What is Azure Virtual Network encryption?
Azure Virtual Network encryption is a feature of Azure Virtual Networks. Virtual network encryption allows you to seamlessly encrypt and decrypt traffic between Azure Virtual Machines by creating a DTLS tunnel.
Virtual network encryption enables you to encrypt traffic between virtual machines and virtual machine scale sets within the same virtual network. It also encrypts traffic between regionally and globally peered virtual networks. For more information about virtual network peering, see Virtual network peering.
Virtual network encryption enhances existing encryption in transit capabilities in Azure. For more information about encryption in Azure, see Azure encryption overview.
Requirements
Virtual network encryption has the following requirements:
Virtual network encryption is supported on the following virtual machine instance sizes:

Type | VM Series | VM SKU |
---|---|---|
General purpose workloads | D-series V4 | Dv4 and Dsv4-series, Ddv4 and Ddsv4-series, Dav4 and Dasv4-series |
General purpose workloads | D-series V5 | Dv5 and Dsv5-series, Ddv5 and Ddsv5-series, Dlsv5 and Dldsv5-series, Dasv5 and Dadsv5-series |
General purpose workloads | D-series V6 | Dasv6 and Dadsv6-series, Dalsv6 and Daldsv6-series, Dsv6-series |
Memory intensive workloads | E-series V4 | Ev4 and Esv4-series, Edv4 and Edsv4-series, Eav4 and Easv4-series |
Memory intensive workloads | E-series V5 | Ev5 and Esv5-series, Edv5 and Edsv5-series, Easv5 and Eadsv5-series |
Memory intensive workloads | E-series V6 | Easv6 and Eadsv6-series |
Memory intensive workloads | M-series V2 | Mv2-series, Msv2 and Mdsv2 Medium Memory series |
Memory intensive workloads | M-series V3 | Msv3 and Mdsv3 Medium Memory series |
Storage intensive workloads | L-series V3 | Lsv3-series |
Compute optimized | F-series V6 | Falsv6-series, Famsv6-series, Fasv6-series |

- Accelerated Networking must be enabled on the network interface of the virtual machine. For more information about Accelerated Networking, see What is Accelerated Networking?
- Encryption is only applied to traffic between virtual machines in a virtual network. Traffic is encrypted from a private IP address to a private IP address.
- Traffic to unsupported virtual machines is sent unencrypted. Use virtual network flow logs to confirm that flows between virtual machines are actually encrypted. For more information, see Virtual network flow logs.
- Existing virtual machines must be stopped and started again after encryption is enabled on the virtual network.
Availability
Azure Virtual Network encryption is generally available in all Azure public regions and is currently in public preview in Azure Government and Microsoft Azure operated by 21Vianet.
Limitations
Azure Virtual Network encryption has the following limitations:
- In scenarios where a PaaS service is deployed into the virtual network, the virtual machine hosting the PaaS instance dictates whether virtual network encryption is supported. That virtual machine must meet the requirements listed above.
- For an internal load balancer, all virtual machines behind the load balancer must be a supported virtual machine SKU.
- AllowUnencrypted is the only supported enforcement policy at general availability: traffic to a virtual machine that can't take part in encryption is allowed through unencrypted rather than dropped. DropUnencrypted enforcement will be supported in the future.
- Virtual networks with encryption enabled don't support Azure DNS Private Resolver.
- Virtual networks configured with the Azure Private Link service don't support virtual network encryption, so don't enable it on those virtual networks.
- The backend pool of an internal load balancer must not include any network interface secondary IPv4 configurations; otherwise connections to the load balancer can fail.
- Virtual network encryption shouldn't be enabled in virtual networks that contain Azure confidential computing VM SKUs. If you want to use Azure confidential computing VMs in a virtual network where virtual network encryption is enabled:
  - Enable Accelerated Networking on the VM's NIC if the SKU supports it.
  - If the SKU doesn't support Accelerated Networking, change the VM SKU to one that supports Accelerated Networking or virtual network encryption.
  - Don't enable virtual network encryption if the VM SKU doesn't support Accelerated Networking or virtual network encryption.
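The requirement above to confirm flow encryption with virtual network flow logs, and the AllowUnencrypted limitation (cleartext traffic to a virtual machine that can't encrypt is let through rather than dropped), come down to the same check: read the flow log records and find the source/destination pairs whose traffic was carried in clear text. The following Python script is an added example written for this page, not Microsoft tooling. It assumes the virtual network flow logs record layout (records → flowRecords → flows → flowGroups → flowTuples) and the 13-field comma-separated tuple in which field 9 is the encryption status, "X" for encrypted and "NX" or an "NX_<reason>" code for unencrypted; the sample record it runs on is constructed, with placeholder subscription, resource and IP values.

```python
"""Find cleartext VM-to-VM flows in Azure Virtual Network flow log records.

Added example; not Microsoft's tooling. Assumed tuple layout (13 fields):
time, srcIP, dstIP, srcPort, dstPort, protocol, direction, flowState,
encryption, packetsSrcToDst, bytesSrcToDst, packetsDstToSrc, bytesDstToSrc.
encryption == "X" means the flow was encrypted; any other value is cleartext.
"""
import ipaddress
import json
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

FLOW_TUPLE_FIELDS = 13
ENCRYPTED = "X"

# Constructed sample record (placeholder IDs and addresses, not a real tenant).
SAMPLE_FLOW_LOG: dict = {
    "records": [{
        "time": "2024-01-01T00:00:00.0000000Z",
        "flowLogVersion": 4,
        "category": "FlowLogFlowEvent",
        "targetResourceID": "/subscriptions/00000000-0000-0000-0000-000000000000"
                            "/resourceGroups/rg-example/providers/Microsoft.Network"
                            "/virtualNetworks/vnet-example",
        "flowRecords": {"flows": [{
            "aclID": "00000000-0000-0000-0000-000000000000",
            "flowGroups": [
                {"rule": "DefaultRule_AllowVnetOutBound", "flowTuples": [
                    # vm-a -> vm-b: encrypted
                    "1704067200000,10.0.0.4,10.0.1.5,49152,443,6,O,B,X,0,0,0,0",
                    "1704067200100,10.0.0.4,10.0.1.5,49152,443,6,O,E,X,8,1200,6,900",
                    # vm-a -> vm-c: destination hardware can't encrypt
                    "1704067200200,10.0.0.4,10.0.2.7,49153,22,6,O,B,NX_HW_NOT_SUPPORTED,0,0,0,0",
                    # vm-a -> Internet: public destination, out of scope for VNet encryption
                    "1704067200300,10.0.0.4,52.239.184.180,49154,443,6,O,B,NX,0,0,0,0",
                    # vm-a -> vm-b again, but this flow fell back to cleartext
                    "1704067200500,10.0.0.4,10.0.1.5,49155,443,6,O,B,NX_FALLBACK,0,0,0,0",
                ]},
                {"rule": "DefaultRule_DenyAllInBound", "flowTuples": [
                    # denied flow (state D): never carried, so not counted
                    "1704067200400,10.0.3.9,10.0.0.4,51000,3389,6,I,D,NX,0,0,0,0",
                ]},
            ],
        }]},
    }]
}


def iter_flow_tuples(flow_log: dict) -> Iterator[List[str]]:
    """Walk the nested record structure and yield each tuple as a field list."""
    for record in flow_log.get("records", []):
        for flow in record.get("flowRecords", {}).get("flows", []):
            for group in flow.get("flowGroups", []):
                for tup in group.get("flowTuples", []):
                    fields = tup.split(",")
                    if len(fields) != FLOW_TUPLE_FIELDS:
                        raise ValueError(f"unexpected flow tuple: {tup!r}")
                    yield fields


def in_scope(src_ip: str, dst_ip: str) -> bool:
    """Encryption only covers private-to-private traffic, so public endpoints are excluded."""
    return ipaddress.ip_address(src_ip).is_private and ipaddress.ip_address(dst_ip).is_private


def summarise(flow_log: dict) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Count in-scope, non-denied flows per (src, dst) pair by encryption code."""
    counts: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for fields in iter_flow_tuples(flow_log):
        src_ip, dst_ip, flow_state, encryption = fields[1], fields[2], fields[7], fields[8]
        if flow_state == "D" or not in_scope(src_ip, dst_ip):
            continue
        counts[(src_ip, dst_ip)][encryption] += 1
    return {pair: dict(by_code) for pair, by_code in counts.items()}


def cleartext_pairs(flow_log: dict) -> Dict[Tuple[str, str], List[str]]:
    """Pairs that carried at least one in-scope flow unencrypted, with the codes seen.

    Under AllowUnencrypted enforcement these are silent fallbacks, so this is the
    list to act on (Accelerated Networking, SKU, or stop/start after enabling).
    """
    return {
        pair: sorted(code for code in by_code if code != ENCRYPTED)
        for pair, by_code in summarise(flow_log).items()
        if any(code != ENCRYPTED for code in by_code)
    }


def load_flow_log(path: str) -> dict:
    """Load one flow log JSON blob as downloaded from the flow log storage account."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for (src_ip, dst_ip), by_code in sorted(summarise(SAMPLE_FLOW_LOG).items()):
        print(f"{src_ip} -> {dst_ip}: {by_code}")
    print("cleartext pairs:", cleartext_pairs(SAMPLE_FLOW_LOG))
```

Replace `SAMPLE_FLOW_LOG` with `load_flow_log(path)` on a blob pulled from the flow log storage account. A pair that shows both `X` and an `NX_` code deserves a first look: the same two virtual machines evidently can encrypt, so check whether the destination was stopped and started after encryption was enabled, as the requirements above call for. A pair that shows only `NX_HW_NOT_SUPPORTED` points at a virtual machine SKU or network interface that doesn't meet the requirements.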
Supported scenarios
Virtual network encryption is supported in the following scenarios:
Scenario | Support |
---|---|
Virtual machines in the same virtual network (including virtual machine scale sets and their internal load balancer) | Supported on traffic between virtual machines of the SKUs listed under Requirements. |
Virtual network peering | Supported on traffic between virtual machines across regional peering. |
Global virtual network peering | Supported on traffic between virtual machines across global peering. |
Azure Kubernetes Service (AKS) | - Supported on AKS using Azure CNI (regular or overlay mode), Kubenet, or BYOCNI: node and pod traffic is encrypted. - Partially supported on AKS using Azure CNI with dynamic pod IP assignment (podSubnetId specified): node traffic is encrypted, but pod traffic isn't. - Traffic to the AKS managed control plane leaves the virtual network and so is out of scope for virtual network encryption; that traffic is always encrypted with TLS. |
Note
Other services that currently don't support virtual network encryption are included in our future roadmap.