Machine Configuration
When deploying Polaris through the Microsoft Azure, Google Cloud, or Amazon Web Services Marketplace offers, you will be asked to perform the standard configuration for the underlying resources, such as region, CPU and memory, networking, and identity. This configuration is done through the respective cloud provider's standard interface. For details, refer to the section for your cloud provider below.
Google Cloud
For deployment on Google Cloud, you need to provide the following configuration:
- Deployment Service Account: Specify the account used to deploy the infrastructure resources. You can create a new service account with the required permissions or use an existing one.
- Zone: Select the zone where the VM will be created. Check for any restrictions that apply to the selected zone.
- Machine Type: Choose the machine type that fits your workload requirements. Refer to the restrictions on machine types that support Confidential Computing. Machines from the N2D family are recommended.
- Boot Disk: Configure based on the requirements of your workload.
- Networking: Set up the network interface and VPC according to your needs.
- Firewall: Configure firewall rules to make the VM accessible from the internet if required. Alternatively, you can place the VM behind a load balancer or VPN.
Currently, the VM will use the default compute service account. This will be configurable in future versions.
If you need additional machine configuration, please get in touch.
Deployment through Terraform
If you prefer deploying Polaris using Terraform, you can download the Terraform configuration files from the deployment page and integrate them into your environment. Select the "Command Line Deployment" option to access the files.
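The Terraform files provided on the deployment page are Polaris's own; the configuration below is an added illustration, not those files, of how the items listed above (deployment service account, zone, N2D machine type, boot disk, network and firewall) map onto Google Cloud resources. Project, zone, image, disk size, and the allowed source range are placeholder values to adapt to your environment; the VM keeps the default compute service account as noted above, so no `service_account` block is set on the instance.

```hcl
# Added example, not Polaris's own Terraform files. All names and values are placeholders.

variable "project_id" {}
variable "zone" { default = "us-central1-a" }                      # Zone
variable "machine_type" { default = "n2d-standard-4" }             # N2D family (Confidential VM capable)
variable "deployment_service_account" {}                           # Deployment Service Account (email)
variable "boot_image" {}                                           # placeholder: a Confidential-VM-capable image
variable "boot_disk_gb" { default = 50 }                           # Boot Disk size
variable "allowed_source_ranges" { default = ["203.0.113.0/24"] }  # constructed range; narrow to your clients

provider "google" {
  project = var.project_id
  zone    = var.zone
  # The deployment service account performs the rollout; the VM itself keeps
  # the default compute service account.
  impersonate_service_account = var.deployment_service_account
}

resource "google_compute_network" "polaris" {
  name                    = "polaris-vpc"
  auto_create_subnetworks = true
}

resource "google_compute_instance" "polaris" {
  name         = "polaris-vm"
  machine_type = var.machine_type
  zone         = var.zone
  tags         = ["polaris-web"]

  # Confidential Computing (AMD SEV on N2D). Confidential VMs cannot be live
  # migrated, so the host maintenance policy must be TERMINATE.
  confidential_instance_config {
    enable_confidential_compute = true
  }
  scheduling {
    on_host_maintenance = "TERMINATE"
  }
  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }

  boot_disk {
    initialize_params {
      image = var.boot_image
      size  = var.boot_disk_gb
    }
  }

  network_interface {
    network = google_compute_network.polaris.id
    access_config {} # ephemeral public IP; omit when fronting the VM with a load balancer or VPN
  }
}

# Firewall: expose only the port you need, and only to the ranges you trust.
resource "google_compute_firewall" "polaris_https" {
  name          = "polaris-allow-https"
  network       = google_compute_network.polaris.name
  direction     = "INGRESS"
  source_ranges = var.allowed_source_ranges
  target_tags   = ["polaris-web"]
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}
```

If the VM sits behind a load balancer or VPN, drop the `access_config {}` block so the instance has no public address and restrict `source_ranges` to the load balancer's or VPN's address ranges.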
Azure
To deploy Polaris on Azure, you first need to choose a plan. The plan determines the number of CPUs available for the client workload (the Polaris Proxy has separate infrastructure). Options include 1, 2, or 4 vCPUs per container (refer to ACI restrictions). Once selected, configure your managed application with the following parameters:
- Subscription: Specify the subscription where the resources will be created.
- Resource Group: Define the resource group where the resources will be created.
- Region: Select the region where the resources will be created.
- Memory: Set the memory allocation for the client workload (refer to ACI restrictions).
- Managed Identity: Choose to create a new managed identity or use an existing one.
For further container configuration or to use Terraform for your deployment, please get in touch.
Amazon Web Services
For deployment on AWS, Polaris utilizes AWS Nitro Enclaves technology. When deploying through the AWS Marketplace, you can choose between two infrastructure templates:
- New VPC Deployment: Automatically provisions a complete network infrastructure including VPC, subnets, and security groups with a public-facing load balancer.
- Existing VPC Deployment: Integrates with your existing VPC infrastructure for enhanced network control and security compliance.
Unlike the Azure and Google Cloud deployments where Polaris Proxy and your workload run in separate containers, the AWS architecture runs both components within a single Nitro Enclave. The Nitro Enclave provides hardware-level isolation, creating a secure boundary that protects the entire application stack. Within this secure enclave, both the Polaris Proxy and your workload container operate together, with internal communication occurring over localhost.
When configuring your Polaris deployment on AWS, you need to provide:
- Instance Type: Select an EC2 instance type that supports Nitro Enclaves.
- AMI ID: Choose an Amazon Machine Image ID (the default is recommended).
- Storage: Specify the EBS root volume size based on your workload requirements.
- Network Settings: Configure load balancer ports and additional ports required for your application.
The CloudFormation template allocates CPU and memory resources for the Nitro Enclave according to AWS best practices for confidential computing workloads.
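As an added illustration of the AWS configuration items above (instance type, AMI ID, root volume size, load balancer port and additional ports), the Terraform below expresses the same settings for an "Existing VPC Deployment"; it is not the Polaris CloudFormation template. The instance type, ports, VPC, subnet and load balancer security group are placeholder values; the AMI ID is whatever your deployment page provides. Allocation of CPU and memory to the enclave itself is done by the host's Nitro Enclaves allocator, which the page states the CloudFormation template handles, so it is not shown here.

```hcl
# Added example, not the Polaris CloudFormation template. All values are placeholders.

variable "instance_type" { default = "m5.xlarge" }          # a Nitro Enclaves capable EC2 type
variable "ami_id" {}                                          # AMI ID from the deployment page
variable "root_volume_gb" { default = 50 }                    # Storage (EBS root volume)
variable "lb_port" { default = 443 }                          # load balancer port
variable "extra_ports" { type = list(number), default = [] }  # additional application ports
variable "vpc_id" {}                                          # Existing VPC Deployment
variable "subnet_id" {}
variable "lb_security_group_id" {}                            # only the load balancer may reach the host

resource "aws_security_group" "polaris" {
  name   = "polaris-enclave-host"
  vpc_id = var.vpc_id

  # Load balancer port, reachable only from the load balancer's security group
  ingress {
    from_port       = var.lb_port
    to_port         = var.lb_port
    protocol        = "tcp"
    security_groups = [var.lb_security_group_id]
  }

  # Additional ports required by the application, same source restriction
  dynamic "ingress" {
    for_each = { for p in var.extra_ports : tostring(p) => p }
    content {
      from_port       = ingress.value
      to_port         = ingress.value
      protocol        = "tcp"
      security_groups = [var.lb_security_group_id]
    }
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "polaris_host" {
  ami                    = var.ami_id
  instance_type          = var.instance_type
  subnet_id              = var.subnet_id
  vpc_security_group_ids = [aws_security_group.polaris.id]

  # Required so the host can launch the Nitro Enclave that runs both
  # Polaris Proxy and the workload container.
  enclave_options {
    enabled = true
  }

  root_block_device {
    volume_size = var.root_volume_gb
    encrypted   = true
  }

  metadata_options {
    http_tokens = "required" # IMDSv2 only
  }
}
```

Because both components run inside the enclave and talk over localhost, the only ports the security group needs are the ones the load balancer forwards; keeping their source limited to the load balancer's security group means nothing else in the VPC can reach the host directly.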
For custom workload requirements or specific configuration needs, please get in touch.