cancel
Showing results for 
Search instead for 
Did you mean: 

Microsoft Azure Confidential Computing Powered by 3rd Gen EPYC™ CPUs

Lynn_Comp
Staff
Staff
1 0 19.6K

The accelerating global digital transformation means that enterprises are rapidly moving data and applications to the cloud to unlock new capabilities and achieve faster time to insights. This new environment requires new security paradigms to help protect sensitive data at rest, on the network, and in use.  These needs of protecting and managing sensitive data throughout the life cycle, along with ever increasing industry regulations, are pushing confidential computing to become a technology choice for secure computing environments.

AMD has developed a strong roadmap of silicon-level security features based on AMD Infinity Guard to enable confidential computing environments that help defend against internal and external threats.

AMD Infinity GuardAMD Infinity Guard

Recently, Microsoft Azure announced availability of Azure confidential virtual machines, DCasv5 and ECasv5, powered by the 3rd Gen AMD EPYC processors with its SEV-SNP capability enabled. These VMs help protect data from other users’ virtual machines, the hypervisor, and host management code. Furthermore, customers can lift and shift existing x86-based virtual machines to ACC confidential VMs without changing code. AMD tested these virtual machines on various enterprise workloads to understand the performance impact, if any, of using VMs with SEV-SNP enabled. The results indicate that customers can take advantage of Azure confidential VMs, equipped with the leadership-class security features of AMD Infinity Guard, with minimal performance difference on common benchmarks as compared with general purpose VMs.  For a deep dive on SEV-SNP technology, visit this link.

Standardized Performance with Estimated SPECCPU2017

The SPEC CPU® 2017 benchmark package contains SPEC's next-generation, industry-standardized, CPU intensive suites for measuring and comparing compute intensive performance, stressing a system's processor, memory subsystem and compiler. SPEC designed these suites to provide a comparative measure of compute-intensive performance across the widest practical range of hardware using workloads developed from real user applications. Synthetic benchmarks are well known representations of how actual workloads exercise platforms and as a result it’s important to recognize the application behind the benchmark to more easily translate the results into an enterprise environment.

Figure 1: Estimated SPECrate®2017_int_base and SPECrate®2017_fp_base performance of Azure Confidential DC16av5 VM versus D16asv5 VM (normalized to D16asv5)Figure 1: Estimated SPECrate®2017_int_base and SPECrate®2017_fp_base performance of Azure Confidential DC16av5 VM versus D16asv5 VM (normalized to D16asv5)

Take-away: Estimated SPECrate®2017_int_base and SPECrate®2017_fp_base scores showed solid performance in DC16asv5 with an approximate 4% performance delta compared D16asv5.

[MLNC-020, MLNC-021. See Endnotes]


Server-Side Java Performance

Java® applications are deployed in virtually every enterprise around the world, especially regulated industries. We ran our internal Java benchmark to measure server-side Java performance and with an emphasis on the middle-tier Java.

Figure 3: Server-Side Java normalized performance of Azure Confidential VM DCav5 Vs standard VM Dasv5Figure 3: Server-Side Java normalized performance of Azure Confidential VM DCav5 Vs standard VM Dasv5

Take-away: Server-Side Java Performance benchmarks show excellent Java applications performance with an approximate 2% delta for DC16asv5 Vs standard D16asv5 VMs.
[MLNC-016. See Endnote]

Financial Services – Monte Carlo Simulation

The Monte Carlo simulation is widely used in financial services industry. It is a stochastic (random sampling of inputs) method to solve a statistical problem, and a simulation is a virtual representation of a problem. The Monte Carlo simulation combines the two to give us a powerful tool that allows us to obtain a distribution (array) of results for any statistical problem with numerous inputs sampled repeatedly.  When used in financial apps, the Monte Carlo simulation can accommodate a variety of risk assumptions in many scenarios and is therefore applicable numerous investment and portfolio decisions applications as well as in corporate finance to model components of project cash flow, which are impacted by uncertainty.

Figure4: FSI – Monte Carlo Benchmark normalized performance of Azure Confidential VM DC16asv5 Vs standard VM D16asv5Figure4: FSI – Monte Carlo Benchmark normalized performance of Azure Confidential VM DC16asv5 Vs standard VM D16asv5

Take-away: FSI-related Monte Carlo Benchmark shows an approximate 1% delta for running on confidential DC16asv5 Vs standard D16av5 VM
[MLNC-017. See Endnote]

Financial Application – Black-Scholes Model Performance

The Black-Scholes model, also known as the Black-Scholes-Merton (BSM) model, is one of the most important concepts in modern financial theory. This mathematical differential equation estimates the theoretical value of derivatives, stocks, or futures contracts, considering the impact of time and other risk factors.  It is one of the best ways for pricing an options contract.

