Merge pull request #301935 from khdownie/kendownie062625

EiT for NFS GA

Author: v-ccolin

articles/storage/files/encryption-in-transit-for-nfs-shares.md

@@ -1,10 +1,10 @@
 ---
-title: How to Encrypt Data in Transit for NFS shares (preview)
+title: How to Encrypt Data in Transit for NFS shares
 description: This article explains how you can encrypt data in transit (EiT) for NFS Azure file shares by using a TLS channel.
 author: guptasonia
 ms.service: azure-file-storage
 ms.topic: how-to
-ms.date: 06/11/2025
+ms.date: 06/27/2025
 ms.author: kendownie
 ms.custom:
   - devx-track-azurepowershell
@@ -13,15 +13,11 @@ ms.custom:
 # Customer intent: As a network administrator, I want to securely encrypt data in transit for NFS Azure file shares using TLS, so that I can protect sensitive information from interception and ensure data confidentiality without complex network security or authentication setups.
 ---
 
-# Encryption in transit for NFS Azure file shares (preview)
+# Encryption in transit for NFS Azure file shares
 
-This article explains how you can encrypt data in transit for NFS Azure file shares.
+This article explains how you can encrypt data in transit for NFS Azure file shares. Azure Files NFS v4.1 volumes enhance network security by enabling secure TLS connections, protecting data in transit from interception, including MITM attacks.
 
-> [!IMPORTANT]
-> - Encryption in transit for Azure file shares NFS v4.1 is currently in **preview**. 
-> - See the [Preview Terms Of Use | Microsoft Azure](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-
-Azure Files NFS v4.1 volumes enhance network security by enabling secure TLS connections, protecting data in transit from interception, including MITM attacks.
+## Overview
 
 Using [Stunnel](https://www.stunnel.org/), an open-source TLS wrapper, Azure Files encrypts the TCP stream between the NFS client and Azure Files with strong encryption using AES-GCM, without needing Kerberos. This ensures data confidentiality while eliminating the need for complex setups or external authentication systems like Active Directory.
 
@@ -33,15 +29,25 @@ The [AZNFS](https://github.com/Azure/AZNFS-mount) utility package simplifies enc
 
 - **AZNFS watchdog**: The AZNFS package runs a background job that ensures stunnel processes are running, automatically restarts terminated tunnels, and cleans up unused processes after all associated NFS mounts are unmounted.
 
-## Supported regions
+> [!IMPORTANT]
+>
+> AZNFS supported Linux distributions are:
+>
+> - Ubuntu (18.04 LTS, 20.04 LTS, 22.04 LTS, 24.04 LTS)
+> - Centos7, Centos8
+> - RedHat7, RedHat8, RedHat9
+> - Rocky8, Rocky9
+> - SUSE (SLES 15)
+> - Oracle Linux
+> - Alma Linux
 
-All regions that support Azure Premium Files now support encryption in transit.
+## Supported regions
 
+EiT is now Generally Available (GA) in all regions that support Azure Premium Files except China North3, New Zealand North, West Europe, US East2, US Central, US South and Korea Central. These remaining regions are currently running preview. You must register your subscription per the instructions below to use EiT in the preview regions.
 
-## Register for preview
+### Register for preview (not needed for GA regions)
 
-To enable encryption in transit for your NFS shares, you must register for the preview feature.
-
+To enable encryption in transit for your storage accounts and NFS shares in the preview regions (China North3, New Zealand North, West Europe, US East2, US Central, US South, and Korea Central), you must register for the preview. **No registration is needed in the GA regions.**
 
 ### [Portal](#tab/azure-portal)
 
@@ -72,16 +78,28 @@ az feature register --name AllowEncryptionInTransitNFS4 --namespace Microsoft.St
 
 ## Enforce encryption in transit
 
-By enabling the **Secure transfer required** setting on the storage account, you can ensure that all the mounts to the NFS volumes in the storage account are encrypted.
+By enabling the **Secure transfer required** setting on the storage account, you can ensure that all the mounts to the NFS volumes in the storage account are encrypted. EiT can be enabled on both new and existing storage accounts and NFS Azure file shares. There is no additional cost for enabling EiT.
 
