
Elastic Compute Service:VPC traffic encryption

Last Updated:Sep 11, 2025

Driven by strict data security compliance requirements, the protection of core data for cloud users has become a critical component of business continuity assurance. Virtual private cloud (VPC) traffic encryption, based on Cloud Infrastructure Processing Unit (CIPU) hardware encryption offloading technology, implements automatic encryption of all traffic at the network protocol stack's lower layer through dedicated chips. It effectively defends against physical layer network attacks and host traffic hijacking while ensuring no performance loss for business operations. This meets high-strength encryption security requirements for sensitive scenarios such as financial transactions and medical data transmission.

What is VPC traffic encryption

Important

The VPC traffic encryption feature is currently in invitational preview. To use it, please submit a ticket to request access.

VPC traffic encryption leverages CIPU hardware offloading and uses the AES-GCM-256 algorithm to transparently and automatically encrypt and decrypt private network traffic between ECS instances. Combined with centralized key lifecycle management from Key Management Service (KMS), it ensures that intercepted data cannot be decrypted by an attacker, while the application itself is unaware of the encryption. The latency added by encryption is at most on the order of microseconds.

After VPC traffic encryption is enabled, data in transit is protected with strong encryption for the whole path between the two instances. Even if an attacker intercepts packets through physical-layer network hijacking or other means, the original content cannot be recovered, because the encryption algorithm makes decryption without the key computationally infeasible. This closes off the risk of sensitive information leaking from the wire.

You can further combine this with related security capabilities such as confidential computing and disk encryption to implement end-to-end encryption for your business.

Use cases

VPC traffic encryption uses chip-level capabilities to achieve high-performance, zero-awareness transmission security. It is suitable for various cloud scenarios that have strict security and performance requirements, such as financial transactions and medical data transmission:

  • High-frequency financial trading: High-frequency financial trading and real-time payment processing require strict protection against tampering and eavesdropping. VPC traffic encryption ensures data security without affecting network performance, meeting both performance and compliance requirements for financial business operations.

  • Medical health information management: Electronic medical records and diagnostic data transmission must comply with privacy regulations such as HIPAA. VPC traffic encryption protects patient data without affecting the real-time response of medical systems, reducing compliance risks related to privacy leakage.

Limits

Region

The VPC traffic encryption feature is being gradually made available. The following are the currently supported regions and zones:

Region name        Region ID     Zone name   Zone ID
China (Beijing)    cn-beijing    Zone I      cn-beijing-i
China (Shanghai)   cn-shanghai   Zone L      cn-shanghai-l

Instance type

  • Currently supported on specific instance families, including g9ae, c9ae, r9ae, ebmg9ae, ebmc9ae, and ebmr9ae.

    Note

    Supported instance types are in invitational preview. To use them, please submit a ticket to request access.

  • VPC traffic encryption is disabled by default for ECS instances. You can enable/disable it when creating an instance or after the instance is created.

  • You can call the DescribeInstanceTypes API to check whether an instance type supports this feature. The NetworkEncryptionSupport field in the response is true if the instance type supports VPC traffic encryption and false if it does not.

  • Instance type changes may affect VPC traffic encryption support. Please confirm before making changes.

Encryption scope

  • Encryption is currently supported only for traffic between ECS instances in the same VPC, or between instances in different VPCs in the same region that are connected through a VPC peering connection.

  • Traffic is encrypted only when both instances support and have encryption enabled (for example, if one instance uses an unsupported instance type or has encryption disabled, the traffic between them will not be encrypted).

  • Cross-region encryption is not currently supported. Encryption for communication with other cloud products such as Server Load Balancer (SLB) and NAT Gateway is also not supported.

Enable or disable VPC traffic encryption

Console

  • Enable or disable when creating an instance

    On the instance creation page, when you select a region and instance type that supports VPC traffic encryption, you can choose to enable or disable traffic encryption.


  • Modify VPC traffic encryption configuration for existing instances

    After an instance is created, you can enable or disable traffic encryption on the ECS instance details page.

    1. Go to ECS console - Instance.

    2. In the top navigation bar, select the region and resource group of the resource that you want to manage.

    3. Find an existing instance whose instance type supports VPC traffic encryption, click its ID to open the instance details page, and in All Actions choose Instance Attributes > Modify Instance Attributes.

    4. In the Modify Instance Attributes dialog box, enable or disable VPC traffic encryption according to your needs.


API

  • You can call the RunInstances operation to create instances with VPC traffic encryption enabled or disabled. Set EnableNetworkEncryption to true or false in the NetworkOptions configuration.

  • You can call the ModifyInstanceAttribute operation to modify an instance's VPC traffic encryption configuration. Set the parameter EnableNetworkEncryption to true or false to enable or disable traffic encryption.

  • You can call the DescribeInstanceAttribute operation to query an instance's VPC traffic encryption configuration. The returned EnableNetworkEncryption value confirms whether VPC traffic encryption is enabled for the specified instance.

Within the supported encryption scope, after VPC traffic encryption is enabled for an ECS instance, all private network traffic between instances will be forcibly encrypted.
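Because encryption only takes effect when every condition above holds for both endpoints (supported instance type, EnableNetworkEncryption set, same region, same or peered VPC), it is worth auditing instance pairs rather than trusting a single flag. The script below is an added example, not Alibaba Cloud's own code: it applies this page's rules to DescribeInstanceTypes and DescribeInstanceAttribute responses. The response nesting, the top-level placement of EnableNetworkEncryption, the instance and VPC IDs, and the peering inventory are all assumptions or constructed sample data; only the field names NetworkEncryptionSupport and EnableNetworkEncryption come from this page, so adapt the two extractor functions to the payloads your account actually returns.

```python
"""Audit which ECS instance pairs actually have their private traffic encrypted.

Added example, not Alibaba Cloud's own code. It applies the rules stated on
this page (both instance types must support encryption, both instances must
have EnableNetworkEncryption set, same region, same VPC or a peered VPC) to
API responses. The response nesting below is an assumption modelled on the
field names the page gives; adjust the extractor functions to your payloads.
"""
from dataclasses import dataclass, field
from itertools import combinations

# Constructed sample: the subset of a DescribeInstanceTypes response we need.
SAMPLE_INSTANCE_TYPES_RESP = {
    "InstanceTypes": {
        "InstanceType": [
            {"InstanceTypeId": "ecs.g9ae.large", "NetworkEncryptionSupport": True},
            {"InstanceTypeId": "ecs.g7.large", "NetworkEncryptionSupport": False},
        ]
    }
}

# Constructed sample: one trimmed DescribeInstanceAttribute response per instance.
# Instance IDs, VPC IDs and the placement of EnableNetworkEncryption are assumptions.
SAMPLE_INSTANCE_RESPS = [
    {"InstanceId": "i-example-a", "RegionId": "cn-beijing", "InstanceType": "ecs.g9ae.large",
     "VpcAttributes": {"VpcId": "vpc-example-1"}, "EnableNetworkEncryption": True},
    {"InstanceId": "i-example-b", "RegionId": "cn-beijing", "InstanceType": "ecs.g9ae.large",
     "VpcAttributes": {"VpcId": "vpc-example-1"}, "EnableNetworkEncryption": True},
    {"InstanceId": "i-example-c", "RegionId": "cn-beijing", "InstanceType": "ecs.g7.large",
     "VpcAttributes": {"VpcId": "vpc-example-1"}, "EnableNetworkEncryption": False},
    {"InstanceId": "i-example-d", "RegionId": "cn-beijing", "InstanceType": "ecs.g9ae.large",
     "VpcAttributes": {"VpcId": "vpc-example-2"}, "EnableNetworkEncryption": False},
    {"InstanceId": "i-example-e", "RegionId": "cn-shanghai", "InstanceType": "ecs.g9ae.large",
     "VpcAttributes": {"VpcId": "vpc-example-3"}, "EnableNetworkEncryption": True},
]

# Constructed sample: VPC peering connections, taken from your own VPC inventory.
SAMPLE_PEERINGS = {frozenset({"vpc-example-1", "vpc-example-2"})}


@dataclass
class Verdict:
    encrypted: bool
    reasons: list = field(default_factory=list)


def type_support_map(resp):
    """InstanceTypeId -> whether DescribeInstanceTypes reports NetworkEncryptionSupport."""
    return {t["InstanceTypeId"]: bool(t.get("NetworkEncryptionSupport", False))
            for t in resp["InstanceTypes"]["InstanceType"]}


def instance_view(resp):
    """Reduce one DescribeInstanceAttribute response to the fields the audit needs."""
    return {
        "id": resp["InstanceId"],
        "region": resp["RegionId"],
        "type": resp["InstanceType"],
        "vpc": resp["VpcAttributes"]["VpcId"],
        "enabled": bool(resp.get("EnableNetworkEncryption", False)),
    }


def traffic_encrypted(a, b, type_support, peerings):
    """Decide whether private traffic between instances a and b is encrypted.

    Every rule on the page must hold; each failing rule is recorded so the
    operator knows what to fix (change instance type, enable the flag, or
    accept that the path is outside the encryption scope).
    """
    reasons = []
    for inst in (a, b):
        if not type_support.get(inst["type"], False):
            reasons.append(f"{inst['id']}: instance type {inst['type']} "
                           "does not support VPC traffic encryption")
        elif not inst["enabled"]:
            reasons.append(f"{inst['id']}: EnableNetworkEncryption is false")
    if a["region"] != b["region"]:
        reasons.append("cross-region traffic is outside the encryption scope")
    elif a["vpc"] != b["vpc"] and frozenset({a["vpc"], b["vpc"]}) not in peerings:
        reasons.append("different VPCs with no peering connection between them")
    return Verdict(encrypted=not reasons, reasons=reasons)


def audit(instance_resps, types_resp, peerings):
    """Verdict for every instance pair, keyed by (id_a, id_b) in input order."""
    support = type_support_map(types_resp)
    views = [instance_view(r) for r in instance_resps]
    return {(a["id"], b["id"]): traffic_encrypted(a, b, support, peerings)
            for a, b in combinations(views, 2)}


def audit_sample():
    """Run the audit over the constructed sample data above."""
    return audit(SAMPLE_INSTANCE_RESPS, SAMPLE_INSTANCE_TYPES_RESP, SAMPLE_PEERINGS)


if __name__ == "__main__":
    for (x, y), v in audit_sample().items():
        status = "encrypted" if v.encrypted else "NOT encrypted: " + "; ".join(v.reasons)
        print(f"{x} <-> {y}: {status}")
```

In the sample, only the a/b pair comes out encrypted: c fails on instance type, d on the disabled flag (its VPC peering alone is not enough), and e on region. Feeding the script the real responses for a workload's instances gives a per-pair list of exactly which condition breaks the encryption guarantee, which is the check to run after an instance type change, as the Limits section advises.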