Hello @Dimitri ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know how safe ExpressRoute Circuit is over ExpressRoute Direct with MACSec enabled.
As mentioned in the ExpressRoute encryption FAQs,
MACsec encrypts data at the Media Access control (MAC) level or Network Layer 2. You can use MACsec to encrypt the physical links between your network devices and Microsoft's network devices when you connect to Microsoft via ExpressRoute Direct.
Once MACsec is enabled all network control traffic, for example, the BGP data traffic, and customer data traffic are encrypted.
However, if you would like to secure the end-to-end connection between your on-premises and your virtual networks on Azure, then you can enable IPsec in addition to MACsec on your ExpressRoute Direct ports.
MACsec secures the physical connections between you and Microsoft. IPsec secures the end-to-end connection between you and your virtual networks on Azure. You can enable them independently.
MACsec encryption and decryption occur in hardware on the routers we use. There's no performance degradation on our side. However, you should check with the network vendor for the devices you use and see if MACsec has any performance implication.
Refer: https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-encryption
Additional information on Encryption in Azure:
Whenever Azure customer traffic moves between datacenters, Microsoft applies a MACsec data-link layer encryption. This encryption is implemented to secure the traffic outside physical boundaries not controlled by Microsoft or on behalf of Microsoft. This method is applied from point-to-point across the underlying network hardware and is applicable to virtual network peering traffic. This MACsec encryption is on by default for all Azure traffic traveling within a region or between regions, and no action is required on customers’ part to enable.
https://learn.microsoft.com/en-us/azure/security/fundamentals/double-encryption
If you want to make sure that the traffic between your on-premises to Azure is encrypted end-to-end, then you can use IPSec VPN, ExR MACsec or IPsec tunnels over ExpressRoute private peering (as mentioned above).
And recently Azure introduced a feature called Azure Virtual Network encryption which allows you to seamlessly encrypt and decrypt traffic between Azure Virtual Machines. Virtual network encryption enables you to encrypt traffic between Virtual Machines and Virtual Machines Scale Sets within the same virtual network. It also encrypts traffic between regionally and globally peered virtual networks. Virtual network encryption enhances existing encryption in transit capabilities in Azure.
Refer: https://azure.microsoft.com/en-us/updates/public-preview-azure-virtual-network-encryption-2/
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-encryption-overview
For a more detailed understanding of Encryption requirements and flows, please refer the below doc:
If you've a particular question regarding the encryption mechanism, please let me know and I'll discuss the same with the ExpressRoute Product Group team to provide an answer for same.
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.