As organizations continue to scale containerized workloads in Azure Kubernetes Service (AKS), the need to secure network traffic between applications and services has never been more critical, especially in regulated or security-sensitive environments. We’re excited to announce the public preview of WireGuard-based in-transit encryption in AKS, a new capability in Advanced Container Networking Services that enhances inter-node traffic protection with minimal operational overhead.
What is WireGuard?
WireGuard is a modern, high-performance VPN protocol known for its simplicity and robust cryptography. Integrated into the Cilium data plane and managed as part of AKS networking, WireGuard offers an efficient way to encrypt traffic transparently within your cluster.
With this new feature, WireGuard is now natively supported as part of Azure CNI powered by Cilium with Advanced Container Networking Services, with no need for third-party encryption tools or custom key management systems.
What Gets Encrypted?
The WireGuard integration in AKS focuses on the most critical traffic path:
✅ Encrypted:
- Inter-node pod traffic: Network communication between pods running on different nodes in the AKS cluster. This traffic traverses the underlying network infrastructure and is encrypted using WireGuard to ensure confidentiality and integrity.
❌ Not encrypted:
- Same-node pod traffic: Communication between pods that are running on the same node. Since this traffic does not leave the node, it bypasses WireGuard and remains unencrypted.
- Node-generated traffic: Traffic initiated by the node itself, which is currently not routed through WireGuard and thus not encrypted.
This scope strikes the right balance between strong protection and performance by securing the most critical traffic, which is data that leaves the host and traverses the network.
Key Benefits
- Simple Configuration: Enable WireGuard with just a few flags during AKS cluster creation or update.
- Automatic Key Management: Each node generates and exchanges WireGuard keys automatically—no need for manual configuration.
- Transparent to Applications: No application-level changes are required. Encryption happens at the network layer.
- Cloud-Native Integration: Fully managed as part of Advanced Container Networking Services and Cilium, offering a seamless and reliable experience.
Architecture: How It Works
When WireGuard is enabled:
- Each node generates a unique public/private key pair.
- The public keys are securely shared between nodes via the CiliumNode custom resource.
- A dedicated network interface (cilium_wg0) is created and managed by the Cilium agent running on each node.
- Peers are dynamically updated, and keys are rotated automatically every 120 seconds to minimize risk.
This mechanism ensures that only validated nodes can participate in encrypted communication.
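The two points above that matter most operationally are the encryption scope (only pod-to-pod traffic that crosses nodes) and the fact that each node publishes its public key on its CiliumNode object. The following is an added example, not code from the AKS or Cilium projects: it audits a constructed `kubectl get ciliumnodes -o json` dump for nodes that have not published a key or that share one, and classifies a flow against the scope rules listed earlier. The annotation name is the one upstream Cilium uses; that the AKS-managed build publishes the key the same way is an assumption, and the key values are placeholders.

```python
import json

# Annotation upstream Cilium uses to publish a node's WireGuard public key on
# its CiliumNode object (assumption: the AKS-managed build follows upstream).
WG_PUBKEY_ANNOTATION = "network.cilium.io/wg-pub-key"

# Constructed stand-in for `kubectl get ciliumnodes -o json`; keys are placeholders.
SAMPLE_CILIUMNODES = json.dumps({"items": [
    {"metadata": {"name": "aks-np-0", "annotations": {WG_PUBKEY_ANNOTATION: "PLACEHOLDER_KEY_A="}}},
    {"metadata": {"name": "aks-np-1", "annotations": {WG_PUBKEY_ANNOTATION: "PLACEHOLDER_KEY_B="}}},
    {"metadata": {"name": "aks-np-2", "annotations": {WG_PUBKEY_ANNOTATION: "PLACEHOLDER_KEY_A="}}},
    {"metadata": {"name": "aks-np-3", "annotations": {}}},
]})


def audit_wireguard_keys(ciliumnodes_json):
    """Return (missing, duplicated): nodes that publish no key, and keys announced by >1 node.
    A missing key means that node's peers cannot encrypt to it; a duplicated key means
    two nodes would be indistinguishable as WireGuard peers."""
    keys = {}
    for item in json.loads(ciliumnodes_json)["items"]:
        meta = item["metadata"]
        keys[meta["name"]] = meta.get("annotations", {}).get(WG_PUBKEY_ANNOTATION)
    missing = sorted(name for name, key in keys.items() if not key)
    by_key = {}
    for name, key in keys.items():
        if key:
            by_key.setdefault(key, []).append(name)
    duplicated = {k: sorted(v) for k, v in by_key.items() if len(v) > 1}
    return missing, duplicated


def flow_is_encrypted(src, dst):
    """Apply the scope described above: only pod-to-pod traffic that crosses nodes
    is sent through cilium_wg0. src/dst are {"kind": "pod"|"node", "node": <node name>}."""
    if src["kind"] != "pod" or dst["kind"] != "pod":
        return False  # node-generated traffic is not routed through WireGuard
    return src["node"] != dst["node"]  # same-node pod traffic never leaves the host


if __name__ == "__main__":
    missing, duplicated = audit_wireguard_keys(SAMPLE_CILIUMNODES)
    print("nodes without a published WireGuard key:", missing)
    print("keys announced by more than one node:", duplicated)
```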
WireGuard and VNet Encryption
AKS now offers two powerful in-transit encryption options:
| Feature | WireGuard Encryption | VNet Encryption |
| --- | --- | --- |
| Scope | Pod-to-pod inter-node traffic | All traffic in the VNet |
| VM Support | Works on all VM SKUs | Requires hardware support (e.g., Gen2 VMs) |
| Deployment Flexibility | Cloud-agnostic, hybrid ready | Azure-only |
| Performance | Software-based, moderate CPU usage | Hardware-accelerated, low overhead |
Choose WireGuard if you want encryption flexibility across clouds or have VM SKUs that don’t support VNet encryption. Choose VNet Encryption for full-network coverage and ultra-low CPU overhead.
Conclusion and Next Steps
WireGuard in AKS, now in public preview, delivers strong encryption that protects traffic as it leaves the host and traverses the network, right where it's needed most. It offers a balanced approach to securing container networking without compromising usability.
Ready to get started? Check out our how-to guide for step-by-step instructions on enabling WireGuard in your cluster and securing your container networking with ease.
Explore more about Advanced Container Networking Services: