AZ-500 Microsoft Azure Security Technologies Exam

Are you a guardian of your domain? Learn how to leverage your aptitude in security to protect Microsoft Azure technologies, with a goal of earning the Microsoft Certified: Azure Security Engineer Associate certification!

Implement encryption over ExpressRoute

ExpressRoute MACsec Encryption Configuration and Validation

MACsec is a technology that provides data-link layer encryption for ExpressRoute connections. It secures traffic between your on-premises edge routers and Microsoft’s network. To use MACsec, you need to manage two key items: the Connectivity Association Key (CAK) and the Connectivity Association Key Name (CKN). These keys help establish an encrypted channel and ensure your data stays confidential.

You store the CAK and CKN as secrets in Azure Key Vault. Then, you assign a user-assigned managed identity to your ExpressRoute port. This identity must have permission to read the secrets in Key Vault. Without these permissions, the service cannot retrieve the keys and encryption will not start.

Different ExpressRoute ports support different ciphers based on their bandwidth. For 10 Gbps ports, you can choose:

  • GcmAes128
  • GcmAes256

For 40 Gbps or greater, you also have:

  • GcmAesXpn128
  • GcmAesXpn256

Choosing the cipher that matches the port's bandwidth keeps the MACsec session stable and avoids intermittent failures on high-speed links.

To enable MACsec, update the port’s MacSecConfig settings via Azure CLI, PowerShell, or an ARM template. You specify the CknSecretIdentifier, CakSecretIdentifier, and your chosen Cipher, then apply the changes. If a port is down, set its administrative state to Enabled and turn on the Secure Channel Identifier (SCI). Disabling MACsec simply involves clearing the secret identifiers and removing the identity—encryption stops immediately on the Microsoft side.

After setup, validate your configuration by checking BGP sessions and ARP resolution. Incorrect keys or cipher mismatches will block ARP or BGP, stopping traffic at Layer 2 or 3. For deeper checks, capture packets on your edge routers to confirm they are encrypted. You can also use Azure Monitor metrics to track encryption health and detect any failures.
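The enable-and-validate flow described above, written out in Az PowerShell as an added example (this is not code from the course or from Microsoft's documentation). Resource group, port, vault, identity, region, circuit name and the key values are placeholders, and the Key Vault is assumed to use the access-policy permission model.

```powershell
# Added example: enable MACsec on an ExpressRoute Direct port and check the result.
# All names and key values below are placeholders for your own environment.
$rg        = "contoso-er-rg"        # placeholder resource group
$portName  = "contoso-erdirect"     # placeholder ExpressRoute Direct port
$vaultName = "contoso-macsec-kv"    # placeholder Key Vault (access-policy model assumed)

# 1. Store the CAK and CKN as Key Vault secrets (hex values agreed with the router team).
$cakValue = ConvertTo-SecureString "<CAK-HEX-PLACEHOLDER>" -AsPlainText -Force
$cknValue = ConvertTo-SecureString "<CKN-HEX-PLACEHOLDER>" -AsPlainText -Force
$cak = Set-AzKeyVaultSecret -VaultName $vaultName -Name "CAK" -SecretValue $cakValue
$ckn = Set-AzKeyVaultSecret -VaultName $vaultName -Name "CKN" -SecretValue $cknValue

# 2. Create the user-assigned identity and grant it only 'get' on secrets (least privilege).
$identity = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name "erdirect-macsec-id" -Location "eastus"
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $identity.PrincipalId -PermissionsToSecrets get

# 3. Attach the identity to the port and set MacSecConfig on every link.
$port = Get-AzExpressRoutePort -ResourceGroupName $rg -Name $portName
$port.Identity = New-AzExpressRoutePortIdentity -UserAssignedIdentityId $identity.Id
foreach ($link in $port.Links) {
    $link.MacSecConfig.CknSecretIdentifier = $ckn.Id
    $link.MacSecConfig.CakSecretIdentifier = $cak.Id
    $link.MacSecConfig.Cipher   = "GcmAes256"   # 10 Gbps port; use GcmAesXpn256 on 40 Gbps+
    $link.MacSecConfig.SciState = "Enabled"     # turn on the Secure Channel Identifier
    $link.AdminState            = "Enabled"     # bring the link up if it was down
}
Set-AzExpressRoutePort -ExpressRoutePort $port

# 4. Validate from the Azure side: with a CAK/CKN or cipher mismatch the peering never
#    learns an ARP neighbour, so an empty ARP table on the circuit is the first symptom.
$arp = Get-AzExpressRouteCircuitARPTable -ResourceGroupName $rg -ExpressRouteCircuitName "contoso-circuit" `
        -PeeringType AzurePrivatePeering -DevicePath Primary
if (-not $arp) {
    Write-Warning "No ARP entries on the primary path: verify CAK, CKN and cipher match on both ends"
}
```

To disable MACsec later, set both secret identifiers and `$port.Identity` to `$null` and run `Set-AzExpressRoutePort` again.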

Conclusion

In this section, you learned how to implement MACsec encryption on Azure ExpressRoute. You now understand how to store and protect the CAK and CKN in Azure Key Vault and assign the right managed identity. You know which ciphers to use based on port bandwidth and how to configure them using Azure tools. Finally, you can validate encryption by monitoring BGP, ARP, packet captures, and Azure Monitor metrics. These steps help ensure your ExpressRoute circuits remain secure and reliable.