[Feature] Support for Azure Virtual Network encryption for AKS
Is your feature request related to a problem? Please describe. As a customer I need to ensure encryption between hosts of an AKS cluster.
Describe the solution you'd like I would like to see support for AKS to use native Azure VNet encryption as soon as that is available. The limitations seem great for most scenarios. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-encryption-overview
Describe alternatives you've considered Today we are using a service mesh, but using Istio/Linkerd just for encryption is a waste of computing power.
What is the ETA for trying VNet encryption in AKS?
We're currently evaluating if there are any impacts to AKS environments. No concrete timeline, but we are looking to implement it.
Hi, is this available now? We were assuming it was following GA across our regions (UKS/UKW) in April, but testing today shows VNet flow logs reporting no layer 4 encryption between AKS VMSS instances.
The VNet Encryption was only for VNets themselves. We still haven't turned them on in AKS due to the impact evaluation and resource limitations. We're still considering and happy to hear that you're wanting this functionality.
Thanks for the quick reply. We're spending a lot of time and effort moving off OSM to Istio, but VNet encryption would be so much better as we only use a mesh for encryption between pods. Envoy uses up so much memory and adds complexity, so we would like this feature ASAP. I've raised it with our Microsoft support people, so now looking for ETAs.
@chasewilson Any update on this feature, whether it is enabled now for AKS?
@denniszielke @chasewilson Isn't it already supported? https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-encryption-overview#supported-scenarios Or am I understanding the document correctly? Your original ask is not explicitly requesting pod-to-pod communication on the same host to be encrypted.
If I understand the limitations correctly, it does not work for any pod traffic (even when the pods are on different nodes) while using Azure CNI Dynamic IP Assignment.
Would be great to see the AKS support being improved
From the docs ivanthelad linked above:

> Azure Kubernetes Service (AKS)
> - Supported on AKS using Azure CNI (regular or overlay mode), Kubenet, or BYOCNI: node and pod traffic is encrypted.
> - Partially supported on AKS using Azure CNI Dynamic Pod IP Assignment (podSubnetId specified): node traffic is encrypted, but pod traffic isn't encrypted.
> - Traffic to the AKS managed control plane egresses from the virtual network and thus isn't in scope for virtual network encryption. However, this traffic is always encrypted via TLS.
Trying to restate this: if you don't set podSubnetId, anything that leaves the node is encrypted, including pod-to-pod traffic.
We don't turn it on for managed VNet yet, so you have to bring your own VNet. Maybe we should break this into 2 or 3 issues.
- fix pod subnet with VNet encryption or block it
- managed VNet support for encryption.
This is also a good doc: https://learn.microsoft.com/en-us/azure/aks/container-network-security-wireguard-encryption-concepts#comparison-with-virtual-network-encryption
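As an added example (not from this thread, the AKS team, or the linked docs), a small Python check that takes trimmed `az network vnet show` and `az aks show` output and reports the coverage each node pool should get under the support matrix quoted above, together with the caveats raised in the thread (podSubnetId, managed VNet, AllowUnencrypted enforcement). The JSON field names and all sample values are assumptions.

```python
import json

# Constructed sample of `az network vnet show -o json`, trimmed to the fields
# used here (assumption: `encryption.enabled` / `encryption.enforcement` as in
# the Azure REST API; every value below is made up).
VNET_JSON = """{"name": "aks-vnet", "resourceGroup": "rg-app",
  "encryption": {"enabled": true, "enforcement": "AllowUnencrypted"}}"""

# Constructed sample of `az aks show -o json`, trimmed likewise (field names
# `nodeResourceGroup` and `agentPoolProfiles[].podSubnetId` assumed).
AKS_JSON = """{"name": "aks-prod", "nodeResourceGroup": "MC_rg-app_aks-prod_uksouth",
  "agentPoolProfiles": [
    {"name": "system", "podSubnetId": null},
    {"name": "apps", "podSubnetId": "/subscriptions/SUB/resourceGroups/rg-app/providers/Microsoft.Network/virtualNetworks/aks-vnet/subnets/pods"}
  ]}"""


def assess(vnet: dict, aks: dict) -> dict:
    """Map the VNet encryption state and each node pool's configuration onto
    the support matrix quoted in the thread; also collect follow-up caveats."""
    enc = vnet.get("encryption") or {}
    enabled = bool(enc.get("enabled"))
    # Heuristic: a VNet in the MC_ node resource group is AKS-managed, which
    # the thread says is not yet enabled for encryption (bring your own VNet).
    managed = vnet["resourceGroup"].lower() == aks["nodeResourceGroup"].lower()
    result = {"vnet_encryption_enabled": enabled, "managed_vnet": managed,
              "pools": {}, "caveats": []}
    for pool in aks["agentPoolProfiles"]:
        if not enabled:
            coverage = "none"
        elif pool.get("podSubnetId"):          # Dynamic Pod IP Assignment
            coverage = "node traffic only"
        else:
            coverage = "node and pod traffic"
        result["pools"][pool["name"]] = coverage
    if enabled and enc.get("enforcement") == "AllowUnencrypted":
        result["caveats"].append("enforcement is AllowUnencrypted: confirm with "
                                 "VNet flow logs that node-to-node traffic is encrypted")
    if managed:
        result["caveats"].append("managed VNet: encryption is not enabled there yet")
    return result


def assess_sample() -> dict:
    return assess(json.loads(VNET_JSON), json.loads(AKS_JSON))


if __name__ == "__main__":
    print(json.dumps(assess_sample(), indent=2))
```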