Strict data security and compliance mandates make protecting core data on the cloud critical for business continuity. With negligible performance impact, this feature defends against physical-layer network attacks and host traffic hijacking, meeting the stringent encryption requirements of sensitive scenarios such as financial transactions and medical data transmission.
Overview
The VPC traffic encryption feature is currently in invitational preview. To use this feature, submit a ticket.
VPC traffic encryption uses CIPU hardware offloading and the AES-GCM-256 algorithm to transparently encrypt and decrypt private network traffic between ECS instances. When combined with the centralized key management of the KMS service, this feature protects transmitted data from decryption attacks. The entire process is transparent to your applications and has a sub-microsecond performance impact.
When you enable VPC traffic encryption, the system encrypts all data in transit. If an attacker intercepts data packets through methods like physical network hijacking, the algorithm's computational complexity prevents them from deciphering the original content. This mitigates the risk of sensitive data leakage.
You can use this feature with other security services, such as confidential computing and disk encryption, to achieve end-to-end encryption for your services.
Use cases
VPC traffic encryption provides high-performance, transparent security for data in transit by using CIPU hardware offloading. This makes it suitable for cloud scenarios with strict security and performance requirements, including:
-
High-frequency financial trading: Real-time payment processing and high-frequency trading require strict protection against data tampering and eavesdropping. VPC traffic encryption secures data without impacting network performance, meeting the dual requirements for performance and compliance in the financial industry.
-
Healthcare information management: The transmission of electronic health records and diagnostic data must comply with privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA). VPC traffic encryption protects patient data without affecting the real-time responsiveness of medical systems, thereby reducing the compliance risk of privacy breaches.
Limitations
Region limitations
VPC traffic encryption is being rolled out to more regions. The following table lists the currently supported regions.
|
Region |
Region ID |
|
China (Shanghai) |
cn-shanghai |
|
China (Hong Kong) |
cn-hongkong |
Instance type limitations
-
This feature is supported only on specific instance families, including g9ae, c9ae, r9ae, ebmg9ae, ebmc9ae, and ebmr9ae.
NoteThe supported instance types are in invitational preview. To use them, submit a ticket.
-
VPC traffic encryption is disabled by default on an ECS instance. You can enable or disable this feature when you create an instance or after an instance is created.
-
You can call the DescribeInstanceTypes API operation to check whether an instance type supports this feature. If the feature is supported, the NetworkEncryptionSupport parameter in the response is true. Otherwise, it is false.
-
Changing an instance's type might affect its support for VPC traffic encryption. Verify the support status after changing the type.
Encryption scope limitations
-
Encryption is supported for traffic between ECS instances that are in the same VPC or connected through a VPC peering connection in the same region.
-
Traffic is encrypted only if both instances support this feature and have it enabled. For example, if one of the instances uses an unsupported instance type or has encryption disabled, the traffic between them is not encrypted.
-
Cross-region encryption is not supported. Encryption is also not supported for traffic to and from other cloud services, such as Server Load Balancer (SLB) and NAT Gateway.
Enable or disable VPC traffic encryption
Console
-
Enable or disable when you create an instance
On the instance creation page, you can enable or disable traffic encryption when you select a supported region and instance type.

-
Modify the VPC traffic encryption configuration of an existing instance
You can enable or disable traffic encryption on the instance details page.
Go to ECS console - Instances.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
-
Find the target instance and click its ID to open the Instance Details page. From the All Operations menu, select .
-
In the Modify Instance Properties dialog box, enable or disable VPC traffic encryption.

API
-
When you call the RunInstances operation, you can set the EnableNetworkEncryption parameter in NetworkOptions. Setting the parameter to true enables VPC traffic encryption for the new instance, while setting it to false disables it.
-
You can call the ModifyInstanceAttribute operation to change an instance's VPC traffic encryption setting. Set the EnableNetworkEncryption parameter to true to enable the feature, or false to disable it.
-
You can call the DescribeInstanceAttribute operation to check if VPC traffic encryption is enabled for an instance. The EnableNetworkEncryption parameter in the response returns true if the feature is enabled and false if it is disabled.
Within the supported encryption scope, after you enable VPC traffic encryption for an ECS instance, all private network traffic between applicable instances is automatically encrypted.