Confidential VM node pool support on AKS with AMD SEV-SNP confidential VMs

Azure Kubernetes Service (AKS) makes it simple to deploy a managed Kubernetes cluster in Azure. In AKS, nodes of the same configuration are grouped together into node pools. These node pools contain the underlying VMs that run your applications.

AKS now supports confidential VM node pools with Azure confidential VMs. These confidential VMs are the generally available DCasv5 and ECasv5 confidential VM-series utilizing 3rd Gen AMD EPYC^TM processors with Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) security features. To read more about this offering, see the announcement.

Benefits

Confidential node pools leverage VMs with a hardware-based Trusted Execution Environment (TEE). AMD SEV-SNP confidential VMs deny the hypervisor and other host management code access to VM memory and state, and add defense in depth protections against operator access.

In addition to the hardened security profile, confidential node pools on AKS also enable:

• Lift and Shift with full AKS feature support - to enable a seamless lift-and-shift of Linux container workloads
• Heterogenous Node Pools - to store sensitive data in a VM-level TEE node pool with memory encryption keys generated from the chipset itself
• Cryptographically attest that your code will be executed on AMD SEV-SNP hardware with an application to generate the hardware attestation report.

Get started and add confidential node pools to existing AKS cluster with this quick start guide.

Questions?

If you have questions about container offerings, please reach out to acconaks@microsoft.com.

Next steps

• Deploy a confidential node pool in your AKS cluster
• Learn more about sizes and specs for general purpose and memory-optimized confidential VMs.