您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.


Azure 证明
Kubernetes 服务

组织协作时,他们共享信息。When organizations collaborate, they share information. 但大多数方不希望向其他方授予对数据的所有部分的访问权限。But most parties don't want to give other parties access to all parts of the data. 存在用于保护静态数据和传输中数据的机制。Mechanisms exist for safeguarding data at rest and in transit. 但是,在使用中加密数据会带来不同的挑战。However, encrypting data in use poses different challenges. 本文介绍了 Azure 机密计算 (ACC) 为加密正在使用的数据提供的解决方案。This article presents a solution that Azure confidential computing (ACC) offers for encrypting in-use data.

使用机密计算和容器,解决方案为提供商托管的应用程序提供了一种与医院和第三方诊断提供商安全协作的方法。By using confidential computing and containers, the solution provides a way for a provider-hosted application to securely collaborate with a hospital and a third-party diagnostic provider. Azure Kubernetes Service (AKS) 托管机密计算节点。Azure Kubernetes Service (AKS) hosts confidential computing nodes. Azure 证明与诊断提供程序建立了信任关系。Azure Attestation establishes trust with the diagnostic provider. 通过使用这些 Azure 组件,体系结构将隔离医院患者的敏感数据,同时在云中处理特定的共享数据。By using these Azure components, the architecture isolates the sensitive data of the hospital patients while the specific shared data is being processed in the cloud. 然后,诊断提供商无法访问医院数据。The hospital data is then inaccessible to the diagnostic provider. 通过此体系结构,提供商托管的应用程序也可以利用高级分析。Through this architecture, the provider-hosted application can also take advantage of advanced analytics. 诊断提供程序可将这些分析作为机器学习的机密计算服务 (ML) 应用程序提供。The diagnostic provider makes these analytics available as confidential computing services of machine learning (ML) applications.

可能的用例Potential use cases

许多行业使用机密计算来保护其数据,目的如下:Many industries protect their data by using confidential computing for these purposes:

  • 保护财务数据Securing financial data
  • 保护患者信息Protecting patient information
  • 对敏感信息运行 ML 进程Running ML processes on sensitive information
  • 针对多个源中的加密数据集执行算法Performing algorithms on encrypted datasets from many sources
  • 保护容器数据和代码完整性Protecting container data and code integrity



显示如何在医疗保健设置中的第三方之间流动数据的关系图。Diagram showing how data flows between three parties in a healthcare setting. 三个矩形代表三方:一家医院、医学平台和诊断提供商。Three rectangles represent the three parties: a hospital, a medical platform, and a diagnostic provider. 每个矩形都包含表示各种组件的图标,如网站、客户端应用程序、Azure 证明、web API、数据存储和运行时。Each rectangle contains icons that represent various components, such as a website, a client application, Azure Attestation, a web API, data storage, and a runtime. 医疗平台和诊断提供程序矩形还包含表示机密节点和 K S 分类的小矩形。The medical platform and diagnostic provider rectangles also contain smaller rectangles that represent confidential nodes and A K S clusters. 箭头连接这些组件,并显示数据流。Arrows connect these components and show the flow of data. 编号标注对应于本文后面描述的步骤。Numbered callouts correspond to the steps that this article describes after the diagram.

下载此体系结构的 svgDownload an .svg of this architecture.

此关系图概述了此体系结构。The diagram outlines the architecture. 整个系统:Throughout the system:

  • 网络通信在传输过程中加密。Network communication is TLS encrypted in transit.
  • Azure Monitor 跟踪组件性能和 Azure 容器注册表 (ACR) 管理解决方案的容器。Azure Monitor tracks component performance, and Azure Container Registry (ACR) manages the solution's containers.

解决方案涉及以下步骤:The solution involves the following steps:

