I'm looking for some information on Azure Virtual Network security for data in transit.
We use Application Gateway to terminate the TLS connection (443) and forward the (unecrypted) request (80) to a backend server in the same virtual network but in a different subnet.
Microsoft states that VNETs are private and secure.
I could not find any information if traffic within a VNET is encrypted. That it wouldn't be possible to inspect traffic from outside of the VNET for anyone.
The HTTP request itself is not encrypted, but would the VNET traffic transporting the request be encrypted?
For inter-region traffic the documentation states: data-link layer encryption using MACsec
Azure Datacenter data-in-transit is encrypted at data link layer using MACsec which means other customers or data sniff with in MS Azure is not possible. VNET traffic is part of your network and Transport or Application layer encryption is customer responsibility. You can use Ipsec or tls at transport layer