
Configuring Encryption over ExpressRoute


As dependency on cloud services grows, so does the need for a reliable, low-latency network connection to the cloud. Also, some organizations and government agencies require a dedicated connection that does not pass network traffic over the public internet. Azure ExpressRoute provides a dedicated, redundant connection to Azure cloud services.  

In this course, we examine Azure ExpressRoute. Azure ExpressRoute creates a reliable, dedicated connection between an organization's on-premises environment and Microsoft Azure. We cover design considerations when planning for ExpressRoute, requirements for installing ExpressRoute, and management and troubleshooting tasks. The learning objectives for this course map to the Azure AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam.

Learning Objectives

  • Choose between provider and direct model (ExpressRoute Direct)
  • Design and implement Azure cross-region connectivity between multiple ExpressRoute locations
  • Select an appropriate ExpressRoute SKU and tier
  • Design and implement ExpressRoute Global Reach and ExpressRoute FastPath 
  • Choose between private peering only, Microsoft peering only, or both
  • Configure private peering and Microsoft peering
  • Create and configure an ExpressRoute gateway
  • Connect a virtual network to an ExpressRoute circuit
  • Recommend a route advertisement configuration
  • Configure encryption over ExpressRoute
  • Implement Bidirectional Forwarding Detection
  • Diagnose and resolve ExpressRoute connection issues

Intended Audience

  • System or network administrators with responsibilities for connecting an on-premises network to Azure
  • Anyone preparing for the Azure AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam

Prerequisites

  • A basic understanding of networking, routing, and VPN concepts

Data security is important, and that includes data on the network. In this lecture, we review the configuration options for encrypting data on an ExpressRoute circuit. Encryption is the process of encoding information so that only authorized parties can access it. Network encryption protects data in transit over public and private networks. Encryption often relies on a shared secret, a key known only to the authorized parties, or on a certificate to encrypt and decrypt data. There are two options available for encryption with ExpressRoute: point-to-point encryption with MACsec and end-to-end encryption with IPsec.

Let's review each of these in more detail. We'll start with MACsec. MACsec stands for Media Access Control Security. With MACsec, the encryption takes place at layer two, the data link layer of the OSI model. This is an important distinction: at layer two, the encryption is performed by the network devices themselves and protects data on the physical link between them. With ExpressRoute, that means the encryption covers only the physical link between the customer's and Microsoft's network devices. The rest of the path is unencrypted.

MACsec requires a shared key, and because that key can be owned by only one party, the customer, MACsec is available only with ExpressRoute Direct. MACsec is disabled by default, and once enabled, it will not fall back to an unencrypted link. MACsec is configured with PowerShell for ExpressRoute Direct. An Azure Key Vault holds the secrets. The key is referred to as the Connectivity Association Key, or CAK. The ciphers supported with MACsec are GCM-AES-128 or GCM-AES-256, and GCM-AES-XPN-128 or GCM-AES-XPN-256. The steps to configure MACsec on the on-premises equipment depend on the equipment manufacturer.
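The following Az PowerShell script is an added example, not part of the course, showing the Azure side of the MACsec setup just described: the CKN and CAK secrets stored in Key Vault, a user-assigned identity with read-only access to them, the cipher set on both physical links of the ExpressRoute Direct port, and a read-back check. The resource group, port, vault and identity names are placeholders, the secret values are constructed, and the hex-string length rules for the CKN and CAK are stated as assumptions to confirm against the cipher you choose.

```powershell
# Added example (not the course's own code): enable MACsec on an ExpressRoute
# Direct port. All resource names below are assumed placeholders.
$rg        = "rg-erdirect"         # assumed resource group
$portName  = "erd-port-01"         # assumed ExpressRoute Direct port
$vaultName = "kv-macsec-secrets"   # assumed Key Vault (soft-delete and purge protection expected)
$idName    = "id-erdirect-macsec"  # assumed user-assigned managed identity
$region    = "eastus"

# 1. CKN (key name) and CAK (the shared secret) are stored as hex strings.
#    Assumption: GcmAes256 needs a 64-hex-digit (32-byte) CAK. The CKN is a
#    constructed sample; the CAK comes from a cryptographic RNG, never Get-Random.
$cknHex = "1000000000000000000000000000000000000000000000000000000000000001"
$cakBytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($cakBytes)
$cakHex = ($cakBytes | ForEach-Object { $_.ToString("x2") }) -join ""

$ckn = Set-AzKeyVaultSecret -VaultName $vaultName -Name "ckn-erd-01" `
         -SecretValue (ConvertTo-SecureString -String $cknHex -AsPlainText -Force)
$cak = Set-AzKeyVaultSecret -VaultName $vaultName -Name "cak-erd-01" `
         -SecretValue (ConvertTo-SecureString -String $cakHex -AsPlainText -Force)

# 2. The port reads the secrets through a user-assigned identity that is granted
#    only 'get' on secrets (least privilege: no list, set or delete rights).
$identity = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name $idName -Location $region
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $identity.PrincipalId -PermissionsToSecrets get

# 3. Point both physical links at the secrets and choose a supported cipher:
#    GcmAes128, GcmAes256, GcmAesXpn128 or GcmAesXpn256.
$erDirect = Get-AzExpressRoutePort -ResourceGroupName $rg -Name $portName
foreach ($link in $erDirect.Links) {
    $link.MacSecConfig.CknSecretIdentifier = $ckn.Id
    $link.MacSecConfig.CakSecretIdentifier = $cak.Id
    $link.MacSecConfig.Cipher = "GcmAes256"
}
$erDirect.Identity = New-AzExpressRoutePortIdentity -UserAssignedIdentityId $identity.Id
Set-AzExpressRoutePort -ExpressRoutePort $erDirect

# 4. Verify by re-reading the port: every link should carry a cipher and both
#    secret identifiers. MACsec does not fall back to cleartext, so the on-premises
#    device must be configured with the same CKN/CAK before traffic will pass.
$check = Get-AzExpressRoutePort -ResourceGroupName $rg -Name $portName
foreach ($link in $check.Links) {
    $cfg = $link.MacSecConfig
    $ok  = [bool]($cfg.Cipher -and $cfg.CknSecretIdentifier -and $cfg.CakSecretIdentifier)
    "{0}: cipher={1} macsecConfigured={2}" -f $link.Name, $cfg.Cipher, $ok
}
```

Rotate the CAK by writing a new Key Vault secret version and re-running steps 3 and 4 in a maintenance window coordinated with the on-premises change, since the two ends must agree on the key.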

Internet Protocol Security, or IPsec, encrypts data at the network layer, layer three of the OSI model. IPsec supports end-to-end encryption between an on-premises network and a VNet. IPsec works with ExpressRoute and ExpressRoute Direct, and it can be layered on top of MACsec on ExpressRoute Direct. There is a lot of flexibility in how IPsec can be implemented.

There are three basic models for configuring IPsec with ExpressRoute. The first is a site-to-site VPN over ExpressRoute private peering. This option creates an IPsec tunnel between on-premises networks and an Azure VNet over ExpressRoute private peering, using internal, private IP addresses at each endpoint. The second is an IPsec tunnel over ExpressRoute Microsoft peering.

While an IPsec VPN over private peering creates a tunnel between private IPs, this option creates a VPN between public IPs over ExpressRoute with Microsoft peering. The third is an IPsec VPN over ExpressRoute for Virtual WAN. This option creates an IPsec tunnel between an on-premises network and an Azure hub VPN gateway in an environment with Virtual WAN. Azure Virtual WAN is a collection of Azure networking services that creates a robust global network, built on the Microsoft network, to connect on-premises and Azure resources.

Enabling encryption on ExpressRoute is optional. For regulated environments or government agencies that require an extra layer of security, ExpressRoute offers multiple solutions to meet data privacy requirements. Thank you for joining me in this lecture. I look forward to seeing you in the next.

About the Author
Travis Roberts
Cloud Infrastructure Architect

Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.