About encryption for Azure ExpressRoute
ExpressRoute supports encryption technologies to ensure the confidentiality and integrity of data between your network and Microsoft's network. By default, traffic over an ExpressRoute connection isn't encrypted.
MACsec (IEEE 802.1AE) encrypts data at the Media Access Control (MAC) level (Network Layer 2). When you connect via ExpressRoute Direct, you can use MACsec to encrypt the physical links between your network devices and Microsoft's network devices. MACsec is disabled on ExpressRoute Direct ports by default. You bring your own key material, a connectivity association key (CAK) and its key name (CKN), and store it as secrets in Azure Key Vault, which ExpressRoute reads through a managed identity you assign to the port. You decide when to rotate the key; Microsoft doesn't rotate it for you.
Is ExpressRoute a trusted Microsoft service for Key Vault?
Yes. ExpressRoute is a trusted Microsoft service, so if you've enabled the Key Vault firewall you can configure the vault to let trusted Microsoft services bypass it instead of opening it to other networks. The bypass only covers the network check; the identity assigned to the port still needs get permission on the secrets. For more information, see Configure Azure Key Vault firewalls and virtual networks.
Can I enable MACsec on ExpressRoute circuits that I get through a connectivity provider?
No. MACsec encrypts all traffic on a physical link with a key owned by one entity (for example, the customer), so it only works when the link is yours. A provider's port carries other customers' circuits as well. Therefore, MACsec is available only on ExpressRoute Direct.
Can I encrypt some ExpressRoute circuits on my ExpressRoute Direct ports and leave others unencrypted?
No. MACsec is applied per link, not per circuit. Once it's enabled on a link, all network control traffic (for example, BGP sessions) and all customer data traffic on that link are encrypted.
Will my on-premises network lose connectivity to Microsoft over ExpressRoute when I enable/disable MACsec or update the MACsec key?
Yes. We support pre-shared key mode only for MACsec, meaning you need to update the key on both your devices and Microsoft's (via our API). This change isn't atomic, so the link is down while the keys at the two ends don't match. We strongly recommend scheduling a maintenance window for the configuration change. To minimize downtime, first shift your traffic to one link of the ExpressRoute Direct pair, update the other link on both sides and confirm it's back up, then repeat for the remaining link.
Does traffic fall back to an unencrypted connection if there's a key mismatch?
No. If MACsec is configured and the keys at the two ends don't match, the link stays down and you lose connectivity to Microsoft over it. Traffic never falls back to an unencrypted connection, so a configuration mistake fails closed rather than silently sending your data in the clear.
Does MACsec affect ExpressRoute performance?
MACsec encryption and decryption occur in hardware on the routers we use, so there's no performance degradation on our side. Check with your network vendor whether MACsec has performance implications on your devices, for example whether it runs in hardware at line rate on the interfaces you plan to use.
Which cipher suites are supported?
We support the following standard ciphers:
- GCM-AES-128
- GCM-AES-256
- GCM-AES-XPN-128
- GCM-AES-XPN-256
The XPN (extended packet numbering) variants use a 64-bit packet number instead of a 32-bit one. That matters on 100-Gbps links, where a 32-bit packet number space can be exhausted in under a minute and would force very frequent rekeying. Use the same suite on both ends, and size the key to match it (128-bit or 256-bit).
Can I set the Secure Channel Identifier (SCI)?
Yes, you can set the Secure Channel Identifier (SCI) on ExpressRoute Direct ports. For more information, see Configure MACsec.
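The whole MACsec workflow described in the answers above (key material in Key Vault, the trusted-service firewall bypass, a least-privilege identity for the port, per-link enablement with cipher and SCI, and a one-link-at-a-time key rotation), as an added Azure PowerShell example. It is not part of this page or of Microsoft's documentation. The resource group, region, port name, vault name, identity name, secret names, operator IP and the generated key values are placeholders; the Az.KeyVault, Az.ManagedServiceIdentity and Az.Network cmdlets are used with the parameter names as I know them, so check them against the linked Configure MACsec article before running.

```powershell
# Added example, not from the ExpressRoute docs. Placeholders: resource group, region,
# port name, vault name, identity name, operator IP. Requires Az.KeyVault,
# Az.ManagedServiceIdentity and Az.Network.
$RG       = "er-direct-rg"
$Location = "westus2"
$PortName = "er-direct-port"
$KvName   = "er-macsec-kv"
$Cipher   = "GcmAesXpn256"    # one of GcmAes128, GcmAes256, GcmAesXpn128, GcmAesXpn256

# Key material is generated here, on the operator workstation, from a CSPRNG.
# The CAK size must match the cipher: 32 hex digits (128-bit) for the *128 suites,
# 64 hex digits (256-bit) for the *256 suites. The CKN is an even-length hex string.
function New-HexKey([int]$HexDigits) {
    $bytes = New-Object byte[] ($HexDigits / 2)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return (($bytes | ForEach-Object { $_.ToString("X2") }) -join "")
}
$cakDigits = if ($Cipher -like "*256") { 64 } else { 32 }

function Set-MacsecSecrets([string]$Suffix) {
    # Store one CKN/CAK pair as two Key Vault secrets; return their versioned identifiers.
    $ckn = Set-AzKeyVaultSecret -VaultName $KvName -Name "macsec-ckn-$Suffix" `
        -SecretValue (ConvertTo-SecureString (New-HexKey 32) -AsPlainText -Force)
    $cak = Set-AzKeyVaultSecret -VaultName $KvName -Name "macsec-cak-$Suffix" `
        -SecretValue (ConvertTo-SecureString (New-HexKey $cakDigits) -AsPlainText -Force)
    return @{ Ckn = $ckn.Id; Cak = $cak.Id }
}

# 1. Vault: deny by default, allow only the operator's egress IP (placeholder) and let
#    trusted Microsoft services, which includes ExpressRoute, bypass the firewall.
New-AzKeyVault -Name $KvName -ResourceGroupName $RG -Location $Location -SoftDeleteRetentionInDays 90 | Out-Null
Update-AzKeyVaultNetworkRuleSet -VaultName $KvName -DefaultAction Deny -Bypass AzureServices `
    -IpAddressRange "203.0.113.10/32"

# 2. The identity the port uses to read the secrets: 'get' on secrets and nothing more.
$umi = New-AzUserAssignedIdentity -Name "er-macsec-id" -ResourceGroupName $RG -Location $Location
Set-AzKeyVaultAccessPolicy -VaultName $KvName -ObjectId $umi.PrincipalId -PermissionsToSecrets get

# 3. First key pair on both links. Do this in a maintenance window: each link is down
#    until the same CKN/CAK is configured on your router for that link.
$v1   = Set-MacsecSecrets "v1"
$port = Get-AzExpressRoutePort -ResourceGroupName $RG -Name $PortName
$port.Identity = New-AzExpressRoutePortIdentity -UserAssignedIdentity $umi.Id
foreach ($link in $port.Links) {
    $link.MacSecConfig.CknSecretIdentifier = $v1.Ckn
    $link.MacSecConfig.CakSecretIdentifier = $v1.Cak
    $link.MacSecConfig.Cipher   = $Cipher
    $link.MacSecConfig.SciState = "Enabled"
    $link.AdminState            = "Enabled"
}
Set-AzExpressRoutePort -ExpressRoutePort $port | Out-Null

# 4. Rotation, one link at a time. Nothing falls back to cleartext, so shift traffic
#    off link N (for example, shut its BGP sessions) before rekeying it.
$v2 = Set-MacsecSecrets "v2"
for ($i = 0; $i -lt $port.Links.Count; $i++) {
    Read-Host "Move traffic off link $i, then press Enter to rekey it on the Microsoft side"
    $port = Get-AzExpressRoutePort -ResourceGroupName $RG -Name $PortName
    $port.Links[$i].MacSecConfig.CknSecretIdentifier = $v2.Ckn
    $port.Links[$i].MacSecConfig.CakSecretIdentifier = $v2.Cak
    Set-AzExpressRoutePort -ExpressRoutePort $port | Out-Null
    Read-Host "Configure the v2 CKN/CAK on your router for link $i, confirm MKA and BGP are up, then press Enter"
}

# 5. Check what is actually applied on each link.
(Get-AzExpressRoutePort -ResourceGroupName $RG -Name $PortName).Links |
    Select-Object Name, AdminState,
        @{ n = "Cipher"; e = { $_.MacSecConfig.Cipher } },
        @{ n = "Sci";    e = { $_.MacSecConfig.SciState } },
        @{ n = "Cak";    e = { $_.MacSecConfig.CakSecretIdentifier } }
```

The secret identifiers written to the link include the secret version, so storing the new key under a new name (or a new version) and only then repointing one link is what makes the rotation reversible: the old secret stays in the vault until you delete it, and a link that fails to come up can be pointed back at it.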
IPsec is an IETF standard that encrypts data at the Internet Protocol (IP) level (Network Layer 3). You can use IPsec to encrypt an end-to-end connection between your on-premises network and your virtual network on Azure.
Can I use MACsec and IPsec together?
Yes. They cover different segments: MACsec secures the physical links between your edge and Microsoft's edge, while IPsec secures the end-to-end path between your on-premises network and your virtual networks on Azure. You can enable them independently.
Can I use IPsec over ExpressRoute?
Yes. If you use Azure Virtual WAN, follow the steps in VPN over ExpressRoute for Virtual WAN to encrypt your end-to-end connection. If you have a regular Azure virtual network, follow Site-to-site VPN connection over private peering to establish an IPsec tunnel between the Azure VPN gateway and your on-premises VPN gateway.
What throughput can I expect with IPsec over ExpressRoute?
IPsec is done by the VPN gateway, so the tunnel's throughput is bounded by the gateway, not by the ExpressRoute circuit. If you use Azure VPN gateway, review these performance numbers to see if they match your expected throughput. If you use a third-party VPN gateway, check with the vendor for their performance numbers.
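The regular-virtual-network case from the two answers above, as an added Azure PowerShell example that is not part of this page or of Microsoft's documentation: a route-based VPN gateway given a private IP so the IPsec tunnel from an on-premises device terminates on it over ExpressRoute private peering, with the IKEv2/IPsec parameters pinned rather than left at defaults. Names, region, address ranges, the on-premises device address and the pre-shared key are placeholders; the Az.Network cmdlets are used with the parameter names as I know them, so verify against the linked site-to-site article before running.

```powershell
# Added example, not from the ExpressRoute docs. Placeholders: names, region, address
# ranges, on-premises device address, pre-shared key. Requires Az.Network.
$RG = "hub-rg"; $Location = "westus2"
$VNetName = "hub-vnet"; $GwName = "hub-vpngw"

# 1. Route-based VPN gateway with a private IP. That private address, not the public one,
#    is what the on-premises device dials; it is reachable over ExpressRoute private peering.
#    The Basic SKU does not support this, hence VpnGw2.
$vnet   = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RG
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$pip    = New-AzPublicIpAddress -Name "$GwName-pip" -ResourceGroupName $RG -Location $Location `
    -AllocationMethod Static -Sku Standard
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf" -SubnetId $subnet.Id -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name $GwName -ResourceGroupName $RG -Location $Location `
    -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw2 `
    -EnablePrivateIpAddress $true

# 2. On-premises side: the VPN device's address as seen over the ExpressRoute path (an RFC 1918
#    address is fine, there is no Internet hop) and the prefixes behind it.
$lng = New-AzLocalNetworkGateway -Name "onprem-vpn" -ResourceGroupName $RG -Location $Location `
    -GatewayIpAddress "10.200.0.1" -AddressPrefix @("10.200.0.0/16")

# 3. Pin the IKEv2/IPsec parameters instead of accepting the gateway defaults: AES-GCM-256 for
#    ESP (authenticated encryption), a 2048-bit DH group for IKE and PFS, 7.5 h SA lifetime.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup14 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS14 -SALifeTimeSeconds 27000

# 4. The connection; then tell it to use the gateway's private IP as the local tunnel endpoint.
#    The PSK is read at the prompt so it never lands in the script or the shell history.
$psk  = Read-Host "Pre-shared key (same value on the on-premises device)"
$conn = New-AzVirtualNetworkGatewayConnection -Name "onprem-over-er" -ResourceGroupName $RG -Location $Location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec -ConnectionProtocol IKEv2 `
    -SharedKey $psk -IpsecPolicies $policy
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn -UseLocalAzureIpAddress $true | Out-Null

# 5. Checks: tunnel state, the private-IP setting, and the policy actually attached.
Get-AzVirtualNetworkGatewayConnection -Name "onprem-over-er" -ResourceGroupName $RG |
    Select-Object ConnectionStatus, UseLocalAzureIpAddress,
        @{ n = "Policy"; e = { $_.IpsecPolicies | ConvertTo-Json -Compress } }
```

Creating the tunnel is only half of it. The virtual network's prefixes are still advertised to on-premises over private peering, so unless on-premises routes those prefixes into the tunnel, and the Azure subnets route on-premises prefixes to the VPN gateway, application traffic keeps taking the direct, unencrypted ExpressRoute path while the tunnel sits idle. Those route changes are covered in the linked site-to-site article.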
For more information about the IPsec configuration, see Configure IPsec.
For more information about the MACsec configuration, see Configure MACsec.