Merge pull request #266986 from michamcr/patch-83

Rename virtual-machine-solutions.md to virtual-machine-options.md

Author: JamesJBarnett

articles/attestation/overview.md

@@ -50,7 +50,7 @@ Client applications can be designed to take advantage of TPM attestation by dele
 
 ### AMD SEV-SNP attestation
 
-Azure [Confidential VM](../confidential-computing/confidential-vm-overview.md) (CVM) is based on [AMD processors with SEV-SNP technology](../confidential-computing/virtual-machine-solutions.md). CVM offers VM OS disk encryption option with platform-managed keys or customer-managed keys and binds the disk encryption keys to the virtual machine's TPM. When a CVM boots up, SNP report containing the guest VM firmware measurements is sent to Azure Attestation. The service validates the measurements and issues an attestation token that is used to release keys from [Managed-HSM](../key-vault/managed-hsm/overview.md) or [Azure Key Vault](../key-vault/general/basic-concepts.md). These keys are used to decrypt the vTPM state of the guest VM, unlock the OS disk and start the CVM. The attestation and key release process is performed automatically on each CVM boot, and the process ensures the CVM boots up only upon successful attestation of the hardware.
+Azure [Confidential VM](../confidential-computing/confidential-vm-overview.md) (CVM) is based on [AMD processors with SEV-SNP technology](../confidential-computing/virtual-machine-options.md). CVM offers VM OS disk encryption option with platform-managed keys or customer-managed keys and binds the disk encryption keys to the virtual machine's TPM. When a CVM boots up, SNP report containing the guest VM firmware measurements will be sent to Azure Attestation. The service validates the measurements and issues an attestation token that is used to release keys from [Managed-HSM](../key-vault/managed-hsm/overview.md) or [Azure Key Vault](../key-vault/general/basic-concepts.md). These keys are used to decrypt the vTPM state of the guest VM, unlock the OS disk and start the CVM. The attestation and key release process is performed automatically on each CVM boot, and the process ensures the CVM boots up only upon successful attestation of the hardware.
 
 ### Trusted Launch attestation
 

articles/confidential-computing/TOC.yml

@@ -38,7 +38,7 @@
     - name: About Azure confidential VMs
       href: confidential-vm-overview.md
     - name: Azure confidential VM options
-      href: virtual-machine-solutions.md
+      href: virtual-machine-options.md
     - name: FAQ for confidential VMs
       href: confidential-vm-faq.yml
     - name: Guest attestation for confidential VMs

articles/confidential-computing/confidential-vm-faq.yml

@@ -1,8 +1,8 @@
 ### YamlMime:FAQ
 metadata:
   title: Azure confidential virtual machines FAQ
-  description: Answers to frequently asked questions (FAQs) about confidential virtual machines (confidential VMs) in Azure Confidential Computing.
-  author: edendcohen
+  description: Answers to frequently asked questions (FAQs) about confidential virtual machines in Azure Confidential Computing.
+  author: michamcr
   ms.topic: faq
   ms.service: virtual-machines
   ms.subservice: confidential-computing
@@ -125,6 +125,14 @@ sections:
         answer: |
           No. After you've created a confidential VM, you can't deactivate or reactivate full-disk encryption. Create a new confidential VM instead.
 
+      - question: |
+          Can I control more aspects of the Trusted Computing Base to enforce operator independent key management, attestation and disk encryption?
+        answer: |
+          Developers seeking further "separation of duties" for TCB services from the cloud service provider should use security type "NonPersistedTPM". 
+          - This experience is only available as part of the Intel TDX public preview. It has disclaimers in that, organizations that use it, or provide services with it are in control of the TCB and the responsibilities that come along with it. 
+          - This experience bypasses the native Azure services, allowing you to bring your own disk encryption, key management and attestation solution. 
+          - Each VM still has a vTPM, which should be used to retrieve hardware evidence, however the vTPM state is not persisted through reboots, meaning this solution is excellent for ephemeral workloads and organizations seeking further decoupling from the cloud service provider.
+
       - question: |
           Can I convert a non-confidential VM into a confidential VM?
         answer: |

articles/confidential-computing/index.yml

@@ -68,7 +68,7 @@ landingContent:
           - text: About Azure confidential VMs
             url: confidential-vm-overview.md
           - text: Azure Confidential VM options
-            url: virtual-machine-solutions.md
+            url: virtual-machine-options.md
       - linkListType: concept
         links:
           - text: Guest attestation for confidential VMs

articles/confidential-computing/quick-create-confidential-vm-azure-cli.md

@@ -41,7 +41,7 @@ az group create --name myResourceGroup --location northeurope
 Create a VM with the [az vm create](/cli/azure/vm) command.
 
