Azure just unveiled the next generation of Confidential Virtual Machines (CVMs) powered by 5th Gen Intel® Xeon® (Emerald Rapids) with Intel® Trust Domain Extensions (Intel® TDX), introducing the DCesv6 (general-purpose) and ECesv6 (memory-optimized) series. These VMs keep your data encrypted in memory while it’s being processed, so you can move sensitive workloads to the cloud without changing application code.
- Two new families: DCesv6 (up to 128 vCPUs / 512 GiB RAM) and ECesv6 (up to 64 vCPUs / 512 GiB RAM).
- Stronger transparency with Microsoft’s open-source paravisor, OpenHCL, aligning with a “trust but verify” model.
- Faster I/O & networking via Azure Boost: up to 205k IOPS, 4 GB/s remote-storage throughput, and up to 54 Gbps VM network bandwidth (TDX CVM figures).
- Attestation options: built-in Guest Attestation and Intel® Tiber™ Trust Authority for independent, operator-neutral attestation.
- Availability (Preview): East US, West US, West US 3, West Europe; supported images include Windows Server 2025/2022 and Ubuntu 22.04/24.04. Sign-up required.
Preview note: These VMs are in public preview and not recommended for production yet.
Why this generation is different
1) A more transparent trust model with OpenHCL
CVMs now use OpenHCL, Microsoft’s open-source paravisor that runs inside the confidential boundary to provide virtualization services without exposing your VM state to the hypervisor. OpenHCL reduces guest OS changes, broadens OS support, and makes the platform’s behavior auditable in the open.
2) Better performance with Azure Boost
With Azure Boost, these TDX CVMs can hit ~205k IOPS, ~4 GB/s remote-storage throughput, and up to 54 Gbps VM networking, a level of performance that narrows the gap between confidential and non-confidential VM SKUs.
3) Stronger, flexible attestation
You can verify that your VM is running on genuine TDX hardware using Guest Attestation, and enterprises can opt for Intel® Tiber™ Trust Authority for independent (operator-neutral) attestation across clouds and environments.
Security model in a nutshell (Intel® TDX + Azure Confidential VM features)
- Memory-in-use encryption and isolation: TDX blocks the hypervisor and host code from reading VM memory/state, hardening against a broad range of hardware/software attacks.
- Confidential OS disk encryption: CVMs offer an enhanced encryption scheme that binds disk keys to the VM’s vTPM, with keys bypassing the hypervisor and host OS. Keys can be platform-managed (PMK) or customer-managed (CMK) via Azure Key Vault / Managed HSM (FIPS 140-2 Level 3 validated).
The new VM families at a glance
DCesv6 (General-purpose)
- Up to 128 vCPUs and 512 GiB RAM; no local disk (remote-storage only).
- Great for general compute, web/app tiers, sensitive databases, VDI, and many enterprise apps.
- Feature snapshot: Premium Storage (and caching) supported; no Live Migration, no Accelerated Networking, no Nested Virtualization.
- Selected specs (per size documentation):
  - Remote storage scale up to 204,800 IOPS and ~4,000 MB/s (series maximums, size-dependent).
  - Network up to ~54,000 Mb/s (≈ 54 Gbps) on the largest size.
ECesv6 (Memory-optimized)
- Up to 64 vCPUs and 512 GiB RAM; optimized for memory-intensive workloads (large RDBMS, BI, analytics) handling sensitive/regulated data.
- Disk types: Standard HDD/SSD and Premium SSD; Premium Storage (and caching) supported.
- Feature snapshot: No Live Migration, no Accelerated Networking, no Nested Virtualization.
Availability and images
Regions (Preview): East US, West US, West US 3, West Europe.
OS images: Windows Server 2025, Windows Server 2022, Ubuntu 22.04, Ubuntu 24.04.
Access: Request preview access via the SignUp form.
Choosing between DCesv6 and ECesv6
- Pick DCesv6 when you need balanced compute/memory and broad workload fit (web/app, services, sensitive DBs, VDI).
- Pick ECesv6 when you want higher memory-to-vCPU ratios for big in-memory DBs, BI, and analytics with sensitive data.
Limitations & feature notes (preview reality check)
- Accelerated Networking: Not supported on DCesv6/ECesv6.
- Live Migration / Memory-Preserving Updates: Not supported.
- Nested Virtualization / Ephemeral OS disk: Not supported (see DCesv6 table for details).
- Pricing nuances: Encryption settings can affect pricing; VMGS (guest state) incurs a small storage cost. Check the pricing notes and calculators.
Getting started (today)
- Request preview access using the sign-up link. You’ll receive enablement details once approved.
- Plan security posture: decide PMK vs CMK in Key Vault/Managed HSM; define attestation flows (Azure Guest Attestation and/or Intel® Tiber™ Trust Authority).
- Deploy a Confidential VM from the Azure portal or CLI using the provided guides, then attach disks and configure storage for your target IOPS/throughput.
- Validate performance: benchmark against your non-confidential baseline; confirm Azure Boost targets are met for your chosen size.
- Integrate attestation into your workload start-up (e.g., gate secret release on successful attestation).
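The last step above, gating secret release on successful attestation, is the part most teams get wrong, so here is a worked relying-party check. This is an added example, not code from the announcement, Microsoft or Intel. It models the key-release side: the workload presents an attestation token and the service releases the secret only after the signature, issuer, validity window, TEE type, compliance status and request nonce all check out. Assumptions: the token is an HS256 JWT signed with a constructed demo key (a real Microsoft Azure Attestation token is RS256-signed and must be verified against the attestation provider's JWKS); the claim names mirror the MAA CVM token layout (`x-ms-isolation-tee`, `x-ms-attestation-type`, `x-ms-compliance-status`, `x-ms-runtime.client-payload.nonce`) but the values `tdxvm` and `azure-compliant-cvm` and the issuer URL are placeholders to confirm against your provider's actual tokens.

```python
"""Attestation-gated secret release (constructed example, stdlib only)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values: NOT a real attestation key, provider URL or secret.
DEMO_KEY = b"constructed-demo-signing-key-not-a-real-maa-key"
ISSUER = "https://example-attest.attest.azure.net"  # placeholder provider URL
SECRET_STORE = {"db-master-key": b"constructed-demo-secret-do-not-reuse"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Stand-in for the attestation service: HS256-sign claims as a JWT.
    Real MAA tokens are RS256; this only exists so the demo runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class AttestationError(Exception):
    """Any failed check: the caller must not release the secret."""


def verify_token(token: str, key: bytes, issuer: str, nonce: str, now=None) -> dict:
    """Return the verified claims or raise AttestationError. Order matters:
    signature first, so no untrusted claim is acted on before it is authenticated."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AttestationError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never let the token pick the algorithm
        raise AttestationError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise AttestationError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise AttestationError("wrong issuer")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise AttestationError("token outside validity window")
    tee = claims.get("x-ms-isolation-tee", {})
    if tee.get("x-ms-attestation-type") != "tdxvm":          # assumed TDX value
        raise AttestationError("not a TDX VM")
    if tee.get("x-ms-compliance-status") != "azure-compliant-cvm":
        raise AttestationError("platform not compliant")
    got = claims.get("x-ms-runtime", {}).get("client-payload", {}).get("nonce")
    # Freshness: the nonce we issued must be echoed back, or this could be a replay.
    if not isinstance(got, str) or not hmac.compare_digest(got, nonce):
        raise AttestationError("nonce mismatch (replay?)")
    return claims


def release_secret(token: str, key: bytes, issuer: str, nonce: str) -> bytes:
    """The gate: only a fully verified token unlocks the secret."""
    verify_token(token, key, issuer, nonce)
    return SECRET_STORE["db-master-key"]


def _released(token: str, nonce: str) -> bool:
    try:
        return release_secret(token, DEMO_KEY, ISSUER, nonce) == SECRET_STORE["db-master-key"]
    except AttestationError:
        return False


def demo() -> dict:
    """Exercise the gate with one valid token and several that must be rejected."""
    nonce = secrets.token_hex(16)  # relying party picks a fresh nonce per request
    now = time.time()
    good = {
        "iss": ISSUER, "nbf": now - 60, "exp": now + 600,
        "x-ms-isolation-tee": {"x-ms-attestation-type": "tdxvm",
                               "x-ms-compliance-status": "azure-compliant-cvm"},
        "x-ms-runtime": {"client-payload": {"nonce": nonce}},
    }
    tee_bad = dict(good["x-ms-isolation-tee"], **{"x-ms-compliance-status": "non-compliant"})
    h, _, s = mint_token(good).split(".")
    forged = f"{h}.{_b64url(json.dumps(dict(good, iss='https://attacker.example')).encode())}.{s}"
    return {
        "valid": _released(mint_token(good), nonce),
        "not_compliant": _released(mint_token(dict(good, **{"x-ms-isolation-tee": tee_bad})), nonce),
        "expired": _released(mint_token(dict(good, exp=now - 1)), nonce),
        "replayed_nonce": _released(mint_token(good), secrets.token_hex(16)),
        "wrong_issuer": _released(mint_token(dict(good, iss="https://other.example")), nonce),
        "forged_payload": _released(forged, nonce),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15s} secret released: {ok}")
```

In production the same shape holds: swap `mint_token`/HS256 for RS256 verification against the provider's JWKS, keep the claim checks, and bind the nonce to the request so a captured token from an earlier boot cannot be replayed to the release endpoint.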
Common use cases
- Finance, healthcare, public sector: process regulated data with data-in-use encryption and verifiable runtime integrity.
- ISVs / SaaS: multi-tenant services that need strong isolation from cloud operators and other tenants with operator-independent attestation options.
- Enterprise modernization: lift-and-shift sensitive apps without code changes, then iterate on attestation and key-management patterns.
Final thoughts
This generation of Azure Intel® TDX Confidential VMs closes key performance and operational gaps while raising the transparency bar (OpenHCL) and expanding attestation choices. If you’ve been waiting for a “no-code-change” path to confidential computing with real throughput and network headroom, DCesv6 and ECesv6 deserve a spot in your roadmap. Just remember: it’s preview, so validate your workloads and plan for production readiness before go-live.
References & further reading
- Announcement: Preview for the next generation of Azure Intel® TDX Confidential VMs (regions, OS images, Azure Boost figures, attestation options). (Microsoft Tech Community)
- DCesv6 sizing & feature matrix. (Microsoft Learn)
- ECesv6 sizing & feature matrix (notes on time sync workaround). (Microsoft Learn)
- OpenHCL paravisor (background and roadmap). (Microsoft Tech Community)
- Confidential VM overview (enhanced disk encryption, vTPM, secure boot). (Microsoft Learn)
- Guest Attestation (how it works, scenarios). (Microsoft Learn)
- Intel® Tiber™ Trust Authority (independent attestation). (Intel)