Update (Generally Available)
WireGuard in‑transit encryption for Azure Kubernetes Service (AKS) is now generally available for clusters using Azure CNI powered by Cilium and Advanced Container Networking Services.
The feature is production‑ready and no longer requires preview enrollment. The core behavior, scope, and configuration model remain unchanged from the public preview.
As organizations continue to scale containerized workloads in Azure Kubernetes Service (AKS), securing network traffic between applications and services is critical—especially in regulated or security‑sensitive environments.
WireGuard in‑transit encryption is now generally available in AKS, delivering transparent, node‑level encryption for inter‑node pod traffic as part of Advanced Container Networking Services, powered by Azure CNI built on Cilium.
What is WireGuard?
WireGuard is a modern, high-performance VPN protocol known for its simplicity and robust cryptography. Integrated into the Cilium data plane and managed as part of AKS networking, WireGuard offers an efficient way to encrypt traffic transparently within your cluster.
With this feature, WireGuard is natively supported as part of Azure CNI powered by Cilium with Advanced Container Networking Services, so there is no need for third-party encryption tools or custom key management systems.
What Gets Encrypted?
The WireGuard integration in AKS focuses on the most critical traffic path:
✅ Encrypted:
- Inter-node pod traffic: Network communication between pods running on different nodes in the AKS cluster. This traffic traverses the underlying network infrastructure and is encrypted using WireGuard to ensure confidentiality and integrity.
❌ Not encrypted:
- Same-node pod traffic: Communication between pods that are running on the same node. Since this traffic does not leave the node, it bypasses WireGuard and remains unencrypted.
- Node-generated traffic: Traffic initiated by the node itself, which is currently not routed through WireGuard and thus not encrypted.
This scope is designed to strike the right balance between strong protection and performance by securing the most critical traffic: data that leaves the host and traverses the network.
Key Benefits
- Simple Configuration: Enable WireGuard with just a few flags during AKS cluster creation or update.
- Automatic Key Management: Each node generates and exchanges WireGuard keys automatically; no manual configuration is needed.
- Transparent to Applications: No application-level changes are required. Encryption happens at the network layer.
- Cloud-Native Integration: Fully managed as part of Advanced Container Networking Services and Cilium, offering a seamless and reliable experience.
Architecture: How It Works
When WireGuard is enabled:
- Each node generates a unique public/private key pair.
- The public keys are securely shared between nodes via the CiliumNode custom resource.
- A dedicated network interface (cilium_wg0) is created and managed by the Cilium agent running on each node.
- Peers are dynamically updated, and keys are rotated automatically every 120 seconds to minimize risk.
This mechanism ensures that only validated nodes can participate in encrypted communication.
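To make the mechanism above concrete, here is an added worked example (not code from this post, from Cilium, or from AKS) that models what happens on each node: it generates a WireGuard key pair with a pure-Python X25519 (RFC 7748), publishes the public key on a CiliumNode-like record, derives the peer table an agent would program into cilium_wg0, shows that two nodes that have only exchanged public keys agree on a shared secret, and applies the scope rules from "What Gets Encrypted?" to sample flows. The annotation name `network.cilium.io/wg-pub-key` and the listen port 51871 are taken from Cilium's WireGuard integration and are assumptions here rather than something this post states; the node names, addresses and pod CIDRs are constructed sample values, and the peer model is simplified (a real agent's peer set also depends on Cilium's configuration).

```python
import base64
import secrets
from dataclasses import dataclass, field

# WireGuard keys are X25519 keys (RFC 7748): 32 bytes, base64-encoded by the wg tools.
P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")
# Assumptions taken from Cilium's WireGuard integration, not stated in this post:
WG_PUBKEY_ANNOTATION = "network.cilium.io/wg-pub-key"  # CiliumNode annotation carrying a node's public key
WG_PORT = 51871                                         # UDP port the cilium_wg0 interface listens on

def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: scalar * u on Curve25519 (32-byte little-endian in and out)."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64                      # clamp the private scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(bytes(u[:31]) + bytes([u[31] & 127]), "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def wg_keypair() -> tuple:
    """What each node does at start-up: a fresh (private, public) pair, like `wg genkey | wg pubkey`."""
    priv = secrets.token_bytes(32)
    return base64.b64encode(priv).decode(), base64.b64encode(x25519(priv, BASEPOINT)).decode()

def shared_secret(priv_b64: str, peer_pub_b64: str) -> bytes:
    """Static-static DH both ends derive from the exchanged public keys; WireGuard's Noise
    handshake mixes this with ephemeral keys before any session key is produced."""
    return x25519(base64.b64decode(priv_b64), base64.b64decode(peer_pub_b64))

@dataclass
class CiliumNode:
    """The fields of a CiliumNode resource that this model's peering logic reads."""
    name: str
    node_ip: str
    pod_cidr: str
    annotations: dict = field(default_factory=dict)

def rotate_key(node: CiliumNode, private_keys: dict) -> None:
    """Publish a fresh key pair for `node`; agents on the other nodes watch CiliumNode and re-peer."""
    priv, pub = wg_keypair()
    private_keys[node.name] = priv
    node.annotations[WG_PUBKEY_ANNOTATION] = pub

def peer_table(local: CiliumNode, nodes: list) -> list:
    """Peers the agent on `local` would program into cilium_wg0 in this model: one per other
    node that has published a key. AllowedIPs is that node's pod CIDR, which is why only
    pod traffic bound for another node enters the tunnel."""
    peers = []
    for n in nodes:
        pub = n.annotations.get(WG_PUBKEY_ANNOTATION)
        if n.name == local.name or not pub:
            continue                                # self, or a node with no key published yet
        peers.append({"public_key": pub, "endpoint": f"{n.node_ip}:{WG_PORT}", "allowed_ips": [n.pod_cidr]})
    return peers

def classify_flow(src_node: str, dst_node: str, src_is_pod: bool, nodes: dict) -> str:
    """Scope rules from the post: only pod traffic between different nodes is encrypted."""
    if not src_is_pod:
        return "not encrypted: node-generated traffic"
    if src_node == dst_node:
        return "not encrypted: same-node pod traffic"
    if not nodes[dst_node].annotations.get(WG_PUBKEY_ANNOTATION):
        return "no peer: destination node has not published a key"
    return "encrypted: inter-node pod traffic via cilium_wg0"

def build_cluster() -> tuple:
    """Constructed three-node cluster (sample values); the third node has not published a key yet."""
    spec = [("aks-np-0", "10.224.0.4", "10.244.0.0/24"), ("aks-np-1", "10.224.0.5", "10.244.1.0/24"),
            ("aks-np-2", "10.224.0.6", "10.244.2.0/24")]
    nodes = {name: CiliumNode(name, ip, cidr) for name, ip, cidr in spec}
    private_keys = {}
    for name in ("aks-np-0", "aks-np-1"):
        rotate_key(nodes[name], private_keys)
    return nodes, private_keys

if __name__ == "__main__":
    nodes, keys = build_cluster()
    for peer in peer_table(nodes["aks-np-0"], list(nodes.values())):
        print("peer", peer["endpoint"], "allowed-ips", peer["allowed_ips"])
    print(classify_flow("aks-np-0", "aks-np-2", True, nodes))
```

Running the script lists the single peer that aks-np-0 can reach (aks-np-1, endpoint 10.224.0.5:51871, AllowedIPs 10.244.1.0/24) and reports that a flow to aks-np-2 has no peer because that node has not published a key; calling `rotate_key` on a node and rebuilding the peer table shows the other nodes picking up the new public key, which is the dynamic re-peering the post describes. The design point worth noticing is that nothing secret ever crosses the CiliumNode resource: only public keys are shared, and `shared_secret` shows both ends still arrive at the same value.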
WireGuard and VNet Encryption
AKS now offers two powerful in-transit encryption options:
| Feature | WireGuard Encryption | VNet Encryption |
| --- | --- | --- |
| Scope | Pod-to-pod inter-node traffic | All traffic in the VNet |
| VM Support | Works on all VM SKUs | Requires hardware support (e.g., Gen2 VMs) |
| Deployment Flexibility | Cloud-agnostic, hybrid ready | Azure-only |
| Performance | Software-based, moderate CPU usage | Hardware-accelerated, low overhead |
Choose WireGuard if you want encryption flexibility across clouds or have VM SKUs that don't support VNet encryption. Choose VNet Encryption for full-network coverage and ultra-low CPU overhead.
Conclusion and Next Steps
With WireGuard now generally available in AKS, customers can secure inter-node pod traffic using a lightweight, cloud-native encryption mechanism that requires no application changes and minimal operational overhead.
Ready to get started? Check out our how-to guide for step-by-step instructions on enabling WireGuard in your cluster and securing your container networking with ease.
Explore more about Advanced Container Networking Services: