Azure Virtual Network encryption is a feature in Azure Virtual Networks that lets you easily secure the data exchanged between Azure Virtual Machines by creating a DTLS tunnel. This feature allows you to encrypt traffic between Virtual Machines and Virtual Machine Scale Sets within the same virtual network. It also secures traffic between virtual networks that are connected across different regions or globally. Virtual Network encryption adds an extra layer of security on top of the existing encryption options in Azure.
Requirements for Using Azure Virtual Network Encryption
To use Azure Virtual Network encryption, certain conditions must be met:
- Supported VM Types: Virtual Network encryption works with specific types of virtual machines, particularly those designed for general-purpose and memory-optimized workloads.
  - General-purpose workloads: Supported VM series include D-series V4, V5, and V6 (e.g., Dv4, Dv5, Dv6, and their corresponding Dsv, Ddv, and Das variants).
  - Memory-intensive workloads: Supported VM series include E-series V4, V5, and V6 (e.g., Ev4, Ev5, Ev6, and their corresponding Esv, Edv, and Eas variants).
  - Storage-intensive workloads: The LSv3 series is supported.
  - High-memory workloads: The M-series V2 and V3 (e.g., Mv2, Msv2, Mdsv2, Msv3, and Mdsv3) are supported.
- Accelerated Networking: You must enable Accelerated Networking on the network interface of the virtual machine. This feature improves performance and is necessary for encryption. For more details, refer to the documentation on Accelerated Networking.
- Encryption Scope: Encryption only applies to traffic between virtual machines within the same virtual network. Specifically, it secures communication from one private IP address to another.
- Unsupported VMs: If a virtual machine does not support encryption, the traffic to and from it will not be encrypted. You can use Virtual Network Flow Logs to check if encryption is active between your virtual machines.
- VM Restart Required: After enabling encryption on a virtual network, you will need to restart any existing virtual machines for the encryption to take effect.
- Note: The list of supported VM SKUs is updated by Microsoft; the latest information is available in this document: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-encryption-overview
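As a defender-side check for the flow-log hint above, here is an added Python example (not from the original page) that scans Virtual Network flow log tuples and reports intra-VNet flows whose encryption field is not X, grouped by the reason code; the field order of the tuple and the sample records are my assumptions, constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Field order assumed for a VNet flow log "flowTuple" record:
# ts,srcIp,dstIp,srcPort,dstPort,proto,direction,state,encryption,pktsOut,bytesOut,pktsIn,bytesIn
# encryption is "X" (encrypted on the wire) or an "NX..." code naming why it was not.
VNET = ip_network("10.0.0.0/16")  # address_space of the VNet in the Terraform example below

# Constructed sample records, not real log data.
SAMPLE_TUPLES = [
    "1716200000,10.0.1.4,10.0.1.5,44312,443,6,O,B,X,10,1200,8,900",  # encrypted
    "1716200001,10.0.1.4,10.0.1.6,44313,22,6,O,B,NX_HW_NOT_SUPPORTED,5,600,4,300",  # peer SKU unsupported
    "1716200002,10.0.1.7,10.0.1.4,51000,8080,6,I,B,NX_SW_NOT_READY,3,200,2,100",  # VM not restarted yet
    "1716200003,10.0.1.4,52.168.1.1,44314,443,6,O,B,NX,20,3000,15,2000",  # leaves the VNet: out of scope
    "1716200004,10.0.1.8,10.0.1.4,60000,3389,6,I,D,NX,0,0,0,0",  # denied by NSG, still unencrypted
    "garbage,line",  # malformed, must be skipped
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    state: str
    encryption: str


def parse_tuple(record):
    """Return a Flow for a well-formed 13-field tuple with valid IPs, else None."""
    f = record.split(",")
    if len(f) != 13 or not f[4].isdigit():
        return None
    try:
        ip_address(f[1]), ip_address(f[2])
    except ValueError:
        return None
    return Flow(src=f[1], dst=f[2], dst_port=int(f[4]), state=f[7], encryption=f[8])


def unencrypted_intra_vnet(records, vnet=VNET):
    """Flows with both endpoints inside vnet that were not encrypted on the wire."""
    hits = []
    for flow in filter(None, map(parse_tuple, records)):
        if ip_address(flow.src) in vnet and ip_address(flow.dst) in vnet and flow.encryption != "X":
            hits.append(flow)
    return hits


def reason_summary(flows):
    """Count unencrypted flows by NX reason code, e.g. NX_HW_NOT_SUPPORTED."""
    return dict(Counter(f.encryption for f in flows))
```

A non-empty summary after every VM has been restarted points at peers that are not a supported SKU or at flows that never entered the encrypted path.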
Limitations
Azure Virtual Network encryption has the following limitations:
- In scenarios where a PaaS service is involved, the virtual machine on which the PaaS service is hosted dictates whether virtual network encryption is supported. That virtual machine must meet the listed requirements.
- For an internal load balancer, all virtual machines behind the load balancer must be a supported virtual machine SKU.
- AllowUnencrypted is the only supported enforcement at general availability. DropUnencrypted enforcement will be supported in the future.
- Virtual networks with encryption enabled don’t support Azure DNS Private Resolver.
- Note: Other services that currently don’t support virtual network encryption are included in Microsoft’s future roadmap.
Supported Scenarios for Virtual Network Encryption
Virtual network encryption can be used in the following situations:
- VMs in the Same Virtual Network: Encryption is supported for traffic between virtual machines (including those in virtual machine scale sets and those using an internal load balancer) if they use the supported VM sizes.
- Virtual Network Peering: Encryption is supported for traffic between virtual machines across regional peered virtual networks.
- Global Virtual Network Peering: Encryption is also supported for traffic between virtual machines across globally peered virtual networks.
- Azure Kubernetes Service (AKS):
  - Fully Supported: Encryption is supported when using Azure CNI (in both regular and overlay modes), Kubenet, or BYOCNI. Both node and pod traffic are encrypted.
  - Partially Supported: When using Azure CNI Dynamic Pod IP Assignment (with podSubnetId specified), only node traffic is encrypted; pod traffic is not.
  - Managed Control Plane: Traffic from the virtual network to the AKS managed control plane isn’t covered by virtual network encryption, but this traffic is always encrypted using TLS.
Deploy Azure VNET with Terraform
Below is an example of Terraform code that creates an Azure Virtual Network (VNet) and enables encryption on the virtual network. This code includes the steps to deploy a VNet and the required configuration to enable encryption.
Step 1: Initialize Your Terraform Configuration
Before using the code, ensure that Terraform is installed on your local machine. You will also need to authenticate with Azure using the Azure CLI (az login).
Step 2: Terraform Code for Azure VNet with Encryption
```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      # Pinned to the 3.x series, which uses the argument names below;
      # provider v4 renames enable_accelerated_networking to accelerated_networking_enabled.
      version = "~> 3.0"
    }
  }
}

# Define the provider and required version
provider "azurerm" {
  features {}
}

# Define the resource group
resource "azurerm_resource_group" "rg" {
  name     = "rg-vnet-encryption-demo"
  location = "East US"
}

# Define the virtual network
resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-encryption-demo"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  address_space       = ["10.0.0.0/16"]

  # Enable encryption on the virtual network. The block's only argument is the
  # enforcement mode; AllowUnencrypted is the only value supported at general
  # availability, so traffic to and from VMs that cannot encrypt still flows in clear text.
  encryption {
    enforcement = "AllowUnencrypted"
  }
}

# Define a subnet within the virtual network
resource "azurerm_subnet" "subnet" {
  name                 = "subnet1"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.1.0/24"]
}

# Define a Network Security Group (NSG) for the subnet (optional)
resource "azurerm_network_security_group" "nsg" {
  name                = "nsg-subnet1"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

# Associate the NSG with the subnet
resource "azurerm_subnet_network_security_group_association" "nsg_association" {
  subnet_id                 = azurerm_subnet.subnet.id
  network_security_group_id = azurerm_network_security_group.nsg.id
}

# Define a virtual machine within the subnet (optional)
resource "azurerm_linux_virtual_machine" "vm" {
  name                = "vm1"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  # D-series v5 is in the supported SKU list above. A DSv2 size is not, so its
  # traffic would stay unencrypted even with encryption enabled on the VNet.
  size           = "Standard_D2s_v5"
  admin_username = "adminuser"
  network_interface_ids = [
    azurerm_network_interface.vm_nic.id,
  ]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  # Ubuntu 22.04 LTS; the 18.04 LTS image is end-of-life.
  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts-gen2"
    version   = "latest"
  }

  admin_ssh_key {
    username   = "adminuser"
    public_key = file("~/.ssh/id_rsa.pub")
  }
}

# Define the network interface for the virtual machine
resource "azurerm_network_interface" "vm_nic" {
  name                = "nic-vm1"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.subnet.id
    private_ip_address_allocation = "Dynamic"
  }

  # Enable Accelerated Networking (required for virtual network encryption)
  enable_accelerated_networking = true
}

# Output the VNet ID
output "vnet_id" {
  value = azurerm_virtual_network.vnet.id
}

# Output the Subnet ID
output "subnet_id" {
  value = azurerm_subnet.subnet.id
}
```
Step 3: Deploy the VNet with Terraform
- Save the above code to a file named main.tf.
- Initialize Terraform in your working directory:
terraform init
- Review the plan to see what will be created:
terraform plan
- Apply the Terraform configuration to create the resources:
terraform apply
Confirm the apply action when prompted.
Explanation of the Code
- azurerm_virtual_network: Defines the virtual network, with encryption enabled using the encryption block.
- azurerm_subnet: Defines a subnet within the virtual network.
- azurerm_network_security_group and azurerm_subnet_network_security_group_association: Optionally associate an NSG with the subnet for added security.
- azurerm_linux_virtual_machine: Optionally deploys a Linux VM in the subnet.
- encryption block: This block in the virtual network resource enables encryption for the VNet. Its enforcement argument must be AllowUnencrypted, the only mode supported at general availability (see Limitations), so VMs that do not meet the requirements still communicate unencrypted.
Notes
- Make sure you replace "East US" with the region of your choice.
- This example includes a Linux VM and NSG for context, but they are optional and can be removed if not needed.
- Accelerated Networking is enabled for the network interface, which is required for encryption.