How safe is ExpressRoute Circuit over ExpressRouteDirect with MACSec enabled?

Dimitri 50 Reputation points

HI Community,

I have a question about ExpressRoute Circuit over ExpressRouteDirect with MACSec enabled. 

I wanted to use ExpressRoute Direct from Copenhagen secured with MACSec. The issue is, that in Copenhagen, there is no Compute from Microsoft, but only the network edge and the data would be transported to West Europe, where it is now, over MS-backbone. 

So, we have an encryption only on a physical link between my HW and MS-Edge-node in Copenhagen. The question is how Microsoft makes sure, that the traffic is transported secured till the VNET over ExpressRoute circuit from Copenhagen till Amsterdam(West Europe Region)? Over IPSec I can be sure, that the decryption is in my VNET, but on MACSec not.

I'm facing different performance and load balancing issues over multiple IPSec tunnel in my ExpressRoute Circuit (yes, different SKUs of GWs were used already), this is why I wanted to know, whether ExpressRoute Direct with MACSec would resolve my issues.

Thank you in advance for your answers/suggestions.

Azure ExpressRoute
Azure ExpressRoute
An Azure service that provides private connections between Azure datacenters and infrastructure, either on premises or in a colocation environment.
268 questions
{count} votes

Accepted answer
  1. GitaraniSharma-MSFT 42,506 Reputation points Microsoft Employee

    Hello @Dimitri ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know how safe ExpressRoute Circuit is over ExpressRoute Direct with MACSec enabled.

    As mentioned in the ExpressRoute encryption FAQs,

    MACsec encrypts data at the Media Access control (MAC) level or Network Layer 2. You can use MACsec to encrypt the physical links between your network devices and Microsoft's network devices when you connect to Microsoft via ExpressRoute Direct.

    Once MACsec is enabled all network control traffic, for example, the BGP data traffic, and customer data traffic are encrypted.

    However, if you would like to secure the end-to-end connection between your on-premises and your virtual networks on Azure, then you can enable IPsec in addition to MACsec on your ExpressRoute Direct ports.

    MACsec secures the physical connections between you and Microsoft. IPsec secures the end-to-end connection between you and your virtual networks on Azure. You can enable them independently.

    MACsec encryption and decryption occur in hardware on the routers we use. There's no performance degradation on our side. However, you should check with the network vendor for the devices you use and see if MACsec has any performance implication.


    Additional information on Encryption in Azure:

    Whenever Azure customer traffic moves between datacenters, Microsoft applies a MACsec data-link layer encryption. This encryption is implemented to secure the traffic outside physical boundaries not controlled by Microsoft or on behalf of Microsoft. This method is applied from point-to-point across the underlying network hardware and is applicable to virtual network peering traffic. This MACsec encryption is on by default for all Azure traffic traveling within a region or between regions, and no action is required on customers’ part to enable.


    If you want to make sure that the traffic between your on-premises to Azure is encrypted end-to-end, then you can use IPSec VPN, ExR MACsec or IPsec tunnels over ExpressRoute private peering (as mentioned above).

    And recently Azure introduced a feature called Azure Virtual Network encryption which allows you to seamlessly encrypt and decrypt traffic between Azure Virtual Machines. Virtual network encryption enables you to encrypt traffic between Virtual Machines and Virtual Machines Scale Sets within the same virtual network. It also encrypts traffic between regionally and globally peered virtual networks. Virtual network encryption enhances existing encryption in transit capabilities in Azure.


    For a more detailed understanding of Encryption requirements and flows, please refer the below doc:

    If you've a particular question regarding the encryption mechanism, please let me know and I'll discuss the same with the ExpressRoute Product Group team to provide an answer for same.

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful