
I'm in the process of splitting the functions of a single VM web server on Azure across two VMs on the same Vnet.

I want to check, can I assume that traffic between them is absolutely isolated and private?

For example, one will host an SMTP server, the other will host the web app that uses it.

Is it perfectly safe to ignore STARTTLS and simply send credentials in the clear, between them?

If so, can you point me to some kind of statement from Microsoft that affirms this privacy?

It seems obvious that this should be the case, and yet I'm finding it really hard to get definitive clarity on it.

stephen

2 Answers


There is a large article talking about different types of isolation here: https://docs.microsoft.com/en-us/azure/security/fundamentals/isolation-choices

In these sub-articles MS mentions VLAN and network isolation: https://docs.microsoft.com/en-us/azure/security/fundamentals/isolation-choices#vlan-isolation

https://docs.microsoft.com/en-us/azure/security/fundamentals/isolation-choices#networking-isolation

Azure deployment has multiple layers of network isolation. The following diagram shows various layers of network isolation Azure provides to customers. These layers are both native in the Azure platform itself and customer-defined features.

Jarnstrom

There is no absolute guarantee to perfect network isolation and privacy.

Although intended and designed to be secure and private, you will be using a shared environment that uses software to create logical boundaries between other customers and your virtual network.

Somebody with access to the physical infrastructure can breach/override such logical separation.

Additionally, there may be now or in the future (currently unknown) flaws in the configuration / code / implementation that might disclose your network data.

———

The overhead to set up and use transport encryption is almost negligible and nowadays best practice is to use that even in private and trusted networks.

Bob