[sneak]

People don't "need" to do that, and many don't. They are aided by the false assertions of jackass vendors like this that make false claims further reinforcing their mistaken beliefs.

The configuration overhead of OpenVPN on an internal network like this is lunacy. The correct answer is a secure L2 network... a private one.

Your VM vendor has access to your host ram. Encrypting isn't going to protect you from them. The threat model here is other customers, which are trivial to partition. They just didn't do it.