Confidential computing nodes on Azure Kubernetes Service (public preview)

Azure confidential computing allows you to protect your sensitive data while it's in use. The underlying infrastructures protect this data from other applications, administrators, and cloud providers with a hardware backed trusted execution container environments.


Azure Kubernetes Service (AKS) supports adding DCsv2 confidential computing nodes powered by Intel SGX. These nodes run can run sensitive workloads within a hardware-based trusted execution environment (TEE) by allowing user-level code to allocate private regions of memory. These private memory regions are called enclaves. Enclaves are designed protect code and data from processes running at higher privilege. The SGX execution model removes the intermediate layers of Guest OS, Host OS and Hypervisor. The hardware based per container isolated execution model allows applications to directly execute with the CPU, while keeping the special block of memory encrypted. Confidential computing nodes help with the overall security posture of container applications on AKS and a great addition to defense-in-depth container strategy.

sgx node overview

AKS Confidential Nodes Features

  • Hardware based and process level container isolation through SGX trusted execution environment (TEE)
  • Heterogenous node pool clusters (mix confidential and non-confidential node pools)
  • Encrypted Page Cache (EPC) memory-based pod scheduling
  • SGX DCAP driver pre-installed
  • Intel FSGS Patch pre-installed
  • Supports CPU consumption based horizontal pod autoscaling and cluster autoscaling
  • Out of proc attestation helper through AKS daemonset
  • Linux Containers support through Ubuntu 18.04 Gen 2 VM worker nodes

AKS Provided Daemon Sets (addon)

SGX Device Plugin

The SGX Device Plugin implements the Kubernetes device plugin interface for EPC memory. Effectively, this plugin makes EPC memory an additional resource type in Kubernetes. Users can specify limits on this resource just as other resources. Apart from the scheduling function, the device plugin helps assign SGX device driver permissions to confidential workload containers. A sample implementation of the EPC memory-based deployment ( sample is here

SGX Quote Helper Service

Enclave applications that perform remote attestation need to generate a QUOTE. The QUOTE provides cryptographic proof of the identity and the state of the application, and the environment the enclave is running in. QUOTE generation relies on certain trusted software components from Intel, which are part of the SGX Platform Software Components (PSW/DCAP). This PSW is packaged as a daemon set that runs per node. It can leveraged when requesting attestation QUOTE from enclave apps. Using the AKS provided service will help better maintain the compatibility between the PSW and other SW components in the host. Read more on its usage and feature details.

Programming & application models

Confidential Containers

Confidential containers run existing programs and most common programming language runtime (Python, Node, Java etc.), along with their existing library dependencies, without any source-code modification or recompilation. This model is the fastest model to confidentiality enabled through Open Source Projects & Azure Partners. The container images that are made ready created to run in the secure enclaves are termed as confidential containers.

Enclave aware containers

AKS supports applications that are programmed to run on confidential nodes and utilize special instruction set made available through the SDKs and frameworks. This application model provides most control to your applications with a lowest Trusted Computing Base (TCB). Read more on enclave aware containers.

Next Steps

Deploy AKS Cluster with confidential computing nodes

Quick starter confidential container samples

DCsv2 SKU List