Merge branch 'main' into release-2022-cu1

Author: v-alje

.openpublishing.redirection.azure-sql.json

@@ -480,6 +480,11 @@
       "redirect_url": "/azure/security-center/defender-for-sql-on-machines-vulnerability-assessment",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/azure-sql/database/always-encrypted-enclaves-enable-sgx.md",
+      "redirect_url": "/azure/azure-sql/database/always-encrypted-enclaves-enable",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/azure-sql/database/machine-learning-services-add-r-packages.md",
       "redirect_url": "/sql/machine-learning/package-management/install-additional-r-packages-on-sql-server?context=/azure/azure-sql/managed-instance/context/ml-context&view=azuresqldb-mi-current",

azure-sql/database/active-geo-replication-configure-portal.md

@@ -151,8 +151,6 @@ This operation permanently stops the replication to the secondary database, and
 1. In the [Azure portal](https://portal.azure.com), browse to the primary database in the geo-replication partnership.
 2. Select **Replicas**.
 3. In the **Geo replicas** list, select the database you want to remove from the geo-replication partnership, select the ellipsis, and then select **Stop replication**.
-
-    :::image type="content" source="./media/active-geo-replication-configure-portal/azure-portal-select-stop-replication.png" alt-text="Screenshot that shows selecting stop replication from the drop-down.":::
 5. A confirmation window opens. Click **Yes** to remove the database from the geo-replication partnership. (Set it to a read-write database not part of any replication.)
 
 # [Azure CLI](#tab/azure-cli)

azure-sql/database/always-encrypted-enclaves-configure-attestation.md

@@ -4,7 +4,7 @@ description: Configure Azure Attestation for Always Encrypted with secure enclav
 author: jaszymas
 ms.author: jaszymas
 ms.reviewer: vanto
-ms.date: 07/14/2021
+ms.date: 02/01/2023
 ms.service: sql-database
 ms.subservice: security
 ms.topic: how-to
@@ -24,25 +24,29 @@ keywords:
 
 [!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)]
 
-[Microsoft Azure Attestation](/azure/attestation/overview) is a solution for attesting Trusted Execution Environments (TEEs), including Intel Software Guard Extensions (Intel SGX) enclaves. 
+[Microsoft Azure Attestation](/azure/attestation/overview) is a solution for attesting Trusted Execution Environments (TEEs), including Intel Software Guard Extensions (Intel SGX) enclaves.
 
 To use Azure Attestation for attesting Intel SGX enclaves used for [Always Encrypted with secure enclaves](/sql/relational-databases/security/encryption/always-encrypted-enclaves) in Azure SQL Database, you need to:
 
 1. Create an [attestation provider](/azure/attestation/basic-concepts#attestation-provider) and configure it with the recommended attestation policy.
 
 2. Determine the attestation URL and share it with application administrators.
 
+> [!IMPORTANT]
+>With Intel SGX enclaves in Azure SQL Database, attestation is mandatory and it requires Microsoft Azure Attestation.
+VBS enclaves in Azure SQL Database (in preview) currently do not support attestation. This document only applies to Intel SGX enclaves.
+
 > [!NOTE]
-> Configuring attestation is the responsibility of the attestation administrator. See [Roles and responsibilities when configuring SGX enclaves and attestation](always-encrypted-enclaves-plan.md#roles-and-responsibilities-when-configuring-sgx-enclaves-and-attestation).
+> Configuring attestation is the responsibility of the attestation administrator. See [Roles and responsibilities when configuring Intel SGX enclaves and attestation](always-encrypted-enclaves-plan.md#roles-and-responsibilities-when-configuring-intel-sgx-enclaves-and-attestation).
 
 ## Create and configure an attestation provider
 
-An [attestation provider](/azure/attestation/basic-concepts#attestation-provider) is a resource in Azure Attestation that evaluates [attestation requests](/azure/attestation/basic-concepts#attestation-request) against [attestation policies](/azure/attestation/basic-concepts#attestation-request) and issues [attestation tokens](/azure/attestation/basic-concepts#attestation-token). 
+An [attestation provider](/azure/attestation/basic-concepts#attestation-provider) is a resource in Azure Attestation that evaluates [attestation requests](/azure/attestation/basic-concepts#attestation-request) against [attestation policies](/azure/attestation/basic-concepts#attestation-request) and issues [attestation tokens](/azure/attestation/basic-concepts#attestation-token).
 
