REDMOND, WASHINGTON —
Azure Cobalt 100 represents Microsoft's largest investment in platform-wide architectural security since it migrated from generic chips to custom chips designed specifically to provide hardware-level isolation, enable computing in secure enclaves, and guarantee data sovereignty through structural means rather than contractual commitments. The security features embedded in the Cobalt 100 chip establish a zero-trust compute and storage environment at the processor level, providing security below the OS and hypervisor, which have historically been the primary points of vulnerability for enterprises running in the cloud. For enterprise customers, government agencies, and regulated industries that require a secure computing network and cloud environment, the Cobalt 100 provides the best evidence of security, with security assurances embedded in the physical infrastructure of Microsoft Azure rather than delivered through software layers placed on commodity computing and networking hardware.
What the Azure Cobalt 100 Custom Silicon Architecture Delivers
Cobalt 100, the first generation in the Azure Cobalt series, is a 64-bit 128-core chip that delivers up to 40 percent performance improvement over current generations of Azure ARM chips and powers services such as Microsoft Teams and Azure SQL. The 128-core configuration is not simply a throughput specification; it reflects a deliberate cloud architecture decision to maximize parallel workload density within the physical security boundary that custom silicon enables, allowing enterprises to run a greater number of isolated workloads on a single physical host without expanding the attack surface that shared infrastructure traditionally creates.
Microsoft services such as Teams and Microsoft Defender Endpoint have seen up to 45 percent better performance on Cobalt 100 instances, and leading software vendors, including OneTrust and Databricks, have reported significant performance efficiency improvements alongside cost savings. The security and performance gains are not separate outcomes achieved through separate architectural choices; they are the combined product of purpose-built silicon that optimizes for the specific workload characteristics of enterprise cloud environments rather than adapting general-purpose server processors to cloud security requirements after the fact.
How Secure Enclaves Enforce Zero Trust Cloud at the Hardware Layer
The Microsoft Azure Cobalt silicon security features that most directly address enterprise security requirements operate through Trusted Execution Environments, the hardware-enforced isolation regions that the processor itself maintains independently of any software running on the system. These TEEs, referred to as secure enclaves, are cryptographically isolated from the rest of the system, including the operating system, the hypervisor, other applications, and even the cloud provider itself, with the processor hardware enforcing this isolation so that only authorized code running within the enclave can access the data.
The practical impact of confidential computing for enterprise workloads is critical. Sensitive enterprise data processed in the secure enclave of Azure’s confidential computing service is encrypted while it is stored at rest and transmitted over networks, as well as while it is being computed. Azure confidential computing provides the capability to create enclaves that protect data during processing within the CPU by encrypting it and isolating it in memory, preventing access by the operating system, hypervisors running with escalated privileges, or Azure operators. This protects against attacks in which bad actors obtain elevated access to cloud infrastructure via compromised administrative credentials or hypervisor vulnerabilities; such attack vectors are not addressed by traditional encryption-at-rest and in-transit protections.
Data Sovereignty and the Zero Trust Cloud Compliance Case
Data sovereignty within the Azure Cobalt 100 architecture is enforced through the Sovereign Landing Zone framework that Microsoft has built around its confidential computing infrastructure. Azure Sovereign Public Cloud uses policy sets and the Sovereign Landing Zone to codify controls, such as service location and confidentiality options, so deployments can be configured and monitored consistently. Confidential computing provides attestation so workloads can verify TEE hardware and software measurements before releasing secrets or handling sensitive data.
The attestation mechanism is the technical underpinning that provides the practical basis of data sovereignty guarantees. Before releasing sensitive data or processing regulated data in a secure enclave, a workload performs cryptographic verification of the hardware and software environment in which it operates, verifying that the execution environment is as expected and has not been tampered with by any entity, including the cloud operator. Azure’s approach reduces reliance on the trustworthiness of cloud providers and other privileged layers by enforcing hardware-based isolation and verification. Providing memory-encrypted compute via confidential VMs with attestation affords many workloads protection with little to no changes required in their source code.
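The verify-then-release flow described above, as an added example that is not Microsoft's code or the Azure attestation API: a relying party checks a report's signature, freshness and measurements before handing over a secret. The claim names, policy values and `ROOT_KEY` are hypothetical, and an HMAC stands in for the hardware-rooted asymmetric signature a real TEE report carries.

```python
import hashlib, hmac, json, secrets

# Constructed values for illustration only; not real Azure keys or measurements.
ROOT_KEY = b"constructed-hardware-root-key"  # HMAC stand-in for the hardware signing key
POLICY = {  # what the relying party expects the TEE to report
    "tee_type": "constructed-tee",
    "launch_measurement": hashlib.sha256(b"approved-image-v1").hexdigest(),
    "debug_enabled": False,
}

def _mac(claims, key):
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def sign_report(claims, key=ROOT_KEY):
    """Simulated hardware side: bind the claims to the root key."""
    return {"claims": claims, "sig": _mac(claims, key)}

def verify_report(report, nonce, key=ROOT_KEY, policy=POLICY):
    """Relying party: check signature, freshness, then each policy claim."""
    claims = report.get("claims", {})
    sig = str(report.get("sig", "")).encode()
    if not hmac.compare_digest(_mac(claims, key).encode(), sig):
        return False, "bad signature"
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), nonce.encode()):
        return False, "stale or replayed report"
    for name, expected in policy.items():
        if claims.get(name) != expected:
            return False, "policy mismatch: " + name
    return True, "ok"

def release_secret(report, nonce, secret):
    """Hand over the secret only to an environment that passed verification."""
    ok, reason = verify_report(report, nonce)
    return (secret if ok else None), reason

if __name__ == "__main__":
    nonce = secrets.token_hex(16)  # fresh challenge from the relying party
    good = sign_report({**POLICY, "nonce": nonce})
    print(release_secret(good, nonce, b"db-key"))
    wrong_image = dict(POLICY, nonce=nonce,
                       launch_measurement=hashlib.sha256(b"other").hexdigest())
    print(release_secret(sign_report(wrong_image), nonce, b"db-key"))
```

The nonce check is what stops a valid report captured earlier from being replayed to obtain the secret from a different environment.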
For government agencies, or regulated enterprises that must comply with national data localization requirements, this attestation functionality gives the organization the ability to demonstrate that their data is “in-scope” within the committed jurisdiction through auditable, verifiable means, enabling them to provide evidence to regulators or auditors that at no time did the organization’s data leave the authorized jurisdiction nor was it accessed by unauthorized parties while processed through the organization’s operations.
What the Cobalt 200 Roadmap Signals for Enterprise Cloud Architecture
At Ignite 2025, Microsoft announced Cobalt 200, the next generation in-house-developed ARM processor for Azure VMs, featuring more cores, larger caches, and faster memory, built on the latest ARM architecture and 3nm TSMC process technology for better performance and efficiency. Cobalt 200, with 132 cores, delivers up to 50 percent more performance than its predecessor, and the roadmap trajectory it establishes signals that Microsoft intends to advance custom silicon security capabilities alongside raw compute performance with each successive generation.
The competitive landscape further solidifies Microsoft's position in the custom silicon ecosystem. Amazon Web Services operates comparable custom silicon with its Graviton 4 processor, Google Cloud uses its Axion chip, and Oracle Cloud Infrastructure uses Ampere Computing's custom processors, making it clear that custom-designed silicon has become an established norm in secure hyperscale cloud architecture rather than a differentiating experiment by one vendor. The Azure Cobalt 100 and the roadmap to Cobalt 200 position Azure as a robust provider of custom-designed silicon, with the distinction that Azure's confidential computing implementations and zero-trust cloud security architecture are among the best-documented and compliance-validated solutions currently available in the enterprise cloud environment.
Conclusion
Azure Cobalt 100 has established custom silicon as the foundational layer, enabling zero-trust cloud enforcement as a hardware guarantee rather than a software policy, embedding secure enclaves, cryptographic attestation, and memory-isolated processing directly into the processor architecture that powers Azure virtual machines and containers. Data sovereignty within the Azure Cobalt 100 framework is enforced through Sovereign Landing Zone policy sets, hardware-rooted attestation, and Trusted Execution Environments that remain simultaneously cryptographically inaccessible to cloud operators, hypervisors, and operating systems. The Microsoft Azure Cobalt silicon security features that deliver 40 percent better performance than prior generation ARM instances, while providing hardware-level confidential computing capabilities, resolve the fundamental tension that enterprise cloud adoption has historically faced: the requirement to choose between the performance and economics of public cloud infrastructure and the security assurances that regulated industries and government agencies are required by law to maintain.
Source: Microsoft Latest news













