Merge pull request #206174 from angarg05/angarg05-snp-on-aks-doc-additions

edits for confidential node pools in AKS

Author: 19BMG00

articles/aks/use-multiple-node-pools.md

@@ -170,6 +170,22 @@ az aks nodepool add \
     --node-vm-size Standard_Dpds_v5
 ```
 
+### Add a confidential VM (with AMD SEV-SNP support) node pool (preview)
+AKS node pools now support the generally available [confidential VM sizes (DCav5/ECav5)](https://aka.ms/AMD-ACC-VMs-GA-Inspire-2022) to create confidential VM node pools. Confidential VMs with AMD SEV-SNP support bring a new set of security features to protect date-in-use with full VM memory encryption. This enables confidential VM node pools to target the migration of highly sensitive container workloads to AKS without any code refactoring while benefiting from the full AKS feature support. To learn more, check out our [latest offering](../confidential-computing/confidential-node-pool-aks.md).
+
+[!INCLUDE [preview features callout](./includes/preview/preview-callout.md)]
+
+Add a confidential node pool using the [az aks nodepool add][az-aks-nodepool-add] command. Specify the name *cvmnodepool*, and use the `--node-vm-size` parameter to specify the *Standard_DC2as_v5* size:
+
+```azurecli-interactive
+az aks nodepool add \
+    --resource-group myResourceGroup \
+    --cluster-name myAKSCluster \
+    --name cvmnodepool \
+    --node-count 3 \
+    --node-vm-size Standard_DC2as_v5 \
+```
+
 ### Add a node pool with a unique subnet
 
 A workload may require splitting a cluster's nodes into separate pools for logical isolation. This isolation can be supported with separate subnets dedicated to each node pool in the cluster. This can address requirements such as having non-contiguous virtual network address space to split across node pools.

articles/confidential-computing/TOC.yml

@@ -40,6 +40,10 @@
       items:
         - name: Create Intel SGX enclaves on AKS with CLI
           href: confidential-enclave-nodes-aks-get-started.md
+    - name: Confidential node pools in AKS
+      items:
+        - name: Add a confidential VM node pool to your AKS cluster
+          href: confidential-node-pool-aks.md
 - name: Concept
   expanded: true
   items:
@@ -105,7 +109,10 @@
         href: confidential-containers-enclaves.md
       - name: VM isolated confidential containers on Azure Container Instance 
         href: https://techcommunity.microsoft.com/t5/azure-confidential-computing/microsoft-introduces-preview-of-confidential-containers-on-azure/ba-p/3410394
-        # confidential-containers.md #vm-isolated-confidential-containers-on-azure-container-instances-aci---private-preview.md
+    - name: Confidential node pools on AKS
+      items: 
+      - name: Confidential node pools in AKS (preview)
+        href: confidential-node-pool-aks.md
 - name: How To
   expanded: true
   items:

articles/confidential-computing/confidential-node-pool-aks.md

@@ -0,0 +1,38 @@
+---
+title: Confidential VM node pools support on AKS with AMD SEV-SNP confidential VMs - Preview
+description: Learn about confidential node pool support on AKS with AMD SEV-SNP confidential VMs 
+services: container-service
+author: ananyagarg
+ms.topic: article
+ms.date: 8/1/2022
+ms.author: ananyagarg
+ms.service: container-service
+ms.custom: inspire-fall-2022
+---
+
+# Confidential VM node pool support on AKS with AMD SEV-SNP confidential VMs - Preview
+
+[Azure Kubernetes Service (AKS)](../aks/index.yml) makes it simple to deploy a managed Kubernetes cluster in Azure. In AKS, nodes of the same configuration are grouped together into node pools. These node pools contain the underlying VMs that run your applications. 
+
+AKS now supports confidential VM node pools with Azure confidential VMs. These confidential VMs are the [generally available DCasv5 and ECasv5 confidential VM-series](https://aka.ms/AMD-ACC-VMs-GA-Inspire-2022) utilizing 3rd Gen AMD EPYC<sup>TM</sup> processors with Secure Encrypted Virtualization-Secure Nested Paging ([SEV-SNP](https://www.amd.com/en/technologies/infinity-guard)) security features. To read more about this offering, head to our [announcement](https://aka.ms/ACC-AKS-AMD-SEV-SNP-Preview-Blog).
+
+## Benefits
+Confidential node pools leverage VMs with a hardware-based Trusted Execution Environment (TEE). AMD SEV-SNP confidential VMs deny the hypervisor and other host management code access to VM memory and state, and add defense in depth protections against operator access.
+
+In addition to the hardened security profile, confidential node pools on AKS also enable:
+
+- Lift and Shift with full AKS feature support - to enable a seamless lift-and-shift of Linux container workloads
+- Heterogenous Node Pools - to store sensitive data in a VM-level TEE node pool with memory encryption keys generated from the chipset itself
+
+:::image type="content" source="media/confidential-vm-node-pools-on-aks/snp-on-aks-architecture-image.png" alt-text="Graphic of VM nodes in AKS with encrypted code and data in confidential VM node pools 1 and 2, on top of the hypervisor":::
+
+Get started and add confidential node pools to existing AKS cluster with [this quick start guide](../aks/use-multiple-node-pools.md#add-a-confidential-vm-with-amd-sev-snp-support-node-pool-preview).
+
+## Questions?
+
+If you have questions about container offerings, please reach out to <[email protected]>.
+
+## Next steps
+
+- [Deploy a confidential node pool in your AKS cluster](../aks/use-multiple-node-pools.md#add-a-confidential-vm-with-amd-sev-snp-support-node-pool-preview)
+- Learn more about sizes and specs for [general purpose](../virtual-machines/dcasv5-dcadsv5-series.md) and [memory-optimized](../virtual-machines/ecasv5-ecadsv5-series.md) confidential VMs.

articles/confidential-computing/index.yml

@@ -92,6 +92,8 @@ landingContent:
           url: confidential-containers.md
         - text: App enclave nodes in AKS
           url: confidential-nodes-aks-overview.md
+        - text: Confidential VM node pool in AKS
+          url: confidential-node-pool-aks.md
       - linkListType: quickstart
         links:
           - text: CLI based provisioning with a hello from enclave container app on AKS