From time to time, during our Microsoft Cloud projects, we get pretty much the same question: “Do Azure VPN or ExpressRoute provide traffic encryption?” So, here is an explanation :)
Azure VPN tunnels for Site-to-Site connectivity are encrypted by design (and yes, by default) using IPsec. Encryption is also provided for Point-to-Site using Secure Socket Tunneling Protocol (SSTP).
ExpressRoute is an Azure service that lets us create private connections between Microsoft datacenters and infrastructure that’s on our premises or in a colocation facility. ExpressRoute connections do not go over the public Internet! ExpressRoute does not provide network traffic encryption for its circuits!
If you need encryption over ExpressRoute, you have to implement it yourself, which can be done in a number of ways:
- Application level encryption
- OS level encryption using technologies such as IPsec
- Third-party appliance that performs encryption
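
As an illustration of the OS-level option, here is an added example (not from the original post) that uses the Windows built-in IPsec cmdlets on an on-premises server to require ESP encryption for traffic to an Azure VNet reached over ExpressRoute. The subnets, the CA name and the display names are constructed placeholders, and it assumes both ends already hold machine certificates from the same CA.

```powershell
# Added example. Addresses, CA name and display names are constructed placeholders.
$OnPremSubnet = '10.10.0.0/16'   # assumption: on-premises address space
$AzureSubnet  = '10.20.0.0/16'   # assumption: Azure VNet behind the ExpressRoute circuit
$IssuingCA    = 'DC=com, DC=example, CN=Example-Issuing-CA'   # placeholder CA name

# Main mode: peers authenticate each other with machine certificates.
$authProposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $IssuingCA
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'ER-MachineCert' `
    -Proposal $authProposal

# Quick mode: ESP with AES-256 encryption and SHA-256 integrity.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -ESPHash SHA256 -Encryption AES256
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'ER-ESP-AES256' `
    -Proposal $qmProposal

# Transport-mode rule: traffic between the two subnets must be protected.
# On the Azure VM, create the same rule with Local/Remote addresses swapped.
New-NetIPsecRule -DisplayName 'Encrypt traffic over ExpressRoute' `
    -Mode Transport `
    -LocalAddress $OnPremSubnet -RemoteAddress $AzureSubnet `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name `
    -QuickModeCryptoSet $qmSet.Name

# Verification: after some traffic has flowed, security associations for the
# peer should be listed here. An empty result means nothing was negotiated.
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
```

With `Require` on both directions, a peer that has no matching rule loses connectivity to this host, so roll out with `-InboundSecurity Request -OutboundSecurity Request` first and switch to `Require` once the security associations show up on both sides.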