|
| 1 | +--- |
| 2 | +title: Azure HPC Cache Security Information |
| 3 | +description: Security information for Azure HPC Cache |
| 4 | +author: ronhogue |
| 5 | +ms.service: hpc-cache |
| 6 | +ms.topic: how-to |
| 7 | +ms.date: 04/06/2022 |
| 8 | +ms.author: rohogue |
| 9 | +--- |
| 10 | + |
| 11 | +# Security information for Azure HPC Cache |
| 12 | + |
| 13 | +This security information applies to Microsoft Azure HPC Cache. It addresses common security questions about the configuration and operation of Azure HPC Cache. |
| 14 | + |
| 15 | +## Access to the HPC Cache service |
| 16 | + |
| 17 | +The HPC Cache Service is only accessible through your private virtual network. Microsoft cannot access your virtual network. |
| 18 | + |
| 19 | +Learn more about [connecting private networks](/security/benchmark/azure/baselines/hpc-cache-security-baseline.md). |
| 20 | + |
| 21 | +## Network infrastructure requirements |
| 22 | + |
| 23 | +Your network needs a dedicated subnet for the Azure HPC Cache, DNS support so the cache can access storage, and access from the subnet to additional Microsoft Azure infrastructure services like NTP servers and the Azure Queue Storage service. |
| 24 | + |
| 25 | +Learn more about [network infrastructure requirements](hpc-cache-prerequisites.md#network-infrastructure). |
| 26 | + |
| 27 | +## Access to NFS storage |
| 28 | + |
| 29 | +The Azure HPC Cache needs specific NFS configurations like outbound NFS port access to on-premises storage. |
| 30 | + |
| 31 | +Learn more about [configuring your NFS storage](hpc-cache-prerequisites.md#nfs-storage-requirements) to work with Azure HPC Cache. |
| 32 | + |
| 33 | +## Encryption |
| 34 | + |
| 35 | +HPC Cache data is encrypted at rest. Encryption keys may be Azure-managed or customer-managed. |
| 36 | + |
| 37 | +Learn more about [implementing customer-managed keys](customer-keys.md). |
| 38 | + |
| 39 | +HPC Cache only supports AUTH_SYS security for NFSv3 so it’s not possible to encrypt NFS traffic between clients and the cache. If, however, data is traveling over ExpressRoute, you could [tunnel traffic with IPSEC](../virtual-wan/vpn-over-expressroute.md) for in-transit traffic encryption. |
| 40 | + |
| 41 | +## Access policies based on IP address |
| 42 | + |
| 43 | +You can set CIDR blocks to allow the following access control policies: none, read, read/write, and squashed. |
| 44 | + |
| 45 | +Learn more how to [configure access policies](access-policies.md) based on IP addresses. |
| 46 | + |
| 47 | +You can also optionally configure network security groups (NSGs) to control inbound access to the HPC Cache subnet. This restricts which IP addresses are routed to the HPC Cache subnet. |
| 48 | + |
| 49 | +## Next steps |
| 50 | + |
| 51 | +* Review [Azure HPC Cache security baseline](/security/benchmark/azure/baselines/hpc-cache-security-baseline.md). |
0 commit comments