Merge pull request #197735 from agowdamsft/agowdamsft-patch-1-msbuild22

MS Build Related DcSv3 GA Updates

Author: PRMerger17

articles/confidential-computing/confidential-enclave-nodes-aks-get-started.md

@@ -10,7 +10,7 @@ ms.author: amgowda
 ms.custom: contentperf-fy21q3, devx-track-azurecli, ignite-fall-2021, mode-api
 ---
 
-# Quickstart: Deploy an AKS cluster with confidential computing nodes by using the Azure CLI
+# Quickstart: Deploy an AKS cluster with confidential computing Intel SGX agent nodes by using the Azure CLI
 
 In this quickstart, you'll use the Azure CLI to deploy an Azure Kubernetes Service (AKS) cluster with enclave-aware (DCsv2/DCSv3) VM nodes. You'll then run a simple Hello World application in an enclave. You can also provision a cluster and add confidential computing nodes from the Azure portal, but this quickstart focuses on the Azure CLI.
 
@@ -24,51 +24,52 @@ Features of confidential computing nodes include:
 - Intel SGX DCAP Driver preinstalled on the confidential computing nodes. For more information, see [Frequently asked questions for Azure confidential computing](./confidential-nodes-aks-faq.yml).
 
 > [!NOTE]
-> DCsv2/DCsv3 VMs use specialized hardware that's subject to higher pricing and region availability. For more information, see the [available SKUs and supported regions](virtual-machine-solutions-sgx.md). DCsv3 VM's are currently in preview in limited regions. Please refer to above mentioned page for details. 
+> DCsv2/DCsv3 VMs use specialized hardware that's subject region availability. For more information, see the [available SKUs and supported regions](virtual-machine-solutions-sgx.md).
 
 
 ## Prerequisites
 
 This quickstart requires:
 
 - An active Azure subscription. If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
-- Azure CLI version 2.0.64 or later installed and configured on your deployment machine. 
+- Azure CLI version 2.0.64 or later installed and configured on your deployment machine.
 
   Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](../container-registry/container-registry-get-started-azure-cli.md).
-- A minimum of six DCsv2 cores available in your subscription. 
+- A minimum of eight DCsv2/DCSv3/DCdsv3 cores available in your subscription.
 
-  By default, the quota for confidential computing per Azure subscription is eight VM cores. If you plan to provision a cluster that requires more than eight cores, follow [these instructions](../azure-portal/supportability/per-vm-quota-requests.md) to raise a quota-increase ticket.
+  By default, there is no pre-assigned quota for Intel SGX VM sizes for your Azure subscriptions. You should follow [these instructions](../azure-portal/supportability/per-vm-quota-requests.md) to request for VM core quota for your subscriptions.
 
-## Create an AKS cluster with enclave-aware confidential computing nodes and add-on
+## Create an AKS cluster with enclave-aware confidential computing nodes and Intel SGX add-on
 
-Use the following instructions to create an AKS cluster with the confidential computing add-on enabled, add a node pool to the cluster, and verify what you created.
+Use the following instructions to create an AKS cluster with the Intel SGX add-on enabled, add a node pool to the cluster, and verify what you created with hello world enclave application.
 
 ### Create an AKS cluster with a system node pool
 
 > [!NOTE]
 > If you already have an AKS cluster that meets the prerequisite criteria listed earlier, [skip to the next section](#add-a-user-node-pool-with-confidential-computing-capabilities-to-the-aks-cluster) to add a confidential computing node pool.
 
-First, create a resource group for the cluster by using the [az group create][az-group-create] command. The following example creates a resource group named *myResourceGroup* in the *westus2* region:
+First, create a resource group for the cluster by using the [az group create][az-group-create] command. The following example creates a resource group named *myResourceGroup* in the *eastus2* region:
 
 ```azurecli-interactive
-az group create --name myResourceGroup --location westus2
+az group create --name myResourceGroup --location eastus2
 ```
 
 Now create an AKS cluster, with the confidential computing add-on enabled, by using the [az aks create][az-aks-create] command:
 
 ```azurecli-interactive
 az aks create -g myResourceGroup --name myAKSCluster --generate-ssh-keys --enable-addons confcom
 ```
+The above command will deploy a new AKS cluster with system node pool of non confidential computing node. Confidential computing Intel SGX nodes are not recommended for system node pools.
 
