Embedded Files
Azure VNET Encryption
Azure VNET Encryption
Date: 2024-04-21
Author: Simon Jackson
Microsoft introduced Azure Virtual Network Encryption to enable you to encrypt traffic between Virtual Machines, and the Virtual Machine Scale Sets, within the same Virtual Network.
Encryption can be enforced across peered networks in the same region, across region, and even across continents. Enforcement isn't always desired...
Enabling VNET Encryption
Enabling VNET Encryption
During the VNET Creation process, on the Security tab, we are now presented with a simple checkbox to enable encryption.
How do we know if VNET Encryption is currently enabled?
How do we know if VNET Encryption is currently enabled?
Via the GUI, there isn't yet an option on https://portal.azure.com - except to view the JSON of the given VNET.
What is this new Enforcement Policy?
What is this new Enforcement Policy?
If we think about traffic entering a VNET, there are points-of-ingress to consider. Such as a Virtual Network Gateway (GatewaySubnet), or Virtual Network Peer Link (VNET Peering).
Options are:
DropUnencrypted - enforce to DROP traffic that is ingress and comes from an unencrypted source VM (secure)
AllowUnencrypted - enforce to ALLOW traffic that is ingress and comes from an unencrypted source VM (relaxed)
Microsoft have a list of what VM SKUs are supported here.
Are there any pre-requsites for VNET Encryption?
Are there any pre-requsites for VNET Encryption?
Yes. If we want to use VNET Encryption with an AllowDropUnencrypted Enforcement policy; We need to register our interest in the `Microsoft.Network` feature called `AllowDropUnencryptedVnet`. This is done manually via the command line, and can take several days to complete.
- my guess is someone at Microsoft has to push a button to approve, with your subscription's workload.
Oh and it's to be enabled per-subscription!
Can we enable VNET Encryption after VNET Creation?
Can we enable VNET Encryption after VNET Creation?
Via Microsoft Graph API - this *might* be possible.
Via the GUI, there is no option today.
Via Terraform, yes, but it requires deletion and re-creation of the resource.
How do we Enable AllowDropEncryptedVnet feature with Terraform?
How do we Enable AllowDropEncryptedVnet feature with Terraform?
This is essentially the same as the above command, just using the null provider to execute the command during terraform runtime.
WARNING: There is a HUGE delay between registering this feature, and it being able to be used. Do it before the weekend, and resume on Monday ;)
Building a VNET using Terraform, with VNET Encryption
Building a VNET using Terraform, with VNET Encryption
Here is one i prepared earlier; with a little help of the AzureRM provider documentation here.
Hope this helps someone.
Page updated
Report abuse