Blog ENG - MS Azure - Post 5 2024
In today’s digital landscape, data security is paramount. Microsoft ExpressRoute offers robust encryption technologies to ensure the confidentiality and integrity of data traversing between your network and Microsoft’s network. By default, traffic over an ExpressRoute connection isn’t encrypted, but you have options to enhance security through point-to-point encryption with MACsec and end-to-end encryption with IPsec.
Point-to-Point Encryption with MACsec
MACsec (Media Access Control Security) is an IEEE standard that encrypts frames at the MAC layer (OSI Layer 2). This technology is particularly useful for encrypting the physical links between your network devices and Microsoft’s network devices when you connect via ExpressRoute Direct. Here are some key points about MACsec:
- Default State: MACsec is disabled on ExpressRoute Direct ports by default.
- Key Management: You bring your own MACsec key for encryption and store it in Azure Key Vault. You also decide when to rotate the key.
- Firewall Policies: You can enable Azure Key Vault firewall policies that block general network access to the vault while letting trusted Azure services bypass the firewall, so the key stays securely stored yet reachable by ExpressRoute.
- Availability: MACsec is available only on ExpressRoute Direct and not on circuits provisioned by an ExpressRoute provider.
- Encryption Scope: Once enabled, MACsec encrypts all traffic on the link: network control traffic, including BGP, as well as customer data traffic.
Operational Considerations:
- Connectivity Impact: Enabling, disabling, or updating the MACsec key will cause a temporary loss of connectivity due to the need for key synchronization between your devices and Microsoft’s. It’s recommended to schedule these changes during a maintenance window.
- Performance: MACsec encryption and decryption occur in hardware on the routers, so there’s no performance degradation on Microsoft’s side. However, check with your network vendor for any potential performance implications on your devices.
- Cipher Suites: Supported ciphers include GCM-AES-128, GCM-AES-256, GCM-AES-XPN-128, and GCM-AES-XPN-256.
- Secure Channel Identifier (SCI): You can set SCI on the ExpressRoute Direct ports for additional security.
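As an added example (not code from the original post or from Microsoft), the following Azure PowerShell script walks through the MACsec setup described above: key material in Key Vault, a read-only managed identity for the port, the trusted-services firewall bypass, the cipher suite and the SCI setting. Resource names are placeholders, and the vault is assumed to use the access-policy permission model.

```powershell
# Added example, not from the original post: enable MACsec on an ExpressRoute Direct port
# with Azure PowerShell (Az.Network, Az.KeyVault, Az.ManagedServiceIdentity). Resource
# names are placeholders. Run it in a maintenance window: applying or rotating the key
# briefly drops connectivity while both sides resynchronise.
$rg       = 'rg-erdirect'        # placeholder resource group
$location = 'westeurope'         # placeholder region
$portName = 'erd-port-01'        # placeholder ExpressRoute Direct port name
$vault    = 'kv-macsec-01'       # placeholder Key Vault that already exists

# 1. Generate key material locally. The CKN is a hex key name; the CAK is the secret key.
#    A 32-byte CAK (64 hex chars) is a 256-bit key, matching the GcmAes256 cipher chosen below.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
function New-HexString([int]$ByteCount) {
    $bytes = New-Object byte[] $ByteCount
    $rng.GetBytes($bytes)
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}
$ckn = New-HexString 16
$cak = New-HexString 32

# 2. Store both values in Key Vault; the versioned secret URI (.Id) is what the port references.
$cknSecret = Set-AzKeyVaultSecret -VaultName $vault -Name 'macsec-ckn' `
    -SecretValue (ConvertTo-SecureString $ckn -AsPlainText -Force)
$cakSecret = Set-AzKeyVaultSecret -VaultName $vault -Name 'macsec-cak' `
    -SecretValue (ConvertTo-SecureString $cak -AsPlainText -Force)

# 3. Give the port a user-assigned identity that may only read secrets (least privilege), then
#    close the vault to the public network while letting trusted Azure services through.
$identity = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name 'id-erdirect-macsec' -Location $location
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $identity.PrincipalId -PermissionsToSecrets get
Update-AzKeyVaultNetworkRuleSet -VaultName $vault -Bypass AzureServices -DefaultAction Deny

# 4. Attach the identity to the port first, so the port can fetch the secrets.
$erDirect = Get-AzExpressRoutePort -ResourceGroupName $rg -Name $portName
$erDirect.Identity = New-AzExpressRoutePortIdentity -UserAssignedIdentityId $identity.Id
Set-AzExpressRoutePort -ExpressRoutePort $erDirect

# 5. Configure MACsec on both physical links of the port and bring them up.
$erDirect = Get-AzExpressRoutePort -ResourceGroupName $rg -Name $portName
foreach ($link in $erDirect.Links) {
    $link.MacSecConfig.CknSecretIdentifier = $cknSecret.Id
    $link.MacSecConfig.CakSecretIdentifier = $cakSecret.Id
    $link.MacSecConfig.Cipher              = 'GcmAes256'   # one of the four supported suites
    $link.MacSecConfig.SciState            = 'Enabled'     # tag frames with a Secure Channel Identifier
    $link.AdminState                       = 'Enabled'
}
Set-AzExpressRoutePort -ExpressRoutePort $erDirect

# 6. Verify what Azure now reports for each link.
(Get-AzExpressRoutePort -ResourceGroupName $rg -Name $portName).Links |
    Select-Object Name, AdminState, @{n='Cipher';e={$_.MacSecConfig.Cipher}}, @{n='SciState';e={$_.MacSecConfig.SciState}}
```

To rotate the key, write new versions of both secrets and re-run step 5 with the new `.Id` values, expecting the same brief loss of connectivity the post describes.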
End-to-End Encryption with IPsec
IPsec (Internet Protocol Security) is an IETF standard that encrypts data at the IP layer (OSI Layer 3). This technology is ideal for securing end-to-end connections between your on-premises network and your virtual network on Azure. Here are some key points about IPsec:
- Compatibility: You can enable IPsec in addition to MACsec on your ExpressRoute Direct ports. While MACsec secures the physical connections, IPsec secures the end-to-end connection.
- Azure VPN Gateway: You can use Azure VPN Gateway to set up the IPsec tunnel over Azure Private Peering. For Azure Virtual WAN, follow the steps in VPN over ExpressRoute for Virtual WAN. For regular Azure virtual networks, follow the steps in Site-to-site VPN connection over Private Peering.
- Performance: The throughput after enabling IPsec depends on the VPN gateway used. Review the published performance numbers for Azure VPN Gateway, or check with third-party vendors for the performance metrics of their gateways.
By leveraging these encryption technologies, you can significantly enhance the security of your data as it travels between your network and Microsoft’s network. Whether you choose MACsec for point-to-point encryption or IPsec for end-to-end encryption, ExpressRoute provides the flexibility and security needed to protect your data in transit.