Create a virtual network with encryption

Azure Virtual Network encryption is a feature of Azure Virtual Network. With Virtual Network encryption, you can seamlessly encrypt and decrypt internal network traffic over the wire, with minimal effect to performance and scale. Virtual Network encryption protects data that traverses your virtual network from virtual machine to virtual machine.

Prerequisites

Portal

An Azure account with an active subscription. Create one for free.

PowerShell

• Have an Azure account with an active subscription. Create an account for free.

• Install Azure PowerShell locally or use Azure Cloud Shell.

• Sign in to Azure PowerShell and select the subscription with which you want to use this feature. For more information, see Sign in with Azure PowerShell.

• Ensure that your Az.Network module is 4.3.0 or later. To verify the installed module, use the command Get-InstalledModule -Name Az.Network. If the module requires an update, use the command Update-Module -Name Az.Network, if necessary.

If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.

CLI

• An Azure account with an active subscription. Create one for free.

• Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.

  

• If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.

  • If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.

  • When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.

  • Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

• This article requires version 2.31.0 or later of the Azure CLI. If you're using Azure Cloud Shell, the latest version is already installed.

Create a virtual network

Portal

The following procedure creates a virtual network with a resource subnet.

1. In the portal, search for and select Virtual networks.

2. On the Virtual networks page, select + Create.

3. On the Basics tab of Create virtual network, enter or select the following information:

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select Create new. Enter test-rg in Name. Select OK.
   Instance details
   Name	Enter vnet-1.
   Region	Select East US 2.

   

4. Select Next to proceed to the Security tab.

5. Select Next to proceed to the IP addresses tab.

6. In the address space box under Subnets, select the default subnet.

7. On the Edit subnet pane, enter or select the following information:

   Setting	Value
   Subnet details
   Subnet template	Leave the default as Default.
   Name	Enter subnet-1.
   Starting address	Leave the default of 10.0.0.0.
   Subnet size	Leave the default of /24(256 addresses).

   

8. Select Save.

9. Select Review + create at the bottom of the screen. After validation passes, select Create.

PowerShell

Create a resource group with New-AzResourceGroup named test-rg in the eastus2 location.

$rg =@{
    Name = 'test-rg'
    Location = 'eastus2'
}
New-AzResourceGroup @rg

Use New-AzVirtualNetwork and New-AzVirtualNetworkSubnetConfig to create a virtual network.

## Create backend subnet config ##
$subnet = @{
    Name = 'subnet-1'
    AddressPrefix = '10.0.0.0/24'
}
$subnetConfig = New-AzVirtualNetworkSubnetConfig @subnet 

## Create the virtual network ##
$net = @{
    Name = 'vnet-1'
    ResourceGroupName = 'test-rg'
    Location = 'eastus2'
    AddressPrefix = '10.0.0.0/16'
    Subnet = $subnetConfig
    EnableEncryption = 'true'
    EncryptionEnforcementPolicy = 'AllowUnencrypted'
}
New-AzVirtualNetwork @net

CLI

Create a resource group with az group create named test-rg in the eastus2 location.

  az group create \
    --name test-rg \
    --location eastus2

Use az network vnet create to create a virtual network.

  az network vnet create \
    --resource-group test-rg \
    --location eastus2 \
    --name vnet-1 \
    --enable-encryption true \
    --encryption-enforcement-policy allowUnencrypted \
    --address-prefixes 10.0.0.0/16 \
    --subnet-name subnet-1 \
    --subnet-prefixes 10.0.0.0/24 

Important

To encrypt traffic, Virtual Network encryption requires supported virtual machine versions in the virtual network. The setting dropUnencrypted drops traffic between unsupported virtual machine versions if they're deployed in the virtual network. For more information, see Azure Virtual Network encryption requirements.

Enable encryption on a virtual network

Portal

Use the following steps to enable encryption for a virtual network.

1. In the search box at the top of the portal, begin to enter Virtual networks. When Virtual networks appears in the search results, select it.

2. Select vnet-1 to open the vnet-1 pane.

3. On the service menu, select Overview, and then select the Properties tab.

4. Under Encryption, select Disabled.

   

5. Select the box next to Virtual network encryption.

6. Select Save.

PowerShell

You can also enable encryption on an existing virtual network by using Set-AzVirtualNetwork. This step isn't necessary if you created the virtual network with encryption enabled in the previous steps.

## Place the virtual network configuration into a variable. ##
$net = @{
    Name = 'vnet-1'
    ResourceGroupName = 'test-rg'
}
$vnet = Get-AzVirtualNetwork @net

## Enable encryption on the virtual network ##
$vnet.Encryption = @{
    Enabled = 'true'
    Enforcement = 'allowUnencrypted'
}
$vnet | Set-AzVirtualNetwork

CLI

You can also enable encryption on an existing virtual network by using az network vnet update. This step isn't necessary if you created the virtual network with encryption enabled in the previous steps.

  az network vnet update \
    --resource-group test-rg \
    --name vnet-1 \
    --enable-encryption true \
    --encryption-enforcement-policy allowUnencrypted

Verify that encryption is enabled

Portal

1. In the search box at the top of the portal, begin to enter Virtual networks. When Virtual networks appears in the search results, select it.

2. Select vnet-1 to open the vnet-1 pane.

3. On the service menu, select Overview, and then select the Properties tab.

4. Verify that Encryption is set to Enabled.

   

PowerShell

Use Get-AzVirtualNetwork to view the encryption parameter for the virtual network you created previously.

## Place the virtual network configuration into a variable. ##
$net = @{
    Name = 'vnet-1'
    ResourceGroupName = 'test-rg'
}
$vnet = Get-AzVirtualNetwork @net

To view the parameter for encryption, enter the following information:

$vnet.Encryption

Enabled Enforcement
------- -----------
True   allowUnencrypted

CLI

Use az network vnet show to view the encryption parameter for the virtual network you created previously.

  az network vnet show \
    --resource-group test-rg \
    --name vnet-1 \
    --query encryption \
    --output tsv

user@Azure:~$ az network vnet show \
    --resource-group test-rg \
    --name vnet-1 \
    --query encryption \
    --output tsv
True   AllowUnencrypted

Clean up resources

Portal

When you finish using the resources that you created, you can delete the resource group and all its resources.

1. In the Azure portal, search for and select Resource groups.

2. On the Resource groups page, select the test-rg resource group.

3. On the test-rg page, select Delete resource group.

4. Enter test-rg in Enter resource group name to confirm deletion, and then select Delete.

PowerShell

When you no longer need this resource group, use Remove-AzResourceGroup to remove the resource group and all the resources it contains.

$cleanup = @{
  Name  = "test-rg"
}
Remove-AzResourceGroup @cleanup -Force

CLI

When you finish with the virtual network, use az group delete to remove the resource group and all its resources.

az group delete \
    --name test-rg \
    --yes

Related content

• For more information about Virtual Network, see What is Azure Virtual Network?.
• For more information about Virtual Network encryption, see What is Azure Virtual Network encryption?.