
Elastic Compute Service:What is VPC traffic encryption

Last Updated: May 15, 2026

CIPU-based hardware encryption that transparently encrypts private network traffic between supported ECS instances with negligible performance impact.

Overview

Important

VPC traffic encryption is in invitational preview. To use it, submit a ticket.

VPC traffic encryption offloads AES-GCM-256 encryption and decryption to CIPU hardware, so private network traffic between ECS instances is encrypted transparently: the guest OS and applications need no changes and are unaware of it. Keys are managed centrally by KMS over their whole lifecycle. Because the work is done in hardware, the added latency is on the order of microseconds.

After you enable VPC traffic encryption, data in transit between covered instances is encrypted. An attacker who captures packets, even by tapping the physical layer, sees only ciphertext and cannot recover the original content without the key. Because AES-GCM is an authenticated encryption mode, a packet that is modified in transit also fails verification instead of being accepted. This closes off leakage of sensitive information on the wire.

Combine VPC traffic encryption with confidential computing and disk encryption to achieve end-to-end encryption.

Use cases

VPC traffic encryption suits cloud scenarios with strict security and performance requirements, such as:

  • High-frequency financial trading: Real-time payment processing and trading require protection against tampering and eavesdropping. VPC traffic encryption secures data without affecting network performance, meeting financial compliance requirements.

  • Medical health information management: Electronic medical records and diagnostic data must comply with privacy regulations such as HIPAA. VPC traffic encryption protects patient data without affecting medical system responsiveness, reducing privacy compliance risks.

Limitations

Region

VPC traffic encryption is available in the following regions:

Region name        Region ID
China (Shanghai)   cn-shanghai
China (Hong Kong)  cn-hongkong

Instance type

  • Supported on specific instance families: g9ae, c9ae, r9ae, ebmg9ae, ebmc9ae, and ebmr9ae.

    Note

    Supported instance types are in invitational preview. To use them, submit a ticket.

  • VPC traffic encryption is disabled by default. You can enable or disable it when creating or after creating an instance.

  • Call DescribeInstanceTypes to check support. NetworkEncryptionSupport returns true if the instance type supports this feature.

  • Instance type changes may affect VPC traffic encryption support. Confirm compatibility before making changes.

Encryption scope

  • Supports encryption between ECS instances in the same VPC, or in different VPCs in the same region that are connected through a VPC peering connection.

  • Traffic is encrypted only when both instances support and have enabled encryption. If either instance uses an unsupported instance type or has encryption disabled, traffic between them is not encrypted.

  • Cross-region encryption is not supported. Encryption for traffic with other cloud products such as Server Load Balancer (SLB) and NAT Gateway is also not supported.

Enable or disable VPC traffic encryption

Console

  • Enable or disable when creating an instance

    On the instance creation page, select a region and instance type that supports VPC traffic encryption, then enable or disable traffic encryption.


  • Modify VPC traffic encryption for existing instances

    Enable or disable traffic encryption on the ECS instance details page.

    1. Go to ECS console - Instances.

    2. In the upper-left corner of the page, select a region and resource group.

    3. Find an instance that supports VPC traffic encryption and click it to open the instance details page. In All Operations, choose Instance Properties > Modify Instance Properties.

    4. In the Modify Instance Properties dialog box, enable or disable VPC traffic encryption.


API

  • Call RunInstances to create instances with VPC traffic encryption enabled or disabled. Set EnableNetworkEncryption to true or false in NetworkOptions.

  • Call ModifyInstanceAttribute to modify VPC traffic encryption. Set EnableNetworkEncryption to true or false.

  • Call DescribeInstanceAttribute to query VPC traffic encryption status. The returned EnableNetworkEncryption value indicates whether encryption is enabled.

Within the supported encryption scope, after VPC traffic encryption is enabled on both instances, all private network traffic between them is encrypted without exception; individual flows cannot opt out.
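The API and encryption-scope rules above are easy to get wrong in practice, because a pair is silently sent in plaintext unless every condition holds on both ends. The following is an added example (not Alibaba Cloud code) that encodes those rules: the type must report NetworkEncryptionSupport, the instance must have EnableNetworkEncryption, and both endpoints must share a region and be in the same VPC or in peered VPCs. It also builds the RunInstances parameters for a new instance. The instance records, VPC IDs, instance type sizes and peering table are constructed stand-ins for API responses, and the flattened parameter name NetworkOptions.EnableNetworkEncryption is an assumption about how the RPC-style API encodes the nested NetworkOptions object.

```python
"""Audit which ECS instance pairs actually get VPC traffic encryption.

Added example, not Alibaba Cloud's code. Inputs below are constructed stand-ins
for DescribeInstanceTypes / DescribeInstanceAttribute output, not real resources.
"""
from dataclasses import dataclass
from itertools import combinations

# Constructed stand-in for DescribeInstanceTypes: InstanceTypeId -> NetworkEncryptionSupport.
# Sizes are illustrative; the page names the g9ae/c9ae families but no sizes.
INSTANCE_TYPES = {
    "ecs.g9ae.xlarge": True,
    "ecs.c9ae.2xlarge": True,
    "ecs.g8i.xlarge": False,  # assumed: a family outside the supported list
}

# Constructed peering table: pairs of VPC IDs joined by a VPC peering connection.
PEERED_VPCS = {frozenset({"vpc-a", "vpc-b"})}


@dataclass(frozen=True)
class Instance:
    instance_id: str
    instance_type: str
    region_id: str
    vpc_id: str
    enable_network_encryption: bool  # EnableNetworkEncryption from DescribeInstanceAttribute


def type_supports_encryption(instance_type: str) -> bool:
    """NetworkEncryptionSupport for the type; unknown types are treated as unsupported."""
    return INSTANCE_TYPES.get(instance_type, False)


def endpoint_encrypts(inst: Instance) -> bool:
    """An endpoint participates only if its type supports encryption AND the flag is on."""
    return type_supports_encryption(inst.instance_type) and inst.enable_network_encryption


def reachable_in_scope(a: Instance, b: Instance) -> bool:
    """Same region, and same VPC or VPCs connected by a peering connection."""
    if a.region_id != b.region_id:
        return False
    return a.vpc_id == b.vpc_id or frozenset({a.vpc_id, b.vpc_id}) in PEERED_VPCS


def traffic_encrypted(a: Instance, b: Instance) -> bool:
    """True only when every condition holds for both endpoints; otherwise plaintext."""
    return reachable_in_scope(a, b) and endpoint_encrypts(a) and endpoint_encrypts(b)


def why_not(a: Instance, b: Instance) -> str:
    """Reason a pair falls back to plaintext; empty string if it is encrypted."""
    if a.region_id != b.region_id:
        return "cross-region traffic is never encrypted"
    if not reachable_in_scope(a, b):
        return "VPCs are neither the same nor peered"
    for inst in (a, b):
        if not type_supports_encryption(inst.instance_type):
            return f"{inst.instance_id}: type {inst.instance_type} lacks NetworkEncryptionSupport"
        if not inst.enable_network_encryption:
            return f"{inst.instance_id}: EnableNetworkEncryption is false"
    return ""


def audit(instances: list) -> list:
    """Every pair that is in scope but still sends plaintext, with the reason."""
    findings = []
    for a, b in combinations(instances, 2):
        if reachable_in_scope(a, b) and not traffic_encrypted(a, b):
            findings.append((a.instance_id, b.instance_id, why_not(a, b)))
    return findings


def run_instances_params(region_id: str, instance_type: str, enable: bool) -> dict:
    """RunInstances parameters. Assumption: the nested NetworkOptions object is sent
    flattened as 'NetworkOptions.EnableNetworkEncryption'. Refuses to request
    encryption on a type that does not support it."""
    if enable and not type_supports_encryption(instance_type):
        raise ValueError(f"{instance_type} does not support VPC traffic encryption")
    return {
        "RegionId": region_id,
        "InstanceType": instance_type,
        "NetworkOptions.EnableNetworkEncryption": "true" if enable else "false",
    }


# Constructed fleet; instance IDs are invented for the example.
FLEET = [
    Instance("i-app1", "ecs.g9ae.xlarge", "cn-shanghai", "vpc-a", True),
    Instance("i-app2", "ecs.c9ae.2xlarge", "cn-shanghai", "vpc-b", True),  # peered with vpc-a
    Instance("i-db1", "ecs.g9ae.xlarge", "cn-shanghai", "vpc-a", False),   # flag left off
    Instance("i-old1", "ecs.g8i.xlarge", "cn-shanghai", "vpc-a", True),    # unsupported type
    Instance("i-hk1", "ecs.g9ae.xlarge", "cn-hongkong", "vpc-c", True),    # other region
]

if __name__ == "__main__":
    for a_id, b_id, reason in audit(FLEET):
        print(f"PLAINTEXT {a_id} <-> {b_id}: {reason}")
```

In a real deployment, replace INSTANCE_TYPES and FLEET with the DescribeInstanceTypes and DescribeInstanceAttribute responses for your region; the audit then lists every in-scope pair that would still talk in plaintext, which is the condition the page warns about but that nothing on the instance itself reports.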