 Attestation policies are specified using the [claim rule grammar](/azure/attestation/claim-rule-grammar).
 
 > [!IMPORTANT]
-> An attestation provider gets created with the default policy for Intel SGX enclaves, which does not validate the code running inside the enclave. Microsoft strongly advises you set the below recommended policy, and not use the default policy, for Always Encrypted with secure enclaves.
+> An attestation provider gets created with the default policy for Intel SGX enclaves, which does not validate the code running inside the enclave. Microsoft strongly advises you set the recommended policy used in the following output, and not use the default policy for Always Encrypted with secure enclaves.
 
 Microsoft recommends the following policy for attesting Intel SGX enclaves used for Always Encrypted in Azure SQL Database:
 
@@ -58,16 +62,23 @@ authorizationrules
 };
 ```
 
-The above policy verifies:
+The policy verifies:
+
+- The enclave inside Azure SQL Database doesn't support debugging.
+  
+  Enclaves can be loaded with debugging disabled or enabled. Debugging support is designed to allow developers to troubleshoot the code running in an enclave. In a production system, debugging could enable an administrator to examine the content of the enclave, which would reduce the level of protection the enclave provides. The recommended policy disables debugging to ensure that if a malicious admin tries to turn on debugging support by taking over the enclave machine, attestation will fail.
 
-- The enclave inside Azure SQL Database doesn't support debugging. 
-  > Enclaves can be loaded with debugging disabled or enabled. Debugging support is designed to allow developers to troubleshoot the code running in an enclave. In a production system, debugging could enable an administrator to examine the content of the enclave, which would reduce the level of protection the enclave provides. The recommended policy disables debugging to ensure that if a malicious admin tries to turn on debugging support by taking over the enclave machine, attestation will fail. 
 - The product ID of the enclave matches the product ID assigned to Always Encrypted with secure enclaves.
-  > Each enclave has a unique product ID that differentiates the enclave from other enclaves. The product ID assigned to the Always Encrypted enclave is 4639. 
-- The security version number (SVN) of the library is greater than 0.
-  > The SVN allows Microsoft to respond to potential security bugs identified in the enclave code. In case a security issue is dicovered and fixed, Microsoft will deploy a new version of the enclave with a new (incremented) SVN. The above recommended policy will be updated to reflect the new SVN. By updating your policy to match the recommended policy you can ensure that if a malicious administrator tries to load an older and insecure enclave, attestation will fail.
+  
+  Each enclave has a unique product ID that differentiates the enclave from other enclaves. The product ID assigned to the Always Encrypted enclave is 4639.
+
+- The security version number (SVN) of the library is greater than or equal to 2.
+  
+  The SVN allows Microsoft to respond to potential security bugs identified in the enclave code. In case a security issue is discovered and fixed, Microsoft will deploy a new version of the enclave with a new (incremented) SVN. The recommended policy is updated to reflect the new SVN. By updating your policy to match the recommended policy, you can ensure that if a malicious administrator tries to load an older and insecure enclave, attestation will fail.
+
 - The library in the enclave has been signed using the Microsoft signing key (the value of the x-ms-sgx-mrsigner claim is the hash of the signing key).
-  > One of the main goals of attestation is to convince clients that the binary running in the enclave is the binary that is supposed to run. Attestation policies provide two mechanisms for this purpose. One is the **mrenclave** claim which is the hash of the binary that is supposed to run in an enclave. The problem with the **mrenclave** is that the binary hash changes even with trivial changes to the code, which makes it hard to rev the code running in the enclave. Hence, we recommend the use of the **mrsigner**, which is a hash of a key that is used to sign the enclave binary. When Microsoft revs the enclave, the **mrsigner** stays the same as long as the signing key does not change. In this way, it becomes feasible to deploy updated binaries without breaking customers' applications. 
