Azure Confidential Computing is Microsoft's cutting-edge security technology that protects data even while it is "in use" through encryption. On top of the traditional Encryption at Rest and Encryption in Transit, it adds a third layer — Encryption in Use (encryption of data inside CPU memory). This realizes "Zero Trust to Cloud," where internal data is invisible even to Microsoft, cloud administrators, and the hypervisor. This article organizes Confidential VM, Containers, Always Encrypted with Secure Enclaves, Confidential AI, and Attestation in one place.
| Layer | Scope | Technology |
|---|---|---|
| Encryption at Rest | Data at rest in Storage | Customer-Managed Key (CMK), TDE |
| Encryption in Transit | Data in transit | TLS 1.2/1.3, IPsec |
| Encryption in Use | Processing inside CPU memory | Trusted Execution Environment (TEE) |
| Technology | Provider | Characteristics |
|---|---|---|
| Intel SGX (Software Guard Extensions) | Intel | Application-level enclaves with fine-grained control |
| AMD SEV-SNP (Secure Encrypted Virtualization with Secure Nested Paging) | AMD | Whole-VM protection; easy Lift and Shift |
An AMD SEV-SNP-based VM family that runs the entire VM fully isolated from the hypervisor.
The code is almost identical to a normal VM (Lift and Shift is possible); the cost premium is roughly 30% above a standard VM.
GA in 2024. A Confidential AKS Node Pool that runs on AMD SEV-SNP.
Add a Confidential Node Pool to AKS and designate pods as Confidential Containers via annotations. Note the constraint of longer startup times (tens of seconds, due to Confidential VM boot).
A feature that processes confidential columns in Azure SQL Database / Managed Instance / SQL on VM inside an Intel SGX TEE.
| Capability | Legacy Always Encrypted | With Secure Enclaves |
|---|---|---|
| Equality (=) | Yes | Yes |
| Pattern match (LIKE) | No | Yes |
| Range search (BETWEEN) | No | Yes |
| JOIN operations | No | Yes |
| Visible to DBA / Cloud Admin | Not visible without decryption key | Same, plus invisible during processing |
Realizes "Zero Trust to DBA" — the highest-grade Privacy-by-Design implementation pattern, mandatory for GDPR and HIPAA.
Attestation is the mechanism for cryptographically proving that a Confidential VM/Container is actually running inside a TEE.
Cosmos DB, Always Encrypted with Secure Enclaves, and Confidential Ledger are also integrated with Attestation.
Azure Confidential Ledger is a blockchain-like tamper-proof log service built on Confidential Computing.
| Industry | Use Case | Recommended Confidential Capability |
|---|---|---|
| Finance | Multi-party data analytics, KYC | Confidential VM + Confidential Ledger |
| Healthcare | Imaging AI inference | Confidential Containers + Confidential AI |
| Government | Classified information processing | Confidential VM + Always Encrypted Enclaves |
| Manufacturing | Supply chain tracking | Confidential Ledger |
| SaaS | Multi-tenant isolation | Confidential Containers |
| AI vendors | Model IP protection + customer data protection | Confidential AI Inferencing |
What is Confidential Computing?
Azure Confidential Computing protects data even while it is 'in use' through encryption. On top of the traditional layers of Encryption at Rest (storage encryption) and Encryption in Transit (TLS), it adds a third layer: Encryption in Use (encryption of data inside CPU memory). A Trusted Execution Environment (TEE) provides CPU-level hardware protection so that internal data is invisible even to Microsoft, cloud administrators, and the hypervisor — realizing 'Zero Trust to Cloud'. Azure supports two TEE technologies: Intel SGX (Software Guard Extensions) and AMD SEV-SNP (Secure Encrypted Virtualization with Secure Nested Paging). It is a state-of-the-art security capability for the most confidential workloads at financial institutions, healthcare providers, and government agencies.
What is a Confidential VM (DCasv5/ECasv5)?
Confidential VMs are an AMD SEV-SNP-based VM family (DCasv5, ECasv5, ECCasv5) that run the entire VM fully isolated from the hypervisor. Key characteristics: 1) the entire VM memory is encrypted by the AMD CPU and invisible to the hypervisor, 2) Boot Integrity Measurement detects tampering, 3) Trusted Launch and Secure Boot are required, 4) vTPM (Virtual Trusted Platform Module) is integrated, 5) Confidential OS Disk encrypts the OS disk itself with a Customer-managed Key. Typical use cases: 1) multi-party data analytics (Multi-party Computation, Federated Learning), 2) financial data analytics and transaction processing, 3) medical imaging AI inference, 4) confidential AI model inference (Model IP protection). The code is almost identical to a normal VM (Lift and Shift is possible), and the cost premium is roughly 30% above a standard VM.
