Create a virtual network with encryption using Azure PowerShell
Azure Virtual Network encryption is a feature of Azure Virtual Network. Virtual network encryption allows you to seamlessly encrypt and decrypt internal network traffic over the wire, with minimal effect to performance and scale. Azure Virtual Network encryption protects data traversing your virtual network virtual machine to virtual machine and virtual machine to on-premises.
Prerequisites
An Azure account with an active subscription. Create an account for free.
Azure PowerShell installed locally or Azure Cloud Shell.
Sign in to Azure PowerShell and ensure you've selected the subscription with which you want to use this feature. For more information, see Sign in with Azure PowerShell.
Ensure your Az.Network module is version 4.3.0 or later. To verify the installed module, use the command Get-InstalledModule -Name Az.Network. If the module requires an update, use the command Update-Module -Name Az.Network.
If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.
Create a resource group
An Azure resource group is a logical container into which Azure resources are deployed and managed.
Create a resource group with New-AzResourceGroup named test-rg in the eastus2 location.
$rg = @{
    Name = 'test-rg'
    Location = 'eastus2'
}
New-AzResourceGroup @rg
Create a virtual network
In this section, you create a virtual network and enable virtual network encryption.
Use New-AzVirtualNetwork and New-AzVirtualNetworkSubnetConfig to create a virtual network.
## Create backend subnet config ##
$subnet = @{
    Name = 'subnet-1'
    AddressPrefix = '10.0.0.0/24'
}
$subnetConfig = New-AzVirtualNetworkSubnetConfig @subnet

## Create the virtual network ##
$net = @{
    Name = 'vnet-1'
    ResourceGroupName = 'test-rg'
    Location = 'eastus2'
    AddressPrefix = '10.0.0.0/16'
    Subnet = $subnetConfig
    EnableEncryption = 'true'
    EncryptionEnforcementPolicy = 'AllowUnencrypted'
}
New-AzVirtualNetwork @net
Enable on existing virtual network
You can also enable encryption on an existing virtual network using Set-AzVirtualNetwork.
## Place the virtual network configuration into a variable. ##
$net = @{
    Name = 'vnet-1'
    ResourceGroupName = 'test-rg'
}
$vnet = Get-AzVirtualNetwork @net

## Enable encryption on the virtual network ##
$vnet.Encryption = @{
    Enabled = 'true'
    Enforcement = 'allowUnencrypted'
}
$vnet | Set-AzVirtualNetwork
Important
Azure Virtual Network encryption requires supported virtual machine SKUs in the virtual network for traffic to be encrypted. For more information, see Azure Virtual Network encryption requirements.
Verify encryption enabled
You can check the encryption parameter in the virtual network to verify that encryption is enabled on the virtual network.
Use Get-AzVirtualNetwork to view the encryption parameter for the virtual network you created previously.
## Place the virtual network configuration into a variable. ##
$net = @{
    Name = 'vnet-1'
    ResourceGroupName = 'test-rg'
}
$vnet = Get-AzVirtualNetwork @net
To view the encryption parameter, enter the following.
$vnet.Encryption

Enabled Enforcement
------- -----------
True    allowUnencrypted
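Checking one virtual network by hand, as shown above, does not scale to a subscription with many networks. The following function is an added example and is not part of the original article or of the Az.Network module: it walks every virtual network (optionally limited to one resource group), reads the same Encryption.Enabled and Encryption.Enforcement properties the article inspects, and emits one report object per network. A network with encryption disabled, or with the AllowUnencrypted enforcement policy (which, per the Important note above, lets traffic from unsupported VM SKUs travel in the clear), is flagged for review. The function name and the Finding column are this example's own; the usage call reuses the test-rg resource group from the article.

```powershell
# Added example (not from the original article): audit virtual network
# encryption state across a resource group or the whole subscription.
# Assumes you have already run Connect-AzAccount and selected a subscription.
function Get-VNetEncryptionReport {
    [CmdletBinding()]
    param(
        # Optional: limit the audit to one resource group
        [string]$ResourceGroupName
    )

    $vnets = if ($ResourceGroupName) {
        Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -ErrorAction Stop
    } else {
        Get-AzVirtualNetwork -ErrorAction Stop
    }

    foreach ($vnet in $vnets) {
        # Encryption is $null on networks where the feature was never configured.
        # Compare as text so both a boolean and the string 'true' are handled.
        $enabled = ("$($vnet.Encryption.Enabled)" -eq 'true')
        $enforcement = if ($vnet.Encryption) { "$($vnet.Encryption.Enforcement)" } else { 'NotConfigured' }

        # Classify the network for the reviewer (Finding values are this example's own)
        $finding = 'OK'
        if (-not $enabled) {
            $finding = 'Encryption not enabled'
        } elseif ($enforcement -ieq 'AllowUnencrypted') {
            $finding = 'Unencrypted traffic still allowed'
        }

        [pscustomobject]@{
            ResourceGroup     = $vnet.ResourceGroupName
            VirtualNetwork    = $vnet.Name
            EncryptionEnabled = $enabled
            Enforcement       = $enforcement
            Finding           = $finding
        }
    }
}

# Usage: audit the resource group created in this article
Get-VNetEncryptionReport -ResourceGroupName 'test-rg' | Format-Table -AutoSize
```

Run without -ResourceGroupName to audit the entire subscription; pipe the output to Export-Csv if you want a record for later comparison. Because the report only reads the virtual network's Encryption property, it says nothing about whether the virtual machines inside the network use supported SKUs; that still has to be checked separately against the requirements linked above.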
Clean up resources
When you're done with the virtual network, use Remove-AzResourceGroup to remove the resource group and all its resources.
Remove-AzResourceGroup -Name 'test-rg' -Force
Next steps
For more information about Azure Virtual Networks, see What is Azure Virtual Network?.
For more information about Azure Virtual Network encryption, see What is Azure Virtual Network encryption?.