---
title: Quickstart - Create Intel SGX VM in the Azure Portal
description: Get started with your deployments by learning how to quickly create an Intel SGX VM in the Azure Portal
author: stempesta
ms.service: virtual-machines
ms.subservice: workloads
ms.workload: infrastructure
ms.topic: quickstart
ms.date: 11/1/2021
ms.author: stempesta
ms.custom: ignite-fall-2021, mode-ui
---
# Quickstart: Create Intel SGX VM in the Azure portal
This tutorial guides you through the process of deploying Intel SGX VMs using Azure portal. Otherwise, we recommend following [Azure Marketplace](quick-create-marketplace.md) templates.
## Prerequisites
If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/pricing/purchase-options/pay-as-you-go/) before you begin.
> [!NOTE]
> Free trial accounts do not have access to the VMs in this tutorial. Please upgrade to a Pay-As-You-Go subscription.
## Sign in to Azure
1. Sign in to the [Azure Portal](https://portal.azure.com/).
1. At the top, select **Create a resource**.
1. On the left hand side pane, select, select **Compute**.
1. Select **Create Virtual Machine**.
## Configure an Intel SGX Virtual Machine
1. In the **Basics** tab, select your **Subscription** and **Resource Group**.
1. For **Virtual machine name**, enter a name for your new VM.
1. Type or select the following values:
* **Region**: Select the Azure region that's right for you.
> [!NOTE]
> Intel SGX VMs run on specialized hardware in specific regions. For the latest regional availability, look for DCsv2-series or DCsv3/DCdsv3-series in [available regions](https://azure.microsoft.com/global-infrastructure/services/?products=virtual-machines).
1. Configure the operating system image that you would like to use for your virtual machine.
* **Choose Image**: For this tutorial, select Ubuntu 20.04 LTS - Gen2. You may also select Ubuntu 18.04 LTS - Gen2, or Windows Server 2019.
* **Update to Generation 2**: Underneath Image, select **Configure VM generation**, in the fly out, then select **Generation 2**.
1. Choose a virtual machine with Intel SGX capabilities by clicking on **+ Add filter** to create a filter, select **Type** for Filter type, and check only **Confidential compute** from the list in the next dropdown.
> [!TIP]
> You should see sizes **DC(number)s_v2**, **DC(number)s_v3** and **DC(number)ds_v3**. [Learn more](virtual-machine-solutions-sgx.md).
1. Fill in the following information:
* **Authentication type**: Select **SSH public key** if you're creating a Linux VM.
> [!NOTE]
> You have the choice of using an SSH public key or a Password for authentication. SSH is more secure. For instructions on how to generate an SSH key, see [Create SSH keys on Linux and Mac for Linux VMs in Azure](../virtual-machines/linux/mac-create-ssh-keys.md).
* **Username**: Enter the Administrator name for the VM.
* **SSH public key**: If applicable, enter your RSA public key.
* **Password**: If applicable, enter your password for authentication.
* **Public inbound ports**: Choose **Allow selected ports** and select **SSH (22)** and **HTTP (80)** in the **Select public inbound ports** list. If you're deploying a Windows VM, select **HTTP (80)** and **RDP (3389)**.
>[!Note]
> Allowing RDP/SSH ports is not recommended for production deployments.
1. Make changes in the **Disks** tab.
* **DCsv2-series** supports **Standard SSD**, **Premium SSD** is supported across DC1, DC2 and DC4.
* **DCsv3 and DCdsv3-series** supports **Standard SSD**, **Premium SSD** and **Ultra Disk**
1. Make any changes you want to the settings in the following tabs or keep the default settings.
* **Networking**
* **Management**
* **Guest config**
* **Tags**
1. Select **Review + create**.
1. In the **Review + create** pane, select **Create**.
> [!NOTE]
> Proceed to the next section and continue with this tutorial if you deployed a Linux VM. If you deployed a Windows VM, [follow these steps to connect to your Windows VM](../virtual-machines/windows/connect-logon.md) and then [install the OE SDK on Windows](https://github.com/openenclave/openenclave/blob/master/docs/GettingStartedDocs/install_oe_sdk-Windows.md).
## Connect to the Linux VM
If you already use a BASH shell, connect to the Azure VM using the **ssh** command. In the following command, replace the VM user name and IP address to connect to your Linux VM.
```bash
ssh azureadmin@40.55.55.555
```
You can find the Public IP address of your VM in the Azure portal, under the Overview section of your virtual machine.
:::image type="content" source="media/quick-create-portal/public-ip-virtual-machine.png" alt-text="IP address in Azure portal":::
If you're running on Windows and don't have a BASH shell, install an SSH client, such as PuTTY.
1. [Download and install PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html).
1. Run PuTTY.
1. On the PuTTY configuration screen, enter your VM's public IP address.
1. Select **Open** and enter your username and password at the prompts.
For more information about connecting to Linux VMs, see [Create a Linux VM on Azure using the Portal](../virtual-machines/linux/quick-create-portal.md).
> [!NOTE]
> If you see a PuTTY security alert about the server's host key not being cached in the registry, choose from the following options. If you trust this host, select **Yes** to add the key to PuTTy's cache and continue connecting. If you want to carry on connecting just once, without adding the key to the cache, select **No**. If you don't trust this host, select **Cancel** to abandon the connection.
## Install Azure DCAP Client
> [!NOTE]
> Trusted Hardware Identity Management (THIM) is a free Azure service that helps you manage the hardware identities of different Trusted Execution Environments (TEEs). It fetches collateral from Intel Provisioning Certification Service (PCS) and caches it. The service enforces a minimum Trusted Compute Base (TCB) level as Azure security baseline, for attestation purposes. For DCsv3 and DCdsv3-series Azure VMs, the Intel certificates can only be fetched from THIM, as it is not possible to make direct calls to Intel service from the VMs.
With the release of the IntelĀ® Xeon Scalable Processors, remote attestation support is changing. DCsv3 and DCdsv3 only support [ECDSA-based Attestation](https://www.intel.com/content/www/us/en/developer/tools/software-guard-extensions/attestation-services.html) and the users are required to install [Azure DCAP](https://github.com/Microsoft/Azure-DCAP-Client) client to interact with THIM and fetch TEE collateral for quote generation during attestation process. DCsv2 continues to support [EPID-based Attestation](https://www.intel.com/content/www/us/en/developer/tools/software-guard-extensions/attestation-services.html).
## Clean up resources
When no longer needed, you can delete the resource group, virtual machine, and all its related resources.
Select the resource group for the virtual machine, then select **Delete**. Confirm the name of the resource group to finish deleting the resources.
## Next steps
In this quickstart, you deployed and connected to your Intel SGX VM. For more information, see [Solutions on Virtual Machines](virtual-machine-solutions-sgx.md).
Discover how you can build confidential computing applications, by continuing to the Open Enclave SDK samples on GitHub.
> [!div class="nextstepaction"]
> [Building Open Enclave SDK Samples](https://github.com/openenclave/openenclave/blob/master/samples/README.md)
Microsoft Azure Attestation is free and ECDSA-based attestation framework, for remotely verifying the trustworthiness of multiple TEEs and integrity of the binaries running inside it. Learn [more](../attestation/overview.md)