-### Add a user node pool with confidential computing capabilities to the AKS cluster 
+### Add an user node pool with confidential computing capabilities to the AKS cluster<a id="add-a-user-node-pool-with-confidential-computing-capabilities-to-the-aks-cluster"></a>
 
-Run the following command to add a user node pool of `Standard_DC2s_v2` size with three nodes to the AKS cluster. You can choose another larger sized SKU from the [list of supported DCsv2/Dcsv3 SKUs and regions](../virtual-machines/dcv2-series.md).
+Run the following command to add a user node pool of `Standard_DC4s_v3` size with three nodes to the AKS cluster. You can choose another larger sized SKU from the [list of supported DCsv2/DCsv3 SKUs and regions](../virtual-machines/dcv3-series.md).
 
 ```azurecli-interactive
-az aks nodepool add --cluster-name myAKSCluster --name confcompool1 --resource-group myResourceGroup --node-vm-size Standard_DC2s_v2
+az aks nodepool add --cluster-name myAKSCluster --name confcompool1 --resource-group myResourceGroup --node-vm-size Standard_DC4s_v3 --node-count 2
 ```
 
-After you run the command, a new node pool with DCsv2 should be visible with confidential computing add-on DaemonSets ([SGX device plug-in](confidential-nodes-aks-overview.md#confidential-computing-add-on-for-aks)).
+After you run the command, a new node pool with DCsv3 should be visible with confidential computing add-on DaemonSets ([SGX device plug-in](confidential-nodes-aks-overview.md#confidential-computing-add-on-for-aks)).
 
 ### Verify the node pool and add-on
 
@@ -102,15 +103,15 @@ Run the following command to enable the confidential computing add-on:
 az aks enable-addons --addons confcom --name MyManagedCluster --resource-group MyResourceGroup 
 ```
 
-### Add a DCsv2/DCsv3 user node pool to the cluster
+### Add a DCsv3 user node pool to the cluster
 
 > [!NOTE]
-> To use the confidential computing capability, your existing AKS cluster needs to have a minimum of one node pool that's based on a DCsv2/DCsv3 VM SKU. To learn more about DCs-v2 VMs SKUs for confidential computing, see the [available SKUs and supported regions](virtual-machine-solutions-sgx.md).
+> To use the confidential computing capability, your existing AKS cluster needs to have a minimum of one node pool that's based on a DCsv2/DCsv3 VM SKU. To learn more about DCs-v2/Dcs-v3 VMs SKUs for confidential computing, see the [available SKUs and supported regions](virtual-machine-solutions-sgx.md).
 
 Run the following command to create a node pool:
 