+  
+  One of the main goals of attestation is to convince clients that the binary running in the enclave is the binary that is supposed to run. Attestation policies provide two mechanisms for this purpose. One is the **mrenclave** claim, which is the hash of the binary that is supposed to run in an enclave. The problem with the **mrenclave** is that the binary hash changes even with trivial changes to the code, which makes it hard to rev the code running in the enclave. Hence, we recommend the use of the **mrsigner**, which is a hash of a key that is used to sign the enclave binary. When Microsoft revs the enclave, the **mrsigner** stays the same as long as the signing key doesn't change. In this way, it becomes feasible to deploy updated binaries without breaking customers' applications.
 
 > [!IMPORTANT]
 > Microsoft may need to rotate the key used to sign the Always Encrypted enclave binary, which is expected to be a rare event. Before a new version of the enclave binary, signed with a new key, is deployed to Azure SQL Database, this article will be updated to provide a new recommended attestation policy and instructions on how you should update the policy in your attestation providers to ensure your applications continue to work uninterrupted.
@@ -84,14 +95,13 @@ For instructions for how to create an attestation provider and configure with an
     > [!IMPORTANT]
     > When you configure your attestation policy with Azure CLI, set the `attestation-type` parameter to `SGX-IntelSDK`.
 
-
 ## Determine the attestation URL for your attestation policy
 
 After you've configured an attestation policy, you need to share the attestation URL with administrators of applications that use Always Encrypted with secure enclaves in Azure SQL Database. The attestation URL is the `Attest URI` of the attestation provider containing the attestation policy, which looks like this: `https://MyAttestationProvider.wus.attest.azure.net`.
 
 ### Use Azure portal to determine the attestation URL
 
-In the Overview pane for your attestation provider, copy the value of the `Attest URI` property to clipboard. 
+In the Overview pane for your attestation provider, copy the value of the `Attest URI` property to clipboard.
 
 ### Use PowerShell to determine the attestation URL
 
@@ -103,10 +113,10 @@ Get-AzAttestation -Name $attestationProviderName -ResourceGroupName $attestation
 
 For more information, see [Create and manage an attestation provider](/azure/attestation/quickstart-powershell#create-and-manage-an-attestation-provider).
 
-## Next Steps
+## Next steps
 
 - [Manage keys for Always Encrypted with secure enclaves](/sql/relational-databases/security/encryption/always-encrypted-enclaves-manage-keys)
 
 ## See also
 
-- [Tutorial: Getting started with Always Encrypted with secure enclaves in Azure SQL Database](always-encrypted-enclaves-getting-started.md)
+- [Getting started using Always Encrypted with secure enclaves](always-encrypted-enclaves-getting-started.md)

azure-sql/database/always-encrypted-enclaves-enable-sgx.md

@@ -0,0 +1,102 @@
+---
+title: "Enable Always Encrypted with secure enclaves in Azure SQL Database"
+description: Learn how to enable secure enclaves in Azure SQL Database by selecting Intel SGX-enabled hardware or virtualization-based security (VBS)
+author: jaszymas
+ms.author: jaszymas
+ms.reviewer: vanto
+ms.date: 02/15/2023
+ms.service: sql-database
+ms.subservice: security
+ms.topic: conceptual
+---
+# Enable Always Encrypted with secure enclaves in Azure SQL Database
+
+[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)]
+
+In Azure SQL Database, [Always Encrypted with secure enclaves](/sql/relational-databases/security/encryption/always-encrypted-enclaves) can use either [Intel Software Guard Extensions (Intel SGX) enclaves](https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions.html) or [Virtualization-based Security (VBS) enclaves](https://www.microsoft.com/security/blog/2018/06/05/virtualization-based-security-vbs-memory-enclaves-data-protection-through-isolation/). For more information, see [Plan for secure enclaves in Azure SQL Database](always-encrypted-enclaves-plan.md).
