Frequently asked questions for Azure Virtual Network encryption

Here are some answers to common questions about using Azure Virtual Network encryption.

Can I enable virtual network encryption on an existing virtual network, virtual machine, network interface, or NSG?

Yes. For more information about enabling virtual network encryption on an existing virtual network, see Enable encryption.

How do I verify my data is encrypted?

During the public preview, encryption verification is limited to the status of the network interface resource: the vnetEncryptionSupported property and whether Accelerated Networking is enabled on the NIC. After public preview, virtual network flow logs can be used to see which flows between virtual machines are encrypted and which are not.
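Putting the two preceding answers together (enabling encryption on an existing virtual network, then verifying what the NIC reports), the following is an added example and not code from the Azure documentation. It uses the Azure CLI `az network vnet update` and `az network nic show` commands; the resource group, VNet and NIC names are placeholders, the `--encryption-enforcement-policy AllowUnencrypted` setting is a CLI option not discussed on this page (confirm it with `az network vnet update --help` for your CLI version), and the NIC JSON samples are constructed so the check logic runs offline.

```shell
#!/usr/bin/env bash
# Added example, not code from the Azure documentation. Enables virtual network
# encryption on an existing VNet with the Azure CLI and checks whether a NIC
# reports vnetEncryptionSupported with Accelerated Networking enabled.
# Resource group / VNet / NIC names are placeholders. The parsing helpers run
# against constructed JSON samples so the check logic can be exercised offline.
set -eu

RG="${RG:-my-rg}"
VNET="${VNET:-my-vnet}"
NIC="${NIC:-my-vm-nic}"

# Print the value of a JSON boolean ("key": true|false) read from stdin;
# prints "missing" when the key is absent. Deliberately jq-free.
json_bool() {
  local key="$1" val
  val=$(tr -d '\n' \
        | grep -oE "\"$key\"[[:space:]]*:[[:space:]]*(true|false)" \
        | head -n 1 | grep -oE '(true|false)$' || true)
  printf '%s\n' "${val:-missing}"
}

# Classify a NIC from `az network nic show -o json` on stdin. Encryption can
# only apply when the host supports it (vnetEncryptionSupported) AND the NIC
# has Accelerated Networking, so both are required for "encrypted-capable".
nic_encryption_state() {
  local doc supported accel
  doc=$(cat)
  supported=$(printf '%s' "$doc" | json_bool vnetEncryptionSupported)
  accel=$(printf '%s' "$doc" | json_bool enableAcceleratedNetworking)
  if [ "$supported" != "true" ]; then
    echo "unsupported-vm-size"          # host or VM SKU cannot offload
  elif [ "$accel" != "true" ]; then
    echo "needs-accelerated-networking" # fixable: enable it on the NIC
  else
    echo "encrypted-capable"
  fi
}

# Live step 1: enable encryption on the existing VNet. AllowUnencrypted keeps
# VMs on unsupported sizes reachable (their traffic stays in plaintext).
enable_vnet_encryption() {
  az network vnet update --resource-group "$RG" --name "$VNET" \
    --enable-encryption true \
    --encryption-enforcement-policy AllowUnencrypted \
    --query '{enabled:encryption.enabled, enforcement:encryption.enforcement}' \
    --output json
}

# Live step 2: verify the NIC resource, which is the only per-VM signal
# available during the preview.
check_nic_live() {
  az network nic show --resource-group "$RG" --name "$NIC" --output json \
    | nic_encryption_state
}

# Constructed samples in the shape of `az network nic show` output.
SAMPLE_NIC_OK='{"name": "my-vm-nic", "enableAcceleratedNetworking": true, "vnetEncryptionSupported": true}'
SAMPLE_NIC_NO_ACCEL='{"name": "legacy-nic", "enableAcceleratedNetworking": false, "vnetEncryptionSupported": true}'
SAMPLE_NIC_UNSUPPORTED='{"name": "small-nic", "enableAcceleratedNetworking": false, "vnetEncryptionSupported": false}'

if [ "${1:-}" = "--live" ]; then
  enable_vnet_encryption
  check_nic_live
else
  printf '%s' "$SAMPLE_NIC_OK" | nic_encryption_state   # encrypted-capable
fi
```

Run it with `--live` after `az login` to act on real resources; without arguments it only exercises the classifier on the constructed sample. A NIC that comes back as `needs-accelerated-networking` can be fixed in place; `unsupported-vm-size` means the VM has to move to a size that supports encryption, and until then its traffic is only carried because the enforcement policy allows unencrypted flows.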

Why are packets dropped in encrypted virtual networks, and how can I prevent it?

Fragmented packets are not offloaded to the hardware and are therefore dropped. To avoid this, configure your virtual machines with a network MTU of 1400. For encrypted virtual networks, also ensure the "Don't Fragment" (DF) flag is set: with DF set, packets exceeding the 1400-byte MTU are dropped rather than fragmented, so an oversized packet fails outright instead of being split into fragments that the host then discards.
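The following is an added example, not part of the Azure documentation, of how to audit and apply the 1400-byte MTU on a Linux VM and confirm that nothing larger gets through. It assumes Linux `ip` and iputils `ping` (whose `-M do` sets DF; BSD ping uses a different flag), a placeholder interface name and target address, and a constructed `ip -o link` sample so the audit function can run offline.

```shell
#!/usr/bin/env bash
# Added example, not from the Azure documentation: audit and fix VM MTU for an
# encrypted virtual network. The 1400 limit comes from the FAQ text; interface
# name and target address are placeholders; the `ip -o link` sample is constructed.
set -eu

MTU_LIMIT=1400

# Largest ICMP echo payload that fits in an IPv4 packet of the given MTU:
# MTU minus 20 bytes IPv4 header minus 8 bytes ICMP header.
icmp_payload_for_mtu() {
  echo $(( $1 - 28 ))
}

# Read `ip -o link` lines on stdin and print "<iface> <mtu>" for every
# non-loopback interface whose MTU is above the limit.
find_oversized_mtu() {
  awk -v limit="$1" '
    /mtu [0-9]+/ {
      iface = $2; sub(/:$/, "", iface); sub(/@.*/, "", iface)
      for (i = 1; i <= NF; i++) if ($i == "mtu") mtu = $(i + 1)
      if (iface != "lo" && mtu + 0 > limit + 0) print iface, mtu
    }'
}

# Live: lower the MTU on one interface and probe with DF set (-M do). The probe
# at exactly the limit must succeed; one byte over must fail locally with
# "message too long" rather than being fragmented on the wire.
set_mtu_and_probe() {
  local iface="$1" target="$2" payload
  sudo ip link set dev "$iface" mtu "$MTU_LIMIT"
  payload=$(icmp_payload_for_mtu "$MTU_LIMIT")
  ping -M do -c 3 -s "$payload" "$target"
  if ping -M do -c 1 -s $((payload + 1)) "$target" >/dev/null 2>&1; then
    echo "WARNING: oversize DF probe succeeded; MTU change did not take effect" >&2
    return 1
  fi
  echo "MTU $MTU_LIMIT confirmed on $iface (DF probe to $target)"
}

# Constructed sample in the shape of `ip -o link` output.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc mq state UP mode DEFAULT group default qlen 1000'

if [ "${1:-}" = "--live" ]; then
  ip -o link | find_oversized_mtu "$MTU_LIMIT"
  set_mtu_and_probe "${2:-eth0}" "${3:-10.0.0.5}"
else
  printf '%s\n' "$SAMPLE_IP_LINK" | find_oversized_mtu "$MTU_LIMIT"   # eth0 1500
fi
```

`ip link set ... mtu` is not persistent across reboots; make the same setting in whichever mechanism manages the VM's network configuration (the distribution's network configuration files or your image build) so the audit function keeps reporting nothing after the next boot.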

What certificate is used for the DTLS establishment on the Azure Host?

Microsoft creates and manages the certificates, with a separate certificate for each region. Customer-provided certificates are a feature on the roadmap.

What is the performance effect?

The effect on throughput and bandwidth is minimal, because the cryptographic operations are offloaded to a crypto-specialized FPGA. There is a small additional delay on the first connection between two virtual machines, because a tunnel (the DTLS session) needs to be established before traffic flows.

Is VPN gateway, Application gateway, Azure Firewall, or PaaS supported?

It depends on the underlying VM size that the service uses: that size must support virtual network encryption, and Accelerated Networking must be enabled.

Where is the encryption terminated?

The encryption is terminated at the SmartNIC/FPGA on the Azure Host.

Is asymmetric encryption supported for a scenario where one direction is encryption enabled and the reverse is encryption disabled?

Asymmetric encryption can happen when routing is asymmetric and traffic flows encrypted in one direction and unencrypted in the other. This configuration is not supported and is not recommended.