Supported configurations

To create a Confidential VM instance, you need a virtual machine that has the following properties:

You can configure your own Confidential VM instance manually, or accept the suggested settings when you enable the Confidential VM service in the Google Cloud console.

Limitations

The following limitations apply depending on how you've configured your Confidential VM instance.

All Confidential VM instances

  • You must create a new VM instance to enable Confidential VM. Existing instances can't be converted to Confidential VM instances.

  • You can't attach GPUs or TPUs to Confidential VM instances.

  • Confidential VM instances require an NVME interface for disks. SCSI isn't supported.

  • Only new disks can be formatted to XFS on Linux kernel versions earlier than 5.10. To format existing disks to XFS, you need kernel version 5.10 or later.

  • You can't attach more than 40 disks to a Confidential VM instance. You can request an exception through a support channel, although instances with more than 40 disks might fail silently.

  • Boot time is proportional to the amount of memory assigned to an instance. You might notice longer boot times for Confidential VM instances with large amounts of memory.

  • Establishing SSH connections takes longer on Confidential VM instances than non-Confidential VM instances.

  • Live migration is only supported on N2D machine types with AMD EPYC Milan CPU platforms running AMD SEV.

AMD SEV

  • Debian 12 doesn't have attestation support for AMD SEV due to the missing /dev/sev-guest package.
  • AMD SEV on the C3D machine type (Preview) has the following limitations:

    • Confidential VM instances that use C3D machine types might experience lower network bandwidth than equivalent non-confidential VMs, even with per VM Tier_1 networking performance enabled.

    • VMs with more than 180 vCPUs aren't supported.

    • The following images that are tagged SEV_CAPABLE don't work with AMD SEV on C3D machines that have more than 8 vCPUs:

      • debian-11

      • rhel-8-4-sap-ha

      • sles-15-sp2-sap

      • ubuntu-pro-fips-1804-lts

      • ubuntu-pro-fips-2004-lts

      These images are missing a required patch that increases the size of the SWIOTLB buffer for high networking queues.

AMD SEV-SNP

  • Debian 12 doesn't have attestation support for AMD SEV-SNP due to the missing /dev/sev-guest package.

  • VM instances don't support kdump. Instead, use the guest console logs.

Intel TDX

  • Local SSD machine types aren't supported.

  • CPUs might appear to have high utilization. This is because the HLT CPU instruction has been disabled on the guest to avoid high overhead when waking the CPU.

  • VM instances take longer to shut down compared to standard VM instances. This delay increases with VM memory size.

  • Only Balanced Persistent Disk volumes that use the NVMe interface are supported.

  • VM instances booted with Container-Optimized OS images might experience poor performance compared to Ubuntu OS images.

  • VM instances might experience lower network bandwidth and higher latency compared to non-Confidential VM instances.

  • Custom images aren't supported.

  • VM instances can't be provisioned on sole-tenant node groups.

  • Due to additional security constraints, the CPUID instruction might return limited or no CPU architecture details. This might impact the performance of workloads that depend on those CPUID values.

  • VM instances don't support kdump. Instead, use the guest console logs.

Machine types, CPUs, and zones

Confidential VM is supported on the following machine types and configurations.

Machine type            | CPU platform                               | Confidential Computing technology                              | Live migration support
------------------------|--------------------------------------------|----------------------------------------------------------------|--------------------------
C2D                     | AMD EPYC Milan; AMD EPYC Rome (deprecated) | AMD SEV on Milan and Rome                                      | Not supported
c3-standard-* (Preview) | Intel Sapphire Rapids                      | Intel TDX                                                      | Not supported
C3D (Preview)           | AMD EPYC Genoa                             | AMD SEV                                                        | Not supported
N2D                     | AMD EPYC Milan; AMD EPYC Rome (deprecated) | AMD SEV on Milan and Rome; AMD SEV-SNP (Preview) on Milan only | AMD SEV VMs on Milan only

View supported zones

You can view which zones support these machine types with one of the following methods.

AMD SEV

Reference table

To view which zones support Confidential VM, complete the following steps.

  1. Go to Available regions and zones.

  2. Click Select a machine type, and then select N2D, C2D and C3D (Preview).

  3. Click Select a CPU, and then select AMD EPYC Milan and AMD EPYC Genoa (Preview).

gcloud

To list the zones available in Google Cloud, run the following command:

gcloud compute zones list \
    --format="value(NAME)"

To list the available CPU platforms for a specific zone, run the following command and check for AMD Milan or AMD Genoa (Preview) support:

gcloud compute zones describe ZONE_NAME \
    --format="value(availableCpuPlatforms)"
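The following POSIX shell script is an added example, not part of the Google Cloud documentation: it applies the machine-type table above to the one-line, ';'-separated output of the zones describe command, so you can tell which Confidential Computing technology a zone can host before you choose a machine type. The platform strings ("AMD Milan", "AMD Rome", "AMD Genoa", "Intel Sapphire Rapids"), the function names and the sample inputs are assumptions.

```shell
#!/bin/sh
# Added example (not Google Cloud's own code): classify a zone by the
# Confidential Computing technologies it can host, from the CPU platform list
# that `gcloud compute zones describe ZONE --format="value(availableCpuPlatforms)"`
# prints as a single ';'-separated line. Platform name strings are assumed.
#
# Mapping taken from the machine-type table on this page:
#   AMD Milan             -> AMD SEV (N2D, C2D) and AMD SEV-SNP Preview (N2D only)
#   AMD Rome (deprecated) -> AMD SEV (N2D, C2D)
#   AMD Genoa             -> AMD SEV on C3D (Preview)
#   Intel Sapphire Rapids -> Intel TDX on c3-standard-* (Preview)

# cvm_techs PLATFORMS: print the supported technologies, one per line, sorted.
# Returns 1 when none of the listed platforms supports Confidential VM.
cvm_techs() {
  techs=""
  rest="$1;"                      # trailing ';' so the last item is consumed too
  while [ -n "$rest" ]; do
    p=${rest%%;*}                 # next platform name
    rest=${rest#*;}               # remainder of the list
    case $p in
      "AMD Milan")             techs="$techs AMD_SEV AMD_SEV_SNP" ;;
      "AMD Rome"|"AMD Genoa")  techs="$techs AMD_SEV" ;;
      "Intel Sapphire Rapids") techs="$techs INTEL_TDX" ;;
    esac
  done
  [ -n "$techs" ] || return 1
  printf '%s\n' $techs | sort -u  # deduplicate (Milan and Rome both add AMD_SEV)
}

# cvm_zones: with gcloud installed and authenticated, walk every zone and print
# the ones that can host a Confidential VM instance (makes API calls).
cvm_zones() {
  gcloud compute zones list --format="value(NAME)" | while read -r zone; do
    plats=$(gcloud compute zones describe "$zone" --format="value(availableCpuPlatforms)")
    if t=$(cvm_techs "$plats"); then
      printf '%s: %s\n' "$zone" "$(printf '%s\n' "$t" | tr '\n' ' ')"
    fi
  done
}

# Constructed sample platform lists (not real API responses) for a stand-alone run.
cvm_techs "Intel Cascade Lake;AMD Milan;AMD Rome"
cvm_techs "Intel Ice Lake;Intel Sapphire Rapids"
cvm_techs "Intel Skylake" || echo "no Confidential VM support"
```

Run `cvm_zones` in an authenticated shell to scan the real zone list; the sample calls at the bottom work offline.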

AMD SEV-SNP

AMD SEV-SNP is supported in the following zones, on N2D machine types with AMD Milan CPU platforms:

  • asia-southeast1-a

  • asia-southeast1-b

  • asia-southeast1-c

  • europe-west3-a

  • europe-west3-b

  • europe-west3-c

  • europe-west4-a

  • europe-west4-b

  • europe-west4-c

  • us-central1-a

  • us-central1-b

  • us-central1-c

Intel TDX

Intel TDX (Preview) is supported in the following zones, on c3-standard-* machine types.

  • asia-southeast1-a

  • asia-southeast1-b

  • asia-southeast1-c

  • europe-west4-a

  • europe-west4-b

  • us-central1-a

  • us-central1-b

  • us-central1-c

Operating systems

For the available Confidential VM operating system images, see Operating system details. Find your distribution of choice, and then click the Security features tab to check if Confidential VM is supported.

Alternatively, you can view supported operating system images with a gcloud command, or create your own Linux image.

View supported operating system images with gcloud

The operating system images you can use are determined by your Confidential Computing technology choice.

AMD SEV and AMD SEV-SNP

You can list the operating system images, their image families, and their versions that support AMD Confidential Computing technologies by running the following command:

gcloud compute images list \
    --filter="guestOsFeatures[].type:(OS_FEATURE)"

Provide the following value:

OS_FEATURE: The type of Confidential Computing support you want. Accepted values are:

  • SEV_CAPABLE: Operating systems that support AMD SEV.

  • SEV_LIVE_MIGRATABLE_V2: Operating systems that support AMD SEV and live migration.

  • SEV_SNP_CAPABLE: Operating systems that support AMD SEV-SNP isolation and attestation.

To limit the results to a specific image family, project, or other text provided in the previous command's response, use an AND operator, and replace STRING with a partial text match, similar to the following example:

gcloud compute images list \
    --filter="guestOsFeatures[].type:(OS_FEATURE) AND STRING"

To view details about a specific image, run the following command using details from the responses of the previous commands:

gcloud compute images describe IMAGE_NAME \
    --project=IMAGE_PROJECT

Intel TDX

You can list the operating system images, their image families, and their versions that support Intel TDX (Preview) by running the following command:

gcloud beta compute images list \
    --filter="guestOsFeatures[].type:(TDX_CAPABLE)" \
    --project=tdx-guest-images

To limit the results to a specific image family, project, or other text provided in the previous command's response, use an AND operator, and replace STRING with a partial text match, similar to the following example:

gcloud beta compute images list \
    --filter="guestOsFeatures[].type:(TDX_CAPABLE) AND STRING" \
    --project=tdx-guest-images

To view details about a specific image, run the following command using details from the responses of the previous commands:

gcloud beta compute images describe IMAGE_NAME \
    --project=tdx-guest-images

What's next

Learn how to create a Confidential VM instance.