Merge pull request #243955 from MicrosoftDocs/release-vnet-encryption

Release vnet encryption --scheduled release at 4AM of 7/06

Author: huypub

articles/virtual-network/how-to-create-encryption-cli.md

@@ -0,0 +1,95 @@
+---
+title: Create a virtual network with encryption - Azure CLI
+titleSuffix: Azure Virtual Network
+description: Learn how to create an encrypted virtual network using the Azure CLI. A virtual network lets Azure resources communicate with each other and with the internet. 
+author: asudbring
+ms.service: virtual-network
+ms.topic: how-to
+ms.date: 05/24/2023
+ms.author: allensu
+
+---
+
+# Create a virtual network with encryption using the Azure CLI
+
+Azure Virtual Network encryption is a feature of Azure Virtual Network. Virtual network encryption allows you to seamlessly encrypt and decrypt internal network traffic over the wire, with minimal effect to performance and scale. Azure Virtual Network encryption protects data traversing your virtual network virtual machine to virtual machine and virtual machine to on-premises.
+
+## Prerequisites
+
+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).
+
+[!INCLUDE [azure-cli-prepare-your-environment-no-header.md](~/articles/reusable-content/azure-cli/azure-cli-prepare-your-environment-no-header.md)]
+
+- The how-to article requires version 2.31.0 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.
+
+## Create a resource group
+
+An Azure resource group is a logical container into which Azure resources are deployed and managed.
+
+Create a resource group with [az group create](/cli/azure/group#az-group-create) named **test-rg** in the **eastus2** location.
+
+```azurecli-interactive
+  az group create \
+    --name test-rg \
+    --location eastus2
+```
+
+## Create a virtual network
+
+In this section, you create a virtual network and enable virtual network encryption.
+
+Use [az network vnet create](/cli/azure/network/vnet#az-network-vnet-create) to create a virtual network.
+
+```azurecli-interactive
+  az network vnet create \
+    --resource-group test-rg \
+    --location eastus2 \
+    --name vnet-1 \
+    --enable-encryption true \
+    --encryption-enforcement-policy allowUnencrypted \
+    --address-prefixes 10.0.0.0/16 \
+    --subnet-name subnet-1 \
+    --subnet-prefixes 10.0.0.0/24 
+```
+
+> [!IMPORTANT]
+> Azure Virtual Network encryption requires supported virtual machine SKUs in the virtual network for traffic to be encrypted. For more information, see [Azure Virtual Network encryption requirements](virtual-network-encryption-overview.md#requirements).
+
+## Verify encryption enabled
+
+You can check the encryption parameter in the virtual network to verify that encryption is enabled on the virtual network.
+
+Use [az network vnet show](/cli/azure/network/vnet#az-network-vnet-show) to view the encryption parameter for the virtual network you created previously.
+
+```azurecli-interactive
+  az network vnet show \
+    --resource-group test-rg \
+    --name vnet-1 \
+    --query encryption \
+    --output tsv
+```
+
+```output
+user@Azure:~$ az network vnet show \
+    --resource-group test-rg \
+    --name vnet-1 \
+    --query encryption \
+    --output tsv
+True   AllowUnencrypted
+```
+
+## Clean up resources
+
+When you're done with the virtual network, use [az group delete](/cli/azure/group#az-group-delete) to remove the resource group and all its resources.
+
+```azurecli-interactive
+az group delete \
+    --name test-rg \
+    --yes
+```
+
+## Next steps
+
+- For more information about Azure Virtual Networks, see [What is Azure Virtual Network?](/azure/virtual-network/virtual-networks-overview).
+
+- For more information about Azure Virtual Network encryption, see [What is Azure Virtual Network encryption?](virtual-network-encryption-overview.md).