 The following example creates a VM named *myVM* and adds a user account named *azureuser*. The `--generate-ssh-keys` parameter is used to automatically generate an SSH key, and put it in the default key location(*~/.ssh*). To use a specific set of keys instead, use the `--ssh-key-values` option.
-For `size`, select a confidential VM size. For more information, see [supported confidential VM families](virtual-machine-solutions.md).
+For `size`, select a confidential VM size. For more information, see [supported confidential VM families](virtual-machine-options.md).
 
 Choose `VMGuestStateOnly` for no OS disk confidential encryption. Or, choose `DiskWithVMGuestState` for OS disk confidential encryption with a platform-managed key. Secure Boot is enabled by default, but is optional for `VMGuestStateOnly`. For more information, see [secure boot and vTPM](../virtual-machines/trusted-launch.md). For more information on disk encryption and encryption at host, see [confidential OS disk encryption](confidential-vm-overview.md) and [encryption at host](/azure/virtual-machines/linux/disks-enable-host-based-encryption-cli).
 

articles/confidential-computing/quick-create-confidential-vm-portal.md

@@ -61,7 +61,7 @@ To create a confidential VM in the Azure portal using an Azure Marketplace image
 
     h. Toggle [Generation 2](../virtual-machines/generation-2.md) images. Confidential VMs only run on Generation 2 images. To ensure, under **Image**, select **Configure VM generation**. In the pane **Configure VM generation**, for **VM generation**, select **Generation 2**. Then, select **Apply**.
 
-    i. For **Size**, select a VM size. For more information, see [supported confidential VM families](virtual-machine-solutions.md).
+    i. For **Size**, select a VM size. For more information, see [supported confidential VM families](virtual-machine-options.md).
 
 
     j. For **Authentication type**, if you're creating a Linux VM, select **SSH public key** . If you don't already have SSH keys, [create SSH keys for your Linux VMs](../virtual-machines/linux/mac-create-ssh-keys.md).

articles/confidential-computing/trusted-execution-environment.md

@@ -22,7 +22,7 @@ Azure confidential computing has two offerings: one for enclave-based workloads
 
 The enclave-based offering uses [Intel Software Guard Extensions (SGX)](virtual-machine-solutions-sgx.md) to create a protected memory region called Encrypted Protected Cache (EPC) within a VM. This allows customers to run sensitive workloads with strong data protection and privacy guarantees. Azure Confidential computing launched the first enclave-based offering in 2020. 
 
-The lift and shift offering uses [AMD SEV-SNP (GA)](virtual-machine-solutions.md) or [Intel TDX (preview)](tdx-confidential-vm-overview.md) to encrypt the entire memory of a VM. This allows customers to migrate their existing workloads to Azure confidential Compute without any code changes or performance degradation.
+The lift and shift offering uses [AMD SEV-SNP (GA)](virtual-machine-options.md) or [Intel TDX (preview)](tdx-confidential-vm-overview.md) to encrypt the entire memory of a VM. This allows customers to migrate their existing workloads to Azure confidential Compute without any code changes or performance degradation.
 
