Azure Migrate now supports migrating Generation 1 and 2 VMs to Azure Confidential Virtual Machines (CVMs), enhancing data security with hardware-based Trusted Execution Environments. This private preview enables seamless, compliant, and secure migration for Windows Server and Ubuntu workloads.

Azure Migrate Now Supports Migration to Confidential Virtual Machines (CVMs)
Microsoft has just rolled out a game-changing update for Azure Migrate. Now, you can move Generation 1 and Generation 2 VMs from on-premises or other clouds directly to Azure Confidential Virtual Machines (CVMs). This feature is currently in Private Preview, but it promises to boost security and simplify migration workflows.
What’s New with Azure Migrate and CVMs?
Azure Migrate supports two migration methods for CVMs: the simplified agent-based migration and the VMware agentless migration. This means you can choose the approach that fits your environment best without compromising security or efficiency.
Confidential Computing is the star here. It protects data while it’s being processed by using hardware-based Trusted Execution Environments (TEEs). These environments isolate applications and data, preventing unauthorized access or tampering.
“Confidential computing adds an extra layer of protection by safeguarding data in use, including cryptographic keys.”
Major Updates and Key Benefits
Azure already encrypts data at rest and in transit. Confidential Computing takes it a step further by securing data in use. This is crucial for workloads handling sensitive information or regulated data.
- Enhanced Data Security: TEEs ensure computations happen in a secure, isolated environment.
- Reduced Attack Surface: Protects cryptographic keys and data even during processing.
- Improved Privacy: Even cloud operators can’t access data in use.
- Compliance Friendly: Helps meet strict data protection regulations with ease.
“Azure Migrate’s support for Confidential Virtual Machines represents a significant step forward in secure and efficient VM migration.”
Important Migration Details You Should Know
The migration supports specific OS versions: Windows Server 2019 and 2022, plus Ubuntu 20.04 LTS and 204 LTS. Both Generation 1 (MBR/BIOS) and Generation 2 (GPT/UEFI) VMs are eligible.
Before migrating, ensure Windows VMs have the latest patches and uninstall paravirtual drivers. Ubuntu VMs also require removing these drivers.
For Generation 1 Windows VMs, disk requirements include enough free space for GPT conversion and no extended or logical partitions. You can validate readiness using the MBR2GPT.exe /validate /allowFullOS command.
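A readiness report for a Windows source VM covering the prerequisites listed above, added here as an example and not taken from Microsoft's article or tooling. The vendor pattern used to spot paravirtual drivers is an assumption; adjust it for the source hypervisor.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-migration readiness report for a Windows source VM.

# Windows Server releases the article lists as supported.
$supported = 'Windows Server 2019', 'Windows Server 2022'
# Assumption: driver vendors treated as paravirtual; adjust for your hypervisor.
$pvVendors = 'VMware|Red Hat|Xen'

$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$osOk = [bool]($supported | Where-Object { $os.Caption -like "*$_*" })

# Most recent installed update, so the operator can judge patch currency.
$lastFix = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1

# Signed drivers from the assumed paravirtual vendors that are still installed.
$pvDrivers = @(Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { $_.DriverProviderName -match $pvVendors } |
    Select-Object -ExpandProperty DeviceName -Unique)

# System disk: MBR means Generation 1 (BIOS), GPT means Generation 2 (UEFI).
$disk    = Get-Disk | Where-Object IsSystem | Select-Object -First 1
$mbr2gpt = 'not needed (GPT disk)'
if ($disk.PartitionStyle -eq 'MBR') {
    # The validation command from the article. MBR2GPT itself checks for
    # extended/logical partitions and for enough free space to hold the GPT;
    # exit code 0 means the disk can be converted.
    & "$env:SystemRoot\System32\MBR2GPT.exe" /validate /allowFullOS | Out-Null
    $mbr2gpt = if ($LASTEXITCODE -eq 0) { 'passed' }
               else { "failed (exit code $LASTEXITCODE)" }
}

# One object per VM, easy to export with Export-Csv when run across a fleet.
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    OS                = $os.Caption
    OSSupported       = $osOk
    LastUpdate        = $lastFix.HotFixID
    LastUpdateDate    = $lastFix.InstalledOn
    ParavirtDrivers   = $pvDrivers -join '; '
    DriversRemoved    = ($pvDrivers.Count -eq 0)
    PartitionStyle    = $disk.PartitionStyle
    Mbr2GptValidation = $mbr2gpt
}
```

A VM is ready when OSSupported and DriversRemoved are True and Mbr2GptValidation is either "passed" or "not needed (GPT disk)".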
Agent-Based Migration Workflow
Start with discovery and assessment using Azure Migrate tools. Then, deploy the simplified Azure Site Recovery appliance and install the mobility agent on your source VMs. During migration, select “Confidential Virtual Machine” in the VM tab to identify eligible machines.
Conclusion: Why This Matters
Azure Migrate’s new CVM support is a big win for organizations prioritizing data security and compliance. It makes migrating sensitive workloads safer and smoother. If you’re looking to protect your data even during processing, this update is definitely worth exploring.
From the New blog articles in Microsoft Community Hub