Quickstart: Create confidential VM on AMD in the Azure portal (preview)


Confidential virtual machines (confidential VMs) in Azure Confidential Computing are currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

You can use the Azure portal to quickly create a confidential VM based on an Azure Marketplace image. There are multiple confidential VM options on AMD with AMD SEV-SNP technology.


  • An Azure subscription. Free trial accounts don't have access to the VMs used in this tutorial. One option is to use a pay as you go subscription.
  • If you're using a Linux-based confidential VM, have a BASH shell to use for SSH or install an SSH client, such as PuTTY.

Create confidential VM

To create a confidential VM in the Azure portal using an Azure Marketplace image:

  1. Sign in to the Azure portal.

  2. Select or search for Virtual machines.

  3. On the Virtual machines page menu, select Create > Virtual machine.

  4. On the tab Basics, configure the following settings:

    1. Under Project details, for Subscription, select an Azure subscription that meets the prerequisites.

    2. For Resource Group, select Create new to create a new resource group. Enter a name, and select OK.

    3. Under Instance details, for Virtual machine name, enter a name for your new VM.

    4. For Region, select the Azure region in which to deploy your VM.


      Confidential VMs are not available in all locations. For currently supported locations, see which VM products are available by Azure region.

    5. For Security Type, select Confidential virtual machines.

    6. For Image, select the OS image to use for your VM. For this tutorial, select Ubuntu Server 20.04 LTS (Confidential VM preview), Windows Server 2019 [Small disk] Data Center, or Windows Server 2022 [Small disk] Data Center.


      Optionally, select See all images to open Azure Marketplace. Select the filter Security Type > Confidential to show all available confidential VM images.

    7. Toggle Generation 2 images. Confidential VMs only run on Generation 2 images. To make sure Generation 2 is selected, under Image, select Configure VM generation. In the pane Configure VM generation, for VM generation, select Generation 2. Then, select Apply.

    8. For Size, select a VM size. For more information, see supported confidential VM families.

    9. For Authentication type, if you're creating a Linux VM, select SSH public key. If you don't already have SSH keys, create SSH keys for your Linux VMs.

    10. Under Administrator account, for Username, enter an administrator name for your VM.

    11. For SSH public key, if applicable, enter your RSA public key.

    12. For Password and Confirm password, if applicable, enter an administrator password.

    13. Under Inbound port rules, for Public inbound ports, select Allow selected ports.

    14. For Select inbound ports, select your inbound ports from the drop-down menu. For Windows VMs, select HTTP (80) and RDP (3389). For Linux VMs, select SSH (22) and HTTP (80).


      It's not recommended to allow RDP/SSH ports for production deployments.

  5. On the tab Disks, configure the following settings:

    1. Under Disk options, enable Confidential compute encryption if you want to encrypt your VM's OS disk during creation.

    2. For Confidential compute encryption type, select the type of encryption to use.

  6. As needed, make changes to settings under the tabs Networking, Management, Guest Config, and Tags.

  7. Select Review + create to validate your configuration.

  8. Wait for validation to complete. If necessary, fix any validation issues, then select Review + create again.

  9. In the Review + create pane, select Create.
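
The note in step 4 advises against leaving RDP/SSH open for production deployments. The following is an added example, not part of the original quickstart or of any Azure tooling: a simplified Python check that lists inbound Allow rules exposing SSH or RDP to any source. It assumes rules exported in the ARM securityRules shape; the helper names and the sample rules are constructed for illustration.

```python
# Simplified check: lists inbound Allow rules that open SSH or RDP to any
# source. It does not evaluate rule priority or overriding Deny rules.
MGMT_PORTS = {22: "SSH", 3389: "RDP"}
OPEN_SOURCES = {"*", "0.0.0.0/0", "internet"}


def port_in_spec(spec: str, port: int) -> bool:
    """True if an NSG port spec ('*', '22' or '20-25') covers the port."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port


def exposed_mgmt_ports(rules):
    """Return sorted (rule name, service) pairs reachable from any source."""
    findings = []
    for r in rules:
        p = r["properties"]
        if p["direction"].lower() != "inbound" or p["access"].lower() != "allow":
            continue
        if p.get("protocol", "*").lower() not in ("tcp", "*"):
            continue
        sources = [p.get("sourceAddressPrefix", "")] + p.get("sourceAddressPrefixes", [])
        if not any(s.lower() in OPEN_SOURCES for s in sources if s):
            continue
        specs = [p.get("destinationPortRange", "")] + p.get("destinationPortRanges", [])
        for port, service in MGMT_PORTS.items():
            if any(port_in_spec(s, port) for s in specs if s):
                findings.append((r["name"], service))
    return sorted(findings)


def rule(name, source, ports, access="Allow"):
    """Build a constructed sample rule in the ARM securityRules shape."""
    return {"name": name, "properties": {
        "direction": "Inbound", "access": access, "protocol": "Tcp",
        "sourceAddressPrefix": source, "destinationPortRanges": ports}}


# Constructed sample rules, modelled on the ports the quickstart opens.
SAMPLE_RULES = [
    rule("SSH", "*", ["22"]),
    rule("HTTP", "*", ["80"]),
    rule("admin-range", "Internet", ["3380-3400", "8080"]),
    rule("ssh-from-jumpbox", "10.0.1.0/24", ["22"]),
    rule("deny-rdp", "*", ["3389"], access="Deny"),
]
```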

Connect to confidential VM

There are different methods to connect to Windows confidential VMs and Linux confidential VMs.

Connect to Windows VMs

To connect to a confidential VM with a Windows OS, see How to connect and sign on to an Azure virtual machine running Windows.

Connect to Linux VMs

To connect to a confidential VM with a Linux OS, see the instructions for your computer's OS.

Before you begin, make sure you have your VM's public IP address. To find the IP address:

  1. Sign in to the Azure portal.

  2. Select or search for Virtual machines.

  3. On the Virtual machines page, select your confidential VM.

  4. On your confidential VM's overview page, copy the Public IP address.

    For more information about connecting to Linux VMs, see Quickstart: Create a Linux virtual machine in the Azure portal.

  5. Open your SSH client, such as PuTTY.

  6. Enter your confidential VM's public IP address.

  7. Connect to the VM. In PuTTY, select Open.

  8. Enter your VM administrator username and password.


    If you're using PuTTY, you might receive a security alert that the server's host key isn't cached in the registry. If you trust the host, select Yes to add the key to PuTTY's cache and continue connecting. To connect just once, without adding the key, select No. If you don't trust the host, select Cancel to abandon your connection.
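
Deciding whether to trust the host in the alert above means comparing the fingerprint the SSH client displays with one you already trust. The following is an added example, not part of the original quickstart: it computes the OpenSSH-style SHA256 fingerprint from a host public key line and compares it with the displayed value. It assumes you obtained that key line through a channel other than the SSH connection itself (the page does not describe one) and that your client shows the SHA256:... form; the sample key is constructed.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample, not a real host key: an ssh-ed25519 blob over bytes 0..31.
_blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_HOST_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " constructed"


def parse_pubkey(line: str):
    """Split '<type> <base64> [comment]' into (key type, decoded key blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError as exc:
        raise ValueError("key data is not valid base64") from exc
    # The blob starts with its own copy of the key type; both must agree.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != fields[0].encode():
        raise ValueError("declared key type does not match key blob")
    return fields[0], blob


def sha256_fingerprint(line: str) -> str:
    """Fingerprint in OpenSSH form: 'SHA256:' + unpadded base64 of SHA-256."""
    _, blob = parse_pubkey(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(trusted_line: str, displayed: str) -> bool:
    """Compare the fingerprint the SSH client displays with the trusted key."""
    expected = sha256_fingerprint(trusted_line).encode()
    return hmac.compare_digest(expected, displayed.strip().encode())


if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_HOST_KEY))
```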

Clean up resources

After you're done with the quickstart, you can clean up the confidential VM, the resource group, and other related resources.

  1. Sign in to the Azure portal.

  2. Select or search for Resource groups.

  3. On the Resource groups page, select the resource group you created for this quickstart.

  4. On the resource group's menu, select Delete resource group.

  5. In the warning pane, enter the resource group's name to confirm the deletion.

  6. Select Delete.