 Many of these underlying technologies are used to deliver [confidential IaaS and PaaS services](overview-azure-products.md) in the Azure platform making it simple for customers to adopt confidential computing in their solutions.
 

articles/confidential-computing/virtual-machine-options.md

@@ -0,0 +1,141 @@
+---
+title: Azure Confidential VM options
+description: Azure Confidential Computing offers multiple options for confidential virtual machines on AMD and Intel processors.
+author: ju-shim
+ms.author: jushiman
+ms.reviewer: mattmcinnes
+ms.service: virtual-machines
+ms.subservice: confidential-computing
+ms.custom: devx-track-azurecli
+ms.topic: conceptual
+ms.date: 11/15/2023
+---
+
+# Azure Confidential VM options
+
+Azure offers multiple confidential VMs options leveraging Trusted Execution Environments (TEE) technologies from both AMD and Intel to harden the virtualization environment. These technologies enable you to provision confidential computing environments with excellent price-to-performance without code changes. 
+
+AMD confidential VMs leverage [Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP)](https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf) which was introduced with 3rd Gen AMD EPYC™ processors. Intel confidential VMs use [Trust Domain Extensions (TDX)](https://cdrdv2-public.intel.com/690419/TDX-Whitepaper-February2022.pdf) which was introduced with 4th Gen Intel® Xeon® processors.
+
+## Sizes
+
+You can create confidential VMs in the following size families:
+
+| Size Family          | TEE | Description                                                                         |
+| ------------------ | ------------ | ----------------------------------------------------------------------------------- |
+| **DCasv5-series** | AMD SEV-SNP | General purpose CVM with remote storage. No local temporary disk.                  |
+| **DCesv5-series** | Intel TDX | General purpose CVM with remote storage. No local temporary disk.                  |
+| **DCadsv5-series** | AMD SEV-SNP | General purpose CVM with local temporary disk.                                        |
+| **DCedsv5-series** | Intel TDX | General purpose CVM with local temporary disk.                                        |
+| **ECasv5-series** | AMD SEV-SNP | Memory-optimized CVM with remote storage. No local temporary disk. |
+| **ECesv5-series** | Intel TDX | Memory-optimized CVM with remote storage. No local temporary disk. |
+| **ECadsv5-series** | AMD SEV-SNP | Memory-optimized CVM with local temporary disk.                      |
+| **ECedsv5-series** | Intel TDX | Memory-optimized CVM with local temporary disk. |
+
+> [!NOTE]
+> Memory-optimized confidential VMs offer double the ratio of memory per vCPU count.
+
+## Azure CLI commands
+
+You can use the [Azure CLI](/cli/azure/install-azure-cli) with your confidential VMs.
+
+To see a list of confidential VM sizes, run the following command. Replace `<vm-series>` with the series you want to use. The output shows information about available regions and availability zones.
+
+```azurecli-interactive
+vm_series='DCASv5'
+az vm list-skus \
+    --size dc \
+    --query "[?family=='standard${vm_series}Family'].{name:name,locations:locationInfo[0].location,AZ_a:locationInfo[0].zones[0],AZ_b:locationInfo[0].zones[1],AZ_c:locationInfo[0].zones[2]}" \
+    --all \
+    --output table
+```
+
+For a more detailed list, run the following command instead:
+
+```azurecli-interactive
+vm_series='DCASv5'
+az vm list-skus \
+    --size dc \
+    --query "[?family=='standard${vm_series}Family']" 
+```
+
+## Deployment considerations
+
+Consider the following settings and choices before deploying confidential VMs.
+
+### Azure subscription
+
+To deploy a confidential VM instance, consider a [pay-as-you-go subscription](/azure/virtual-machines/linux/azure-hybrid-benefit-linux) or other purchase option. If you're using an [Azure free account](https://azure.microsoft.com/free/), the quota doesn't allow the appropriate number of Azure compute cores.
+
+You might need to increase the cores quota in your Azure subscription from the default value. Default limits vary depending on your subscription category. Your subscription might also limit the number of cores you can deploy in certain VM size families, including the confidential VM sizes. 
+
+To request a quota increase, [open an online customer support request](../azure-portal/supportability/per-vm-quota-requests.md). 
+