+
+## [Intel SGX enclaves](#tab/IntelSGXenclaves)
+
+For Intel SGX to be available, the database must use the [vCore model](service-tiers-vcore.md) and [DC-series](service-tiers-sql-database-vcore.md#dc-series) hardware.
+
+Configuring the DC-series hardware to enable Intel SGX enclaves is the responsibility of the Azure SQL Database administrator. For more information, see [Roles and responsibilities when configuring Intel SGX enclaves and attestation](always-encrypted-enclaves-plan.md#roles-and-responsibilities-when-configuring-intel-sgx-enclaves-and-attestation).
+
+> [!NOTE]
+> Intel SGX is not available in hardware configurations other than DC-series. For example, Intel SGX is not available for standard-series (Gen5) hardware, and it is not available for databases using the [DTU model](service-tiers-dtu.md).
+
+> [!IMPORTANT]
+> Before you configure the DC-series hardware for your database, check the regional availability of DC-series and make sure you understand its performance limitations. For more information, see [DC-series](service-tiers-sql-database-vcore.md#dc-series).
+
+For detailed instructions on how to configure a new or existing database to use a specific hardware configuration, see [Hardware configuration](service-tiers-sql-database-vcore.md#hardware-configuration).
+
+## Next steps
+
+- [Configure Azure Attestation for your Azure SQL database server](always-encrypted-enclaves-configure-attestation.md)
+
+## [VBS enclaves](#tab/VBSenclaves)
+
+> [!IMPORTANT]
+> The VBS enclaves feature in Azure SQL Database is currently in preview. The [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability.
+
+To enable a VBS enclave in your database, you need to set the **preferredEnclaveType** [database property](/azure/templates/microsoft.sql/2022-05-01-preview/servers/databases?pivots=deployment-language-bicep#databaseproperties) to **VBS**, which activates the VBS enclave for the database. You can set **preferredEnclaveType** when you create a new database or by updating an existing database.
+
+> [!NOTE]
+> By default, a new database is created with **preferredEnclaveType** set to **Default**, which doesn't support VBS enclaves.
+
+You can set the **preferredEnclaveType** using Azure PowerShell or the Azure CLI.
+
+## Enabling VBS enclaves with Azure PowerShell
+
+Create a new database with a VBS enclave with the [New-AzSqlDatabase](/powershell/module/az.sql/New-AzSqlDatabase) cmdlet. The following example creates a serverless database with a VBS enclave.
+
+```azurepowershell-interactive
+New-AzSqlDatabase  -ResourceGroupName "ResourceGroup01" `
+    -ServerName "Server01" `
+    -DatabaseName "Database01" `
+    -Edition GeneralPurpose `
+    -ComputeModel Serverless `
+    -ComputeGeneration Gen5 `
+    -VCore 2 `
+    -MinimumCapacity 2 `
+    -PreferredEnclaveType VBS
+```
+
+To enable a VBS enclave for an existing database, use the [Set-AzSqlDatabase](/powershell/module/az.sql/Set-AzSqlDatabase) cmdlet. Here's an example:
+
+```azurepowershell-interactive
+Set-AzSqlDatabase -ResourceGroupName "ResourceGroup01" `
+    -DatabaseName "Database01" `
+    -ServerName "Server01" `
+    -PreferredEnclaveType VBS
+```
+
+## Enabling VBS enclaves with Azure CLI
+
+Create a new database with a VBS enclave with the [az sql db create](/cli/azure/sql/db) cmdlet. The following example creates a serverless database with a VBS enclave.
+
+```azurecli-interactive
+az sql db create -g ResourceGroup01 `
+    -s Server01 `
+    -n Database01 `
+    -e GeneralPurpose `
+    --compute-model Serverless `
+    -f Gen5 `
+    -c 2 `
+    --min-capacity 2 `
+    --preferred-enclave-type VBS 
+```
+
+To enable a VBS enclave for an existing database, use the [az sql db update](/cli/azure/sql/db) cmdlet. Here's an example:
+
+```azurecli-interactive
+az sql db update -g ResourceGroup01 `
+    -s Server01 `
+    -n Database01 `
+    --preferred-enclave-type VBS
+```
+
+---
+
+## See also
+
+- [Getting started using Always Encrypted with secure enclaves](always-encrypted-enclaves-getting-started.md)