IT-DRAFTS
September 18, 2025

WireGuard in AKS: Microsoft Finally Gets Serious About In-Transit Encryption

Alright folks, let’s cut through the PR fluff. Microsoft just dropped WireGuard in-transit encryption for AKS (yep, still Public Preview), and it’s actually worth paying attention to.

What’s the Deal?

AKS now supports WireGuard-based encryption between pods that live on different nodes. This is baked into Azure CNI with Cilium, so you don’t need to duct-tape VPNs or babysit key managers yourself.

  • Each node spins up a cilium_wg0 interface.

  • Keys are generated automatically, rotated every 120 seconds.

  • Cilium handles the key exchange (via CiliumNode resources).

  • Apps don’t notice anything. No code changes, no YAML sorcery.

Sounds neat, right?

What Gets Encrypted (and What Doesn’t)

✅ Covered:

  • Pod-to-pod traffic when pods sit on different nodes.

❌ Not Covered:

  • Pod traffic inside the same node.

  • Traffic generated by the node itself.

Translation: Microsoft is encrypting the “dangerous” part (east-west across nodes) but not going all-in. You’ll still want TLS or app-level encryption for truly sensitive workloads.
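To make the coverage gap above concrete, here is an added defender's check (my own example, not code from the post, Microsoft or the Cilium project) that reads the CiliumNode and pod listings and buckets each pod pair as same-node (never covered by this feature), cross-node with WireGuard peer keys on both ends, or cross-node where a node advertises no key. It assumes the annotation name `network.cilium.io/wg-pub-key` for the per-node WireGuard public key and uses constructed sample JSON in place of live `kubectl` output.

```python
import json
from itertools import combinations

# Annotation in which Cilium publishes each node's WireGuard public key
# (name assumed here; confirm with `kubectl get ciliumnode <node> -o yaml`).
WG_PUBKEY_ANNOTATION = "network.cilium.io/wg-pub-key"

# Constructed sample of `kubectl get ciliumnodes -o json` (fake keys, one node without one).
CILIUM_NODES_JSON = """{"items": [
 {"metadata": {"name": "aks-np-0", "annotations": {"network.cilium.io/wg-pub-key": "FAKEKEY-A="}}},
 {"metadata": {"name": "aks-np-1", "annotations": {"network.cilium.io/wg-pub-key": "FAKEKEY-B="}}},
 {"metadata": {"name": "aks-np-2", "annotations": {}}}
]}"""

# Constructed sample of `kubectl get pods -A -o json`, trimmed to the fields used.
PODS_JSON = """{"items": [
 {"metadata": {"namespace": "pay", "name": "api-0"}, "spec": {"nodeName": "aks-np-0"}},
 {"metadata": {"namespace": "pay", "name": "api-1"}, "spec": {"nodeName": "aks-np-0"}},
 {"metadata": {"namespace": "pay", "name": "db-0"}, "spec": {"nodeName": "aks-np-1"}},
 {"metadata": {"namespace": "pay", "name": "cache-0"}, "spec": {"nodeName": "aks-np-2"}}
]}"""


def nodes_with_wg_key(cilium_nodes_json):
    """Map node name -> WireGuard public key for nodes that publish one."""
    keyed = {}
    for node in json.loads(cilium_nodes_json)["items"]:
        key = node["metadata"].get("annotations", {}).get(WG_PUBKEY_ANNOTATION)
        if key:
            keyed[node["metadata"]["name"]] = key
    return keyed


def classify_pod_paths(pods_json, cilium_nodes_json):
    """Bucket every pod pair by whether the WireGuard preview covers its traffic."""
    keyed = nodes_with_wg_key(cilium_nodes_json)
    pods = [(f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}', p["spec"].get("nodeName"))
            for p in json.loads(pods_json)["items"]]
    result = {"same_node_plaintext": [], "cross_node_encrypted": [], "cross_node_unverified": []}
    for (pod_a, node_a), (pod_b, node_b) in combinations(sorted(pods), 2):
        pair = (pod_a, pod_b)
        if node_a == node_b:                       # same node: not encrypted by this feature
            result["same_node_plaintext"].append(pair)
        elif node_a in keyed and node_b in keyed:  # both ends advertise a WireGuard peer key
            result["cross_node_encrypted"].append(pair)
        else:                                      # a node advertises no key: investigate
            result["cross_node_unverified"].append(pair)
    return result
```

Run `classify_pod_paths(PODS_JSON, CILIUM_NODES_JSON)` against your own `kubectl` dumps; anything in `same_node_plaintext` is exactly the traffic the post says still needs TLS or app-level encryption.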

Why This Is a Win

  1. Dead simple enablement – flip a flag during cluster create or update.

  2. Automatic key rotation – less room for human screw-ups.

  3. No app impact – developers keep coding, ops gets security.

  4. Integrated – no bolted-on VPNs or third-party hacks.

The Catch (Because There Always Is)

  • Preview status: expect bugs, missing docs, random sharp edges.

  • Not universal encryption: same-node pod traffic still travels in the clear.

  • Performance overhead: WireGuard is lightweight, but it’s still CPU work. Your shiny clusters won’t run on fairy dust.

  • Compare with VNet Encryption:

    Feature       | WireGuard (AKS)               | VNet Encryption
    Coverage      | Pod-to-pod, cross-node only   | All VNet traffic
    Requirements  | Works everywhere              | Specific Gen2 VMs, HW reqs
    Performance   | Software-based, moderate load | HW-accelerated, lower cost
    Flexibility   | Hybrid / cross-cloud friendly | Azure-only

When You Should Care

Use this if:

  • You’re running regulated workloads that need east-west encryption (finance, healthcare, gov).

  • VNet Encryption is overkill, unavailable, or just too damn expensive.

  • You don’t want to hand-roll VPNs or micromanage TLS everywhere.

Probably less useful if:

  • Most of your traffic stays within one node.

  • You already run TLS everywhere and don’t need another layer.

  • You’re chasing every last CPU cycle for performance.

My Take

This isn’t a revolution, but it’s a solid step forward. WireGuard is clean, fast, and battle-tested. Microsoft adding it to AKS networking is overdue, but welcome.

Don’t mistake it for a silver bullet — you’ll still need a layered defense strategy. But if you care about pod-to-pod traffic security and you don’t want to reinvent the wheel, this preview deserves a look.

And hey, automatic key rotation every 2 minutes? That’s Microsoft finally flexing in the right direction.

Bottom line: AKS finally speaks WireGuard. Try it, test it, break it — but don’t run it in production without a parachute.

rgds,

Alex