articles/virtual-network/how-to-create-encryption-portal.md

@@ -0,0 +1,83 @@
+---
+title: Create a virtual network with encryption - Azure portal
+titleSuffix: Azure Virtual Network
+description: Learn how to create an encrypted virtual network using the Azure portal. A virtual network lets Azure resources communicate with each other and with the internet. 
+author: asudbring
+ms.service: virtual-network
+ms.topic: how-to
+ms.date: 07/07/2023
+ms.author: allensu
+
+---
+
+# Create a virtual network with encryption using the Azure portal
+
+Azure Virtual Network encryption is a feature of Azure Virtual Network. Virtual network encryption allows you to seamlessly encrypt and decrypt internal network traffic over the wire, with minimal effect to performance and scale. Azure Virtual Network encryption protects data traversing your virtual network virtual machine to virtual machine and virtual machine to on-premises.
+
+## Prerequisites
+
+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).
+
+## Create a virtual network
+
+In this section, you create a virtual network and enable virtual network encryption.
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+
+1. In the search box at the top of the portal, begin typing **Virtual networks**. When **Virtual networks** appears in the search results, select it.
+
+1. In **Virtual networks**, select **+ Create**.
+
+1. Enter or select the following information in the **Basics** tab of **Create virtual network**:
+
+    | Setting | Value |
+    | ------- | ----- |
+    | **Project details** |  |
+    | **Subscription** | Select your subscription. |
+    | **Resource group** | Select **Create new**, then enter **test-rg** in **Name**. Select **OK**. |
+    | **Instance details** |  |
+    | Virtual network name | Enter **vnet-1**. |
+    | Region | Select **(US) East US 2**. |
+
+1. Select **Review + create**.
+
+1. Select **Create**.
+
+> [!IMPORTANT]
+> Azure Virtual Network encryption requires supported virtual machine SKUs in the virtual network for traffic to be encrypted. The setting **dropUnencrypted** will drop traffic between unsupported virtual machine SKUs if they are deployed in the virtual network. For more information, see [Azure Virtual Network encryption requirements](virtual-network-encryption-overview.md#requirements).
+
+## Enable encryption
+
+1. In the search box at the top of the portal, begin typing **Virtual networks**. When **Virtual networks** appears in the search results, select it.
+
+1. Select **vnet-1**.
+
+1. In the **Overview** of **vnet-1**, select the **Properties** tab.
+
+1. Select **Disabled** next to **Encryption**:
+
+    :::image type="content" source="./media/how-to-create-encryption-portal/virtual-network-properties.png" alt-text="Screenshot of properties of the virtual network.":::
+
+1. Select the box next to **Virtual network encryption**.
+
+1. Select **Save**.
+
+## Verify encryption enabled
+
+1. In the search box at the top of the portal, begin typing **Virtual networks**. When **Virtual networks** appears in the search results, select it.
+
+1. Select **vnet-1**.
+
+1. In the **Overview** of **vnet-1**, select the **Properties** tab.
+
+1. Verify that **Encryption** is set to **Enabled**.
+
+    :::image type="content" source="./media/how-to-create-encryption-portal/virtual-network-properties-encryption-enabled.png" alt-text="Screenshot of properties of the virtual network with encryption enabled.":::
+
+[!INCLUDE [portal-clean-up.md](../../includes/portal-clean-up.md)]
+
+## Next steps
+
+- For more information about Azure Virtual Networks, see [What is Azure Virtual Network?](/azure/virtual-network/virtual-networks-overview)
+
+- For more information about Azure Virtual Network encryption, see [What is Azure Virtual Network encryption?](virtual-network-encryption-overview.md)

articles/virtual-network/how-to-create-encryption-powershell.md

@@ -0,0 +1,113 @@
+---
+title: Create a virtual network with encryption - Azure PowerShell
+titleSuffix: Azure Virtual Network
+description: Learn how to create an encrypted virtual network using Azure PowerShell. A virtual network lets Azure resources communicate with each other and with the internet. 
+author: asudbring
+ms.service: virtual-network
+ms.topic: how-to
+ms.date: 07/07/2023
+ms.author: allensu
+
+---
+
+# Create a virtual network with encryption using Azure PowerShell
+
+Azure Virtual Network encryption is a feature of Azure Virtual Network. Virtual network encryption allows you to seamlessly encrypt and decrypt internal network traffic over the wire, with minimal effect to performance and scale. Azure Virtual Network encryption protects data traversing your virtual network virtual machine to virtual machine and virtual machine to on-premises.
+
+## Prerequisites
+
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+
+- Azure PowerShell installed locally or Azure Cloud Shell.
+
+- Sign in to Azure PowerShell and ensure you've selected the subscription with which you want to use this feature.  For more information, see [Sign in with Azure PowerShell](/powershell/azure/authenticate-azureps).
+
+- Ensure your `Az.Network` module is 4.3.0 or later. To verify the installed module, use the command Get-InstalledModule -Name `Az.Network`. If the module requires an update, use the command Update-Module -Name `Az.Network` if necessary.
+
+If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run `Get-Module -ListAvailable Az` to find the installed version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-Az-ps). If you're running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.
+
+## Create a resource group
+
+An Azure resource group is a logical container into which Azure resources are deployed and managed.
+
+Create a resource group with [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup) named **test-rg** in the **eastus2** location.
+
+```azurepowershell-interactive
+$rg =@{
+    Name = 'test-rg'
+    Location = 'eastus2'
+}
+New-AzResourceGroup @rg
+```
+
+## Create a virtual network
+
+In this section, you create a virtual network and enable virtual network encryption.
+
+Use [New-AzVirtualNetwork](/powershell/module/az.network/new-azvirtualnetwork) and [New-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/new-azvirtualnetworksubnetconfig) to create a virtual network.
+
+```azurepowershell-interactive
+## Create backend subnet config ##
+$subnet = @{
+    Name = 'subnet-1'
+    AddressPrefix = '10.0.0.0/24'
+}
+$subnetConfig = New-AzVirtualNetworkSubnetConfig @subnet 
+
+## Create the virtual network ##
+$net = @{
+    Name = 'vnet-1'
+    ResourceGroupName = 'test-rg'
+    Location = 'eastus2'
+    AddressPrefix = '10.0.0.0/16'
+    Subnet = $subnetConfig
+    EnableEncryption = 'true'
+    EncryptionEnforcementPolicy = 'AllowUnencrypted'
+}
+New-AzVirtualNetwork @net
+
+```
+
+> [!IMPORTANT]
+> Azure Virtual Network encryption requires supported virtual machine SKUs in the virtual network for traffic to be encrypted. For more information, see [Azure Virtual Network encryption requirements](virtual-network-encryption-overview.md#requirements).
+
+## Verify encryption enabled
+
+You can check the encryption parameter in the virtual network to verify that encryption is enabled on the virtual network.
+
+Use [Get-AzVirtualNetwork](/powershell/module/az.network/get-azvirtualnetwork) to view the encryption parameter for the virtual network you created previously.
+
+```azurepowershell-interactive
+## Place the virtual network configuration into a variable. ##
+$net = @{
+    Name = 'vnet-1'
+    ResourceGroupName = 'test-rg'
+}
+$vnet = Get-AzVirtualNetwork @net
+```
+
+To view the parameter for encryption, enter the following information.
+
+```azurepowershell-interactive
+$vnet.Encryption
+```
+
+```output
+Enabled Enforcement
+------- -----------
+True   allowUnencrypted
+```
+
+## Clean up resources
+
+When you're done with the virtual network, use [Remove-AzResourceGroup](/powershell/module/az.resources/remove-azresourcegroup) to remove the resource group and all its resources.
+
+```azurepowershell-interactive
+Remove-AzResourceGroup -Name 'test-rg' -Force
+```
+
+## Next steps
+
+- For more information about Azure Virtual Networks, see [What is Azure Virtual Network?](/azure/virtual-network/virtual-networks-overview).
+
+- For more information about Azure Virtual Network encryption, see [What is Azure Virtual Network encryption?](virtual-network-encryption-overview.md).