 ```azurecli-interactive
-az aks nodepool add --cluster-name myAKSCluster --name confcompool1 --resource-group myResourceGroup --node-count 1 --node-vm-size Standard_DC4s_v2
+az aks nodepool add --cluster-name myAKSCluster --name confcompool1 --resource-group myResourceGroup --node-count 2 --node-vm-size Standard_DC4s_v3
 ```
 
 Verify that the new node pool with the name *confcompool1* has been created:

articles/confidential-computing/confidential-nodes-aks-faq.yml

@@ -6,7 +6,7 @@ metadata:
   ms.service: container-service
   ms.subservice: confidential-computing
   ms.topic: faq
-  ms.date: 06/30/2021
+  ms.date: 05/10/2022
   ms.author: amgowda
 title: Frequently asked questions about Confidential Computing Nodes on Azure Kubernetes Service (AKS)
 summary: |
@@ -20,11 +20,11 @@ sections:
             Yes, for Intel SGX enclave nodes.
       - question: Can I enable Accelerated Networking with Azure confidential computing AKS Clusters?
         answer: |
-          No. Accelerated Networking is not supported on DCSv2 Virtual machines that makeup confidential computing nodes on AKS.
+          Yes, DCSv3 VM nodes support accelerated networking. DCSv2 Virtual machines do not.
 
       - question: What version of Intel SGX Driver version is on the AKS Image for confidential nodes?  
         answer: |
-          Currently, Azure confidential computing DCSv2 VMs are installed with Intel SGX DCAP 1.33. 
+          Currently, Azure confidential computing DCSv2/DCSv3 VMs are installed with Intel SGX DCAP 1.33.2
 
       - question: Can I inject post install scripts/customize drivers to the Nodes provisioned by AKS?
         answer: |
@@ -48,8 +48,7 @@ sections:
       - question: Can I provision AKS with DCSv2 Node Pools through Azure portal? 
         answer: |
           Yes. Azure CLI could also be used as an alternative as documented [here](confidential-enclave-nodes-aks-get-started.md).
-          
-       
+                 
       - question: What Ubuntu version and VM generation is supported? 
         answer: |
           18.04 on Gen 2. 
@@ -66,10 +65,6 @@ sections:
         answer: |
           Yes. Azure CLI could also be used as an alternative as documented [here](confidential-enclave-nodes-aks-get-started.md).
           
-   
-      - question: What Ubuntu version and VM generation is supported?
-        answer: |
-          18.04 on Gen 2. 
           
   
   - name: Development & Deploy

articles/confidential-computing/confidential-nodes-aks-overview.md

@@ -6,24 +6,24 @@ author: agowdamsft
 ms.service: container-service
 ms.subservice: confidential-computing
 ms.topic: overview
-ms.date: 11/04/2021
+ms.date: 05/10/2022
 ms.author: amgowda
 ms.custom: ignite-fall-2021
 ---
 
 # Confidential computing nodes on Azure Kubernetes Service
 
-[Azure confidential computing](overview.md) allows you to protect your sensitive data while it's in use. The underlying confidential computing infrastructure protects this data from other applications, administrators, and cloud providers with a hardware backed trusted execution container environments. Adding confidential computing nodes allow you to target container application to run in an isolated, hardware protected, integrity protected in an attestable environment.
+[Azure confidential computing](overview.md) allows you to protect your sensitive data while it's in use. The underlying confidential computing infrastructure protects this data from other applications, administrators, and cloud providers with a hardware backed trusted execution container environments. Adding confidential computing nodes allow you to target container applications to run in an isolated, hardware protected, integrity protected attestable Trusted Execution Environment(TEE).
 
 ## Overview
 
-Azure Kubernetes Service (AKS) supports adding [DCsv2 confidential computing nodes](confidential-computing-enclaves.md) powered by Intel SGX. These nodes allow you to run sensitive workloads within a hardware-based trusted execution environment (TEE). TEEs allow user-level code from containers to allocate private regions of memory to execute the code with CPU directly. These private memory regions that execute directly with CPU are called enclaves. Enclaves help protect the data confidentiality, data integrity and code integrity from other processes running on the same nodes, as well as Azure operator. The Intel SGX execution model also removes the intermediate layers of Guest OS, Host OS and Hypervisor thus reducing the attack surface area. The *hardware based per container isolated execution* model in a node allows applications to directly execute with the CPU, while keeping the special block of memory encrypted per container. Confidential computing nodes with confidential containers are a great addition to your zero-trust security planning and defense-in-depth container strategy.
+Azure Kubernetes Service (AKS) supports adding [Intel SGX confidential computing VM nodes](confidential-computing-enclaves.md) as agent pools in a cluster. These nodes allow you to run sensitive workloads within a hardware-based TEE. TEEs allow user-level code from containers to allocate private regions of memory to execute the code with CPU directly. These private memory regions that execute directly with CPU are called enclaves. Enclaves help protect the data confidentiality, data integrity and code integrity from other processes running on the same nodes, as well as Azure operator. The Intel SGX execution model also removes the intermediate layers of Guest OS, Host OS and Hypervisor thus reducing the attack surface area. The *hardware based per container isolated execution* model in a node allows applications to directly execute with the CPU, while keeping the special block of memory encrypted per container. Confidential computing nodes with confidential containers are a great addition to your zero-trust, security planning and defense-in-depth container strategy.
 
 :::image type="content" source="./media/confidential-nodes-aks-overview/sgx-aks-node.png" alt-text="Graphic of AKS Confidential Compute Node, showing confidential containers with code and data secured inside.":::
 
 ## AKS Confidential Nodes Features
 
-- Hardware based and process level container isolation through Intel SGX trusted execution environment (TEE) 
+- Hardware based and process level container isolation through Intel SGX trusted execution environment (TEE)
 - Heterogenous node pool clusters (mix confidential and non-confidential node pools)
 - Encrypted Page Cache (EPC) memory-based pod scheduling (requires add-on)
 - Intel SGX DCAP driver pre-installed
@@ -67,6 +67,5 @@ Confidential computing nodes on AKS also support containers that are programmed
 <!-- LINKS - external -->
 [Azure Attestation]: ../attestation/index.yml
 
-
 <!-- LINKS - internal -->
 [DC Virtual Machine]: /confidential-computing/virtual-machine-solutions-sgx.md