If it ends up in azure, even though it'll be in a "private" VM running inside docker compose with no ports exposed... I don't trust Microsoft. So I guess I'm being extra paranoid enabling SSL between the elastic containers, but it is also the default.

Odds are low I actually need to fuck with the security at this point and could have everything open. But screw sunk cost fallacy. I'm all in now. 

 That makes sense.  Although, couldn't Microsoft just tamper with the VM?