Create a virtual network with encryption using the Azure CLI

Azure Virtual Network encryption is a feature of Azure Virtual Network. It encrypts and decrypts internal network traffic over the wire, with minimal effect on performance and scale. Azure Virtual Network encryption protects data traversing your virtual network from virtual machine to virtual machine and from virtual machine to on-premises.

Prerequisites

  • This how-to article requires version 2.31.0 or later of the Azure CLI. If you're using Azure Cloud Shell, the latest version is already installed.

Create a resource group

An Azure resource group is a logical container into which Azure resources are deployed and managed.

Use az group create to create a resource group named test-rg in the eastus2 location.

  az group create \
    --name test-rg \
    --location eastus2

Create a virtual network

In this section, you create a virtual network and enable virtual network encryption.

Use az network vnet create to create a virtual network.

  az network vnet create \
    --resource-group test-rg \
    --location eastus2 \
    --name vnet-1 \
    --enable-encryption true \
    --encryption-enforcement-policy allowUnencrypted \
    --address-prefixes 10.0.0.0/16 \
    --subnet-name subnet-1 \
    --subnet-prefixes 10.0.0.0/24

The allowUnencrypted enforcement policy lets traffic to or from virtual machines that don't support encryption pass unencrypted instead of being dropped. Enabling encryption with this policy therefore doesn't guarantee that every flow in the virtual network is encrypted; the dropUnencrypted policy drops such traffic instead.

Enable on existing virtual network

You can also enable encryption on an existing virtual network using az network vnet update.

  az network vnet update \
    --resource-group test-rg \
    --name vnet-1 \
    --enable-encryption true \
    --encryption-enforcement-policy allowUnencrypted

Important

Azure Virtual Network encryption requires supported virtual machine SKUs in the virtual network for traffic to be encrypted. For more information, see Azure Virtual Network encryption requirements.

Verify encryption enabled

Check the encryption property of the virtual network to verify that encryption is enabled and which enforcement policy is in effect.

Use az network vnet show to view the encryption property of the virtual network you created previously.

  az network vnet show \
    --resource-group test-rg \
    --name vnet-1 \
    --query encryption \
    --output tsv

The output shows the enabled state followed by the enforcement policy:

  True   AllowUnencrypted
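The verification step above reads one virtual network by hand. The following script is an added example, not code from the original article or from Azure: it turns the two-column output of `az network vnet show --query encryption --output tsv` into a pass/fail check, and extends the same check to every virtual network that `az network vnet list` returns, so it can gate a pipeline or a periodic audit. The sample TSV rows are constructed, not captured from Azure. Assumed, and not shown on the page: the enforcement policy values are AllowUnencrypted and DropUnencrypted, and `--output tsv` prints a null field as an empty column.

```shell
#!/bin/sh
# Added example: audit Azure Virtual Network encryption settings.
# Everything other than the az commands themselves is this example's own
# logic; the sample rows at the bottom are constructed, not captured.

# vnet_is_compliant "ENABLED<TAB>POLICY" [REQUIRED_POLICY]
# One line as produced by `az network vnet show --query encryption --output tsv`.
# Returns 0 when encryption is enabled and, if REQUIRED_POLICY is given,
# the enforcement policy matches it (case-insensitively); returns 1 otherwise.
# An empty line (encryption never configured) is treated as not compliant.
vnet_is_compliant() {
  _enabled=$(printf '%s\n' "$1" | cut -f1 | tr '[:upper:]' '[:lower:]')
  _policy=$(printf '%s\n' "$1" | cut -f2 | tr '[:upper:]' '[:lower:]')
  _want=$(printf '%s' "${2:-}" | tr '[:upper:]' '[:lower:]')
  [ "$_enabled" = "true" ] || return 1
  [ -z "$_want" ] || [ "$_policy" = "$_want" ] || return 1
  return 0
}

# list_noncompliant [REQUIRED_POLICY]  < TSV
# Reads rows "RESOURCEGROUP<TAB>NAME<TAB>ENABLED<TAB>POLICY" on stdin and
# prints RESOURCEGROUP/NAME for every virtual network that fails
# vnet_is_compliant. Returns 0 when all rows pass, 1 when any row fails.
# cut is used instead of IFS splitting so that empty columns (null
# encryption) are preserved rather than collapsed.
list_noncompliant() {
  _rc=0
  while IFS= read -r _line; do
    [ -n "$_line" ] || continue
    _rg=$(printf '%s\n' "$_line" | cut -f1)
    _name=$(printf '%s\n' "$_line" | cut -f2)
    _enc=$(printf '%s\n' "$_line" | cut -f3,4)
    if ! vnet_is_compliant "$_enc" "${1:-}"; then
      printf '%s/%s\n' "$_rg" "$_name"
      _rc=1
    fi
  done
  return $_rc
}

# audit_subscription [REQUIRED_POLICY]
# Live version: lists every virtual network in the current subscription with
# the four columns list_noncompliant expects, then applies the check.
# Requires an authenticated Azure CLI; not exercised offline.
audit_subscription() {
  az network vnet list \
    --query "[].[resourceGroup, name, encryption.enabled, encryption.enforcement]" \
    --output tsv | list_noncompliant "${1:-}"
}

# Offline demonstration on constructed rows (run with: sh audit.sh --demo).
# Row 2 has encryption unset (empty columns); row 1 allows unencrypted traffic.
if [ "${1:-}" = "--demo" ]; then
  _sample=$(printf 'test-rg\tvnet-1\tTrue\tAllowUnencrypted\nprod-rg\tvnet-2\t\t\nprod-rg\tvnet-3\tTrue\tDropUnencrypted\n')
  echo "Not encrypted at all:"
  printf '%s\n' "$_sample" | list_noncompliant || true
  echo "Not enforcing DropUnencrypted:"
  printf '%s\n' "$_sample" | list_noncompliant DropUnencrypted || true
fi
```

Run `audit_subscription DropUnencrypted` from an authenticated shell to list every virtual network that is either unencrypted or still allows unencrypted flows; a non-zero exit status makes it usable as a CI gate.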

Clean up resources

When you're done with the virtual network, use az group delete to remove the resource group and all its resources.

  az group delete \
    --name test-rg \
    --yes

Next steps