Share via

Is Azure internal traffic encrypted where HTTPS is not specified?

Andrej Rosic 1 Reputation point
19 May 2021, 4:05 pm

For example, a web app or function to PLS to private endpoint, to another subnet with a private endpoint to PLS to a storage account, ADLS, or a SQL DB?

What if the storage account requires HTTPS? Where is that encryption handled?

Azure Data Lake Storage
Azure Data Lake Storage
An Azure service that provides an enterprise-wide hyper-scale repository for big data analytic workloads and is integrated with Azure Blob Storage.
1,491 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,238 questions
Azure SQL Edge
Azure SQL Edge
An Azure service that provides a small-footprint, edge-optimized data engine with built-in artificial intelligence. Previously known as Azure SQL Database Edge.
49 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,523 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Sumarigo-MSFT 47,106 Reputation points Microsoft Employee
    21 May 2021, 11:04 am

    @Andrej Rosic Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

    • Encryption in transit is taken care by TLS for that you need to make use of HTTPS.
    • Azure offers many mechanisms for keeping data private as it moves from one location to another. Refer to this article Encryption of data in transit
    • Azure Storage uses server-side encryption (SSE) to automatically encrypt your data when it is persisted to the cloud. Azure Storage encryption protects your data and to help you to meet your organizational security and compliance commitments.

    Learn more on(Azure Storage encryption, About encryption key management, Doubly encrypt data with infrastructure encryption) Azure Storage encryption for data at rest

    Additional information: Azure Storage When you interact with Azure Storage through the Azure portal, all transactions take place over HTTPS. You can also use the Storage REST API over HTTPS to interact with Azure Storage. You can enforce the use of HTTPS when you call the REST APIs to access objects in storage accounts by enabling the secure transfer that's required for the storage account.

    Shared Access Signatures (SAS), which can be used to delegate access to Azure Storage objects, include an option to specify that only the HTTPS protocol can be used when you use Shared Access Signatures. This approach ensures that anybody who sends links with SAS tokens uses the proper protocol.

    SMB 3.0, which used to access Azure Files shares, supports encryption, and it's available in Windows Server 2012 R2, Windows 8, Windows 8.1, and Windows 10. It allows cross-region access and even access on the desktop.

    Client-side encryption encrypts the data before it’s sent to your Azure Storage instance, so that it’s encrypted as it travels across the network.

    Azure Data Lake Data in transit (also known as data in motion) is also always encrypted in Data Lake Store. In addition to encrypting data prior to storing it in persistent media, the data is also always secured in transit by using HTTPS. HTTPS is the only protocol that is supported for the Data Lake Store REST interfaces.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    --------------------------------------------------------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments No comments

  2. msrini-MSFT 9,286 Reputation points Microsoft Employee
    1 Jun 2021, 3:18 pm

    @zhengriffin ,

    If HTTPS is not enabled, then the traffic is not encrypted. The security aspect what PE or PLE brings here is that the IP which you are accessing is private which is non routable. Hence the services is not accessible from Internet.

    If you still need your internal traffic to be encrypted, you can enable HTTPS.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.