with Azure Spot discount (Optional): Offers reduced cost for interruptible, non-production deployments. Do not select it for workloads that require guaranteed uptime.
Size: Select the VM size as Standard_DC2as_v5 – 2 vcpus, 8 GiB memory for Windows OS.
Authentication account:
Authentication type: Select SSH public key or Password-based authentication to access the VM.
Username: Enter the administrator username used to access the VM.
SSH public key source: Select Generate new key pair to create and store a new SSH key pair.
SSH Key Type: Select the RSA SSH Format option for secure access.
Key pair name: Enter a name for the generated SSH key pair.
Inbound port rules:
Public inbound ports: Select Allow selected ports to allow controlled public network access.
Select inbound ports: Select SSH (22) to allow remote access to the VM.
NOTE
Selecting a public inbound port this way exposes it to every IP address on the Internet. Restrict the source address range in the VM’s network security group (NSG) rule as soon as the VM is created, or use a private access path instead.
Click Review + create at the bottom of the screen.
Figure 1: Create VM for Windows
Once validation completes successfully, click Create to create the Azure CVM.
After the VM is created, connect to it over SSH and collect the PCR values required for attestation, as described in the next section.
4.0 Determine PCR Values
After the Azure CVM is successfully deployed, retrieve the PCR values for the indexes your attestation policy requires. Any single PCR value or a combination of multiple PCR values can be used when defining the image policy, depending on the security requirements. Choose PCRs whose values are stable for the image you intend to attest: a PCR that changes after an OS update or a configuration change will cause attestation to fail until the policy is updated.
Run the following command to collect PCR values directly from the deployed Azure CVM:
tpmtool printpcr sha256
Copy the required PCR values and use them during image configuration in Fortanix CCM.
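As an added example (not part of the Fortanix documentation), the following script automates the step above: it runs tpmtool, extracts the SHA-256 values for the PCR indexes you select, rejects values that cannot pin anything about the boot chain (all zeros, meaning the PCR was never extended, or all 0xff, the capped value), and writes them to a JSON file you can copy into the CCM image configuration. It can also compare against a file captured on an earlier boot to flag PCRs that are not stable for this image. The exact text layout of tpmtool printpcr output is not specified on this page, so the regular expression below is an assumption and is written to tolerate several separators.

```powershell
# Added example: collect and sanity-check SHA-256 PCR values for a CCM image policy.
#Requires -RunAsAdministrator
param(
    [int[]]  $Indexes     = @(0, 1, 7),                       # PCRs the policy will validate
    [string] $OutFile     = "$env:COMPUTERNAME-pcrs.json",
    [string] $CompareWith = ''                                # optional JSON from an earlier boot
)

# Run tpmtool and capture stdout/stderr as plain strings (ErrorRecords become text).
$raw = & tpmtool printpcr sha256 2>&1 | ForEach-Object { "$_" }
if ($LASTEXITCODE -ne 0) { throw "tpmtool failed (exit $LASTEXITCODE): $($raw -join ' ')" }

# Assumed layout: each PCR line carries an index and a 64-hex-char digest, e.g.
# "PCR[7]: ab12..." or "7   ab12...". One match per line, separators are not assumed.
$pattern = '(?im)^\D*?(\d{1,2})\D+?([0-9a-f]{64})\b'
$found = @{}
foreach ($m in [regex]::Matches(($raw -join "`n"), $pattern)) {
    $found[[int]$m.Groups[1].Value] = $m.Groups[2].Value.ToLower()
}
if ($found.Count -eq 0) { throw "No PCR values recognised in tpmtool output; check the output format." }

$zero = '0' * 64
$ones = 'f' * 64
$selected = [ordered]@{}
foreach ($i in $Indexes) {
    if (-not $found.ContainsKey($i)) { throw "PCR$i not present in tpmtool output." }
    $v = $found[$i]
    # A never-extended (all 0x00) or capped (all 0xff) PCR does not measure anything; a policy
    # built on it would accept any boot chain, so refuse it outright.
    if ($v -eq $zero -or $v -eq $ones) {
        throw "PCR$i has a degenerate value ($v); do not use it in the image policy."
    }
    $selected["PCR$i"] = $v
}

# Optional stability check against a capture from a previous boot of the same image.
if ($CompareWith -and (Test-Path $CompareWith)) {
    $prev = (Get-Content -Path $CompareWith -Raw | ConvertFrom-Json).pcrs
    foreach ($k in $selected.Keys) {
        if ($prev.$k -and ($prev.$k -ne $selected[$k])) {
            Write-Warning "$k differs from $CompareWith; it is not a stable anchor for this image."
        }
    }
}

[pscustomobject]@{
    host      = $env:COMPUTERNAME
    collected = (Get-Date).ToUniversalTime().ToString('o')
    algorithm = 'sha256'
    pcrs      = $selected
} | ConvertTo-Json -Depth 3 | Set-Content -Path $OutFile -Encoding UTF8

Write-Host "Wrote $($selected.Count) PCR value(s) to $OutFile"
```

Typical use: run it once, reboot the CVM, run it again with -CompareWith pointing at the first file, and only put PCRs that did not change into the CCM image policy.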
NOTE
The following figure illustrates sample PCR values and must not be used in your configuration.
Figure 2: Sample PCR values
Once the PCR values are available, create the image for the CVM application. For more information on creating an image for the Azure CVM application, refer to Create an Image.