Simran Parkhe shares insights on Azure’s next-gen Confidential VMs with Intel® TDX, detailing technical advancements, security boundaries, performance updates, and customer adoption stories.

Azure Confidential VMs Momentum with Intel® TDX

Overview

Azure has announced the next generation of Confidential Virtual Machines, leveraging 5th Gen Intel® Xeon® processors (Emerald Rapids) and Intel® Trust Domain Extensions (TDX). These VMs are now available in preview and enable organizations to run confidential workloads in the cloud without modifying their application code.

Confidential VMs are suited for tenants with high security and confidentiality needs. They enforce strong, attestable hardware boundaries and ensure that code and data remain encrypted in memory during processing. This supports data privacy even while the data is in use.

Key Technical Enhancements

  • Supported SKUs:
    • General-purpose: DCesv6-series
    • Memory-optimized: ECesv6-series
  • Intel® Advanced Matrix Extensions (AMX):
    • Accelerates confidential AI workloads and scenarios
  • Local NVMe SSD Support (DCedsv6/ECedsv6):
    • Designed for storage workloads demanding SSD capacity, compute, and memory balance
    • Achieves ~5x throughput and 16% lower latency compared with the previous SCSI generation
    • IO latency reduced by ~27 microseconds across varying block sizes and thread counts
  • Azure Boost:
    • Up to 205k IOPS, 4 GB/s remote storage, 40 Gbps network bandwidth
  • Open-Source Paravisor and OpenHCL:
    • Azure’s first use of an open paravisor (see GitHub and the OpenHCL announcement)
    • Supports transparency through a “trust but verify” approach

Security and Confidentiality Highlights

  • Hardware-enforced attestation and boundaries for sensitive workloads
  • Memory encryption throughout the data usage lifecycle
  • Integration with customer-managed security platforms (e.g., Thales CipherTrust)
  • Enables ecosystem approaches to end-to-end data protection (at rest, in transit, and in use)

Customer Feedback

  • Bosch Trustworthy Collaboration Services:
    • Uses Azure Confidential VMs for foundational secure collaboration with enhanced transparency and verification
  • Thales Cyber & Digital Identity:
    • Achieves encryption for data-in-use, closing key gaps in end-to-end data protection
    • Relies on integration between Microsoft, Intel, and Thales CipherTrust
  • Nuuday (TDC Erhverv):
    • Delivers a secure, compliant Confidential AI environment meeting privacy and sovereignty standards
  • Arqit:
    • Demonstrates security-enhancing technologies for sovereign control over sensitive AI workloads, accelerating AI adoption

Product Series Details

  • DCesv6-series / DCedsv6-series:
    • Up to 128 vCPUs, up to 512 GiB memory
    • NVMe SSD options for storage workloads
  • ECesv6-series / ECedsv6-series:
    • Higher memory/vCPU ratio, up to 64 vCPUs and 512 GiB memory

Availability and Preview Sign-up

  • General release expected in Q1 2026 (select US and EU regions)
  • Preview sign-up for DCesv6 and ECesv6 VMs: forms.office.com


Last updated Nov 17, 2025 by Simran Parkhe

This post appeared first on “Microsoft Tech Community”.