What is Azure Virtual Network encryption?
Azure Virtual Network encryption is a feature of Azure Virtual Networks. Virtual network encryption allows you to seamlessly encrypt and decrypt traffic between Azure Virtual Machines.
Whenever Azure customer traffic moves between datacenters, Microsoft applies a data-link layer encryption method using the IEEE 802.1AE MAC Security Standards (MACsec). This encryption is implemented to secure the traffic outside physical boundaries not controlled by Microsoft or on behalf of Microsoft. This method is applied from point-to-point across the underlying network hardware. Virtual network encryption enables you to encrypt traffic between Virtual Machines and Virtual Machines Scale Sets within the same virtual network. It also encrypts traffic between regionally and globally peered virtual networks. Virtual network encryption enhances existing encryption in transit capabilities in Azure.
For more information about encryption in Azure, see Azure encryption overview.
Requirements
Virtual network encryption has the following requirements:
Virtual Network encryption is supported on general-purpose and memory optimized VM instance sizes including:
Type VM Series VM SKU General purpose workloads D-series V4 D-series V5 Dv4 and Dsv4-series Ddv4 and Ddsv4-series Dav4 and Dasv4-series Dv5 and Dsv5-series Ddv5 and Ddsv5-series Dlsv5 and Dldsv5-series Dasv5 and Dadsv5-series General purpose and memory intensive workloads E-series V4 E-series V5 Ev4 and Esv4-series Edv4 and Edsv4-series Eav4 and Easv4-series Ev5 and Esv5-series Edv5 and Edsv5-series Easv5 and Eadsv5-series Storage intensive workloads LSv3 LSv3-series Memory intensive workloads M-series Mv2-series Msv2 and Mdsv2-series Medium Memory Msv3 and Mdsv3 Medium Memory Series Accelerated Networking must be enabled on the network interface of the virtual machine. For more information about Accelerated Networking, see What is Accelerated Networking?.
Encryption is only applied to traffic between virtual machines in a virtual network. Traffic is encrypted from a private IP address to a private IP address.
Traffic to unsupported Virtual Machines is unencrypted. Use Virtual Network Flow Logs to confirm flow encryption between virtual machines. For more information, see Virtual network flow logs.
The start/stop of existing virtual machines is required after enabling encryption in a virtual network.
Availability
Azure Virtual Network encryption is generally available in all Azure public regions.
Limitations
Azure Virtual Network encryption has the following limitations:
In scenarios where a PaaS is involved, the virtual machine where the PaaS is hosted dictates if virtual network encryption is supported. The virtual machine must meet the listed requirements.
For Internal load balancer, all virtual machines behind the load balancer must be a supported virtual machine SKU.
Next steps
- For more information about Azure Virtual Networks, see What is Azure Virtual Network?
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for