Introducing high-performance Confidential Computing with N2D and C2D VMs
Product Manager, Confidential Computing
Editor’s note: As of June 16, 2022, Confidential VMs on N2D and C2D machine types with 3rd gen processors are generally available.
We’re excited to announce Confidential Computing on the latest Google Compute Engine N2D and C2D Virtual Machines. At Google Cloud, we’re constantly striving to deliver performance improvements and feature enhancements. Last November, we announced the general availability of general-purpose N2D machine types running on 3rd Gen AMD EPYC™ processors. Then, in February, we announced the general availability of compute-optimized C2D machine types running on the same 3rd gen processors. Today, we are excited to announce that both of these new N2D and C2D machine types now offer Confidential Computing.
By default, Google Cloud keeps all data encrypted, in-transit between customers and our data centers, and at rest. We believe the future of computing will increasingly shift to private, encrypted services where users can be confident that their data is not being exposed to cloud providers or their own insiders. Confidential Computing helps make this future possible by keeping data encrypted in memory, and elsewhere outside the CPU, while it is being processed - all without needing any code changes to applications.
General Purpose Confidential VMs on N2D
The first product in Google Cloud’s Confidential Computing portfolio was Confidential VM. A Confidential VM is a type of Compute Engine VM that helps ensure that your data and applications stay private and encrypted even while in use.
Today, Confidential VMs are available in Preview on general-purpose N2D machine types powered by 3rd Gen AMD EPYC processors. We worked closely with the AMD Cloud Solution engineering team to help ensure that the VM’s memory encryption doesn’t interfere with workload performance.
N2D VMs are a great option for both general-purpose workloads and workloads that require larger VM sizes and memory ratios. General-purpose workloads that require a balance of compute and memory, like web applications and databases, can benefit from N2D’s performance, price, and wide array of features.
Compute-Optimized Confidential VMs on C2D
We’re also optimizing Confidential Computing for more types of workloads. Today, Confidential VMs are also available in Preview on compute-optimized C2D machine types. C2D instances provide the largest VM sizes within the compute-optimized VM family and are optimized for memory-bound workloads such as high-performance databases and high-performance computing (HPC) workloads.
Adding the compute-optimized machine family to our Confidential Computing portfolio gives you the ability to optimize performance-intensive workloads while maintaining confidentiality and can expand which of your workloads can easily switch to be confidential.
YellowDog, a cloud workload management company, is an early user of the new Confidential VMs in the C2D VM family.
“At YellowDog, we believe there should be no barriers to adopting secure cloud computing. YellowDog tested workloads across tens of thousands of cores using the new Google C2D VMs running on 3rd Gen AMD EPYC processors.
We were truly impressed to discover that the Confidential VMs' provisioning times were fantastic and the C2D VMs ran with no discernible difference in performance when enabling and disabling Confidential Computing," said Simon Ponsford, CTO at YellowDog. "We at YellowDog recommend that anyone running secure workloads in Google Cloud enable the Confidential Computing feature by default."
Expanding Confidential Computing availability
We are expanding the availability of Confidential Computing, and Confidential VMs are now available in more regions and zones than before, anywhere N2D or C2D machines are available. Confidential N2D VMs and Confidential C2D VMs are available today in regions around the globe including us-central1 (Iowa), asia-southeast1 (Singapore), us-east1 (South Carolina), us-east4 (North Virginia), asia-east1 (Taiwan), and europe-west4 (Netherlands).
The underpinnings of Confidential VMs
Confidential N2D and C2D VMs with 3rd Gen AMD EPYC processors utilize AMD Secure Encrypted Virtualization (SEV). With the AMD SEV feature, Confidential VMs offer high performance for demanding computational tasks, while keeping VM memory encrypted with a dedicated per-VM instance key that is generated and managed by the processor. These keys are generated by the processor during VM creation and reside solely within it, making them unavailable to Google or other VMs running on the host. We’re currently supporting SEV on 3rd Gen AMD EPYC processors but will bring more advanced capabilities in the future.
Confidential N2D and C2D VMs with 3rd Gen AMD EPYC processors are offered at the same price as the previous generation Confidential N2D VMs. You can also take advantage of cost savings with spot pricing. To learn more, visit Confidential VM pricing.
Ongoing Confidential Computing Investment
Today’s announcement comes off the heels of the review that the Google Cloud Security team, Google Project Zero, and the AMD firmware and product security teams collaborated on of the technology and firmware that powers AMD Confidential Computing technology. Google Cloud and AMD are committed to securing sensitive workloads and shaping future Confidential Computing innovations.
Upgrading your existing Confidential N2D VMs to use 3rd Gen AMD EPYC processors is easy. If you already use Confidential N2D machines or are just getting started, you can use the latest hardware by simply selecting “AMD Milan or later” as the CPU platform.
To create a Confidential C2D VM, choose the C2D option when creating a new VM and check the box under “Confidential VM service” in the Google Cloud Console.
With Confidential Computing, you can protect your data and run your most sensitive applications and services on N2D and C2D VMs.