Azure - Force Encryption Between Public and Private Subnets

YogiBear 130 Reputation points
2023-04-11T09:23:58.85+00:00

Hi, could I get some feedback on best practices around forcing encryption on ALL traffic between public and private subnets? Thanks.

Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.

Accepted answer
  1. KapilAnanth-MSFT 36,316 Reputation points Microsoft Employee
    2023-04-17T08:38:31.5866667+00:00

    @YogiBear Thanks for the info. Again, there is no concept of "Encryption". In case you feel that a specific source or destination is malicious, you can go for Azure Firewall or NVAs and "FILTER" the traffic: Azure Firewall

    2 people found this answer helpful.

1 additional answer

  1. Sedat SALMAN 13,180 Reputation points
    2023-04-11T11:42:37.5333333+00:00

    Here are some best practices:

    • Azure Private Link enables you to access Azure services over a private connection facilitated by the Azure backbone network. This allows you to establish secure and private connectivity between your virtual networks and Azure services without exposing data to the public internet.
    • Deploy an Azure VPN Gateway in the virtual network to create encrypted IPsec tunnels between the subnets. This will ensure that traffic between the subnets is secure, even if it has to traverse the public internet.
    • Network Security Groups (NSGs) allow you to create rules that filter traffic at the network layer. Configure NSGs to only allow traffic over specific ports and protocols that support encryption, such as HTTPS (port 443) and SSH (port 22).
    • Azure ExpressRoute: For a dedicated private connection between your on-premises network and Azure, consider using Azure ExpressRoute. It provides an additional layer of security by keeping your traffic off the public internet.

    These are mostly network-level encryption methods; there are also other methods for application-level encryption.

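The NSG advice in the answer above can be checked mechanically. The following is an added example, not part of either answer and not Microsoft's code: it audits rules in the JSON shape that `az network nsg rule list -o json` emits and flags inbound Allow rules that open ports other than 443 and 22. The rule names and sample data are constructed, and a port match only restricts which services are reachable; it does not verify that the traffic is encrypted.

```python
import json

# Ports the answer names as carrying encrypted protocols (HTTPS, SSH).
ENCRYPTED_PORTS = {443, 22}

# Constructed sample in the shape `az network nsg rule list -o json` returns.
SAMPLE_RULES = json.loads("""
[
 {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "destinationPortRange": "443", "destinationPortRanges": []},
 {"name": "allow-mgmt", "priority": 110, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "destinationPortRange": null, "destinationPortRanges": ["22", "3389"]},
 {"name": "allow-web-range", "priority": 120, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "destinationPortRange": "80-443", "destinationPortRanges": []},
 {"name": "allow-any", "priority": 130, "direction": "Inbound", "access": "Allow",
  "protocol": "*", "destinationPortRange": "*", "destinationPortRanges": []},
 {"name": "deny-rest", "priority": 4000, "direction": "Inbound", "access": "Deny",
  "protocol": "*", "destinationPortRange": "*", "destinationPortRanges": []}
]
""")


def parse_range(spec):
    """Return (low, high) for a port spec such as '443', '80-443' or '*'."""
    if spec == "*":
        return (0, 65535)
    low, _, high = spec.partition("-")
    return (int(low), int(high or low))


def audit(rules, allowed=ENCRYPTED_PORTS):
    """Map rule name -> port specs that open ports outside the allow-list."""
    findings = {}
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["access"] != "Allow" or rule["direction"] != "Inbound":
            continue
        # A rule carries either the singular field or the plural list.
        specs = list(rule.get("destinationPortRanges") or [])
        if rule.get("destinationPortRange"):
            specs.append(rule["destinationPortRange"])
        for spec in specs:
            low, high = parse_range(spec)
            # A spec passes only if every port it covers is on the allow-list.
            if any(port not in allowed for port in range(low, high + 1)):
                findings.setdefault(rule["name"], []).append(spec)
    return findings


if __name__ == "__main__":
    for name, specs in audit(SAMPLE_RULES).items():
        print(f"{name}: opens non-allow-listed ports {', '.join(specs)}")
```
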