
Commit d397f65

Merge pull request #277225 from cachai2/peer-to-peer-encryption
init peer-to-peer encryption
2 parents bccb4a2 + 4620fea commit d397f65

File tree

5 files changed

+25
-14
lines changed


articles/container-apps/ingress-overview.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -115,7 +115,7 @@ Azure Container Apps provides built-in authentication and authorization features
115115

116116
You can configure your app to support client certificates (mTLS) for authentication and traffic encryption. For more information, see [Configure client certificates](client-certificate-authorization.md).
117117

118-
For details on how to use mTLS for environment level network encryption, see the [networking overview](./networking.md#mtls).
118+
For details on how to use peer-to-peer environment level network encryption, see the [networking overview](./networking.md#peer-to-peer-encryption).
119119

120120
## Traffic splitting
121121
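Review bot: the new wording in line 118, "peer-to-peer environment level network encryption", reads awkwardly; suggest "For details on how to use peer-to-peer encryption at the environment level, see the [networking overview](./networking.md#peer-to-peer-encryption)." The anchor matches the `<a name="peer-to-peer-encryption">` introduced in networking.md in this same PR, so the link target is consistent.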

Binary file change (33.7 KB), not rendered in the diff.

articles/container-apps/networking.md

Lines changed: 22 additions & 11 deletions
@@ -278,20 +278,31 @@ You can fully secure your ingress and egress networking traffic workload profile
278278

279279
- Configure UDR to route all traffic through [Azure Firewall](./user-defined-routes.md).
280280

281-
## <a name="mtls"></a> Environment level network encryption (preview)
281+
## <a name="peer-to-peer-encryption"></a> Peer-to-peer encryption in the Azure Container Apps environment
282282

283-
Azure Container Apps supports environment level network encryption using mutual transport layer security (mTLS). When end-to-end encryption is required, mTLS encrypts data transmitted between applications within an environment.
283+
Azure Container Apps supports peer-to-peer TLS encryption within the environment. Enabling this feature encrypts all network traffic within the environment with a private certificate that is valid within the Azure Container Apps environment scope. These certificates are automatically managed by Azure Container Apps.
284284

285-
Applications within a Container Apps environment are automatically authenticated. However, the Container Apps runtime doesn't support authorization for access control between applications using the built-in mTLS.
285+
> [!NOTE]
286+
> By default, peer-to-peer encryption is disabled. Enabling peer-to-peer encryption for your applications may increase response latency and reduce maximum throughput in high-load scenarios.
286287
287-
When your apps are communicating with a client outside of the environment, two-way authentication with mTLS is supported. To learn more, see [configure client certificates](client-certificate-authorization.md).
288+
The following example shows an environment with peer-to-peer encryption enabled.
289+
:::image type="content" source="media/networking/peer-to-peer-encryption-traffic-diagram.png" alt-text="Diagram of how traffic is encrypted/decrypted with peer-to-peer encryption enabled.":::
288290

289-
> [!NOTE]
290-
> Enabling mTLS for your applications may increase response latency and reduce maximum throughput in high-load scenarios.
291+
<sup>1</sup> Inbound TLS traffic is terminated at the ingress proxy on the edge of the environment.
292+
293+
<sup>2</sup> Traffic to and from the ingress proxy within the environment is TLS encrypted with a private certificate and decrypted by the receiver.
294+
295+
<sup>3</sup> Calls made from app A to app B's FQDN are first sent to the edge ingress proxy, and are TLS encrypted.
296+
297+
<sup>4</sup> Calls made from app A to app B using app B's app name are sent directly to app B and are TLS encrypted.
298+
299+
Applications within a Container Apps environment are automatically authenticated. However, the Container Apps runtime doesn't support authorization for access control between applications using the built-in peer-to-peer encryption.
300+
301+
When your apps are communicating with a client outside of the environment, two-way authentication with mTLS is supported. To learn more, see [configure client certificates](client-certificate-authorization.md).
291302

292303
# [Azure CLI](#tab/azure-cli)
293304

294-
You can enable mTLS using the following commands.
305+
You can enable peer-to-peer encryption using the following commands.
295306

296307
On create:
297308
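Review bot: the security claim in line 299, "Applications within a Container Apps environment are automatically authenticated", needs to say what does the authenticating now that line 283 describes the feature as TLS encryption with a platform-managed private certificate rather than mTLS; a reader cannot tell from these lines whether the receiver verifies the sender's identity or only the transport is encrypted, so state explicitly whether peer identity is verified and by which certificate. Two smaller points: the heading in line 281 drops "(preview)" while the whats-new entry in this same PR still labels the feature "Public preview", so pick one; and line 283's "encrypts all network traffic within the environment" should be reconciled with footnotes 1 and 2, which say inbound TLS is terminated at the ingress proxy and then encrypted again with the private certificate, so protection inside the environment is hop-by-hop rather than end-to-end from the external client.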

@@ -300,7 +311,7 @@ az containerapp env create \
300311
--name <environment-name> \
301312
--resource-group <resource-group> \
302313
--location <location> \
303-
--enable-mtls
314+
--enable-peer-to-peer-encryption
304315
```
305316

306317
For an existing container app:
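Review bot: the flag rename to `--enable-peer-to-peer-encryption` in line 314 means readers with an older containerapp CLI extension will get an unrecognized-argument error; state the minimum extension version that accepts the new flag, and say whether `--enable-mtls` still works as an alias or has been removed, since existing automation may depend on it.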
@@ -309,7 +320,7 @@ For an existing container app:
309320
az containerapp env update \
310321
--name <environment-name> \
311322
--resource-group <resource-group> \
312-
--enable-mtls
323+
--enable-peer-to-peer-encryption
313324
```
314325

315326
# [ARM template](#tab/arm-template)
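Review bot: the heading "For an existing container app:" at the top of this hunk introduces `az containerapp env update`, which changes the environment, not a container app; suggest "For an existing environment:". Because the setting is environment-wide, it would also help to say here that toggling it affects every app in the environment and whether running replicas pick up the change without a restart.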
@@ -320,8 +331,8 @@ You can enable mTLS in the ARM template for Container Apps environments using th
320331
{
321332
...
322333
"properties": {
323-
"peerAuthentication":{
324-
"mtls": {
334+
"peerTrafficConfiguration":{
335+
"encryption": {
325336
"enabled": "true|false"
326337
}
327338
}
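Review bot: the context line in the hunk header ("You can enable mTLS in the ARM template for Container Apps environments ...") still says mTLS while the property below is renamed to `peerTrafficConfiguration.encryption`; update that sentence to match. Also, `"enabled": "true|false"` presents the value as a JSON string, which could lead readers to pass the string "true"; if the property is a boolean, show `true` or `false` unquoted or mark it clearly as a placeholder. Finally, a renamed property usually implies a new API version, so state the minimum `apiVersion` that accepts `peerTrafficConfiguration`.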

articles/container-apps/troubleshooting.md

Lines changed: 1 addition & 1 deletion
@@ -90,7 +90,7 @@ Your container app's ingress settings are enforced through a set of rules that c
9090
| Is ingress enabled? | Verify the **Enabled** checkbox is checked. |
9191
| Do you want to allow external ingress? | Verify that **Ingress Traffic** is set to **Accepting traffic from anywhere**. If your container app doesn't listen for HTTP traffic, set **Ingress Traffic** to **Limited to Container Apps Environment**. |
9292
| Does your client use HTTP or TCP to access your container app? | Verify **Ingress type** is set to the correct protocol (**HTTP** or **TCP**). |
93-
| Does your client support mTLS? | Verify **Client certificate mode** is set to **Require** only if your client supports mTLS. For more information, see [Environment level network encryption.](./networking.md#mtls) |
93+
| Does your client support mTLS? | Verify **Client certificate mode** is set to **Require** only if your client supports mTLS. For more information, see [configure client certificate authentication.](./client-certificate-authorization.md) |
9494
| Does your client use HTTP/1 or HTTP/2? | Verify **Transport** is set to the correct HTTP version (**HTTP/1** or **HTTP/2**). |
9595
| Is the target port set correctly? | Verify **Target port** is set to the same port your container app is listening on, or the same port exposed by your container app's Dockerfile. |
9696
| Is your client IP address denied? | If **IP Security Restrictions Mode** isn't set to **Allow all traffic**, verify your client doesn't have an IP address that is denied. |
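Review bot: retargeting the link from `networking.md#mtls` to `client-certificate-authorization.md` is the right fix, since this row is about client certificate mode rather than environment-level encryption. As a style point, the link text "configure client certificate authentication." carries the trailing period inside the brackets; move the period outside the link and capitalize the link text ("Configure client certificate authentication").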

articles/container-apps/whats-new.md

Lines changed: 1 addition & 1 deletion
@@ -80,7 +80,7 @@ This article lists significant updates and new features available in Azure Conta
8080
| [Generally Available: Session affinity](./sticky-sessions.md) | Session affinity enables you to route all requests from a single client to the same Container Apps replica. This is useful for stateful workloads that require session affinity. |
8181
| [Generally Available: Azure Key Vault references for secrets](https://azure.microsoft.com/updates/generally-available-azure-key-vault-references-for-secrets-in-azure-container-apps/) | Azure Key Vault references enable you to source a container app’s secrets from secrets stored in Azure Key Vault. Using the container app's managed identity, the platform automatically retrieves the secret values from Azure Key Vault and injects it into your application's secrets. |
8282
| [Public preview: additional TCP ports](./ingress-overview.md#additional-tcp-ports) | Azure Container Apps now support additional TCP ports, enabling applications to accept TCP connections on multiple ports. This feature is in preview. |
83-
| [Public preview: environment level mTLS encryption](./networking.md#mtls) | When end-to-end encryption is required, mTLS will encrypt data transmitted between applications within an environment. |
83+
| [Public preview: environment level peer-to-peer encryption](./networking.md#peer-to-peer-encryption) | When end-to-end encryption is required, peer-to-peer encryption will encrypt data transmitted between applications within an environment. |
8484
| [Retirement: ACA preview API versions 2022-06-01-preview and 2022-11-01-preview](https://azure.microsoft.com/updates/retirement-azure-container-apps-preview-api-versions-20220601preview-and-20221101preview/) | Starting on November 16, 2023, Azure Container Apps control plane API versions 2022-06-01-preview and 2022-11-01-preview will be retired. Before that date, migrate to the latest stable API version (2023-05-01) or latest preview API version (2023-04-01-preview). |
8585
| [Dapr: Stable Configuration API](https://docs.dapr.io/developing-applications/building-blocks/configuration/) | Dapr's Configuration API is now stable and supported in Azure Container Apps. Learn how to do [Dapr integration with Azure Container Apps](./dapr-overview.md)|
8686
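Review bot: "Public preview" in line 83 conflicts with the networking.md heading in this PR, which dropped "(preview)"; align the two. The description "When end-to-end encryption is required ..." also overstates what the networking.md footnotes describe (inbound TLS is terminated at the ingress proxy and encrypted again inside the environment), so "encrypts traffic between applications within an environment" would be more accurate. Since this is a dated announcement entry, rewriting it silently may confuse readers who remember the original feature name; consider adding "(formerly mTLS)".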
