Add vnet encryption page

ronhogue · ronhogue · commit e8f81cc77453 · 2025-07-21T08:54:24.000-04:00
diff --git a/azure-managed-lustre/TOC.yml b/azure-managed-lustre/TOC.yml
@@ -48,6 +48,8 @@
       href: configure-network-security-group.md
     - name: Use customer-managed encryption keys
       href: customer-managed-encryption-keys.md
+    - name: Enable VNet encryption
+      href: vnet-encryption.md
 - name: Monitoring metrics and logs
   items:
     - name: Monitor a file system
diff --git a/azure-managed-lustre/index.yml b/azure-managed-lustre/index.yml
@@ -74,6 +74,8 @@ landingContent:
             url: configure-network-security-group.md
           - text: Use customer-managed encryption keys
             url: customer-managed-encryption-keys.md
+          - text: Enable VNet encryption
+            url: vnet-encryption.md
   - title: Self-paced learning
     linkLists:
       - linkListType: learn
diff --git a/azure-managed-lustre/vnet-encryption.md b/azure-managed-lustre/vnet-encryption.md
@@ -0,0 +1,95 @@
+---
+title: Enable and Validate VNet Encryption with Azure Managed Lustre
+description: Learn how to enable and test VNet encryption for the Azure Managed Lustre file system.
+ms.topic: how-to
+author: pauljewellmsft
+ms.author: pauljewell
+ms.reviewer: brianl
+ms.date: 07/18/2025
+ms.lastreviewed: 07/21/2023
+zone_pivot_groups: select-os
+---
+
+# Enable and Validate VNet Encryption with Azure Managed Lustre
+
+Azure Managed Lustre (AMLFS) supports Virtual Network (VNet) Encryption, enabling encryption of data in transit between AMLFS and client virtual machines (VMs). This feature is particularly valuable for customers in regulated industries such as finance, healthcare, and government, where data confidentiality is paramount.
+
+## How VNet Encryption Works
+
+VNet Encryption in Azure uses Datagram Transport Layer Security (DTLS) 1.2 to secure traffic at the network layer. Key characteristics include:
+
+- **Encryption Protocol**: DTLS 1.2 with AES-GCM-256 encryption.
+- **Key Exchange**: Session keys are negotiated using ECDSA certificates.
+- **Performance**: Encryption is offloaded to inline FPGAs on the VM host, ensuring high throughput and low latency.
+
+## Enable VNet Encryption for AMLFS
+
+To enable VNet Encryption with AMLFS:
+
+1. **Enable VNet Encryption on the virtual network** where AMLFS is deployed.  
+   Use the Azure CLI or portal to enable encryption on the VNet.  
+   Example CLI command:
+
+   ```bash
+   az network vnet update --name <vnet-name> --resource-group <rg-name> --enable-encryption true
+   ```
+
+1. Ensure Client VM Compatibility
+
+Only specific VM series support VNet Encryption:
+
+- Dsv6-series  
+- Ebsv5-series  
+
+> [!IMPORTANT]  
+> Unsupported VMs will not encrypt traffic, even if the VNet is encrypted.  
+> Existing VMs must be rebooted for encryption to be enabled.
+
+3. Deploy AMLFS into an Encrypted VNet
+
+You can deploy Azure Managed Lustre (AMLFS) into:
+
+- An encrypted VNet  
+- A peered VNet that also has encryption enabled  
+
+> [!NOTE]  
+> If you enable VNet Encryption on a VNet after deploying AMLFS, the cluster will not immediately support encrypted traffic.  
+> Encryption capability is activated only after a maintenance event and cluster reboot.  
+> Refer to the AMLFS maintenance window documentation for guidance on scheduling and managing updates.
+
+## Enforcement Mode
+
+Azure currently supports only the `AllowUnencrypted` enforcement mode:
+
+- Unencrypted traffic is still allowed, even when VNet Encryption is enabled.
+- The stricter `DropUnencrypted` mode is not generally available and requires special feature registration.
+
+## Validate Encrypted Traffic
+
+To confirm that traffic between AMLFS and client VMs is encrypted:
+
+1. **Use Azure Network Watcher**  
+   - Enable Network Watcher in the region.  
+   - Use packet capture on the client VM to inspect traffic headers.  
+   - Encrypted traffic will show DTLS encapsulation.
+
+1. **Run Diagnostic Reports**  
+   - Use Azure Monitor or custom scripts to validate encrypted traffic paths.  
+   - Check VM metrics and logs for encryption status indicators.
+
+1. **Check VM Capabilities**  
+   Use the following command to verify if a VM supports VNet Encryption:
+
+   ```bash
+   az vm show --name <vm-name> --resource-group <rg-name> --query "storageProfile.osDisk.managedDisk.encryptionSettingsCollection"
+   ```
+
+> [!TIP]
+> For more information on verifying encryption, understanding performance impact, and managing certificate handling, see the #.
+
+## Caveats and Limitations
+
+- **Encryption enforcement**: AMLFS does not enforce encryption; it relies on the configuration of the VNet and VM.
+- **Unsupported VMs**: Traffic from unsupported VM series remains unencrypted, even if VNet Encryption is enabled.
+- **Firewall visibility**: Azure Firewall cannot inspect traffic encrypted at the network layer.
+- **Enforcement mode**: The `DropUnencrypted` mode is not generally available (GA) and must be explicitly enabled via feature registration.
