Deploy SQL Server to an Azure confidential VM
Applies to: 
SQL Server on Azure VM
In this article, learn how to deploy SQL Server to an Azure confidential VM.
Overview
Azure confidential VMs provide a strong, hardware-enforced boundary that hardens the protection of the guest OS against host operator access. Choosing a confidential VM size for your SQL Server on Azure VM provides an extra layer of protection, enabling you to confidently store your sensitive data in the cloud and meet strict compliance requirements.
Azure confidential VMs leverage AMD processors with SEV-SNP technology that encrypt the memory of the VM using keys generated by the processor. This helps protect data while it's in use (the data that is processed inside the memory of the SQL Server process) from unauthorized access from the host OS. The OS disk of a confidential VM can also be encrypted with keys bound to the Trusted Platform Module (TPM) chip of the virtual machine, reinforcing protection for data-at-rest.
Azure confidential VMs are available in both the general purpose and memory optimized VM size series.
Recommendations for disk encryption are different for confidential VMs than for the other VM sizes. See disk encryption to learn more.
Deploy SQL Server to a confidential VM
For detailed steps to deploy a confidential VM, review the Quickstart: Deploy a SQL Server on Azure VM.
To deploy a SQL Server VM to a confidential Azure VM, select the following values when deploying a SQL Server VM:
- Choose a supported region. To validate region supportability, look for the
ECadsv5-seriesorDCadsv5-seriesin VM products Available by Azure region. - Set the Security type to Confidential virtual machines. If this option is grayed out, it's likely the chosen region doesn't currently support confidential VMs. Choose a different region from the drop-down.
- Choose a supported confidential SQL Server image. To change the SQL Server image, select See all images and then filter by Security type = Confidential VMs to identify all SQL Server images that support confidential VMs.
- Choose a supported VM size. To see all available sizes, select See all sizes to identify all the VM sizes that support confidential VMs, as well as the sizes that don't.
- (Optional) Configure confidential disk encryption. Follow the steps in the Disk section of the Quickstart.
Identify available images
To view all SQL Server images that support confidential VMs, begin to deploy a SQL Server virtual machine from the Azure portal, and then select See all images under Images on the Basics tab to open the Azure Marketplace. Type sql in the search box, and then filter the options by choosing Security type = Confidential to view all SQL Server images that support confidential VMs.
Limitations
- Currently, only the following list of bre-built SQL Server images support Azure confidential VMs. If you wish to use a different combination of SQL Server version/edition/operating system with Confidential VMs, you can deploy an image of your choice and then self-install SQL Server.
SQL Server 2022 Enterprise / Developer / Standard / Web on Windows Server 2022 - x64 Gen 2SQL Server 2019 Enterprise on Windows Server 2022 Database Engine Only - x64 Gen 2.SQL Server 2017 Enterprise on Windows Server 2019 Database Engine Only - x64 Gen 2
- Confidential VMs aren't currently available in all regions. To validate region supportability, look for the
ECadsv5-seriesorDCadsv5-seriesin VM products Available by Azure region.
Next steps
In this article, you learned to deploy SQL Server to a confidential virtual machine in the Azure portal. To learn more about how to migrate your data to the new SQL Server, see the following article.
Feedback
Kommer snart: I hele 2024 udfaser vi GitHub-problemer som feedbackmekanisme for indhold og erstatter det med et nyt feedbacksystem. Du kan få flere oplysninger under: https://aka.ms/ContentUserFeedback.
Indsend og få vist feedback om