HTTPS for internal cluster communication?

Are there sufficient benefits in using HTTPS (instead of HTTP) for all internal cluster communication between microservices?

I’m using Azure Kubernetes Service. Single tenant, nothing exotic.

The only obvious threat this avoids is someone who compromises Azure Kubernetes Service itself. (The docs say: “Nodes are deployed into a private virtual network subnet, with no public IP addresses assigned.”)

But if this happens, we seem pretty doomed anyway. And a downside of using HTTPS: it adds some complexity.

Upon further research, it seems HTTP should suffice for my purposes. HTTPS would protect against attackers who can break Microsoft’s private virtual network model.

Azure Kubernetes Service seems to guarantee “a private virtual network subnet, with no public IP addresses assigned”, but that private network isn’t encrypted. It is “private and isolated”.

Sources:

  1. “Nodes are deployed into a private virtual network subnet, with no public IP addresses assigned.”

  2. “Q: Is VNet peering traffic encrypted?
     A: No. Traffic between resources in peered VNets is private and isolated. It remains completely on the Microsoft Backbone.”
     (This is about peering between different virtual networks, but I see no guarantees about traffic within one virtual network’s subnet. So I’ll assume it’s probably the same.)

  3. “Network traffic between peered virtual networks is private. Traffic between the virtual networks is kept on the Microsoft backbone network. No public Internet, gateways, or encryption is required in the communication between the virtual networks.”
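The question weighs the complexity of HTTPS against what it buys inside a subnet that is "private and isolated" but not encrypted. The added example below is not from the question or from Azure; it is a self-contained Go program (standard library only) that stands up a mutual-TLS "payments" service on loopback and calls it from three clients: an "orders" service holding a certificate from the cluster's own CA, an anonymous client, and a client whose certificate chains to an unrelated CA. The service names, the in-memory CA and the loopback address are all assumptions made for the demo. It shows that in-cluster TLS with client certificates adds peer authentication on top of encryption: any workload that can reach the subnet still cannot talk to the service unless it presents a certificate the cluster CA issued, which is the control a compromised node or pod on the same network would otherwise bypass.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"time"
)

// issueCert returns a fresh P-256 key and a certificate for cn. With parent == nil the
// certificate is self-signed (a CA); otherwise it is signed by parent/parentKey.
// Every cert carries an IP SAN for 127.0.0.1 because the demo server listens there.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// DemoResult records what each caller observed.
type DemoResult struct {
	Status   int    // HTTP status seen by the client holding a cluster-CA-issued cert
	Body     string // response body; the server echoes the authenticated peer name
	AnonErr  error  // error seen by a client presenting no certificate
	RogueErr error  // error seen by a client whose cert chains to an untrusted CA
}

// clientFor builds an HTTPS client that trusts pool and optionally presents cert/key.
func clientFor(pool *x509.CertPool, cert *x509.Certificate, key *ecdsa.PrivateKey) *http.Client {
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
}

// RunDemo stands up an mTLS "payments" service on loopback (hypothetical names) and
// exercises it with a legitimate "orders" service, an anonymous client, and a rogue client.
func RunDemo() (DemoResult, error) {
	var res DemoResult
	ca, caKey, err := issueCert("cluster-internal-ca", true, nil, nil)
	if err != nil {
		return res, err
	}
	srvCert, srvKey, err := issueCert("payments.svc", false, ca, caKey)
	if err != nil {
		return res, err
	}
	cliCert, cliKey, err := issueCert("orders.svc", false, ca, caKey)
	if err != nil {
		return res, err
	}
	rogueCA, rogueCAKey, err := issueCert("rogue-ca", true, nil, nil) // a CA the cluster never trusted
	if err != nil {
		return res, err
	}
	rogueCert, rogueKey, err := issueCert("rogue.svc", false, rogueCA, rogueCAKey)
	if err != nil {
		return res, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)

	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // peers must prove a cluster-CA identity
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return res, err
	}
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The TLS layer already verified the chain, so the CN is an authenticated identity.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	})}
	go srv.Serve(ln)
	defer srv.Close()
	url := "https://" + ln.Addr().String()

	resp, err := clientFor(pool, cliCert, cliKey).Get(url)
	if err != nil {
		return res, err
	}
	body, err := io.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil {
		return res, err
	}
	res.Status, res.Body = resp.StatusCode, string(body)

	if r, err := clientFor(pool, nil, nil).Get(url); err != nil {
		res.AnonErr = err
	} else {
		r.Body.Close()
	}
	if r, err := clientFor(pool, rogueCert, rogueKey).Get(url); err != nil {
		res.RogueErr = err
	} else {
		r.Body.Close()
	}
	return res, nil
}

func main() {
	res, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("orders.svc -> %d %q\nanonymous  -> %v\nrogue CA   -> %v\n", res.Status, res.Body, res.AnonErr, res.RogueErr)
}
```

In a real cluster the CA and per-service certificates would come from a workload identity system or a service mesh rather than being generated in-process; the point of the demo is the server-side `ClientAuth: tls.RequireAndVerifyClientCert` setting, which turns transport encryption into a per-request authorization check that plain HTTP on a private subnet cannot provide.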