Use Confidential Virtual Machines (CVM) in an Azure Kubernetes Service (AKS) cluster
You can use confidential virtual machine (VM) sizes (DCav5/ECav5) to add a node pool to your AKS cluster with CVM. Confidential VMs with AMD SEV-SNP support bring a new set of security features to protect data-in-use with full VM memory encryption. These features enable node pools with CVM to target the migration of highly sensitive container workloads to AKS without any code refactoring while benefiting from the features of AKS. The nodes in a node pool created with CVM use a customized Ubuntu 20.04 image specially configured for CVM. For more on CVM, see Confidential VM node pools support on AKS with AMD SEV-SNP confidential VMs.
In this article, there are references to a feature that may be using Ubuntu OS versions that are being deprecated for AKS.
- Starting on 17 March 2027, AKS will no longer support Ubuntu 20.04. Existing node images will be deleted and AKS will no longer provide security updates. You'll no longer be able to scale your node pools. Upgrade your node pools to Kubernetes version 1.34+ to migrate to a supported Ubuntu version. For more information on this retirement, see AKS GitHub Issues.
Before you begin
Before you begin, make sure you have the following:
- An existing AKS cluster.
- The DCasv5 and DCadsv5-series or ECasv5 and ECadsv5-series SKUs available for your subscription.
The following limitations apply when adding a node pool with CVM to AKS:
- You can't use , ARM64, or Azure Linux.
- You can't upgrade an existing node pool to use CVM.
- The DCasv5 and DCadsv5-series or ECasv5 and ECadsv5-series SKUs must be available for your subscription in the region where the cluster is created.
Add a node pool with the CVM to AKS
Add a node pool with CVM to AKS using the az aks nodepool add command and set the node-vm-size.

az aks nodepool add \
    --resource-group myResourceGroup \
    --cluster-name myAKSCluster \
    --name cvmnodepool \
    --node-count 3 \
    --node-vm-size Standard_DC4as_v5
Verify the node pool uses CVM
Verify a node pool uses CVM using the az aks nodepool show command and verify the vmSize.

az aks nodepool show \
    --resource-group myResourceGroup \
    --cluster-name myAKSCluster \
    --name cvmnodepool \
    --query 'vmSize'
The following example command and output show that the node pool uses CVM:

az aks nodepool show \
    --resource-group myResourceGroup \
    --cluster-name myAKSCluster \
    --name cvmnodepool \
    --query 'vmSize'

"Standard_DC4as_v5"
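The check above covers one node pool. Because an existing pool can't be upgraded to CVM, a cluster often mixes CVM and non-CVM pools, so the following added example (not part of the original article) audits every pool at once. The function names, the sample pool names other than cvmnodepool, and the size-name pattern for the DCasv5/DCadsv5/ECasv5/ECadsv5 series are assumptions.

```shell
# Added example: flag AKS node pools that are not on a confidential VM size.

# Return 0 when a vmSize is in the DCasv5/DCadsv5/ECasv5/ECadsv5 series.
# Assumption: these sizes are named Standard_{DC|EC}<vCPUs>a[d]s_v5.
is_cvm_size() {
  printf '%s\n' "$1" | grep -Eiq '^Standard_(DC|EC)[0-9]+ad?s_v5$'
}

# Read "name<TAB>vmSize" lines on stdin and print the pools NOT on CVM.
# Returns 0 = all pools are CVM, 1 = at least one is not,
# 2 = no pools were read (fail closed, e.g. the az call failed upstream).
non_cvm_pools() {
  found=0
  seen=0
  tab=$(printf '\t')
  while IFS="$tab" read -r name size; do
    [ -n "$name" ] || continue
    seen=$((seen + 1))
    if ! is_cvm_size "$size"; then
      printf '%s\t%s\n' "$name" "$size"
      found=1
    fi
  done
  [ "$seen" -gt 0 ] || return 2
  return "$found"
}

# Live use: audit_cluster myResourceGroup myAKSCluster
audit_cluster() {
  az aks nodepool list \
    --resource-group "$1" \
    --cluster-name "$2" \
    --query '[].[name, vmSize]' \
    --output tsv | non_cvm_pools
}

# Constructed sample in the same TSV shape, so the script runs offline.
sample_pools() {
  printf 'cvmnodepool\tStandard_DC4as_v5\n'
  printf 'nodepool1\tStandard_D4s_v5\n'
  printf 'dcv3pool\tStandard_DC4s_v3\n'   # near-miss name, not a v5 CVM size
  printf 'memcvm\tStandard_EC8ads_v5\n'
}

sample_pools | non_cvm_pools || echo "non-CVM node pools present"
```

A non-zero exit status from audit_cluster can gate a deployment pipeline so that sensitive workloads are not rolled out to a cluster that has unverified pools.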
Remove a node pool with CVM from an AKS cluster
Remove a node pool with CVM from an AKS cluster using the az aks nodepool delete command.

az aks nodepool delete \
    --resource-group myResourceGroup \
    --cluster-name myAKSCluster \
    --name cvmnodepool
Next steps
In this article, you learned how to add a node pool with CVM to an AKS cluster. For more information about CVM, see Confidential VM node pools support on AKS with AMD SEV-SNP confidential VMs.