Azure Virtual Network Encryption

What is Azure Virtual Network Encryption?

Azure Virtual Network encryption provides a layer of security that encrypts virtual network traffic, specifically between Azure Virtual Machines that communicate securely within a subnet or across different subnets. It utilizes the industry-standard IPsec (Internet Protocol Security) encryption protocol to create secure pathways for data transmission. This encryption process ensures that all data exchanged over your network remains private and protected from unauthorized access or interception.

Key Features:

• Encryption in Transit: Azure VNet encryption focuses on securing data as it moves between virtual machines, regardless of whether they reside within the same VNet or in peered VNets.
• Support for Standard Protocols: Leveraging IPsec, a tried and tested networking protocol, helps in maintaining compatibility and security standards.
• Integrated Management: Encryption settings are managed centrally through the Azure portal, allowing for streamlined setup and maintenance without the need for specialized hardware.

What Can You Do with Azure Virtual Network Encryption?

Implementing Azure VNet encryption allows organizations to:

• Secure Sensitive Data: Encrypt sensitive or regulated data as it moves within the cloud, ensuring compliance with privacy standards and regulations such as GDPR, HIPAA, or PCI-DSS.
• Enhance Data Security: Protect against potential threats like data sniffing and interception carried out by malicious actors within the cloud environment.
• Network Segmentation: Securely segment networks by encrypting traffic moving between different parts of your cloud environment, such as between production and development environments within Azure.

Why Would You Use Azure Virtual Network Encryption?

Compliance and Regulatory Requirements:

Many industries are bound by stringent regulatory requirements that mandate the protection of data in transit. Azure VNet encryption helps organizations meet these requirements by providing a robust mechanism to secure network traffic using encryption standards recognized globally.

Enhanced Security Posture:

With the increasing sophistication of cyber threats, securing internal network traffic is as crucial as protecting data at rest and in transit to and from the cloud. Azure VNet encryption enhances your overall security posture by adding an extra layer of security within your cloud environment, helping protect against internal and external threats.

Using Azure VNet encryption gives businesses peace of mind, knowing that their internal communications are not visible to external parties. This is especially important in scenarios where you are deploying virtual machines that handle sensitive data that could be vulnerable during transmission.

How to Implement Azure Virtual Network Encryption

Implementing Azure Virtual Network encryption requires careful consideration of the prerequisites to ensure that your virtual machines (VMs) and network configurations are compatible and optimally set up for encryption. Here’s a detailed look at the requirements and a step-by-step guide on how to enable encryption for your Azure VNet.

Requirements for Azure Virtual Network Encryption for Virtual Machines

Before you begin implementing Azure VNet encryption, ensure that your setup meets the following requirements:

1. Supported VM Instance Sizes:
   • Encryption is supported on certain Azure VM sizes that are generally from the general-purpose and memory-optimized categories. Supported series include D-series, D-series V5, E-series, E-series V5, LSv3, and M-series VMs.
2. Accelerated Networking:
   • This feature must be enabled on the network interface of each VM involved in the encrypted communication. Accelerated Networking enhances the performance by reducing latency, jitter, and CPU utilization on the network interface.
3. Encryption Scope:
   • The encryption covers traffic between VMs within an Azure VNet. Specifically, it applies to traffic where both the source and destination addresses are private IP addresses within the virtual network.
4. Global Peering:
   • Supported in conjunction with encryption in regions where both features are available. Global peering enables seamless network connectivity across different Azure regions, facilitating encrypted communications over broader geographic areas.
5. Start/Stop of VMs:
   • Once you enable encryption in a virtual network, you must restart any existing VMs to ensure they utilize the new encryption configuration.
6. Traffic to Unsupported VMs:
   • Traffic to or from VMs that do not meet the encryption requirements remains unencrypted. It’s essential to use Azure Virtual Network Flow Logs to verify whether the traffic flow between specific VMs is encrypted.

Step-by-Step Guide to Enabling Azure Virtual Network Encryption for Virtual Machines

1. Verify VM Compatibility:
   • Check that your VMs are of the supported sizes and configurations for encryption.
2. Enable Accelerated Networking:
   • Go to the Azure portal, find the Network Interfaces associated with the VMs, and ensure Accelerated Networking is enabled. This setting is typically available under the ‘Networking’ tab of the network interface properties.
3. Configure Virtual Network Settings:
   • Navigate to the settings of your Virtual Network. Under the ‘Security’ section, find the option to enable encryption for the subnet or the entire VNet as required.
4. Set Up Global Peering (if applicable):
   • If your deployment spans multiple regions, set up global peering by going to the ‘Peering’ settings in your VNet configuration and enable encryption across the peered networks.
5. Restart Your VMs:
   • After enabling the encryption settings, restart your VMs to apply the new network security configurations.
6. Verify Encryption:
   • Use Azure Virtual Network Flow Logs to check and confirm that the traffic between your VMs is indeed encrypted. This step is crucial to ensure that your data is protected as intended.

