Azure Managed Lustre supports virtual network encryption to encrypt data in transit between Managed Lustre and client virtual machines (VMs). This feature is valuable for customers in regulated industries, such as finance, healthcare, and government, where data confidentiality is paramount.
How virtual network encryption works
Virtual network encryption in Azure uses Datagram Transport Layer Security (DTLS) 1.2 to secure traffic at the network layer. Key characteristics include:
- Encryption Protocol: DTLS 1.2 with AES-GCM-256 encryption.
- Key Exchange: Session keys are negotiated by using ECDSA certificates.
- Performance: Encryption is offloaded to inline field-programmable gate arrays (FPGAs) on the VM host to help ensure high throughput and low latency.
Enable virtual network encryption for Managed Lustre
To enable virtual network encryption with Managed Lustre:
1. Enable virtual network encryption on the virtual network: To enable virtual network encryption where Managed Lustre is deployed, use the Azure CLI or the Azure portal.
Example Azure CLI command:
az network vnet update --name <virtual-network-name> --resource-group <resource-group-name> --enable-encryption true
2. Ensure client VM compatibility: Azure supports only specific VM series for virtual network encryption. Unsupported VMs don't encrypt traffic, even if the virtual network is encrypted. For requirements and a list of VM SKUs that support encryption, see Azure virtual network encryption requirements.
Existing VMs must be rebooted for encryption to be enabled.
3. Deploy Managed Lustre to an encrypted virtual network: You can deploy Managed Lustre to:
- An encrypted virtual network
- A peered virtual network that also has encryption enabled
Note
If you enable virtual network encryption on a virtual network after you deploy Managed Lustre, the cluster doesn't immediately support encrypted traffic. Encryption capability is activated only after a maintenance event and cluster reboot. For more information about scheduling and managing updates, see Maintenance window for Managed Lustre.
Enforcement mode
Azure currently supports only AllowUnencrypted enforcement mode:
- Unencrypted traffic is still allowed, even when virtual network encryption is enabled.
- The stricter DropUnencrypted mode isn't generally available and requires special feature registration.
Validate encrypted traffic
To confirm that traffic between Managed Lustre and client VMs is encrypted:
1. Use Azure Network Watcher.
- Enable Network Watcher in the region.
- To inspect traffic headers, use packet capture on the client VM.
- Encrypted traffic shows DTLS encapsulation.
2. Run diagnostic reports.
- Use Azure Monitor or custom scripts to validate encrypted traffic paths.
- Check VM metrics and logs for encryption status indicators.
3. Check VM capabilities.
Use the following command to determine whether a VM supports virtual network encryption:
az vm show --name <vm-name> --resource-group <rg-name> --query "storageProfile.osDisk.managedDisk.encryptionSettingsCollection"
Tip
For more information on verifying encryption, understanding performance impact, and managing certificate handling, see the FAQ for Azure Virtual Network encryption.
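As an added example (not code from the Azure documentation or the Managed Lustre service), the following Python script audits saved output of `az network vnet show` and `az vm list` for the conditions this page describes: encryption disabled on the virtual network, AllowUnencrypted enforcement, and client VMs whose size is not on the supported list. The JSON samples and the supported-size set are constructed placeholders, and the `encryption.enabled` / `encryption.enforcement` field names are assumed from the virtual network resource schema.

```python
import json

# Constructed sample of `az network vnet show -o json` (relevant fields only).
VNET_JSON = json.dumps({
    "name": "lustre-vnet",
    "encryption": {"enabled": True, "enforcement": "AllowUnencrypted"},
})

# Constructed sample of `az vm list -o json` (relevant fields only).
VMS_JSON = json.dumps([
    {"name": "client-01", "hardwareProfile": {"vmSize": "Standard_D8s_v5"}},
    {"name": "client-02", "hardwareProfile": {"vmSize": "Standard_B2s"}},
])

# Placeholder: replace with the SKUs from the Azure virtual network
# encryption requirements page. Compared case-insensitively.
SUPPORTED_SIZES = {"standard_d8s_v5", "standard_e8s_v5"}


def audit(vnet_json, vms_json, supported_sizes=SUPPORTED_SIZES):
    """Return a list of (severity, message) findings, in the order found."""
    vnet = json.loads(vnet_json)
    vms = json.loads(vms_json)
    findings = []
    # A vnet created before the feature existed may lack the key entirely;
    # treat a missing block the same as encryption disabled.
    enc = vnet.get("encryption") or {}
    if not enc.get("enabled"):
        findings.append(("high", f"vnet {vnet['name']}: encryption disabled"))
        return findings  # per-VM checks are moot until the vnet is encrypted
    if enc.get("enforcement") != "DropUnencrypted":
        findings.append(("medium", f"vnet {vnet['name']}: enforcement is "
                         f"{enc.get('enforcement')}; unencrypted traffic still allowed"))
    for vm in vms:
        size = vm["hardwareProfile"]["vmSize"]
        if size.lower() not in supported_sizes:
            findings.append(("high", f"VM {vm['name']}: size {size} is not in the "
                             "supported list; its traffic stays unencrypted"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(VNET_JSON, VMS_JSON):
        print(f"[{severity}] {message}")
```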
Caveats and limitations
- Encryption enforcement: Managed Lustre doesn't enforce encryption. It relies on the configuration of the virtual network and VM.
- Unsupported VMs: Traffic from unsupported VM series remains unencrypted, even if virtual network encryption is enabled.
- Firewall visibility: Azure Firewall can't inspect traffic encrypted at the network layer.
- Enforcement mode: DropUnencrypted mode isn't generally available and must be explicitly enabled via feature registration.