What are Confidential Containers on AKS?
Confidential Containers on AKS reached GA in 2024 and run as a Confidential AKS Node Pool on AMD SEV-SNP. Pods execute as Confidential Containers, so data inside the pod is invisible to the hypervisor, the AKS control plane, and even the node OS. The technology is based on the open-source Kata Containers project, which adds an extra layer of isolation by running containers inside a VM sandbox. Typical use cases: 1) AI inference services that prevent customer data exposure and protect model IP, 2) multi-party ML pipelines (Federated Learning where participants do not see each other's data), 3) regulated-industry SaaS with full tenant isolation. You add a Confidential Node Pool to AKS and designate pods as Confidential Containers via annotations. It is a breakthrough capability that lets you make container apps confidential without changing existing code — but with a constraint: startup time is longer (tens of seconds, due to Confidential VM boot).
What is Always Encrypted with Secure Enclaves?
Always Encrypted with Secure Enclaves processes confidential columns in Azure SQL Database / Managed Instance / SQL on VM inside an Intel SGX TEE. Legacy Always Encrypted could only perform equality comparisons on encrypted data, but Secure Enclaves enable pattern matching (LIKE), range queries (BETWEEN), and JOIN operations while data remains encrypted. Flow: 1) the client encrypts the Column Encryption Key with a Column Master Key, 2) the client sends an encrypted SQL query, 3) SQL Server decrypts and processes inside the Secure Enclave (Intel SGX), 4) results are returned encrypted, 5) the client decrypts to retrieve them. DBAs and cloud administrators never see plaintext values — realizing 'Zero Trust to DBA'. It is the highest-grade Privacy-by-Design implementation pattern, mandatory for GDPR and HIPAA.
What about Confidential AI / Federated Learning?
These are AI/ML applications of Confidential Computing. Confidential AI: AI model inference runs inside a Confidential Container/VM, fully protecting both customer data and model IP. Typical scenario: medical-imaging AI completes inference without sending patient data from the hospital to the AI vendor — protecting Model IP from customers while simultaneously protecting customer data from the AI vendor (bidirectional protection). Federated Learning: multiple organizations jointly train an ML model without disclosing their own data — each participant trains locally inside a Confidential VM and only model parameters are aggregated. With the Azure Confidential AI Inferencing Service (2024 Preview), Microsoft began offering Azure OpenAI on Confidential Computing, so that customer prompts and inference results are invisible even inside Microsoft — a 'Confidential OpenAI'. Confidential Computing is rapidly growing in importance as a cutting-edge privacy-preserving technology for the AI era.
How does Attestation work?
Attestation is the mechanism for cryptographically proving that a Confidential VM or Container is actually running inside a TEE. Flow: 1) at Confidential VM boot, the CPU generates an Attestation Quote (vTPM + CPU Signing Key), 2) Microsoft Azure Attestation Service (MAA) or a Customer Attestation Service verifies the Quote against Microsoft's Attestation Certificate Authority chain, 3) on success, the Confidential VM is confirmed as trustworthy, 4) Key Vault / Secret Server releases decryption keys in exchange for the Attestation Token. This cryptographically guarantees 'is this VM truly running on Confidential Computing?' and 'is it really invisible to the hypervisor?' Cosmos DB, Always Encrypted with Secure Enclaves, and Confidential Ledger are also integrated with Attestation. In production, the standard pattern is to verify Attestation at app startup and refuse access to confidential data if verification fails.
What should I watch out for when adopting Confidential Computing?
