
Azure Confidential Computing for Azure Database for PostgreSQL flexible server

Azure Confidential Computing (ACC) enables organizations to securely process and collaborate on sensitive data, such as personal data or protected health information (PHI). ACC provides built-in protection against unauthorized access by securing data in use through Trusted Execution Environments (TEEs). This protection enables secure real-time analytics and collaborative machine learning across organizational boundaries.

Understanding the architecture

Azure Database for PostgreSQL flexible server supports Azure Confidential Computing through Trusted Execution Environments (TEEs), which are hardware-based, isolated memory regions within the CPU. The operating system, hypervisor, and other applications can't access data processed inside the TEE.

  • Code runs in plaintext within the TEE but remains encrypted outside the enclave.
  • Data is encrypted at rest, in transit, and in use.
  • The operating system, hypervisor, and other applications can't access protected data.

Processors

You enable Azure Confidential Computing in Azure Database for PostgreSQL flexible server by selecting a supported confidential virtual machine (VM) SKU when creating a new server. Only AMD SEV-SNP processors are supported.

Note

Intel TDX processors aren't currently supported for Azure Database for PostgreSQL flexible server.

Virtual machine SKUs

The SKUs that support Azure Confidential Computing (ACC) for Azure Database for PostgreSQL flexible server are:

SKU Name | Processor   | vCores | Memory (GiB) | Max IOPS   | Max I/O Bandwidth (MBps)
Dcadsv5  | AMD SEV-SNP | 2-96   | 8-384        | 3750-80000 | 48-1200
Ecadsv5  | AMD SEV-SNP | 2-96   | 16-672       | 3750-80000 | 48-1200

Steps to deploy a server with confidential computing

Using the Azure portal:

  1. Select a region that supports Azure Confidential Computing for Azure Database for PostgreSQL flexible server. Then, in the Compute + storage section, select Configure Server.

    Screenshot showing Basics tab of New Azure Database for PostgreSQL flexible server wizard.

  2. Select your Compute tier and Compute processor.

    Screenshot showing where you can select the compute tier and processor.

  3. Expand the Compute size and select one of the confidential compute SKUs with an appropriate size to satisfy your needs.

    Screenshot showing where you can select the compute size.

  4. Deploy your server.
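The same deployment from the Azure CLI, with preflight checks for the constraints this page lists (supported regions and the AMD SEV-SNP Dcadsv5/Ecadsv5 SKU families). This is an added example, not code from the page or from Microsoft; the Standard_DC*/EC*ads_v5 SKU naming and the tier mapping for each family are assumptions.

```bash
#!/usr/bin/env bash
# Preflight checks for an ACC-backed flexible server, then the CLI equivalent
# of the portal steps. Region and SKU families come from this page; the
# Standard_DC*/EC*ads_v5 naming and the tier mapping are assumptions.
set -eu

# Regions the page lists as supporting ACC for flexible server.
acc_region_supported() {
  case "$1" in
    uaenorth|westeurope) return 0 ;;
    *) return 1 ;;
  esac
}

# Accept only the AMD SEV-SNP confidential SKU families (Dcadsv5 / Ecadsv5);
# Intel TDX and non-confidential SKUs are rejected. Echoes the compute tier.
acc_tier_for_sku() {
  case "$1" in
    Standard_DC[0-9]*ads_v5) echo GeneralPurpose ;;   # Dcadsv5 family (assumed tier)
    Standard_EC[0-9]*ads_v5) echo MemoryOptimized ;;  # Ecadsv5 family (assumed tier)
    *) return 1 ;;
  esac
}

# Build the az command line; fails closed if either check does not pass.
build_create_cmd() {
  local rg="$1" name="$2" region="$3" sku="$4" tier
  acc_region_supported "$region" || { echo "region $region has no ACC support" >&2; return 1; }
  tier=$(acc_tier_for_sku "$sku") || { echo "$sku is not a confidential SKU" >&2; return 1; }
  printf 'az postgres flexible-server create -g %s -n %s -l %s --tier %s --sku-name %s --yes' \
    "$rg" "$name" "$region" "$tier" "$sku"
}

# Only deploy when invoked explicitly: ./deploy.sh deploy <rg> <name> <region> <sku>
if [ "${1:-}" = "deploy" ]; then
  cmd=$(build_create_cmd "$2" "$3" "$4" "$5")
  echo "$cmd"
  eval "$cmd"
fi
```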

Compare

Let's compare Azure Confidential Compute virtual machines with Azure Confidential Computing for Azure Database for PostgreSQL flexible server.

Feature                         | Confidential Compute VMs | ACC for Azure Database for PostgreSQL
Hardware root of trust          | Yes                      | Yes
Trusted launch                  | Yes                      | Yes
Memory isolation and encryption | Yes                      | Yes
Secure key management           | Yes                      | Yes
Remote attestation              | Yes                      | No

Limitations and considerations

Evaluate the limitations carefully before deploying in a production environment.

  • Confidential Computing is only available in the following regions: UAE North and West Europe.
  • Only AMD SEV-SNP processors are supported. Intel TDX processors aren't currently compatible with Azure Database for PostgreSQL flexible server.
  • Point-in-time restore (PITR) from nonconfidential compute versions to confidential ones isn't allowed.