When Azure traffic moves between datacenters, that is, outside the physical boundaries controlled by Microsoft or on Microsoft's behalf, MACsec data-link layer encryption is applied on the underlying network hardware. This also covers virtual network peering traffic.
Design recommendations
Figure 1: Encryption flows.
When you're establishing VPN connections from on-premises to Azure by using VPN gateways, traffic is encrypted at a protocol level through IPsec tunnels. The preceding diagram shows this encryption in flow A.
If you need to encrypt VM-to-VM traffic in the same virtual network or across regional or global peered virtual networks, use Virtual Network encryption.
When you're using ExpressRoute Direct, configure MACsec to encrypt traffic at Layer 2 between your organization's routers and the Microsoft Enterprise Edge (MSEE) routers. The diagram shows this encryption in flow B.
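The MACsec setup in flow B needs a connectivity association key name (CKN) and a connectivity association key (CAK) whose lengths match the chosen cipher suite, stored in Key Vault and referenced from the ExpressRoute Direct port link. The following is an added example, not code from the page or from Microsoft: it generates that key material with a CSPRNG, validates it before anything is submitted, and emits the Azure CLI commands that would wire it up. The resource group, port, link, Key Vault and identity names are placeholders, and the documented CAK/CKN length rules and CLI flag names are assumptions to confirm against current Azure documentation.

```python
"""Generate, validate and stage MACsec key material for an ExpressRoute Direct
port link. Added example; names and CLI flags are assumptions, not page content."""
import re
import secrets

# Assumption: CAK length per cipher suite as documented for ExpressRoute Direct
# (128-bit suites take 32 hex digits, 256-bit suites take 64).
CAK_HEX_LEN = {
    "GcmAes128": 32,
    "GcmAesXpn128": 32,
    "GcmAes256": 64,
    "GcmAesXpn256": 64,
}
CKN_MAX_HEX_LEN = 64          # Assumption: CKN is even-length hex, at most 64 digits
HEX_RE = re.compile(r"^[0-9A-F]+$")


def generate_keys(cipher: str) -> tuple[str, str]:
    """Return (ckn, cak) as upper-case hex strings drawn from a CSPRNG."""
    if cipher not in CAK_HEX_LEN:
        raise ValueError(f"unsupported cipher suite: {cipher}")
    cak = secrets.token_hex(CAK_HEX_LEN[cipher] // 2).upper()
    ckn = secrets.token_hex(CKN_MAX_HEX_LEN // 2).upper()
    return ckn, cak


def validate_keys(cipher: str, ckn: str, cak: str) -> list[str]:
    """Return the list of problems found; an empty list means the material is usable."""
    if cipher not in CAK_HEX_LEN:
        return [f"unsupported cipher suite: {cipher}"]
    problems = []
    if not HEX_RE.match(ckn) or len(ckn) % 2 or len(ckn) > CKN_MAX_HEX_LEN:
        problems.append("CKN must be even-length upper-case hex of at most 64 digits")
    if not HEX_RE.match(cak) or len(cak) != CAK_HEX_LEN[cipher]:
        problems.append(f"CAK for {cipher} must be exactly {CAK_HEX_LEN[cipher]} hex digits")
    elif len(set(cak)) < 4:
        # Reject obvious placeholders such as an all-zero key that slipped in from a template.
        problems.append("CAK looks like a placeholder, not random key material")
    return problems


def build_commands(cipher: str, rg: str, port: str, link: str,
                   vault: str, identity_id: str) -> list[str]:
    """Return the Azure CLI commands (assumed flag names) that store the keys in
    Key Vault and enable MACsec on the port link. The secret values are read from
    environment variables so they never land in shell history or a script file."""
    ckn_url = f"https://{vault}.vault.azure.net/secrets/macsec-ckn"
    cak_url = f"https://{vault}.vault.azure.net/secrets/macsec-cak"
    return [
        f'az keyvault secret set --vault-name {vault} --name macsec-ckn --value "$MACSEC_CKN"',
        f'az keyvault secret set --vault-name {vault} --name macsec-cak --value "$MACSEC_CAK"',
        # The port needs a user-assigned identity that can read the two secrets.
        f"az network express-route port identity assign --resource-group {rg} "
        f"--name {port} --identity {identity_id}",
        f"az network express-route port link update --resource-group {rg} "
        f"--port-name {port} --name {link} "
        f"--macsec-ckn-secret-identifier {ckn_url} "
        f"--macsec-cak-secret-identifier {cak_url} "
        f"--macsec-cipher {cipher} --admin-state Enabled",
    ]


if __name__ == "__main__":
    cipher = "GcmAes256"
    ckn, cak = generate_keys(cipher)
    assert validate_keys(cipher, ckn, cak) == []
    # Export the values into the environment out of band; only the commands are shown here.
    for cmd in build_commands(cipher, "rg-connectivity", "erd-port-01", "link1",
                              "kv-macsec-example", "/subscriptions/.../userAssignedIdentities/id-erd"):
        print(cmd)
```

Run the same `validate_keys` check on the material configured on your own routers before enabling the link: a CAK of the wrong length for the cipher suite, or one that was copied from a template, is the usual reason the MACsec session never comes up on the MSEE side.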
For Virtual WAN scenarios where MACsec isn't an option (for example, not using ExpressRoute Direct), use a Virtual WAN VPN Gateway to establish IPsec tunnels over ExpressRoute private peering. The diagram shows this encryption in flow C.
For non-Virtual WAN scenarios, and where MACsec isn't an option (for example, not using ExpressRoute Direct), the only options are:
Use partner NVAs to establish IPsec tunnels over ExpressRoute private peering.
Establish a VPN tunnel over ExpressRoute with Microsoft peering.
If native Azure solutions (as shown in flows B and C in the diagram) don't meet your requirements, use partner NVAs in Azure to encrypt traffic over ExpressRoute private peering.
You have a traditional on-premises infrastructure that you need to connect to resources in Azure. In this module, you learn how to select a connectivity method for your use cases that balances functionality, cost, and security.