Figure 5: FSI Black Scholes benchmark normalized performance of Azure Confidential VM DC16asv5 Vs standard VM D16asv5Figure 5: FSI Black Scholes benchmark normalized performance of Azure Confidential VM DC16asv5 Vs standard VM D16asv5

Take-away: FSI-related Black Scholes model shows an approximate 2% performance delta for running on confidential DC16asv5 VM Vs standard D16asv5 VM.

[MLNC-018. See Endnote]

CoreMark Benchmark Performance

CoreMark® is an industry-standard benchmark that measures the performance of central processing units (CPU) and embedded microcontrollers (MCU) used in both system configuration and virtual machines. CoreMark contains multiple algorithms seen in many real applications and measures single -thread performance per clock frequency. It is a realistic benchmark that is typically used to represent application CPU performance. Figure 2 compares CoreMark performance on Azure Confidential VM DC16av5 versus standard D16asv5 VMs.

Figure 2: CoreMark normalized performance of Azure Confidential VM DCasv5 versus Dasv5Figure 2: CoreMark normalized performance of Azure Confidential VM DCasv5 versus Dasv5

Take-away: CoreMark benchmark shows ~8% performance delta for DC16asv5 VM Vs standard D16asv5 VM.
[MLNC-019. See Endnote]

Conclusion

Confidential computing enabled for Azure DCasv5 and ECasv5 can help transform the way organizations process data in the cloud by delivering high application performance while preserving confidentiality and privacy. As demonstrated in our tests above, customers can run general purpose workloads on confidential virtual machines with minimal performance impact compared to standard VMs. This can help virtually any organization with sensitive data to take advantage of the cloud to develop world changing products and services. We can’t wait to see confidential computing become ubiquitous on the clouds to help customers around the world unlock new possibilities.

Check out the Microsoft Azure confidential virtual machines, DCasv5 and ECasv5, powered by 3rd Gen EPYC CPUs with SEV-SNP technology enabled, here.

 

Endnotes:
MNLC-016: Results as of 10-28-2021 based on AMD internal tests using Multi JVM configuration for Server Side Java benchmark on Azure D16asv5 virtual machine (SEV-SNP not enabled) generated a median result of 13293 critical Java operations per second (31179 Max Java operations per second) and Azure DC16asv5 virtual machine (SEV-SNP enabled) generated a median result of 13217 critical Java operations per second (30184 max Java operations per second). Both configurations used Ubuntu 20.04.2 LTS and OpenJDK 64-bit Server VM, version 16.0.1. Results may vary according to instance size, operating system and other variables.

MNLC-017: Results as of 10-28-2021 based on AMD internal tests using Monte Carlo benchmark. Azure D16asv5 virtual machine (SEV-SNP not enabled) generated a median result of 13756.62 Options per second and Azure DC16asv5 virtual machine (SEV-SNP enabled) generated a median result of 13467.81 Options per second. These configurations used Ubuntu 20.04.2 LTS.  Results may vary according to instance size, operating system, and other variables.

MNLC-018: Results as of 10-28-2021 based on AMD internal tests using Black Scholes benchmark. Azure D16asv5 virtual machine (SEV-SNP not enabled) generated a median result of 350.95 Parallel Options per million/s and Azure DC16asv5 virtual machine (SEV-SNP enabled) generated a median result of 343.65 Parallel Options per million/s. These configurations used Ubuntu 20.04.2 LTS. Results may vary according to instance size, operating system and other variables.

MNLC-019: Results as of 10-28-2021 based on AMD internal tests using Coremark Linux benchmark. Azure D16asv5 virtual machine (SEV-SNP not enabled) generated a median Coremark score of 334745.5411 and Azure DC16asv5 virtual machine (SEV-SNP enabled) generated a median Coremark score of 307145.942. These configurations used Ubuntu 20.04.2 LTS. Results may vary according to instance size, operating system, and other variables. Linux is a registered trademark of Linus Torvalds in the U.S. and other countries.

MLNC-020: Estimated results as of 10-28-2021 based on AMD internal tests on SPECrate®2017_int_base benchmark. Azure DC16asv5 virtual machine generated, on average, performance within 96% of Azure D16asv5 virtual machine performance. Results may vary according to instance size, operating system, and other variables. These configurations used Ubuntu 20.04.2 LTS.

MLNC-021: Estimated results as of 10-28-2021 based on AMD internal tests on SPECrate®2017_fp_base benchmark. Azure DC16asv5 virtual machine generated, on average, performance within 97% of Azure D16asv5 virtual machine performance. Results may vary according to instance size, operating system, and other variables. These configurations used Ubuntu 20.04.2 LTS.

GD-174: Results may vary due to changes to the underlying configuration, and other conditions such as the placement of the VM and its resources, optimizations by the cloud service provider, accessed cloud regions, co-tenants, and the types of other workloads exercised at the same time on the system. GD-174