---
page_type: sample
languages:
products:
description: Azure Confidential Computing Samples
urlFragment: confidential-computing-samples
---
Last Updated: June 2026
Heads up: this is the new home for Azure Confidential Computing samples.
https://aka.ms/accsamples now redirects here. The previous repository, Azure-Samples/confidential-container-samples, is still available for reference but is no longer actively maintained. New samples and updates land here.
Security is a key driver accelerating the adoption of cloud computing, but it's also a major concern when you're moving extremely sensitive IP and data scenarios to the cloud.
Confidential computing is the protection of data-in-use through isolating computations to a hardware-based trusted execution environment (TEE). While data is traditionally encrypted at rest and in transit, confidential computing protects your data while it's being processed. A TEE provides a protected container by securing a portion of the hardware's processor and memory. You can run software on top of the protected environment to shield portions of your code and data from view or modification from outside of the TEE.
Want to learn more? See the official Azure Confidential Computing documentation at https://aka.ms/accdocs.
IMPORTANT: This repository contains sample code for educational and demonstration purposes only.
- No Warranty: This code is provided "AS IS" without warranty of any kind, express or implied
- Not Production-Ready: These samples are not intended for production use without thorough review and modification
- User Responsibility: Users are solely responsible for:
  - Reviewing and testing all code before deployment
  - Ensuring compliance with their organization's security policies
  - Validating cryptographic implementations meet their security requirements
  - Proper key management and secret handling
  - Any data processed using these samples
- AI-Assisted Content: Several samples in this repository were created with significant assistance from AI coding tools, primarily GitHub Copilot inside Visual Studio Code, to showcase modern AI-assisted development. While functional, AI-assisted code should always be reviewed by qualified security professionals before use in sensitive scenarios.
| Addition | Description |
|---|---|
| Visual Attestation Demo v2 (ACI) | Simplified ACI port of the AKS visual attestation sample. Flask app calls Microsoft Azure Attestation directly via the upstream `get-snp-report` tool (no SKR sidecar, single container). Side-by-side Confidential vs Standard SKU deployment demonstrates falsifiability: the same image fails deterministically on Standard (no /dev/sev-guest), proving the success case really came from AMD silicon. |
| Sealed Container (ACI), updated | New sealed-container guidance and features: `-WelcomeSecret` encryption/decryption flow, artifact integrity verification walkthrough (checksums vs signatures), clearer UI section highlighting, and updated deployment defaults/documentation. |
| Federated Multi-Party Demo | New 4-party (Contoso, Fabrikam, Wingtip Toys, Woodgrove Bank) federated analytics demo. Each partner decrypts its own data inside its own AMD SEV-SNP TEE and returns only aggregates; no raw PII ever crosses the trust boundary. Includes a 3-minute DEMO-SCRIPT.md. |
| CVM samples now support Intel TDX | BuildRandomCVM.ps1 auto-detects AMD SEV-SNP (DCa*/ECa*) vs Intel TDX (DCe*/ECe*, e.g. `Standard_DC2es_v6`) from the chosen VM SKU and runs the matching attestation config. The script now also enables outbound internet on the private VM subnet via NAT Gateway by default, with `-NoInternetAccess` available for fully isolated deployments. The June 2026 validation matrix now includes all four combinations: AMD v6 Windows, AMD v6 Linux, TDX v6 Windows, and TDX v6 Linux. See the Intel TDX examples in the VM samples README. |
| Validation workflow update | Local pre-push performs validation only (no PR commenting). Use `./scripts/post-validation-comment.ps1` to run the 4-way CVM matrix and auto-post results as a comment on the active PR (use `-NoPostToPr` to skip posting). Commit-message annotation is removed. GitHub Actions is temporarily running secret scan + syntax/parameter validation only until service principal secrets are available. See Validation Automation. |
| Updated in-VM attestation tooling | The CVM build script now runs the latest pre-built `attest` binary from Azure/cvm-attestation-tools inside the VM (Linux + Windows), then decodes the returned MAA JWT (header, payload and key claims like `x-ms-attestation-type` and `x-ms-compliance-status`) using `jq` on Linux and built-in `ConvertFrom-Json` on Windows. Linux extraction now supports `unzip`, `python3`, or `bsdtar` fallback paths to avoid image-specific package gaps. When `-NoInternetAccess` is used, this attestation step is skipped because the VM cannot reach GitHub to download the tooling. The legacy WindowsAttest.ps1 is kept for reference but is no longer recommended. |
| Repo redirect | https://aka.ms/accsamples now points to this repo. The legacy confidential-container-samples repo remains read-only / archived for reference. |
| Addition | Description |
|---|---|
| Citizen Registry (Sovereign Example) | End-to-end data-sovereignty demo: Confidential ACI -> Private VNet -> App Gateway -> SQL Server on CVM. Features IPv6-only CVMs, ephemeral credentials, and API-based data seeding. |
| Finance + OpenAI Multi-Party Demo | 3-company financial analytics with Azure OpenAI (GPT-4o-mini) chat integration. AI assistant answers questions about decrypted partner transaction data inside the TEE. |
| ACI + PostgreSQL Demo | Confidential ACI with DCa/ECa AMD PostgreSQL Flexible Server, 5,000 financial transactions, and 9 documented threat scenarios. |
| CVM with Azure Backup | Windows Confidential VM with Recovery Services Vault backup, Customer Managed Keys, and 4-hourly backup policy. |
| Deploy script hardening | All multi-party deploy scripts now use az rest with preview API (2025-01-31-preview) for managed identity creation, working around Azure subscription policies requiring regional isolation scope. |
| Pre-commit secret scanning | Repository-wide pre-commit hook and GitHub Actions workflow to block credentials, SAS tokens, and sensitive parameter files from being committed. |
- Azure subscription
- Azure CLI (v2.60+) with `confcom` extension
- Azure PowerShell (Az module 12.0+)
- Docker Desktop (for confidential container policy generation)
- Python 3.11+ (for local development/testing)
```bash
# Install required Azure CLI extension
az extension add --name confcom --upgrade
# Verify installation
az confcom --version
```
This repository is organized by Azure service type and deployment method:
Azure Container Instances with AMD SEV-SNP confidential computing:
- BuildRandomACI.ps1 - Create confidential ACI with hello-world container
- Visual Attestation Demo - Interactive web demo with remote attestation via Microsoft Azure Attestation (MAA) using the SKR sidecar
  - Side-by-side comparison mode (Confidential vs Standard SKU)
  - Real-time encryption with SKR-released keys
  - Live diagnostics and TEE hardware detection
- Visual Attestation Demo v2 - Simplified single-container port that calls MAA directly (no SKR sidecar) via the upstream `get-snp-report` tool; `-Compare` mode deploys Confidential + Standard SKUs side-by-side to demonstrate falsifiability
- App + PostgreSQL Finance Demo - Confidential ACI with DCa/ECa AMD PostgreSQL, 5,000 financial transactions, Application Gateway, and 9 documented threat scenarios
- App + PostgreSQL Demo - Basic confidential container app with hardware-enforced AMD SEV-SNP security and container policy, connected to a DCa/ECa AMD PostgreSQL Flexible Server with confidential compute protections
  - Single-container Flask dashboard with 5,000 financial transactions
  - Application Gateway (L7) -> Private VNet -> Confidential ACI -> PostgreSQL (DCa/ECa AMD)
  - Remote attestation (MAA) with detailed claim explanations and Secure Key Release (SKR)
  - 9 documented threat scenarios with specific mitigations
Multi-Party Samples (FEATURED)
Secure multi-party computation demonstrations with Azure Confidential Containers and Confidential VMs.
Federated Multi-Party Demo, NEW (June 2026)
4 parties (Contoso, Fabrikam, Wingtip Toys, Woodgrove Bank), each running the same image with their own data, identity, and Key Vault. Woodgrove orchestrates federated analytics where every partner decrypts only its own data inside its own TEE and returns only counts, averages, and percentages. Zero PII crosses the trust boundary. Includes a 3-minute live DEMO-SCRIPT.md, live RSA-OAEP encryption panel, cross-company key-access denial, operator-lockout demo, and a combined demographics dashboard with country/city/generation/blood-type aggregates and a salary world map.
Advanced App - Full-Featured Demo
Comprehensive 3-container demonstration with partner analytics:
- Contoso Corporation - Corporate data provider with encrypted employee records
- Fabrikam Fashion - Online retailer with encrypted customer records
- Woodgrove Bank - Trusted analytics partner with cross-company key access
Deployment Modes:
- Direct ACI (default): Simple single-command deployment to Azure Container Instances
- AKS Virtual Nodes (`-AKS` flag): Kubernetes-managed deployment using virtual nodes, where pods run as confidential ACI container groups with full AMD SEV-SNP attestation. This is a more complex setup involving VNet creation, NAT gateway, AKS cluster with Azure CNI, VN2 Helm chart, managed identity plumbing in the MC_ resource group, and an nginx reverse proxy for external access. See the AKS documentation for architecture details.
Key Features:
- Hardware-based isolation - AMD SEV-SNP TEE protects data in memory
- Remote attestation - Cryptographic proof of TEE environment via MAA
- Secure Key Release (SKR) - HSM keys only released to attested containers
- Partner Analytics - Woodgrove Bank analyzes encrypted partner data inside TEE
- Real-time Progress - SSE streaming with progress bars and time estimates
- Demographics Analysis - Top countries, cities, generations by company, salary world map
- TEE-only decryption - Data decrypted only inside hardware-protected memory
Encrypted Data Flow: Data remains encrypted in storage and transit; decryption only occurs inside the TEE.
Demo App - Basic Demo
Simpler 2-container demonstration (Contoso, Fabrikam Fashion) without partner analytics.
Finance + OpenAI Demo - AI-Powered Analytics
3-company financial transaction analytics with Azure OpenAI integration:
- 5,000+ synthetic financial transactions across Contoso & Fabrikam
- Azure OpenAI chat (GPT-4o-mini) answers questions about decrypted data inside the TEE
- Real-time streaming with progress bars, KPI cards, and interactive Chart.js visualizations
- Spending by category, merchant, age group, and country with loan payment analysis
Confidential Virtual Machine (CVM) deployment scripts:
- BuildRandomCVM.ps1 (updated June 2026) - Deploy CVMs with Confidential OS disk encryption bound to a Customer Managed Key (CMK) and automated in-VM attestation. The OS disk and VM Guest State (vTPM + Secure Boot) are encrypted with an HSM-backed RSA-3072 key in your Key Vault Premium; the key is only released after Microsoft Azure Attestation (MAA) verifies the VM is a genuine SEV-SNP / TDX CVM, so even the Azure host fabric cannot read the disk. See "What is Confidential OS disk encryption with CMK?" and https://aka.ms/accdocs.
  - AMD SEV-SNP (DCa*/ECa*, e.g. `Standard_DC2as_v5`) and Intel TDX (DCe*/ECe*, e.g. `Standard_DC2es_v6`), auto-detected from the chosen VM SKU, with the matching attestation config selected automatically
  - Windows Server 2022 Datacenter, Windows Server 2019, Windows 11 Enterprise 24H2, Ubuntu 24.04 LTS, RHEL 9.5: all confidential-VM images
  - New attestation flow: runs the latest pre-built `attest` binary from Azure/cvm-attestation-tools inside the freshly deployed VM (Linux + Windows) and decodes the returned MAA JWT (header, payload, key claims like `x-ms-attestation-type`, `x-ms-compliance-status`, `secure-boot`, `tpm-enabled`) using `jq` on Linux / built-in `ConvertFrom-Json` on Windows
  - Pre-flight checks before any resources are created: rejects Intel SGX SKUs (different isolation model), validates the chosen SKU is offered in the target region, and confirms there is enough vCPU quota in the VM family
  - Bastion-optional (`-DisableBastion`), internet-optional (`-NoInternetAccess`), and smoketest mode (`-smoketest`) for CI / cost-controlled validation
- BuildRandomSQLCVM.ps1 - SQL Server 2022 on Confidential VM
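The decode-and-check step described above, as an added PowerShell illustration rather than code from BuildRandomCVM.ps1 or Azure/cvm-attestation-tools: it base64url-decodes the MAA JWT returned by the `attest` binary, reads the claims the README names, and maps a VM SKU to its platform the way the script's auto-detection does. The expected claim values and the SGX SKU pattern are assumptions to confirm against a token and SKU list from your own deployment; verifying the JWT signature against the MAA provider's signing keys must happen before any claim is trusted and is not shown here.

```powershell
# Added illustration, not the repository's script. Decodes an MAA JWT and reads
# the claims named in the README. Signature verification is a prerequisite for
# trusting these claims and is intentionally left out of this snippet.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }   # restore padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-MaaJwtSummary {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Trim().Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS: expected three dot-separated segments' }
    $header  = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
    $payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    [pscustomobject]@{
        Algorithm        = $header.alg
        KeyId            = $header.kid
        Issuer           = $payload.iss
        ExpiresUtc       = [DateTimeOffset]::FromUnixTimeSeconds([int64]$payload.exp).UtcDateTime
        AttestationType  = $payload.'x-ms-attestation-type'
        ComplianceStatus = $payload.'x-ms-compliance-status'
        SecureBoot       = $payload.'secure-boot'
        TpmEnabled       = $payload.'tpm-enabled'
    }
}

# Expected values are assumptions: compare them with a token from your own CVM.
function Test-MaaClaims {
    param([Parameter(Mandatory)]$Summary,
          [string]$ExpectedType = 'sevsnpvm',                 # assumed 'tdxvm' for Intel TDX
          [string]$ExpectedCompliance = 'azure-compliant-cvm')
    return (($Summary.AttestationType -eq $ExpectedType) -and
            ($Summary.ComplianceStatus -eq $ExpectedCompliance) -and
            ($Summary.SecureBoot -eq $true) -and ($Summary.TpmEnabled -eq $true) -and
            ($Summary.ExpiresUtc -gt [DateTime]::UtcNow))
}

# Mirrors the SKU auto-detection described above; SGX SKUs are rejected as the script does.
function Get-CvmPlatformFromSku {
    param([Parameter(Mandatory)][string]$VmSize)
    switch -Regex ($VmSize) {
        '^Standard_[DE]C\d+a'       { return 'AMD SEV-SNP' }   # DCa*/ECa*, e.g. Standard_DC2as_v5
        '^Standard_[DE]C\d+e'       { return 'Intel TDX' }     # DCe*/ECe*, e.g. Standard_DC2es_v6
        '^Standard_DC\d+d?s_v[23]$' { throw "$VmSize is an Intel SGX SKU (different isolation model)" }
        default                     { throw "$VmSize is not a recognised confidential VM SKU" }
    }
}
```

Usage, assuming the attestation step saved the token to `.\maa-token.jwt`: `$s = Get-MaaJwtSummary -Jwt (Get-Content .\maa-token.jwt -Raw); Test-MaaClaims -Summary $s` returns `$True` only when every expected claim matches and the token has not expired.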
Azure Kubernetes Service with AMD SEV-SNP confidential computing:
- BuildRandomAKS.ps1 - AKS cluster with Customer Managed Keys and confidential node pools
Microsoft Azure Attestation (MAA) provider management:
- createPrivateMAA.ps1 - Create private Azure Attestation provider for custom attestation policies
Reusable PowerShell snippets for common confidential computing tasks:
- snippet-createDES.ps1 - Create Disk Encryption Set for Confidential VMs
- snippet-remoteCallAttest.ps1 - Remote attestation call examples
Sovereign Examples
Confidential VM deployments with data-sovereignty and compliance focus:
- Citizen Registry - Full-stack sovereign data demo: Confidential ACI container with SQL Server on a Confidential VM, connected through a private VNet with Application Gateway. Features remote attestation, Secure Key Release, ephemeral credentials, and API-based citizen record seeding.
- CVM with Azure Backup - Windows CVM with Azure Backup (Recovery Services Vault), Customer Managed Keys, and confidential disk encryption
SKR Examples
Standalone Secure Key Release demonstration:
- Deploy-SKRExample.ps1 - End-to-end CVM deployment with AMD SEV-SNP attestation and AKV key release
- Deploys a Confidential VM, SSHs in, performs vTPM attestation via MAA, and releases an HSM key
- Auto-cleans up all resources after displaying the released key material
- NSG locks SSH access to deployer's IP; ephemeral SSH key pair (no password)
Container Samples (Intel SGX)
Enclave-aware container samples for AKS with Intel SGX:
- HelloWorld - Simple enclave creation and function calls
- Attested-TLS - Secure communication channel between enclaves
Many of the samples in this repository, in particular the multi-party, sov-examples, and finance + OpenAI demos, were authored with significant assistance from AI coding tools, primarily GitHub Copilot running inside Visual Studio Code. This demonstrates the capabilities of modern AI-assisted development for:
- Complex infrastructure-as-code (ARM templates, Bicep, PowerShell, Terraform)
- Cryptographic implementations (RSA-OAEP, AES-256-GCM, SKR flows)
- Web application development (Flask, HTML/CSS/JavaScript)
- Security-focused architecture and threat modeling
- Documentation and diagram generation
While these samples are functional and demonstrate real Azure Confidential Computing capabilities, they should be reviewed by qualified security professionals before use in production scenarios.
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
This project is licensed under the MIT License - see the LICENSE.md file for details.
By using this code, you acknowledge that:
- You have read and understood the disclaimer above
- You accept full responsibility for any use of this code
- You will conduct appropriate security reviews before any production deployment