+If you have large-scale capacity needs, contact Azure Support. Azure quotas are credit limits, not capacity guarantees. You only incur charges for cores that you use.
+
+### Pricing
+
+For pricing options, see the [Linux Virtual Machines Pricing](https://azure.microsoft.com/pricing/details/virtual-machines/linux/). 
+
+### Regional availability
+
+For availability information, see which [VM products are available by Azure region](https://azure.microsoft.com/global-infrastructure/services/?products=virtual-machines).
+
+### Resizing
+
+Confidential VMs run on specialized hardware, so you can only [resize confidential VM instances](confidential-vm-faq.yml#can-i-convert-a-dcasv5-ecasv5-cvm-into-a-dcesv5-ecesv5-cvm-or-a-dcesv5-ecesv5-cvm-into-a-dcasv5-ecasv5-cvm-) to other confidential sizes in the same region. For example, if you have a DCasv5-series VM, you can resize to another DCasv5-series instance or a DCesv5-series instance. 
+
+It's not possible to resize a non-confidential VM to a confidential VM.
+
+### Guest OS support
+
+OS images for confidential VMs have to meet certain security and compatibility requirements. Qualified images support the secure mounting, attestation, optional [confidential OS disk encryption](confidential-vm-overview.md#confidential-os-disk-encryption), and isolation from underlying cloud infrastructure. These images include:
+
+- Ubuntu 20.04 LTS (AMD SEV-SNP supported only)
+- Ubuntu 22.04 LTS
+- Red Hat Enterprise Linux 9.3 (AMD SEV-SNP supported only)
+- Windows Server 2019 Datacenter - x64 Gen 2 (AMD SEV-SNP supported only)
+- Windows Server 2019 Datacenter Server Core - x64 Gen 2 (AMD SEV-SNP supported only)
+- Windows Server 2022 Datacenter - x64 Gen 2
+- Windows Server 2022 Datacenter: Azure Edition Core - x64 Gen 2
+- Windows Server 2022 Datacenter: Azure Edition - x64 Gen 2
+- Windows Server 2022 Datacenter Server Core - x64 Gen 2
+- Windows 11 Enterprise N, version 22H2 -x64 Gen 2
+- Windows 11 Pro, version 22H2 ZH-CN -x64 Gen 2
+- Windows 11 Pro, version 22H2 -x64 Gen 2
+- Windows 11 Pro N, version 22H2 -x64 Gen 2
+- Windows 11 Enterprise, version 22H2 -x64 Gen 2
+- Windows 11 Enterprise multi-session, version 22H2 -x64 Gen 2
+
+As we work to onboard more OS images with confidential OS disk encryption, there are various images available in early preview that can be tested. You can sign up below:
+
+- [Red Hat Enterprise Linux 9.3 (Support for Intel TDX)](https://aka.ms/tdx-rhel-93-preview)
+- [SUSE Enterprise Linux 15 SP5 (Support for Intel TDX, AMD SEV-SNP)](https://aka.ms/cvm-sles-preview)
+- [SUSE Enterprise Linux 15 SAP SP5 (Support for Intel TDX, AMD SEV-SNP)](https://aka.ms/cvm-sles-preview)
+
+For more information about supported and unsupported VM scenarios, see [support for generation 2 VMs on Azure](../virtual-machines/generation-2.md). 
+
+### High availability and disaster recovery
+
+You're responsible for creating high availability and disaster recovery solutions for your confidential VMs. Planning for these scenarios helps minimize and avoid prolonged downtime.
+
+### Deployment with ARM templates
+
+Azure Resource Manager is the deployment and management service for Azure. You can:
+
+- Secure and organize your resources after deployment with the management features, like access control, locks, and tags. 
+- Create, update, and delete resources in your Azure subscription using the management layer.
+- Use [Azure Resource Manager templates (ARM templates)](../azure-resource-manager/templates/overview.md) to deploy confidential VMs on AMD processors. There is an available [ARM template for confidential VMs](https://aka.ms/CVMTemplate). 
+
+Make sure to specify the following properties for your VM in the parameters section (`parameters`): 
+
+- VM size (`vmSize`). Choose from the different [confidential VM families and sizes](#sizes).
+- OS image name (`osImageName`). Choose from the qualified OS images. 
+- Disk encryption type (`securityType`). Choose from VMGS-only encryption (`VMGuestStateOnly`) or full OS disk pre-encryption (`DiskWithVMGuestState`), which might result in longer provisioning times. For Intel TDX instances only we also support another security type (`NonPersistedTPM`) which has no VMGS or OS disk encryption.
+
+## Next steps 
+
+> [!div class="nextstepaction"]
+> [Deploy a confidential VM from the Azure portal](quick-create-confidential-vm-portal.md)
+
+For more information see our [Confidential VM FAQ](confidential-vm-faq.yml).