Azure and Intel have announced the general availability of Intel® TDX Confidential VMs on Azure. This is a landmark moment for Confidential Computing. But deploying, managing and auditing these VMs still carries a real cost risk, unless you automate.
That’s where CanaryBit Tower comes in, offering an Infrastructure as Code approach that keeps your Confidential Computing spend under control from day one.
What is Intel TDX and why does this GA matter?
Intel® Trust Domain Extensions (Intel® TDX) is a hardware-based Trusted Execution Environment (TEE) technology built into Intel’s 5th Gen Xeon processors (codenamed “Emerald Rapids”). It creates isolated “trust domains” (Confidential VMs) whose memory is encrypted and integrity-protected at the hardware level. Even the hypervisor, host OS, or cloud operator cannot read the memory of a running trust domain.
Azure’s general availability announcement brings the DCesv6 and DCedsv6 VM series (general-purpose) and the ECesv6 and ECedsv6 series (memory-optimized) to production-ready status in the West US and West US 3 regions.
This GA release matters for three big reasons:
- No application code changes required. Organizations can lift and shift sensitive workloads into a confidential environment without refactoring.
- Hardware-enforced isolation and cryptographic attestation. Workloads are protected against software and hardware attacks, including memory bus snooping and cold boot attacks, even if the hypervisor or BIOS is compromised.
- Confidential AI acceleration. The VMs include support for Intel Advanced Matrix Extensions (Intel AMX), directly accelerating AI inference on sensitive data.
The hidden cost problem with Confidential VMs
Confidential VMs are powerful, but they are also priced at a premium compared to standard compute. Every idle or misconfigured VM burns budget. The challenges are compounded in Confidential Computing environments because:
- Each trusted execution environment must be provisioned correctly. Wrong configurations can silently leave workloads unprotected, requiring teardown and redeployment.
- Resources are often left running after workloads complete. This occurs especially when teams manage environments manually through the portal.
- Security drift is costly. A configuration change that breaks attestation may not be caught until a verification audit, by which time money and time have already been spent.
- Multi-cloud and hybrid setups add further complexity when teams try to replicate secure environments across Azure, AWS, GCP, or on-premises infrastructure.
Manual operations at scale simply don’t work for Confidential Computing. You need automation that also understands trust.
How CanaryBit Tower solves this with Infrastructure as Code
CanaryBit Tower is a Confidential Computing resource orchestration service built specifically for Trusted Execution Environments. It wraps the entire lifecycle of Confidential VM deployment – provisioning, attestation, execution, and teardown – into reusable Terraform and OpenTofu modules.
This Infrastructure as Code (IaC) approach directly addresses the cost and complexity problems of managing Azure Intel TDX Confidential VMs.
Automated provisioning eliminates waste
Tower creates all required infrastructure resources (e.g. Confidential VMs, virtual networks, security groups and more) and automatically tears them down once the workload completes or if the environment is compromised. There are no lingering VMs burning budget after a job is done. Each trusted execution environment is single-use and immutable once created, which is both a security and a cost principle.
Configuration as code prevents drift
Because all infrastructure is defined in code, every deployment is reproducible and auditable. Configuration drift – a common source of both security failures and unexpected re-deployments – is caught before it reaches production. Teams can version, review, and roll back Confidential VM configurations just like application code.
Built-in Remote Attestation from day one
Tower natively integrates remote attestation via CanaryBit Inspector. When the remote_attestation block is enabled in the module, every VM boot triggers automatic verification of its security characteristics. This means your Azure Intel TDX Confidential VMs are not just deployed, they are continuously verified. Unverified environments are flagged immediately, preventing teams from running workloads on compromised or misconfigured hardware.
Multi-cloud and On-prem support
Tower’s IaC modules cover Azure, AWS, and GCP for public cloud deployments, all free under the Apache-2.0 licence. For on-premises and private infrastructure (VMware, Proxmox, OpenShift, Libvirt/QEMU), a Premium License extends the same IaC workflow to your data centre. This means a single, consistent automation layer manages Confidential VMs across your entire estate, reducing operational overhead and the cost of maintaining separate toolchains.
A simple workflow, serious security
Getting started with Tower on Azure is straightforward:
- Configure credentials: set your Azure CLI credentials and CanaryBit account credentials as environment variables.
- Define your module: edit the Tower Terraform module to specify your Confidential VM size, count, SSH access, and attestation settings.
- Apply & Verify: Tower provisions the Confidential VMs, enforces CanaryBit Inspector remote attestation verification, and returns the resource details.
- Audit: monitor the security posture of every deployed environment and download a full report from the CanaryBit Inspector dashboard.
- Destroy: take down non-compliant environments at your convenience with a single command.
That’s it. No manual portal clicks. No forgotten resources. No unverified environments.
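What the "Define your module" step and the remote_attestation block described under Built-in Remote Attestation can look like in practice, as an added example that is not CanaryBit's published module code: the module source, the size name, the tag keys and every input name except remote_attestation are assumptions and must be checked against the module's documentation in the Terraform or OpenTofu Registry.

```hcl
# Added example, not the Tower module's own code. Source, version and all
# input names below (other than remote_attestation) are assumptions.
terraform {
  required_version = ">= 1.5.0"
}

# Azure CLI credentials (az login) and CanaryBit account credentials are read
# from environment variables, as the workflow describes, so no secret is
# committed with this file and the file can be reviewed like application code.

module "tdx_cvm" {
  source  = "<registry-namespace>/tower/azurerm" # placeholder, see the registry
  version = "~> 1.0"                             # pinned for reproducible deployments

  location = "westus3"           # one of the two GA regions named in the post
  vm_size  = "Standard_DC4es_v6" # DCesv6 general-purpose TDX size (name assumed)
  vm_count = 2

  # SSH access limited to one key and one admin range (constructed values).
  ssh_public_key   = file("~/.ssh/tower_ed25519.pub")
  ssh_allowed_cidr = "203.0.113.0/24"

  # Remote attestation via CanaryBit Inspector. The block name is from the
  # post; the fields inside it are assumptions. Setting enabled = false would
  # still provision the VMs but leave them unverified, which is exactly the
  # drift a code review of this file should reject.
  remote_attestation = {
    enabled            = true
    fail_on_unverified = true # never hand over an environment that did not verify
  }

  # Tags that make single-use environments easy to find and tear down (assumed keys).
  tags = {
    workload = "confidential-inference"
    ttl      = "4h"
  }
}

# Resource details returned after apply; marked sensitive so they are not
# echoed into CI logs.
output "cvm_details" {
  value     = module.tdx_cvm
  sensitive = true
}
```

Run `terraform init && terraform plan` (or the `tofu` equivalents) to review the planned Confidential VMs before `apply`, and `terraform destroy` to remove a non-compliant environment in one command.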
Who should care about Azure Intel TDX + CanaryBit Tower?
This combination is especially valuable for:
- Organisations processing regulated data in the cloud, where compliance requires provable data-in-use protection.
- AI and ML teams running Confidential AI pipelines on sensitive models or proprietary training data.
- Multi-party data collaboration scenarios where two or more organisations need to jointly process data without exposing it to each other or the cloud operator.
- Security-first engineering teams who want automated, auditable, and reproducible secure infrastructure, without sacrificing developer velocity.
Getting started
The Azure Intel TDX Confidential VMs are now generally available. The CanaryBit Tower Terraform and OpenTofu modules for Azure are free to use under the Apache-2.0 licence and are available on the Terraform Registry and OpenTofu Registry.
To learn more about CanaryBit Tower and how it orchestrates Trusted Execution Environments across clouds, visit the official documentation.
The convergence of generally available Intel TDX hardware on Azure and purpose-built IaC tooling from CanaryBit removes the last major barriers to running sensitive workloads confidently in the cloud, without overspending on infrastructure management.
Ready to deploy and attest your first Azure Intel TDX Confidential VM with Infrastructure as Code? Sign up for a CanaryBit account and get started today.