You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/virtual-network/virtual-network-encryption-overview.md
+30-5Lines changed: 30 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,8 +6,8 @@ ms.service: virtual-network
6
6
author: asudbring
7
7
ms.author: allensu
8
8
ms.topic: overview
9
-
ms.date: 05/06/2024
10
-
ms.custom: template-overview, references_regions
9
+
ms.date: 07/16/2024
10
+
ms.custom: references_regions
11
11
# Customer intent: As a network administrator, I want to learn about encryption in Azure Virtual Network so that I can secure my network traffic.
12
12
13
13
---
@@ -55,10 +55,35 @@ Azure Virtual Network encryption has the following limitations:
55
55
56
56
-**AllowUnencrypted** is the only supported enforcement at general availability. **DropUnencrypted** enforcement will be supported in the future.
57
57
58
-
- Virtual networks with encryption enabled do not support [Azure DNS Private Resolver](/azure/dns/dns-private-resolver-overview).
58
+
- Virtual networks with encryption enabled don't support [Azure DNS Private Resolver](/azure/dns/dns-private-resolver-overview).
59
59
60
-
## Next steps
60
+
## Supported scenarios
61
61
62
-
- For more information about Azure Virtual Networks, see [What is Azure Virtual Network?](/azure/virtual-network/virtual-networks-overview)
62
+
Virtual network encryption is supported in the following scenarios:
63
+
64
+
| Scenario | Support |
65
+
| --- | --- |
66
+
| VMs in the same virtual network (including virtual machine scale sets and their internal load balancer) | Supported on traffic between VMs from these [SKUs](#requirements). |
67
+
| Virtual network peering | Supported on traffic between VMs across regional peering. |
68
+
| Global virtual network peering | Supported on traffic between VMs across global peering. |
69
+
| VM to Azure VPN Gateway | Supported on Dv5 VM SKUs (SKU not controlled by user). |
70
+
| VM to Azure Application Gateway | Not supported <sup>1</sup>. |
71
+
| VM to Azure Firewall | Not supported <sup>1</sup>. |
72
+
| Azure Kubernetes Service (AKS) | - Supported on AKS using Azure CNI (regular or overlay mode), Kubenet, or BYOCNI: node and pod traffic will be encrypted.<br> - Partially supported on AKS using Azure CNI Dynamic Pod IP Assignment (podSubnetId specified): node traffic will be encrypted, but pod traffic won't be encrypted.<br> - Traffic to the AKS managed control plane egresses from the virtual network and thus isn't in scope for virtual network encryption. However, this traffic is always encrypted via TLS. |
73
+
| Azure App Service | Not supported <sup>1</sup>. |
74
+
| Azure SQL Database | Not supported <sup>1</sup>. |
75
+
| Azure Storage | Not supported <sup>1</sup>. |
76
+
| Azure Functions Premium | Not supported <sup>1</sup>. |
77
+
| Private Endpoint | Not supported <sup>1</sup>. |
78
+
| Azure NetApp Files | Not supported <sup>1</sup>. |
79
+
| VM to ExpressRoute gateway | Not supported <sup>1</sup>. |
80
+
| VM to internet (using public IP address or load balancer) | Not supported <sup>1</sup>. |
81
+
82
+
<sup>1</sup> Data flows unencrypted in these scenarios.
63
83
84
+
> [!NOTE]
85
+
> VM to PaaS injected services requires onboarding of the PaaS services to support encryption using supported VM SKUs.
64
86
87
+
## Next step
88
+
89
+
- For more information about Azure Virtual Networks, see [What is Azure Virtual Network?](/azure/virtual-network/virtual-networks-overview)
0 commit comments