Here are some answers to common questions about using Azure Virtual Network encryption.
Can I enable virtual network encryption on an existing virtual network, virtual machine, network interface, or NSG?
Yes. For more information about enabling virtual network encryption on an existing virtual network, see Enable encryption.
How do I verify my data is encrypted?
Encryption verification is limited to the status of the network interface resource, vnetEncryptionSupported, and Accelerated networking during public preview. After public preview, virtual network flow logs can be used to see the encrypted and unencrypted flows between virtual machines.
Is there data not encrypted?
Fragmented packets aren't offloaded to hardware and don't get encrypted. Use an MTU of 1500 in the network configuration of your virtual machines.
What certificate is used for the DTLS establishment on the Azure Host?
Microsoft manages and has created certificates for each region. Customer provided certificates are a feature on the road map.
What is the performance effect?
There's a minimal performance effect to throughput/bandwidth. The crypto operations are offloaded to a crypto-specialized FPGA. There's a minimal effect to an initial connection between two virtual machines, because a tunnel needs to be established.
Is VPN gateway, Application gateway, Azure Firewall, or PaaS supported?
It depends on the underlying VM size that the PaaS uses, and requires Accelerated Networking enabled.
Where is the encryption terminated?
The encryption is terminated at the SmartNIC/FPGA on the Azure Host.
Is FIPS-140 compliance supported with virtual network encryption?
FIPS-140 is an Azure-wide commitment to FedRAMP accreditation. The proof point for crypto usage in Azure is covered by the FedRAMP certification for all of Azure, including Azure Virtual Network encryption. For more information about Azure public guidance for FIPS-140, see Federal Information Processing Standard (FIPS) 140. For more information about PCI, HIPAA, and FedRAMP in the context of Azure, see Service Trust Portal.
How is virtual network encryption priced?
Azure Virtual Network encryption is a free feature offered under the Azure subscription within Azure Virtual Network. Standard charges are applicable for resources, such as Virtual Machines (VMs) and other products that you use.
Is asymmetric encryption supported for a scenario where one direction is encryption enabled and the reverse is encryption disabled?
Asymmetric encryption can happen when there is asymmetric routing and traffic is flowing encrypted in one direction and un-encrypted in the other direction. Asymmetric encryption is not supported and is not recommended.