For the IaC/Bicep people like me, here is an example on how to enable the accelerated networking:

param location string = 'westeurope'
param vmSize string = 'Standard_D2s_v3' // Example VM size that supports Accelerated Networking
param adminUsername string
param adminPassword string

resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
  name: 'myVNet'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    subnets: [
      {
        name: 'subnet1'
        properties: {
          addressPrefix: '10.0.1.0/24'
        }
      }
      {
        name: 'subnet2'
        properties: {
          addressPrefix: '10.0.2.0/24'
        }
      }
    ]
  }
}

resource nic1 'Microsoft.Network/networkInterfaces@2022-01-01' = {
  name: 'vm1-nic'
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: {
            id: virtualNetwork.properties.subnets[0].id
          }
          privateIPAllocationMethod: 'Dynamic'
        }
      }
    ]
    enableAcceleratedNetworking: true
  }
}

resource nic2 'Microsoft.Network/networkInterfaces@2022-01-01' = {
  name: 'vm2-nic'
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: {
            id: virtualNetwork.properties.subnets[1].id
          }
          privateIPAllocationMethod: 'Dynamic'
        }
      }
    ]
    enableAcceleratedNetworking: true
  }
}

resource vm1 'Microsoft.Compute/virtualMachines@2022-01-01' = {
  name: 'vm1'
  location: location
  properties: {
    hardwareProfile: {
      vmSize: vmSize
    }
    storageProfile: {
      imageReference: {
        publisher: 'MicrosoftWindowsServer'
        offer: 'WindowsServer'
        sku: '2019-Datacenter'
        version: 'latest'
      }
    }
    osProfile: {
      computerName: 'vm1'
      adminUsername: adminUsername
      adminPassword: adminPassword
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: nic1.id
        }
      ]
    }
  }
}

resource vm2 'Microsoft.Compute/virtualMachines@2022-01-01' = {
  name: 'vm2'
  location: location
  properties: {
    hardwareProfile: {
      vmSize: vmSize
    }
    storageProfile: {
      imageReference: {
        publisher: 'MicrosoftWindowsServer'
        offer: 'WindowsServer'
        sku: '2019-Datacenter'
        version: 'latest'
      }
    }
    osProfile: {
      computerName: 'vm2'
      adminUsername: adminUsername
      adminPassword: adminPassword
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: nic2.id
        }
      ]
    }
  }
}

VNet and Subnets: The template creates a virtual network (myVNet) with two subnets (subnet1 and subnet2).

Network Interfaces: Two network interfaces (nic1 and nic2) are created with Accelerated Networking enabled.

Virtual Machines: Two VMs (vm1 and vm2) are deployed into these subnets. The VMs are configured with Windows Server 2019 Datacenter edition.

Implementing Azure Virtual Network Encryption for Application Gateway and App Service Environment

While Azure Virtual Network (VNet) encryption is primarily known for securing traffic between virtual machines (VMs), it’s also relevant for other compute resources like Azure Application Gateway and Azure App Service Environment. Here’s how you can ensure these services are integrated securely with encrypted network traffic within your Azure environment.

Application Gateway

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Though the gateway itself does not directly support VNet encryption in the same way VMs do, you can secure its communications within a VNet through proper network design and configuration.

Requirements:

• VNet Integration: Application Gateway must be deployed within a virtual network.
• Subnet Configuration: Dedicated subnet within the VNet specifically for Application Gateway.
• SSL Termination: Configuration of SSL termination at the Application Gateway for secure HTTPS traffic management.

Steps to Secure Application Gateway:

1. Deploy Application Gateway in a VNet:
   • Ensure that the Application Gateway is deployed within a dedicated subnet of your Azure VNet.
2. Configure SSL Termination:
   • Set up SSL termination at the Application Gateway to handle SSL/TLS encryption, ensuring that encrypted HTTPS traffic is managed effectively.
3. Monitor and Secure Traffic:
   • Utilize Azure Monitor and Network Watcher to inspect and log the traffic to ensure that it complies with your security and compliance requirements.

App Service Environment

Azure App Service Environment (ASE) provides a fully isolated and dedicated environment for securely running Azure App Services. Encryption within an ASE can be configured to ensure that network traffic remains secure.

Requirements:

• VNet Integration: ASE must be deployed within an Azure VNet.
• IPsec Encryption: For ASEs that communicate with resources in other VNets or on-premises networks, IPsec VPN or ExpressRoute with Microsoft peering configured for encryption can be used.

Steps to Secure App Service Environment:

1. Deploy ASE within a VNet:
   • Ensure that your ASE is deployed within a VNet, providing isolation and the ability to leverage VNet features such as network security groups and route tables.
2. Configure IPsec Encryption:
   • If your ASE needs to connect to remote networks, configure IPsec VPNs or use ExpressRoute with encryption to securely link your ASE with these networks.
3. Implement Network Security Controls:
   • Use network security groups (NSGs) and application gateway WAF (Web Application Firewall) policies to further secure and manage the flow of traffic to and from your ASE.
4. Monitor Traffic:
   • Regularly monitor the traffic using tools like Azure Monitor and Network Watcher to ensure that all communications are secure and meet compliance requirements.

