Define network encryption requirements

This section explores key recommendations to achieve network encryption between on-premises and Azure as well as across Azure regions.

Design considerations:

  • The cost of encryption rises, and the bandwidth left for the workload falls, the longer the encryption tunnel between endpoints. IPsec in particular adds per-packet overhead and is bounded by the throughput of the gateway or NVA terminating it, whereas MACsec on the physical link runs at line rate.

  • When you're using a VPN to connect to Azure, traffic is encrypted over the internet via IPsec tunnels.

  • When you're using ExpressRoute with private peering, traffic isn't currently encrypted. ExpressRoute is a private connection, not an encrypted one; any confidentiality requirement on that path has to be met by an overlay (IPsec) or by encrypting the link itself (MACsec).

  • It's possible to configure a Site-to-Site VPN connection over ExpressRoute private peering, so IPsec can protect private-peering traffic without going over the internet.

  • You can apply media access control security (MACsec) encryption to ExpressRoute Direct to achieve network encryption.

  • When Azure traffic moves between datacenters over links outside physical boundaries controlled by Microsoft or on its behalf, Microsoft applies MACsec data-link layer encryption on the underlying network hardware. This applies to VNet peering traffic, including global VNet peering between regions, and needs no configuration on your side.

Design recommendations:

Figure 1: Encryption flows (diagram of flows A, B, and C referenced below).

  • When you're establishing VPN connections from on-premises to Azure by using VPN gateways, traffic is encrypted at the network layer through IPsec tunnels over the internet. The preceding diagram shows this encryption in flow A.

  • When you're using ExpressRoute Direct, configure MACsec in order to encrypt traffic at Layer 2 between your organization's edge routers and the Microsoft Enterprise Edge (MSEE) routers. MACsec is configured per physical link of the ExpressRoute Direct port, so enable it on both links, and the connectivity association key (CAK) and key name (CKN) are stored in Azure Key Vault and referenced from the port configuration. The diagram shows this encryption in flow B.

  • For Virtual WAN scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a Virtual WAN VPN gateway to establish IPsec tunnels over ExpressRoute private peering. The diagram shows this encryption in flow C.

  • For non-Virtual WAN scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), the options are:

    • Configure a Site-to-Site VPN connection over ExpressRoute private peering, so the IPsec tunnel terminates on the VPN gateway's private IP address rather than traversing the internet.
    • Use partner NVAs to establish IPsec tunnels over ExpressRoute private peering.
    • Establish a VPN tunnel over ExpressRoute with Microsoft peering, where the VPN gateway's public IP address is reached through Microsoft peering instead of the internet.

  • If native Azure solutions (flows B and C in the diagram) don't meet your requirements, use partner NVAs in Azure to encrypt traffic over ExpressRoute private peering.
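Because ExpressRoute private peering is unencrypted by default, the practical check is to walk the deployed circuits and connections and find the ones covered by neither MACsec (flow B) nor an IPsec tunnel over private peering (flow C or the Site-to-Site option). The script below is an added example, not code from the original page or from Microsoft. It consumes an inventory in the shape of Azure Resource Manager JSON (what `az network express-route list`, `az network express-route port list`, `az network vnet-gateway list` and `az network vpn-connection list` return), trimmed to the properties the check reads; the function names, the constructed sample inventory and its shortened resource IDs are this example's own. It treats a circuit as IPsec-protected when a VPN gateway with a private IP address in the same VNet as the ExpressRoute gateway has a connection using that private IP; it does not verify the on-premises side of either MACsec or IPsec.

```python
"""Classify ExpressRoute private-peering traffic as MACsec, IPsec or CLEARTEXT.

Added example (not from the original page). Field names follow Azure Resource
Manager JSON; the inventory below is constructed with shortened resource IDs.
"""
from typing import Dict, List

PRIVATE = "AzurePrivatePeering"


def vnet_of(gateway: dict) -> str:
    """VNet hosting a virtual network gateway, derived from its GatewaySubnet ID."""
    subnet_id = gateway["properties"]["ipConfigurations"][0]["properties"]["subnet"]["id"]
    return subnet_id.split("/subnets/")[0].lower()


def port_has_macsec(port: dict) -> bool:
    """True when every link of an ExpressRoute Direct port has a MACsec cipher and
    Key Vault references for both the CAK and the CKN (flow B)."""
    links = port.get("properties", {}).get("links", [])
    if not links:
        return False
    for link in links:
        cfg = link.get("properties", {}).get("macSecConfig") or {}
        if not (cfg.get("cipher") and cfg.get("cakSecretIdentifier") and cfg.get("cknSecretIdentifier")):
            return False
    return True


def ipsec_over_private_peering(vnet: str, connections: List[dict], gateways: Dict[str, dict]) -> bool:
    """True when the VNet has an IPsec connection terminating on a VPN gateway's
    private IP, i.e. a Site-to-Site VPN carried over ExpressRoute private peering."""
    for conn in connections:
        p = conn["properties"]
        if p.get("connectionType") != "IPsec" or not p.get("useLocalAzureIpAddress"):
            continue
        gw = gateways.get(p["virtualNetworkGateway1"]["id"].lower())
        if gw and gw["properties"].get("enablePrivateIpAddress") and vnet_of(gw) == vnet:
            return True
    return False


def audit(inventory: dict) -> Dict[str, str]:
    """Map each ExpressRoute connection name to MACsec, IPsec or CLEARTEXT."""
    ports = {p["id"].lower(): p for p in inventory["ports"]}
    circuits = {c["id"].lower(): c for c in inventory["circuits"]}
    gateways = {g["id"].lower(): g for g in inventory["gateways"]}
    findings: Dict[str, str] = {}
    for conn in inventory["connections"]:
        p = conn["properties"]
        if p.get("connectionType") != "ExpressRoute":
            continue
        cprops = circuits[p["peer"]["id"].lower()]["properties"]
        if PRIVATE not in [pe["properties"].get("peeringType") for pe in cprops.get("peerings", [])]:
            continue  # Microsoft peering only: not in scope of this check
        port_ref = cprops.get("expressRoutePort")
        er_gateway = gateways[p["virtualNetworkGateway1"]["id"].lower()]
        if port_ref and port_has_macsec(ports.get(port_ref["id"].lower(), {})):
            findings[conn["name"]] = "MACsec"
        elif ipsec_over_private_peering(vnet_of(er_gateway), inventory["connections"], gateways):
            findings[conn["name"]] = "IPsec"
        else:
            findings[conn["name"]] = "CLEARTEXT"
    return findings


# Constructed inventory: circuit A rides an ExpressRoute Direct port with MACsec on both
# links, circuit B is covered by a Site-to-Site VPN over private peering, circuit C is bare.
def _gw(gid: str, kind: str, vnet: str, private_ip: bool = False) -> dict:
    return {"id": gid, "properties": {"gatewayType": kind, "enablePrivateIpAddress": private_ip,
            "ipConfigurations": [{"properties": {"subnet": {"id": f"{vnet}/subnets/GatewaySubnet"}}}]}}

KV = "https://kv-er.vault.azure.net/secrets"
MACSEC = {"cipher": "GcmAes256", "cakSecretIdentifier": f"{KV}/cak", "cknSecretIdentifier": f"{KV}/ckn"}
SAMPLE = {
    "ports": [{"id": "/ports/erd-1", "properties": {"links": [
        {"name": "link1", "properties": {"macSecConfig": MACSEC}},
        {"name": "link2", "properties": {"macSecConfig": MACSEC}}]}}],
    "circuits": [
        {"id": "/circuits/er-a", "properties": {"expressRoutePort": {"id": "/ports/erd-1"},
         "peerings": [{"properties": {"peeringType": PRIVATE}}]}},
        {"id": "/circuits/er-b", "properties": {"peerings": [{"properties": {"peeringType": PRIVATE}}]}},
        {"id": "/circuits/er-c", "properties": {"peerings": [{"properties": {"peeringType": PRIVATE}}]}},
    ],
    "gateways": [_gw("/gw/ergw-a", "ExpressRoute", "/vnets/vnet-a"),
                 _gw("/gw/ergw-b", "ExpressRoute", "/vnets/vnet-b"),
                 _gw("/gw/vpngw-b", "Vpn", "/vnets/vnet-b", private_ip=True),
                 _gw("/gw/ergw-c", "ExpressRoute", "/vnets/vnet-c")],
    "connections": [
        {"name": "conn-a-er", "properties": {"connectionType": "ExpressRoute",
         "virtualNetworkGateway1": {"id": "/gw/ergw-a"}, "peer": {"id": "/circuits/er-a"}}},
        {"name": "conn-b-er", "properties": {"connectionType": "ExpressRoute",
         "virtualNetworkGateway1": {"id": "/gw/ergw-b"}, "peer": {"id": "/circuits/er-b"}}},
        {"name": "conn-b-s2s", "properties": {"connectionType": "IPsec", "useLocalAzureIpAddress": True,
         "virtualNetworkGateway1": {"id": "/gw/vpngw-b"}}},
        {"name": "conn-c-er", "properties": {"connectionType": "ExpressRoute",
         "virtualNetworkGateway1": {"id": "/gw/ergw-c"}, "peer": {"id": "/circuits/er-c"}}},
    ],
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name}: {verdict}")
```

Running it against the constructed inventory reports `conn-a-er` as MACsec, `conn-b-er` as IPsec and `conn-c-er` as CLEARTEXT; the last one is the finding to act on with one of the options above. A port whose links are missing the CKN or CAK reference is deliberately reported as not encrypted, since MACsec does not come up without both.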