Always Encrypted feature in SQL server is a client side encryption technology, meaning it will encrypt the data in the driver of your client application. This means the data will be encrypted on the network between the client and SQL server, it is encrypted in the memory of SQL server and it is encrypted on disk. If implemented correctly, it can also protect the data from an intruder that gains admin privileges on SQL server (basically you will have to ensure that the encryption key is not stored on SQL Server and the intruder cannot get access to the encryption keys in any manner). I explain how to do this and the security guaranty provided by Always Encrypted here, in some detail. However, since SQL server cannot decrypt the data, there are some limitations on what operations you can perform on encrypted data. You can read more about those limitations here. You can learn more about always encrypted here.

Encrypting your data in transit should be handled by SSL/TLS.

See: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-security-overview

Emphasis mine:

All connections to Azure SQL Database require encryption (SSL/TLS) at all times while data is "in transit" to and from the database. In your application's connection string, you must specify parameters to encrypt the connection and not to trust the server certificate (this is done for you if you copy your connection string out of the Azure Classic Portal), otherwise the connection will not verify the identity of the server and will be susceptible to "man-in-the-middle" attacks. For the ADO.NET driver, for instance, these connection string parameters are Encrypt=True and TrustServerCertificate=False.