articles/virtual-network/media/how-to-create-encryption-portal/virtual-network-properties-encryption-enabled.png

@@ -73,6 +73,12 @@
       href: /security/benchmark/azure/baselines/virtual-network-nat-security-baseline?toc=/azure/virtual-network/toc.json?toc=/azure/virtual-network/toc.json?toc=/azure/virtual-network/toc.json
     - name: Network isolation of Azure services
       href: vnet-integration-for-azure-services.md
+    - name: Virtual network encryption
+      items:
+      - name: Overview
+        href: virtual-network-encryption-overview.md
+      - name: FAQ
+        href: virtual-network-encryption-faq.yml
     - name: Network security groups
       items:
       - name: Overview
@@ -184,6 +190,14 @@
       href: deploy-container-networking.md
   - name: Security
     items:
+    - name: Create virtual network with encryption
+      items:
+      - name: Azure portal
+        href: how-to-create-encryption-portal.md
+      - name: Azure PowerShell
+        href: how-to-create-encryption-powershell.md
+      - name: Azure CLI
+        href: how-to-create-encryption-cli.md
     - name: Filter network traffic
       items:
       - name: Azure portal

articles/virtual-network/media/how-to-create-encryption-portal/virtual-network-properties.png

@@ -0,0 +1,40 @@
+### YamlMime:FAQ
+metadata:
+  title: Virtual Network encryption frequently asked questions
+  description: Answers to common questions about using Azure Virtual Network encryption.
+  ms.topic: faq
+
+title: Frequently asked questions for Azure Virtual Network encryption
+summary: |
+  Here are some answers to common questions about using Azure Virtual Network encryption.
+
+sections:
+  - name: Single section - ignored
+    questions:
+      - question: Can I enable virtual network encryption on an existing virtual network, virtual machine, network interface, or NSG? 
+        answer: |
+          Yes.
+      
+      - question: How do I verify my data is encrypted?
+        answer: |
+          Encryption verification is limited to the status of the network interface resource, vnetEncryptionSupported, and Accelerated networking during public preview. After public preview, virtual network flow logs can be used to see the encrypted and unencrypted flows between virtual machines.
+      
+      - question: Is there data not encrypted?
+        answer: |
+          Fragmented packets aren't offloaded to hardware and don't get encrypted. Use an MTU of 1500 in the network configuration of your virtual machines.
+
+      - question: What certificate is used for the DTLS establishment on the Azure Host? 
+        answer: |
+          Microsoft manages and has created certificates for each region. Customer provided certificates are a feature on the road map.
+      
+      - question: What is the performance effect?
+        answer: |
+          There's a minimal performance effect to throughput/bandwidth. The crypto operations are offloaded to a crypto-specialized FPGA. There's a minimal effect to an initial connection between two virtual machines, because a tunnel needs to be established.
+      
+      - question: Is VPN gateway, Application gateway, Azure Firewall, or PaaS supported? 
+        answer: |
+          It depends on the underlying VM size that the PaaS uses, and requires Accelerated Networking enabled.
+
+      - question: Where is the encryption terminated? 
+        answer: |
+          The encryption is terminated at the SmartNIC/FPGA on the Azure Host.