VNET encryption and Azure Firewall

JeanSebastien NAHON 0 Reputation points
2025-04-11T07:39:28.6366667+00:00

Hello everyone,

I have a question. We have set up VNET encryption on all our VNET.

We have set up Azure firewall to allow only the necessary flows between the different VNET.

But I have seen on the page "What is Azure Virtual Network encryption?" in the "limitations" section that VNET encryption was not supported with Azure Firewall. So my question is: is it really working?

Is my network traffic encrypted? Is my firewall completely blind and actually filtering nothing?

What is happening, basically?

Thanks


3 answers

  1. Shravan Addagatla 540 Reputation points Microsoft External Staff
    2025-04-11T08:51:36.73+00:00

    Hi JeanSebastien NAHON

    Yes, you are correct. Azure Virtual Network encryption is intended to encrypt traffic between virtual machines within a virtual network, but it does not support Azure DNS Private Resolver, Application Gateway, and Azure Firewall.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-encryption-overview#limitations

    • Traffic between VMs in the same VNET is encrypted. However, when traffic passes through Azure Firewall, encryption may not be applied because Azure Firewall does not support Virtual Network encryption.

    Additionally, the Azure firewall filters traffic based on your set rules, but it does not decrypt or inspect encrypted traffic. If encryption is applied before traffic reaches the firewall, it may not enforce rules effectively.

    • If deep packet inspection is required, please explore alternative security solutions that offer encrypted traffic analysis at this time.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-encryption-faq

    Use Virtual Network Flow Logs to verify if traffic is encrypted between VMs.

    If you would like to request this feature, please post it in the Azure feedback. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

    Azure Networking Feedback Forum · Community


    Please add a comment below if you have any further questions.


  2. Luis Arias 8,516 Reputation points
    2025-04-11T08:57:30.36+00:00

    Hello JeanSebastien,

    Welcome to Q&A. Here I am responding to your questions one by one:

    • Is it really working? Yes, Virtual Network encryption is probably doing its job by encrypting traffic between virtual machines. But there's a catch: Azure Firewall isn't totally on board with this encryption setup, so it might not work perfectly when dealing with encrypted traffic. (As mentioned in the documentation, Azure Firewall has limitations in handling encrypted traffic from Virtual Network encryption: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-encryption-overview)

    Virtual networks with encryption enabled don't support Azure DNS Private Resolver, Application Gateway, and Azure Firewall.

    • Is my network traffic encrypted? If you've got Virtual Network encryption turned on, then yes, your traffic is encrypted. You can double-check by looking at your Virtual Network flow logs. Those will tell you if encryption is happening like it's supposed to. (https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-overview)
    • Is my firewall completely blind and actually filters nothing? Kind of, yes. Azure Firewall can't peek at encrypted traffic to filter or inspect it properly. (https://learn.microsoft.com/en-us/azure/firewall/firewall-known-issues)
    • What is happening basically? Here's the breakdown:
      1. Your Virtual Network encryption ensures traffic is encrypted at the network layer between virtual machines.
      2. Azure Firewall Premium's TLS inspection can decrypt and inspect application-layer encrypted traffic (TLS), but it cannot inspect network-layer encrypted traffic (Virtual Network encryption).
      3. As a result, while traffic is encrypted, Azure Firewall is unable to filter Virtual Network encryption traffic effectively, which may create security gaps. For a solution that meets both needs, you might need to consider additional configurations or workarounds, such as disabling Virtual Network encryption for traffic that requires firewall inspection.

    Additional references:

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    Regards,

    Luis


  3. Abdelaziz Khajour 235 Reputation points Microsoft Employee
    2025-04-11T08:57:41.1+00:00

    Hello JeanSebastien NAHON

    Azure Virtual Network Encryption allows you to encrypt traffic between virtual machines and Virtual Machine Scale Sets within the same virtual network. It also encrypts traffic between regionally and globally peered virtual networks.

    Is Azure Firewall supported? It depends on the underlying VM size that the PaaS uses, and it requires Accelerated Networking to be enabled.

    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-encryption-faq#is-vpn-gateway--application-gateway--azure-firewall--or-paas-supported

    You can use virtual network flow logs to see the encrypted and unencrypted flows between virtual machines.

    I hope this is helpful. Please accept the answer if so.

    Abdelaziz

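All three answers point the asker at Virtual Network flow logs to see whether a given flow was actually encrypted. The script below is an added example, not code from any of the posters or from Microsoft: it reads a VNet flow log JSON document and tallies flows by their per-flow encryption status, listing the unencrypted ones with their reason code so you can see which peers or paths (for example a hop through a firewall) fell back to cleartext. The record layout (`flowRecords.flows[].flowGroups[].flowTuples[]`), the position of the encryption field inside each comma-separated tuple, and the status values (`X` for encrypted, `NX_...` for unencrypted with a reason suffix) are assumptions taken from the public VNet flow log schema as I know it; the sample record, IP addresses and timestamps are constructed for the example. Verify the field order against the current schema before relying on it.

```python
"""Added example (not from this thread's posters or from Microsoft):
summarise the per-flow encryption status recorded in VNet flow logs.

Assumed schema (from Microsoft's VNet flow log documentation, not this page):
records[].flowRecords.flows[].flowGroups[].flowTuples[] holds strings of the
form  time,src,dst,sport,dport,proto,dir,state,ENCRYPTION,pkts,bytes,pkts,bytes
where ENCRYPTION is 'X' (encrypted) or an 'NX...' value giving the reason it
was not encrypted (e.g. NX_HW_NOT_SUPPORTED, NX_LOCAL_DST).
"""
import json
from collections import Counter
from typing import Dict, Iterator, List

ENCRYPTION_FIELD = 8  # zero-based index of the encryption status in a tuple

# Constructed sample record: one group with three flows. Addresses are
# private-range placeholders, not taken from the question.
SAMPLE_FLOW_LOG = json.dumps({
    "records": [{
        "time": "2025-04-11T07:00:00.0000000Z",
        "flowLogVersion": 4,
        "category": "FlowLogFlowEvent",
        "flowRecords": {"flows": [{
            "aclID": "00000000-0000-0000-0000-000000000000",
            "flowGroups": [{
                "rule": "DefaultRule_AllowVnetInBound",
                "flowTuples": [
                    "1744354800000,10.1.0.4,10.1.0.5,49152,443,6,I,B,X,0,0,0,0",
                    "1744354801000,10.1.0.4,10.2.0.4,49153,22,6,O,B,NX_HW_NOT_SUPPORTED,0,0,0,0",
                    "1744354802000,10.1.0.4,10.1.0.4,49154,80,6,O,B,NX_LOCAL_DST,0,0,0,0",
                ],
            }],
        }]},
    }],
})


def iter_tuples(flow_log_json: str) -> Iterator[str]:
    """Yield every raw flow tuple string in a VNet flow log document."""
    doc = json.loads(flow_log_json)
    for record in doc.get("records", []):
        for flow in record.get("flowRecords", {}).get("flows", []):
            for group in flow.get("flowGroups", []):
                for tup in group.get("flowTuples", []):
                    yield tup


def parse_tuple(tup: str) -> Dict[str, str]:
    """Pull the fields we care about out of one comma-separated tuple."""
    fields = tup.split(",")
    if len(fields) <= ENCRYPTION_FIELD:
        raise ValueError(f"unexpected flow tuple layout: {tup!r}")
    return {
        "src": fields[1],
        "dst": fields[2],
        "dport": fields[4],
        "direction": fields[6],
        "encryption": fields[ENCRYPTION_FIELD],
    }


def summarize_encryption(flow_log_json: str) -> Dict[str, object]:
    """Count encrypted vs. unencrypted flows and keep the unencrypted ones."""
    status_counts: Counter = Counter()
    unencrypted: List[Dict[str, str]] = []
    for tup in iter_tuples(flow_log_json):
        parsed = parse_tuple(tup)
        status_counts[parsed["encryption"]] += 1
        if parsed["encryption"] != "X":
            unencrypted.append(parsed)
    return {
        "encrypted": status_counts["X"],
        "unencrypted": sum(n for s, n in status_counts.items() if s != "X"),
        "reasons": dict(status_counts),
        "unencrypted_flows": unencrypted,
    }


if __name__ == "__main__":
    summary = summarize_encryption(SAMPLE_FLOW_LOG)
    print(f"encrypted: {summary['encrypted']}, unencrypted: {summary['unencrypted']}")
    for f in summary["unencrypted_flows"]:
        print(f"  {f['src']} -> {f['dst']}:{f['dport']} ({f['direction']}) {f['encryption']}")
```

Run it against a real flow log blob by replacing `SAMPLE_FLOW_LOG` with the file contents; flows whose status is an `NX` variant are the ones the firewall (or any other hop) is seeing in cleartext, and the reason suffix tells you whether that is a hardware, peering or local-delivery limitation rather than a misconfiguration.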
