2.2.3. ExpressRoute Security and MACSec Encryption
💡 First Principle: ExpressRoute provides private connectivity to Azure that doesn't traverse the public internet. However, "private" doesn't automatically mean "encrypted"—the traffic is dedicated but readable without additional encryption.
Scenario: You need a connection to Azure with bandwidth between 10 and 100 Gbps where all traffic must be encrypted.
ExpressRoute Encryption Options
| Method | Layer | Bandwidth | Use Case |
|---|---|---|---|
| Site-to-Site VPN over ExpressRoute | Layer 3 | Up to 10 Gbps | Moderate bandwidth needs |
| MACSec (ExpressRoute Direct) | Layer 2 | Up to 100 Gbps | High bandwidth, full encryption |
⚠️ Common Pitfall: Assuming ExpressRoute is encrypted by default. ExpressRoute provides private connectivity but not encryption. For encrypted traffic over ExpressRoute, you must use VPN overlay or MACSec with ExpressRoute Direct.
Key Decision: If you need encrypted connectivity with bandwidth between 10 and 100 Gbps, use ExpressRoute Direct with MACSec. Standard ExpressRoute with a VPN overlay is limited to roughly 10 Gbps.
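The MACSec option above is enabled per link on the ExpressRoute Direct port, with the key name (CKN) and key (CAK) stored in Key Vault and read by a managed identity. The script below is an added example written for this section, not code from the study guide or from Microsoft; the resource group, port, link, vault and identity names (rg-er-direct, er-direct-port, link1, kv-macsec, mi-er-macsec) are assumed placeholders. It checks the key format locally (CKN is 64 hex characters; CAK is 32 hex characters for the AES-128 ciphers and 64 for AES-256) before anything is written to Key Vault, and by default only prints the Azure CLI commands it would run.

```shell
#!/usr/bin/env sh
# Added example (not from the study guide or Microsoft): enable MACsec on one link of an
# ExpressRoute Direct port with the Azure CLI, validating the key material locally first.
# Assumed (hypothetical) names: rg-er-direct, er-direct-port, link1, kv-macsec, mi-er-macsec.
# DRY_RUN=1 (default) prints the az commands; DRY_RUN=0 executes them with a logged-in CLI.
: "${DRY_RUN:=1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# CAK length in hex characters depends on the cipher: a 16-byte key for the AES-128
# ciphers, a 32-byte key for AES-256. The CKN is always 32 bytes, i.e. 64 hex characters.
cak_hex_len_for_cipher() {
  case "$1" in
    GcmAes128|GcmAesXpn128) echo 32 ;;
    GcmAes256|GcmAesXpn256) echo 64 ;;
    *) return 1 ;;
  esac
}

# N random bytes from the kernel CSPRNG, rendered as 2N lowercase hex characters.
gen_hex() { head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# True when $1 consists of exactly $2 hex characters.
is_hex_of_len() {
  [ "${#1}" -eq "$2" ] || return 1
  case "$1" in *[!0-9a-fA-F]*) return 1 ;; esac
}

# Reject keys the port would reject anyway, before they reach Key Vault.
validate_macsec_keys() {
  cipher=$1; ckn=$2; cak=$3
  want=$(cak_hex_len_for_cipher "$cipher") || { echo "unknown cipher: $cipher" >&2; return 1; }
  is_hex_of_len "$ckn" 64 || { echo "CKN must be 64 hex chars" >&2; return 1; }
  is_hex_of_len "$cak" "$want" || { echo "CAK must be $want hex chars for $cipher" >&2; return 1; }
}

macsec_enable() {
  cipher=$1; ckn=$2; cak=$3
  validate_macsec_keys "$cipher" "$ckn" "$cak" || return 1
  rg=rg-er-direct; port=er-direct-port; link=link1; kv=kv-macsec; mi=mi-er-macsec

  # 1. Keys live only in Key Vault; the port resource stores secret URIs, never the values.
  run az keyvault secret set --vault-name "$kv" --name CKN --value "$ckn" --output none
  run az keyvault secret set --vault-name "$kv" --name CAK --value "$cak" --output none

  # 2. A user-assigned identity the port uses to read them, granted 'get' on secrets only.
  run az identity create --resource-group "$rg" --name "$mi" --output none
  if [ "$DRY_RUN" = 1 ]; then
    mi_id='<identity-resource-id>'; mi_principal='<identity-principal-id>'
    ckn_id="https://$kv.vault.azure.net/secrets/CKN/<version>"
    cak_id="https://$kv.vault.azure.net/secrets/CAK/<version>"
  else
    mi_id=$(az identity show --resource-group "$rg" --name "$mi" --query id --output tsv)
    mi_principal=$(az identity show --resource-group "$rg" --name "$mi" --query principalId --output tsv)
    ckn_id=$(az keyvault secret show --vault-name "$kv" --name CKN --query id --output tsv)
    cak_id=$(az keyvault secret show --vault-name "$kv" --name CAK --query id --output tsv)
  fi
  run az keyvault set-policy --name "$kv" --object-id "$mi_principal" --secret-permissions get --output none
  run az network express-route port identity assign --resource-group "$rg" --name "$port" --identity "$mi_id" --output none

  # 3. Turn MACsec on for the link. The on-premises device must be configured with the same
  #    CKN, CAK and cipher; a mismatch keeps the link from coming up rather than falling
  #    back to plaintext, so coordinate the key rollout with the peer side.
  run az network express-route port link update --resource-group "$rg" --port-name "$port" --name "$link" \
    --macsec-ckn-secret-identifier "$ckn_id" --macsec-cak-secret-identifier "$cak_id" \
    --macsec-cipher "$cipher" --macsec-sci-state Enabled --admin-state Enable --output none
}

# Demo in dry-run mode: fresh 32-byte CKN and 32-byte CAK for GcmAes256.
if [ "$DRY_RUN" = 1 ]; then
  macsec_enable GcmAes256 "$(gen_hex 32)" "$(gen_hex 32)"
fi
```

Run it as-is to review the command sequence; set `DRY_RUN=0` to execute against a subscription where the ExpressRoute Direct port already exists. Note that the dry-run output echoes the generated key values, so treat that output like any other secret.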