CIPU-based hardware encryption that auto-encrypts all VPC traffic with zero performance impact.
Overview
VPC traffic encryption is in invitational preview. To use it, submit a ticket.
VPC traffic encryption uses CIPU hardware offloading and the AES-GCM-256 algorithm to transparently encrypt and decrypt private network traffic between ECS instances. KMS manages the key lifecycle centrally, applications need no changes and are unaware that encryption is taking place, and the performance impact is limited to microsecond-level differences.
After you enable VPC traffic encryption, all data in transit is encrypted. Even if attackers intercept data packets through physical-layer hijacking, they cannot recover the original content, because breaking the encryption algorithm is computationally infeasible. This closes off that path to sensitive-information leakage.
Combine VPC traffic encryption with confidential computing and disk encryption to achieve end-to-end encryption.
Use cases
VPC traffic encryption suits cloud scenarios with strict security and performance requirements, such as:
- High-frequency financial trading: Real-time payment processing and trading require protection against tampering and eavesdropping. VPC traffic encryption secures data without affecting network performance, meeting financial compliance requirements.
- Medical health information management: Electronic medical records and diagnostic data must comply with privacy regulations such as HIPAA. VPC traffic encryption protects patient data without affecting medical system responsiveness, reducing privacy compliance risks.
Limitations
Region
VPC traffic encryption is available in the following regions and zones:
| Region name | Region ID |
| --- | --- |
| China (Shanghai) | cn-shanghai |
| China (Hong Kong) | cn-hongkong |
Instance type
- Supported on specific instance families: g9ae, c9ae, r9ae, ebmg9ae, ebmc9ae, and ebmr9ae.
  Note: Supported instance types are in invitational preview. To use them, submit a ticket.
- VPC traffic encryption is disabled by default. You can enable or disable it when creating an instance or after the instance has been created.
- Call DescribeInstanceTypes to check support: the NetworkEncryptionSupport field is true if the instance type supports this feature.
- Changing the instance type may affect VPC traffic encryption support. Confirm compatibility before making changes.
Encryption scope
- Supports encryption between ECS instances within the same VPC, or across VPCs in the same region that are connected through a VPC peering connection.
- Traffic is encrypted only when both instances support encryption and have it enabled. If either instance uses an unsupported instance type or has encryption disabled, traffic between them is not encrypted.
- Cross-region encryption is not supported. Encryption for traffic with other cloud products, such as Server Load Balancer (SLB) and NAT Gateway, is also not supported.
Enable or disable VPC traffic encryption
Console
- Enable or disable when creating an instance
  On the instance creation page, select a region and an instance type that supports VPC traffic encryption, then enable or disable traffic encryption.
- Modify VPC traffic encryption for existing instances
  Enable or disable traffic encryption on the ECS instance details page:
  - Go to ECS console - Instances.
  - In the upper-left corner of the page, select a region and resource group.
  - Find the instance that supports VPC traffic encryption, click to go to the instance details page, and in All Operations, select .
  - In the Modify Instance Properties dialog box, enable or disable VPC traffic encryption.
API
- Call RunInstances to create instances with VPC traffic encryption enabled or disabled. Set EnableNetworkEncryption to true or false in NetworkOptions.
- Call ModifyInstanceAttribute to modify VPC traffic encryption on an existing instance. Set EnableNetworkEncryption to true or false.
- Call DescribeInstanceAttribute to query the VPC traffic encryption status. The returned EnableNetworkEncryption value indicates whether encryption is enabled.
Once VPC traffic encryption is enabled, all private network traffic between instances within the supported encryption scope is encrypted unconditionally.
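Because traffic is only encrypted when both endpoints are in scope, supported and enabled, an inventory audit is the practical check. The following Python audit is an added example, not code from the original page or from Alibaba Cloud's SDK: it applies the encryption-scope rules above to constructed data that uses only the field names the page documents (NetworkEncryptionSupport from DescribeInstanceTypes, EnableNetworkEncryption from DescribeInstanceAttribute); the dict layouts, instance IDs, instance type names and peering list are assumptions standing in for real API responses.

```python
from itertools import combinations

# Constructed sample data built around the field names the page documents:
# NetworkEncryptionSupport (DescribeInstanceTypes) and EnableNetworkEncryption
# (DescribeInstanceAttribute). The dict layouts and IDs are assumptions, not the
# real API response structure.
INSTANCE_TYPES = {
    "ecs.g9ae.xlarge": {"NetworkEncryptionSupport": True},
    "ecs.c9ae.xlarge": {"NetworkEncryptionSupport": True},
    "ecs.g7.xlarge": {"NetworkEncryptionSupport": False},  # no CIPU encryption
}
INSTANCES = {  # InstanceId -> attributes (constructed)
    "i-app01": dict(InstanceType="ecs.g9ae.xlarge", RegionId="cn-shanghai", VpcId="vpc-a", EnableNetworkEncryption=True),
    "i-app02": dict(InstanceType="ecs.c9ae.xlarge", RegionId="cn-shanghai", VpcId="vpc-a", EnableNetworkEncryption=True),
    "i-app03": dict(InstanceType="ecs.g9ae.xlarge", RegionId="cn-shanghai", VpcId="vpc-a", EnableNetworkEncryption=False),
    "i-db01": dict(InstanceType="ecs.g9ae.xlarge", RegionId="cn-shanghai", VpcId="vpc-b", EnableNetworkEncryption=True),
    "i-legacy": dict(InstanceType="ecs.g7.xlarge", RegionId="cn-shanghai", VpcId="vpc-a", EnableNetworkEncryption=False),
    "i-hk01": dict(InstanceType="ecs.g9ae.xlarge", RegionId="cn-hongkong", VpcId="vpc-c", EnableNetworkEncryption=True),
}
PEERED_VPCS = {frozenset({"vpc-a", "vpc-b"})}  # constructed peering connections


def pair_status(id_a, id_b, instances=INSTANCES, types=INSTANCE_TYPES, peered=PEERED_VPCS):
    """Return 'encrypted', or the first reason traffic between the two instances
    travels in the clear. Checks follow the page's scope rules in order: same
    region, same or peered VPC, both instance types supported, both sides enabled."""
    a, b = instances[id_a], instances[id_b]
    if a["RegionId"] != b["RegionId"]:
        return "out of scope: cross-region traffic is not encrypted"
    if a["VpcId"] != b["VpcId"] and frozenset({a["VpcId"], b["VpcId"]}) not in peered:
        return "out of scope: VPCs are neither the same nor peered"
    for iid, inst in ((id_a, a), (id_b, b)):
        if not types.get(inst["InstanceType"], {}).get("NetworkEncryptionSupport", False):
            return f"unsupported instance type {inst['InstanceType']} on {iid}"
    for iid, inst in ((id_a, a), (id_b, b)):
        if not inst["EnableNetworkEncryption"]:
            return f"EnableNetworkEncryption is false on {iid}"
    return "encrypted"


def unencrypted_pairs(instances=INSTANCES):
    """List every instance pair whose private traffic would not be encrypted, with the reason."""
    return sorted((x, y, pair_status(x, y, instances))
                  for x, y in combinations(sorted(instances), 2)
                  if pair_status(x, y, instances) != "encrypted")


if __name__ == "__main__":
    for x, y, why in unencrypted_pairs():
        print(f"{x} <-> {y}: {why}")
```

Feed the function real DescribeInstanceTypes and DescribeInstanceAttribute results, plus your peering inventory, and every reported pair is a flow that still needs an instance type change or an EnableNetworkEncryption fix.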