
What is an enclave?

An enclave is an isolated Azure Virtual Network that belongs to a community. It hosts one or more workloads that require network isolation, monitoring, and security boundaries. You can connect enclaves together using enclave endpoints to enable secure enclave-to-enclave communication.

Why create an enclave?

Enclaves give you boundaries for security, governance, and resource isolation. Each enclave provides:

  • Network isolation: By default, an enclave is isolated from everything outside it. Traffic is restricted to authorized Microsoft services and to the connections you explicitly enable using enclave endpoints.
  • Built-in monitoring and audit logs: All activity in your enclave is automatically sent to a Log Analytics Workspace, giving you visibility into what's happening in your environment.
  • Shared security policies: Resources within an enclave inherit the enclave's security posture, making it easier to apply consistent policies across workloads.

Architecture of an enclave

Enclaves come with the following platform-managed resources:

Networking

Monitoring and Access

  • Log Analytics Workspace: Provides diagnostic logging and monitoring for enclave resources. Both the platform-managed Azure Enclave resources and the resources you deploy can send logs here; routing is configured through diagnostic settings.
  • Azure Bastion: Provides secure RDP/SSH admin access to resources within the enclave.

Diagram showing the managed resources deployed with an enclave and your deployed resources.

Enclave managed resource group

When you create an enclave, the Azure Enclave resource provider creates a managed resource group to hold all platform-managed resources. A deny assignment on that resource group prevents unauthorized modifications, protecting the enclave's isolation and security boundaries from accidental or malicious changes. Unlike a role assignment, a deny assignment blocks the listed actions even for principals that hold Owner or Contributor rights on the subscription, so the platform-managed resources stay in a secure, consistent state.

Maintenance mode

Maintenance mode allows enclave owners to temporarily bypass the deny assignment restrictions for privileged maintenance tasks. This is useful when you need to make controlled changes to managed resources while keeping the isolation protections in place. Typical use cases include:

  • Applying network configuration updates
  • Updating enclave security policies
  • Modifying monitoring or logging settings

Learn more about maintenance mode.
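To make the deny-assignment protection described in the two sections above concrete, here is an added Python evaluator. It is not code from the Azure Enclave service and does not show how the platform or maintenance mode is implemented; it applies the standard evaluation rules of an Azure deny assignment (scope and child scopes, `principals` versus `excludePrincipals`, `actions` minus `notActions`, wildcard matching) to a constructed sample. The sample deny assignment, the subscription, resource-group and principal identifiers, and the "platform identity" and "operator" names are all placeholders. The `excludePrincipals` entry only illustrates how a deny assignment can carve out an identity; the page does not state which mechanism maintenance mode uses.

```python
"""Evaluate whether an Azure deny assignment blocks an action for a principal at a scope.

Added illustration for the enclave managed resource group and maintenance mode
sections. Not Azure Enclave code; the deny assignment below is a constructed
sample shaped like a Microsoft.Authorization/denyAssignments resource, and all
identifiers are made-up placeholders.
"""
import re

# Azure denotes "all principals" in a deny assignment with the all-zero GUID.
ALL_PRINCIPALS_ID = "00000000-0000-0000-0000-000000000000"

# Placeholders (hypothetical): subscription, managed resource group, identities.
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
MANAGED_RG = SUB + "/resourceGroups/rg-enclave-managed"
PLATFORM_IDENTITY = "22222222-2222-2222-2222-222222222222"  # hypothetical platform identity
OPERATOR = "33333333-3333-3333-3333-333333333333"           # hypothetical enclave owner

# Constructed sample: deny every management-plane action except reads, for
# everyone, inside the managed resource group, with one carved-out identity.
SAMPLE_DENY = {
    "name": "44444444-4444-4444-4444-444444444444",
    "properties": {
        "denyAssignmentName": "enclave-managed-rg-protection",
        "scope": MANAGED_RG,
        "permissions": [{
            "actions": ["*"],           # deny everything ...
            "notActions": ["*/read"],   # ... except reads
            "dataActions": [],
            "notDataActions": [],
        }],
        "principals": [{"id": ALL_PRINCIPALS_ID, "type": "SystemDefined"}],
        "excludePrincipals": [{"id": PLATFORM_IDENTITY, "type": "ServicePrincipal"}],
        "doNotApplyToChildScopes": False,
        "isSystemProtected": True,
    },
}


def action_matches(pattern: str, action: str) -> bool:
    """Azure action wildcard: '*' matches any characters, including '/'; case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def scope_covered(deny_scope: str, target: str, do_not_apply_to_children: bool) -> bool:
    """A deny covers its own scope and, unless opted out, every child scope beneath it."""
    d, t = deny_scope.lower().rstrip("/"), target.lower().rstrip("/")
    if d == t:
        return True
    return (not do_not_apply_to_children) and t.startswith(d + "/")


def principal_targeted(props: dict, principal_id: str) -> bool:
    """excludePrincipals wins over principals; the all-zero GUID in principals means everyone."""
    pid = principal_id.lower()
    excluded = {p["id"].lower() for p in props.get("excludePrincipals", [])}
    if pid in excluded:
        return False
    listed = {p["id"].lower() for p in props.get("principals", [])}
    return pid in listed or ALL_PRINCIPALS_ID in listed


def is_denied(deny: dict, principal_id: str, action: str, scope: str) -> bool:
    """True if this deny assignment blocks `action` for `principal_id` at `scope`."""
    props = deny["properties"]
    if not scope_covered(props["scope"], scope, props.get("doNotApplyToChildScopes", False)):
        return False
    if not principal_targeted(props, principal_id):
        return False
    for perm in props.get("permissions", []):
        hit = any(action_matches(p, action) for p in perm.get("actions", []))
        exempt = any(action_matches(p, action) for p in perm.get("notActions", []))
        if hit and not exempt:
            return True
    return False


def blocked_actions(denies: list, principal_id: str, scope: str, actions: list) -> list:
    """Filter `actions` down to those blocked by at least one of `denies` for the principal."""
    return [a for a in actions if any(is_denied(d, principal_id, a, scope) for d in denies)]


if __name__ == "__main__":
    vnet = MANAGED_RG + "/providers/Microsoft.Network/virtualNetworks/vnet-enclave"
    wanted = [
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
    ]
    for who, label in [(OPERATOR, "operator"), (PLATFORM_IDENTITY, "platform identity")]:
        print(label, "blocked:", blocked_actions([SAMPLE_DENY], who, vnet, wanted))
```

In a real tenant you would not hand-write the deny assignment: fetch the ones actually in effect on the managed resource group with `az rest --method get --url "https://management.azure.com<managed-rg-resource-id>/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01"` and pass the `value` array to `blocked_actions`. Running the check before and after entering maintenance mode shows exactly which actions the bypass unlocks for your identity, which is a useful record to keep alongside the change you are about to make.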

Template

See template documentation

Managed Resources

The following resource types are deployed into the enclave managed resource group:

Next Steps