  1. 本地医院的职员打开 web 门户。A clerk for a local hospital opens a web portal. 整个 web 应用是一个 Azure Blob 存储静态网站。The entire web app is an Azure Blob Storage static website.
  2. 职员将数据输入医院的 web 门户,该门户连接到由流行的医疗平台供应商构建的基于 Python Flask 的 web API。The clerk enters data into the hospital's web portal, which connects to a Python Flask–based web API built by a popular medical platform vendor. SCONE机密计算软件中的机密节点可保护患者数据。A confidential node in the SCONE confidential computing software protects the patient data. SCONE 在具有软件防护扩展 (SGX) 启用的 AKS 群集中运行,可帮助在 enclave 中运行该容器。SCONE works within an AKS cluster that has the Software Guard Extensions (SGX) enabled that help run the container in an enclave. Web API 将提供敏感数据和应用代码在受信任的执行环境中进行加密和隔离的证据。The Web API will provide evidence that the sensitive data and app code is encrypted and isolated in a Trusted Execution Environment. 这意味着,不会有任何人、没有任何进程和任何日志都有权访问明文数据或应用程序代码。This means that no humans, no processes, and no logs have access to the cleartext data or the application code.
  3. 医院的 web 应用客户端请求证明服务 (的 Azure 证明) 验证此证据,并收到用于验证的其他应用的签名 证明令牌The hospital's web app client requests that an attestation service (Azure Attestation) validates this evidence, and receives a signed attestation token for other apps to verify.
  4. 如果 Web API 需要 (类似于 Redis 缓存的其他组件) ,则它可以沿证明令牌传递来验证数据和应用程序代码是否已一直保持在安全的 enclave 中 (请参阅步骤6,验证) 。If the Web API requires additional components (like a Redis cache), it can pass along the attestation token to verify that the data and app code have so far remained in a safe enclave (see step 6 for verification).
  5. Web API 甚至可以使用远程服务,例如由第三方诊断提供商托管的 ML 模型。The Web API can even consume remote services, such as an ML model hosted by a third-party diagnostics provider. 在执行此操作时,它会继续传递任何证明令牌,以获取需要 enclaves 的证据。When doing so, it continues to pass along any attestation tokens for evidence that required enclaves are safe. Web API 还可以尝试接收和验证诊断提供商的基础结构的证明令牌。The Web API could also attempt to receive and verify attestation tokens for the diagnostic provider's infrastructure.
  6. 远程基础结构接受来自医疗平台的 web api 的证明令牌,并使用在 Azure 证明服务中找到的公共证书对其进行验证。The remote infrastructure accepts the attestation token from the medical platform's web api and verifies it with a public certificate found in the Azure Attestation service. 如果验证了令牌,则 enclave 是安全的,并且数据或应用代码都不会在 enclave 外打开。If the token is verified, there is near certainty that the enclave is safe and neither the data or app code have been opened outside of the enclave.
  7. 诊断提供程序确信数据尚未公开,并将其发送到开放式神经网络交换 (ONNX) 运行时服务器中的 enclave。The diagnostics provider, confident that the data has not been exposed, sends it into its own enclave in an Open Neural Network Exchange (ONNX) runtime server. AI 模型解释医疗图像,并将其诊断结果返回到医学平台的机密 Web API 应用。An AI model interprets the medical imagery and returns its diagnosis results back to the medical platform's confidential Web API app. 然后,软件可以与患者记录进行交互,也可以与其他医院人员联系。From here, the software can then interact with patient records and/or contact other hospital staff.


  • 在 Blob 存储中托管的静态网站 直接从存储容器提供静态内容,如 HTML、CSS、JavaScript 和映像文件。Static website hosting in Blob Storage serves static content like HTML, CSS, JavaScript, and image files directly from a storage container.

  • Azure 证明 是一个统一的解决方案,可远程验证平台的可信度。Azure Attestation is a unified solution that remotely verifies the trustworthiness of a platform. Azure 证明还会远程验证在平台中运行的二进制文件的完整性。Azure Attestation also remotely verifies the integrity of the binaries that run in the platform. 使用 Azure 证明建立与机密应用程序的信任关系。Use Azure Attestation to establish trust with the confidential application.

  • AKS 群集 简化了部署 Kubernetes 群集的过程。AKS Cluster simplifies the process of deploying a Kubernetes cluster.

  • 机密计算节点 托管在特定虚拟机系列上,该系列可通过允许用户级别代码分配内存(称为 enclaves)的专用区域来在基于硬件的受信任执行) (环境中的 AKS 上运行敏感工作负荷。Confidential computing nodes are hosted on a specific virtual machine series that can run sensitive workloads on AKS within a hardware-based trusted execution environment (TEE) by allowing user-level code to allocate private regions of memory, known as enclaves. 机密计算节点可以支持机密容器或 enclave 感知容器。Confidential computing nodes can support confidential containers or enclave-aware containers.

  • SCONE 平台 是独立于 Azure 合作伙伴的软件供应商 (ISV) 解决方案。SCONE platform is an Azure Partner independent software vendor (ISV) solution from Scontain.

  • Redis 是一个开源的内存中数据结构存储区。Redis is an open-source, in-memory data structure store.

  • 安全容器环境 (SCONE) 支持在 Kubernetes 群集内运行的容器中执行机密应用程序。Secure Container Environment (SCONE) supports the execution of confidential applications in containers that run inside a Kubernetes cluster.

  • 机密推断 ONNX 运行时服务器 Enclave (ONNX RT-Enclave) 是一台主机,它限制 ML 主机参与方访问推断请求及其相应的响应。Confidential Inferencing ONNX Runtime Server Enclave (ONNX RT - Enclave) is a host that restricts the ML hosting party from accessing both the inferencing request and its corresponding response.


  • 可以使用 Fortanix 而不是 SCONE 来部署要用于容器化应用程序的机密容器。You can use Fortanix instead of SCONE to deploy confidential containers to use with your containerized application. Fortanix 提供运行和管理最广泛的一组应用程序所需的灵活性:现有应用程序、新的 enclave 应用程序和预打包的应用程序。Fortanix provides the flexibility you need to run and manage the broadest set of applications: existing applications, new enclave-native applications, and pre-packaged applications.