Key considerations: 1) ~30% cost premium (Confidential VM) plus extra latency (CPU encryption); applying it to every workload is overkill — choose only the parts that handle confidential data, 2) Confidential Containers take tens of seconds to start (vs. 1-2 seconds for normal pods), so use a Warm Pool design if you rely on autoscale, 3) Confidential VM sizing is limited (specific SKUs like the DCasv5 series only) and regional coverage is partial (not all regions), 4) Confidential Ledger is capped at 5,000 transactions/sec — not suited to high-volume writes, 5) it depends on the Attestation Service SLA and availability, requiring Region Pairing, 6) the application must implement Attestation verification (it is not transparent), 7) Microsoft is not perfectly 'blind' either — side-channel attack risk and future vulnerability response are required. You must weigh the benefits (invisible to Microsoft/cloud admins) against the constraints (cost, performance, design complexity) carefully when deciding to adopt it.
Which certifications cover this topic?
SC-100 (Cybersecurity Architect Expert) covers this as a key topic under the Data pillar of Zero Trust strategy and encryption architecture. SC-400 (Information Protection) Domain 1 covers Confidential Computing integration; AZ-305 (Solutions Architect Expert) covers architect-level selection (when to adopt Confidential Computing); AI-103 (GA in 2026-06) covers Confidential AI inference patterns; DP-300 (DBA) covers Always Encrypted with Secure Enclaves. As a cutting-edge security technology its share of exam questions is still modest, but it is essential knowledge for security architects.
Related Articles and Deep Dives
AI-103 完全ガイド|Developing AI Apps and Agents on Azure【2026 年 6 月 GA・AI-102 後継】
Microsoft Certified: Developing AI Apps and Agents on Azure (AI-103) の完全ガイド。AI-102 の後継として 2026 年 6 月 30 日 GA。Azure AI Foundry / Agent Service / OpenAI / AI Search を中心に、RAG パターン・Agent オーケストレーション・Responsible AI・Semantic Kernel SDK の実装スキル、3-4 ヶ月の合格ロードマップを日本語で網羅。
Azure Architect キャリアロードマップ|AZ-900 → AZ-305 → SC-100 シニアアーキテクトへの道【2026 年版】
Azure Solutions Architect になるための認定取得ロードマップ完全版。AZ-900 → AZ-104 → AZ-305 の王道ルート、AZ-400 / SC-100 / AZ-700 との二刀流 / 三刀流戦略、マルチクラウド対応 (AWS / GCP)、未経験から 7-12 ヶ月の学習プラン、年収レンジまで日本語で網羅。
Azure セキュリティエンジニア キャリアロードマップ|SC-900 → SC-200/300/400 → SC-100 シニアへの道【2026 年版】
Azure セキュリティエンジニアになるための認定取得ロードマップ完全版。SC-900 → SC-200/300/400 のいずれか → SC-100 / SC-500 の王道ルート、ロール別の優先順序、CISSP との二刀流戦略、SC-500 (旧 AZ-500 後継、2026-09 GA 予定) の動向、10-15 ヶ月の学習プラン、年収レンジまで日本語で網羅。
Azure AI エンジニア キャリアロードマップ|AI-901 → AI-103 → 生成 AI アーキテクトへの道【2026 年版】
Azure AI エンジニアになるための認定取得ロードマップ完全版。AI-901 (2026-06 GA、AI-900 後継) → AI-103 (2026-06 GA、AI-102 後継) の最新ルート、Azure AI Foundry / Agent Service / OpenAI 中心の生成 AI 時代の構成、Databricks GenAI / OpenAI Direct との二刀流戦略、年収レンジまで日本語で網羅。
Technical information in this article is based on the Azure Confidential Computing Documentation. This article is not an official Microsoft Corporation product and has no partnership or sponsorship relationship. Microsoft and Azure are trademarks of the Microsoft group of companies. Intel SGX is a technology of Intel Corporation; AMD SEV-SNP is a technology of Advanced Micro Devices, Inc. Information is based on official public materials as of May 24, 2026. Always check the official pages for the latest information.
Practice with certification-focused question sets
View Azure exam prepNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
AZ-900 Azure Fundamentals: Complete Exam Guide (2026)
Pass AZ-900 — cloud concepts, Azure architecture, management...
Azure Certification Roadmap: Which Cert to Take Next (2026)
Choose your Azure certification path — Fundamentals, Associa...
AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)
Pass AI-901 — Microsoft Foundry, generative AI, responsible ...
Microsoft Entra ID Fundamentals for Azure Certs (2026)
Entra ID basics every cert candidate needs — tenants, identi...
DP-900 Azure Data Fundamentals: Complete Guide (2026)
Pass DP-900 — relational, non-relational, analytics, Power B...