Azure Managed Lustre (AMLFS) supports Virtual Network (VNet) Encryption, enabling encryption of data in transit between AMLFS and client virtual machines (VMs). This feature is valuable for customers in regulated industries such as finance, healthcare, and government, where data confidentiality is paramount.
How VNet Encryption Works
VNet Encryption in Azure uses Datagram Transport Layer Security (DTLS) 1.2 to secure traffic at the network layer. Key characteristics include:
- Encryption Protocol: DTLS 1.2 with AES-GCM-256 encryption.
- Key Exchange: Session keys are negotiated using ECDSA certificates.
- Performance: Encryption is offloaded to inline FPGAs on the VM host, ensuring high throughput and low latency.
Enable VNet Encryption for AMLFS
To enable VNet Encryption with AMLFS:
Enable VNet Encryption on the virtual network where AMLFS is deployed.
Use the Azure CLI or portal to enable encryption on the VNet.
Example CLI command:
az network vnet update --name <vnet-name> --resource-group <rg-name> --enable-encryption true
Ensure Client VM Compatibility
Azure supports VNet Encryption only on specific VM series. Traffic from unsupported VMs isn't encrypted, even when the VNet itself is encrypted. See the Azure Virtual Network encryption requirements for the list of VM SKUs that support encryption.
Existing VMs must be rebooted for encryption to be enabled.
Deploy AMLFS into an Encrypted VNet
You can deploy Azure Managed Lustre (AMLFS) into:
- An encrypted VNet
- A peered VNet that also has encryption enabled
Note
If you enable VNet Encryption on a VNet after deploying AMLFS, the cluster won't immediately support encrypted traffic. Encryption capability is activated only after a maintenance event and cluster reboot.
Refer to the AMLFS maintenance window documentation for guidance on scheduling and managing updates.
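The following script is an added example, not part of the original article or the AMLFS product. It packages the pre-flight check a practitioner would run before relying on encrypted traffic: read the VNet's encryption settings and report whether encryption is enabled and which enforcement policy applies (AllowUnencrypted still permits plaintext from unsupported or un-rebooted VMs). The JSON shape (an encryption object with enabled and enforcement keys) is the one az network vnet show returns as I know it; SAMPLE_VNET_ENCRYPTION is a constructed stand-in so the script runs offline, and the az commands in the comments show where the real data would come from.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight check of a VNet's
# encryption configuration before deploying or relying on AMLFS encrypted traffic.
#
# In real use the JSON below comes from the Azure CLI:
#   az network vnet show --name <vnet-name> --resource-group <rg-name> \
#       --query encryption -o json
# and encryption is switched on (and, where registered, enforced) with:
#   az network vnet update --name <vnet-name> --resource-group <rg-name> \
#       --enable-encryption true [--encryption-enforcement-policy AllowUnencrypted]
#
# SAMPLE_VNET_ENCRYPTION is a constructed stand-in so the script runs offline.
SAMPLE_VNET_ENCRYPTION='{
  "enabled": true,
  "enforcement": "AllowUnencrypted"
}'

# json_field JSON KEY -> prints the scalar value of KEY (string or boolean).
# Deliberately uses only sed so it works on a minimal client VM without jq.
json_field() {
  printf '%s\n' "$1" | tr -d '\n' \
    | sed -En "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"?([A-Za-z0-9]+)\"?.*/\1/p"
}

# vnet_encryption_status JSON -> prints one of:
#   disabled                  encryption is off; every flow is plaintext
#   enabled:AllowUnencrypted  encryption on, but plaintext is still accepted
#                             (unsupported VM series, VMs not yet rebooted)
#   enabled:DropUnencrypted   encryption on and enforced (feature registration
#                             required per the article)
#   enabled:unknown           enabled but no enforcement field was returned
vnet_encryption_status() {
  enabled=$(json_field "$1" enabled)
  if [ "$enabled" != "true" ]; then
    echo "disabled"
    return 0
  fi
  enforcement=$(json_field "$1" enforcement)
  echo "enabled:${enforcement:-unknown}"
}

# Human-readable verdict for an operator: exit status 1 means "do not assume
# confidentiality on the wire yet", which is the case for AllowUnencrypted too.
report_vnet_encryption() {
  status=$(vnet_encryption_status "$1")
  case "$status" in
    enabled:DropUnencrypted)
      echo "OK: VNet Encryption enabled and enforced ($status)"; return 0 ;;
    enabled:*)
      echo "WARN: VNet Encryption enabled but unencrypted traffic is still allowed ($status)."
      echo "      Verify client VM SKUs and reboot existing VMs; AMLFS picks up encryption"
      echo "      only after its next maintenance event and cluster reboot."
      return 1 ;;
    *)
      echo "FAIL: VNet Encryption is not enabled on this VNet"; return 1 ;;
  esac
}

report_vnet_encryption "$SAMPLE_VNET_ENCRYPTION"
```

Because the only generally available mode is AllowUnencrypted, the script treats "enabled" as a warning rather than a pass: the VNet setting alone does not prove any particular flow is encrypted, which is why the packet-capture check in the validation section still matters.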
Enforcement Mode
Azure currently supports only the AllowUnencrypted enforcement mode:
- Unencrypted traffic is still allowed, even when VNet Encryption is enabled.
- The stricter DropUnencrypted mode isn't generally available and requires special feature registration.
Validate Encrypted Traffic
To confirm that traffic between AMLFS and client VMs is encrypted:
Use Azure Network Watcher
- Enable Network Watcher in the region.
- To inspect traffic headers, use packet capture on the client VM.
- Encrypted traffic shows DTLS encapsulation.
Run Diagnostic Reports
- Use Azure Monitor or custom scripts to validate encrypted traffic paths.
- Check VM metrics and logs for encryption status indicators.
Check VM Capabilities
Use the following command to verify whether a VM supports VNet Encryption:
az vm show --name <vm-name> --resource-group <rg-name> --query "storageProfile.osDisk.managedDisk.encryptionSettingsCollection"
Tip
For more information on verifying encryption, understanding performance impact, and managing certificate handling, see the FAQ for Azure Virtual Network encryption.
Caveats and Limitations
- Encryption enforcement: AMLFS doesn't enforce encryption; it relies on the configuration of the VNet and VM.
- Unsupported VMs: Traffic from unsupported VM series remains unencrypted, even if VNet Encryption is enabled.
- Firewall visibility: Azure Firewall can't inspect traffic encrypted at the network layer.
- Enforcement mode: The DropUnencrypted mode isn't generally available (GA) and must be explicitly enabled via feature registration.
Next steps
To learn more about Azure encryption, see the following articles: