Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting our team. We will be in touch shortly.Close

Menu Close menu
  1. Blog
  2. Article

Jehudi
on 26 October 2023

Introducing Confidential VMs on Ubuntu Pro for Azure

confidential computing confidential VM Microsoft Azure Ubuntu Pro

In the modern cloud ecosystem, the emergence of Confidential VMs (CVMs) has marked a significant stride towards robust security. However, while CVMs excel in guarding against external code threats, they remain susceptible to vulnerabilities within their boundaries. Herein lies the profound synergy between Ubuntu Pro and Confidential VMs on Microsoft Azure. While the latter fortifies the external walls, Ubuntu Pro vigilantly guards the interior, fostering a hardened, compliant, and manageable enclave for your cloud-based workloads. The integration not only significantly amplifies the security, but seamlessly aligns with enterprise requisites, propelling confidential computing towards being production-ready for professional workloads.

What are the benefits of Ubuntu Pro?

Ubuntu Pro extends the popular Ubuntu LTS with additional enterprise-grade capabilities tailored to meet the stringent requirements of professional and production use-cases. Here are some key advantages:

  • Extended Security Maintenance (ESM): 10 years of vulnerability management for the entire stack of software packages.
  • Comprehensive Patching: Security patching for over 25,000 open-source packages, expanding the set of packages your team can build on safely and reducing your average CVE exposure significantly.
  • Kernel Livepatch: Minimise downtime and unplanned reboots with patches for critical and high-severity kernel vulnerabilities.
  • Automated Compliance: Tooling for hardening and compliance profiles, including CIS, DISA-STIG, FIPS 140, and more.
  • Streamlined Billing: Hourly billing through your existing Azure account.

For more details, you can visit the Ubuntu Pro for Azure page.

Why use Confidential VMs (CVMs)?

Confidential VMs add an extra layer of security by encrypting data during processing, addressing a previously challenging aspect of data protection. The technology ensures that data is encrypted at runtime, at rest, and during boot-up. Here are some key features:

  • Runtime Protection: Data and code in memory are encrypted, ensuring that they are secure from any unauthorized access.
  • Data-at-Rest Encryption: Full-disk encryption capabilities to secure all stored data.
  • Boot-Time Verification: Hardware-rooted signed attestation to verify the OS, firmware, and platform boot measurements.

 For more information, you can visit this blog.

Combining Ubuntu Pro and Confidential VMs

Confidential computing introduces a security model where CVMs protect data from external software threats. However, vulnerabilities from within their boundaries remain a concern. This is where Ubuntu Pro becomes essential. Ubuntu Pro offers security measures to tackle vulnerabilities within the CVM’s software stack or the guest OS. Regular security patching and updates provided by Ubuntu Pro mitigate this risk. For a detailed exploration on the importance of securing your CVM from internal vulnerabilities, you can read our in-depth article here. This integration ensures a more secure environment suitable for enterprise operations and is compatible with both AMD SEV-SNP hardware and, for those in the Azure limited preview, Intel TDX.

How to Deploy

To deploy a new Confidential VM with Ubuntu Pro, use the Azure CLI command as follows:

az vm create \
--resource-group "${RESOURCE_GROUP}" \
--name "${VM_NAME}" \
--size Standard_DC4as_v5 \
--enable-vtpm true \
--image "Canonical:0001-com-ubuntu-confidential-vm-focal:20_04-lts-cvm:latest" \
--security-type ConfidentialVM \
--os-disk-security-encryption-type VMGuestStateOnly \
--enable-secure-boot true \
--license-type UBUNTU_PRO

The –license-type UBUNTU_PRO flag is the key for deploying Ubuntu Pro. 

In-Place Upgrade

Existing Confidential VM Ubuntu LTS VMs can be upgraded to Ubuntu Pro using a few commands. For more details, you can visit our In-Place Upgrade announcement.

Conclusion

Azure Confidential VMs provide an enhanced layer of protection for cloud-based workloads. But for a comprehensive security approach, it’s crucial to also address vulnerabilities from within. Ubuntu Pro fills this internal security need, improving the overall security framework. This integration between Ubuntu Pro and Azure Confidential VMs provides a more secure environment, enabling users to manage their confidential computing tasks with increased confidence.

Related posts

ijlal-loutfi
21 February 2024

Preview Confidential AI with Ubuntu Confidential VMs and NVIDIA H100 GPUs on Microsoft Azure

Confidential computing Confidential computing

Learn about Confidential AI preview on Azure with Ubuntu confidental VMs and Nvidia H100 GPUs, and explore how confidential computing in the cloud transforms AI security, ensuring utmost confidentiality and integrity for sensitive data and models. ...

ijlal-loutfi
19 December 2023

Ubuntu Confidential VMs on Azure: Introducing Ephemeral OS disks & vTPMs

Confidential computing Confidential computing

Canonical introduces ephemeral vTPMs for Ubuntu Confidential VMs on Azure, Strengthening remote attestation. Explore the evolution of confidential computing, the pivotal role of vTPMs, and Ubuntu’s solution that minimizes reliance on cloud infrastructure while ensuring comprehensive security within your VM’s software stack.” ...

Jehudi
28 March 2024

Deploying Open Language Models on Ubuntu

AI Article

Discover the benefits of using Ubuntu for open-source AI and how to seamlessly deploy models on Azure, including leveraging GPU and Confidential Compute capabilities. ...