The previous article described the Confidential Computing features related to VMs. The same approach, i.e. securing data during processing, also applies to PaaS. These features will be discussed in this post.


  1. Dedicated App Service Plan
    • “The Basic, Standard, Premium, PremiumV2, and PremiumV3 tiers run apps on dedicated Azure VMs. Only apps in the same App Service plan share the same compute resources.”
    • it is therefore like a single VM on a shared host and does not provide additional confidential compute features
  2. App Service Environment (ASE)
    • sometimes called “Isolated Plan” or “IsolatedV2”
    • can be deployed on isolated hardware (with 132 vCores) as additional option
    • same as dedicated App Service Plan, if not on isolated hardware
    • can additionally isolate all network traffic
    • only ASE v3 can be created, other versions are deprecated
  3. KeyVault Managed HSM
    • KeyVault PaaS for dedicated tenant
    • used for storing keys
    • can perform encryption and decryption of data
  4. Dedicated HSM
    • like managed HSM, but as real hardware module
    • can performe encryption and decryption with different algorithms
    • can only be used, if the customer generated $5M consumption
  5. Azure SQL Database Always Encrypt
    • can be activated on selected database columns (e.g. with credit card numbers)
    • the columns are automatic encrypted and can not be decrypted from database administrators
    • only granted clients can encrypt the data
    • data encryption is done automatic on the client via database driver
  6. Always Encrypt with Secure Enclaves

Featured not in the Picture

  • Transparent data encryption (TDE): corresponds to the encryption-at-rest feature at storage accounts. It encrypts the database, backups and logs. It can be done with a customer-key or a platform-key.