  • Graphene 是一种轻型开源来宾操作系统。Graphene is a lightweight, open-source guest OS. Graphene 可以在隔离的环境中运行单个 Linux 应用程序,其中的优点与运行完整的 OS 相当。Graphene can run a single Linux application in an isolated environment with benefits comparable to running a complete OS. 它为将现有 Docker 容器应用程序转换为 Graphene 受防护容器 (GSC) 提供了良好的工具支持。It has good tooling support for converting existing Docker container applications to Graphene Shielded Containers (GSC).


Azure 机密计算虚拟机 (Vm) 可用于满足一般用途的第二代 D 系列大小。Azure confidential computing virtual machines (VMs) are available in 2nd-generation D family sizes for general purpose needs. 这些大小统称为 D 系列 v2 或 DCsv2 系列。These sizes are known collectively as D-Series v2 or DCsv2 series. 此方案将使用启用了 Intel SGX 的 DCs_v2 系列虚拟机与 Gen2 操作系统 (OS) 映像。This scenario uses Intel SGX-enabled DCs_v2-series virtual machines with Gen2 operating system (OS) images. 但在某些区域中只能部署某些大小。But you can only deploy certain sizes in certain regions. 有关详细信息,请参阅 快速入门:在 Marketplace 中部署 Azure 机密计算 VM按区域提供的产品For more information, see Quickstart: Deploy an Azure Confidential Computing VM in the Marketplace and Products available by region.

部署此方案Deploy this scenario

部署此方案涉及以下高级步骤:Deploying this scenario involves the following high-level steps:

  • 在已启用 SGX 的现有 AKS 群集上部署机密推断服务器。Deploy the confidential inferencing server on an existing SGX-enabled AKS Cluster. 有关此步骤的信息,请参阅 GitHub 上的 机密 ONNX 推理服务器 项目。See the confidential ONNX inference server project on GitHub for information on this step.

  • 配置 Azure 认证策略。Configure Azure Attestation policies.

  • 部署启用了 SGX 的 AKS 群集节点池。Deploy an SGX-enabled AKS cluster node pool.

  • 获取对 名为 SconeApps 的特选机密应用程序的访问权限。Get access to curated confidential applications called SconeApps. SconeApps 仅可用于商业客户的专用 GitHub 存储库,通过 SCONE Standard Edition。SconeApps are available on a private GitHub repository that's currently only available for commercial customers, through SCONE Standard Edition. 转到 SCONE 网站 并直接联系公司以获取此服务级别。Go to the SCONE website and contact the company directly to get this service level.

  • 在 AKS 群集上安装并运行 SCONE 服务。Install and run SCONE services on your AKS cluster.

  • 在 AKS 群集上安装并测试基于 Flask 的应用程序。Install and test the Flask-based application on your AKS cluster.

  • 部署和访问 web 客户端。Deploy and access the web client.

这些步骤侧重于 enclave 容器。These steps focus on the enclave containers. 受保护的基础结构将扩展到此实现之外,并包括符合性要求,如 HIPAA 所需的附加保护。A secured infrastructure would extend beyond this implementation and include compliance requirements, such as added protections required by HIPAA.


若要了解运行此方案的成本,请使用 azure 定价计算器,它预配置所有 Azure 服务。To explore the cost of running this scenario, use the Azure pricing calculator, which preconfigures all Azure services.

如图中所示,Contoso 医疗 SaaS 平台提供了一个 示例成本配置文件A sample cost profile is available for the Contoso Medical SaaS Platform, as pictured in the diagram. 它包括以下组件:It includes the following components:

  • 系统节点池和 SGX 节点池:无磁盘,全部暂时System node pool and SGX node pool: no disks, all ephemeral
  • AKS 负载均衡器AKS Load Balancer
  • Azure 虚拟网络:名义Azure Virtual Network: nominal
  • Azure 容器注册表Azure Container Registry
  • 单页面应用程序的存储帐户 (SPA) Storage account for single-page application (SPA)

配置文件不包括以下组件:The profile doesn't include the following components:

  • Azure 证明服务:免费Azure Attestation Service: free

  • Azure Monitor 日志:基于使用情况Azure Monitor Logs: usage based

  • SCONE ISV 许可SCONE ISV licensing

  • 处理敏感数据的解决方案所需的合规性服务,其中包括:Compliance services required for solutions working with sensitive data, including:

    • 适用于 Kubernetes 的 azure 安全中心和 Azure DefenderAzure Security Center and Azure Defender for Kubernetes
    • Azure DDoS 保护:标准Azure DDoS Protection: standard
    • Azure 防火墙Azure Firewall
    • Azure 应用程序网关和 Azure Web 应用程序防火墙Azure Application Gateway and Azure Web Application Firewall
    • Azure Key VaultAzure Key Vault

后续步骤Next steps