For the IaC/Bicep people like me, here is an example on how to enable the accelerated networking:

param location string = 'westeurope'
param skuSize string = 'Standard_F1'  // Adjust as necessary for your use case
param gatewaySubnetAddressPrefix string = '10.0.0.0/24'
param appServiceSubnetAddressPrefix string = '10.0.1.0/24'

resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
  name: 'aiAppVNet'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    subnets: [
      {
        name: 'GatewaySubnet'  // This name is required for Application Gateway
        properties: {
          addressPrefix: gatewaySubnetAddressPrefix
        }
      },
      {
        name: 'AppServiceSubnet'
        properties: {
          addressPrefix: appServiceSubnetAddressPrefix
          serviceEndpoints: [
            {
              service: 'Microsoft.Web'
            }
          ]
        }
      }
    ]
  }
}

resource applicationGateway 'Microsoft.Network/applicationGateways@2022-01-01' = {
  name: 'aiAppGateway'
  location: location
  properties: {
    sku: {
      name: 'Standard_v2'
      tier: 'Standard_v2'
    }
    gatewayIPConfigurations: [
      {
        name: 'appGatewayIpConfig'
        properties: {
          subnet: {
            id: virtualNetwork.properties.subnets[0].id
          }
        }
      }
    ]
    frontendIPConfigurations: [
      {
        name: 'appGatewayFrontendIp'
        properties: {
          publicIPAddress: {
            id: publicIpAddress.id
          }
        }
      }
    ]
    frontendPorts: [
      {
        name: 'appGatewayFrontendPort'
        properties: {
          port: 80
        }
      }
    ]
    backendAddressPools: [
      {
        name: 'appGatewayBackendPool'
        properties: {
          backendAddresses: []
        }
      }
    ]
    backendHttpSettingsCollection: [
      {
        name: 'appGatewayBackendHttpSettings'
        properties: {
          port: 80
          protocol: 'Http'
          cookieBasedAffinity: 'Disabled'
        }
      }
    ]
    httpListeners: [
      {
        name: 'appGatewayHttpListener'
        properties: {
          frontendIPConfiguration: {
            id: applicationGateway.properties.frontendIPConfigurations[0].id
          }
          frontendPort: {
            id: applicationGateway.properties.frontendPorts[0].id
          }
          protocol: 'Http'
        }
      }
    ]
    requestRoutingRules: [
      {
        name: 'rule1'
        properties: {
          ruleType: 'Basic'
          httpListener: {
            id: applicationGateway.properties.httpListeners[0].id
          }
          backendAddressPool: {
            id: applicationGateway.properties.backendAddressPools[0].id
          }
          backendHttpSettings: {
            id: applicationGateway.properties.backendHttpSettingsCollection[0].id
          }
        }
      }
    ]
  }
  dependsOn: [
    publicIpAddress
  ]
}

resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2022-01-01' = {
  name: 'aiAppPublicIp'
  location: location
  properties: {
    publicIPAllocationMethod: 'Dynamic'
  }
}

resource appServicePlan 'Microsoft.Web/serverfarms@2021-02-01' = {
  name: 'aiAppServicePlan'
  location: location
  properties: {
    reserved: false  // Set to true for Linux
    sku: {
      name: skuSize
    }
  }
}

resource appService 'Microsoft.Web/sites@2021-02-01' = {
  name: 'aiAppService'
  location: location
  properties: {
    serverFarmId: appServicePlan.id
    clientAffinityEnabled: false
  }
  dependsOn: [
    appServicePlan
  ]
}

Virtual Network: Sets up a VNet with two subnets, one for the Application Gateway and another for the App Service.

Application Gateway: Configured with a public IP, listens on HTTP port 80, and routes traffic to the backend pool (which you would configure to include your App Service).

Public IP Address: Necessary for accessing the Application Gateway externally.

App Service Plan and App Service: Hosts your application, which could be a GPT model or any other application. The service plan is configured with a specific SKU size.

Wrap-Up and Conclusion

Azure Virtual Network Encryption Now Globally Available which makes Azure Virtual Network encryption is a strategic step for securing your cloud infrastructure and ensuring that sensitive data transmitted between your compute resources remains protected. As we’ve explored in this blog, Azure provides robust tools and features to encrypt network traffic, not just for virtual machines but also across various services including Application Gateway and App Service Environment.

Key Takeaways:

1. Enhanced Security: Azure VNet encryption secures traffic between VMs, using industry-standard protocols like IPsec, to provide both privacy and protection against potential cyber threats.
2. Regulatory Compliance: By implementing encryption, organizations can meet stringent compliance requirements that mandate the protection of data in transit, thus aligning with global security standards.
3. Flexible Implementation: Azure offers the flexibility to implement VNet encryption across a variety of services and setups, ensuring that even complex architectures like those involving Application Gateways and App Services are covered.

Strategic Implementation:

While the technical details and requirements might seem daunting at first, the process of setting up VNet encryption is straightforward with Azure’s tools and interfaces. From setting up VMs with Accelerated Networking to configuring Application Gateways with integrated WAF for additional security, Azure makes it easier to deploy a secure and compliant environment.