 :::image type="content" source="./media/encryption-in-transit-nfs-shares/storage-account-settings.png" alt-text="Screenshot showing how to enable Secure transfer on a storage account." lightbox="./media/encryption-in-transit-nfs-shares/storage-account-settings.png":::
 
 However, for users who prefer to maintain flexibility between TLS and non-TLS connections on the same storage account, the **Secure transfer** setting must remain OFF.
- 
-## How to encrypt data in transit for NFS shares (preview)
- 
+
+## Encrypt data in transit for NFS shares
+
+You can encrypt data in transit for NFS Azure file shares by using the Azure portal or Azure CLI.
+
+### Encrypt data in transit for NFS shares using the Azure portal
+
+Azure portal offers a step-by-step, ready-to-use installation script tailored to your selected Linux distribution for installing the AZNFS mount helper package. Once installed, you can use the provided AZNFS mount script to securely mount the NFS share, establishing an encrypted transmission channel between the client and the server.
+
+:::image type="content" source="./media/encryption-in-transit-nfs-shares/mount-using-encryption-in-transit.png" alt-text="Screenshot showing AZNFS mount instructions in the Azure portal." lightbox="./media/encryption-in-transit-nfs-shares/mount-using-encryption-in-transit.png":::
+
+Users who prefer to maintain flexibility in having TLS and non-TLS connections on the same storage account should ensure that the *Secure transfer required* setting remains disabled.
+
+### Encrypt data in transit for NFS shares using Azure CLI
+
 Follow these steps to encrypt data in transit:
- 
+
 1. Ensure the required AZNFS mount helper package is installed on the client.
 1. Mount the NFS file share with TLS encryption.
 1. Verify that the encryption of data succeeded.
@@ -142,17 +160,6 @@ sudo yum install -y aznfs
 ```
 ---
 
-> [!IMPORTANT]
->
-> AZNFS supported Linux distributions are:
->
-> - Ubuntu (18.04 LTS, 20.04 LTS, 22.04 LTS, 24.04 LTS) 
-> - Centos7, Centos8 
-> - RedHat7, RedHat8, RedHat9 
-> - Rocky8, Rocky9 
-> - SUSE (SLES 15) 
-> - Oracle Linux
-> - Alma Linux
 
 ### Step 2: Mount the NFS file share
 
@@ -190,7 +197,7 @@ To have the share **mounted automatically on reboot**, create an entry in the `/
 
 Run the command `df -Th`.
 
-:::image type="content" source="./media/encryption-in-transit-nfs-shares/powershell-capture.png" alt-text="Diagram showing the Powershell screen to test if EiT is applied." lightbox="./media/encryption-in-transit-nfs-shares/powershell-capture.png":::
+:::image type="content" source="./media/encryption-in-transit-nfs-shares/powershell-capture.png" alt-text="Diagram showing the PowerShell screen to test if EiT is applied." lightbox="./media/encryption-in-transit-nfs-shares/powershell-capture.png":::
 
 It indicates that the client is connected through the local port 127.0.0.1, not an external network. The **stunnel** process listens on 127.0.0.1 (localhost) for incoming NFS traffic from the NFS client. Stunnel then **intercepts** this traffic and securely forwards it over **TLS** to the Azure Files NFS server on Azure.
 
@@ -217,6 +224,8 @@ To resolve this issue, remount the share using the clean option, which immediate
 sudo mount -t aznfs <storage-account-name>.file.core.windows.net:/<storage-account-name>/<share-name> /mount/<storage-account-name>/<share-name> -o vers=4,minorversion=1,sec=sys,nconnect=4,notls,clean
 ```
 
+If a VM is **custom domain joined**, use custom DNS FQDN or short names for file share in `/etc/fstab` as defined in the DNS. To verify the hostname resolution, check using `nslookup <hostname>` and `getent host <hostname>` commands. Before running the mount command, ensure that the environment variable `AZURE_ENDPOINT_OVERRIDE` is set.
+
 If mounting issues continue, check the log files for more troubleshooting details:
 
 - **Mount Helper and Watchdog Logs**: `/opt/microsoft/aznfs/data/aznfs.log`