MACsec for Cloud Interconnect helps you secure traffic on Cloud Interconnect connections, specifically between your on-premises router and Google's edge routers. MACsec for Cloud Interconnect uses IEEE standard 802.1AE Media Access Control Security (MACsec) to encrypt traffic between your on-premises router and Google's edge routers.
MACsec for Cloud Interconnect doesn't provide encryption in transit within Google. For stronger security, we recommend that you use MACsec with other network security protocols, such as IP Security (IPsec) and Transport Layer Security (TLS). For more information about using IPsec to secure your network traffic to Google Cloud, see the HA VPN over Cloud Interconnect overview.
MACsec for Cloud Interconnect is available for 10‑Gbps and 100‑Gbps circuits. However, to order MACsec for Cloud Interconnect for 10‑Gbps circuits, you must contact your account manager.
MACsec for Cloud Interconnect supports all VLAN attachment features, including IPv4, IPv6, and IPsec.
The following diagrams show how MACsec encrypts traffic. Figure 1 depicts MACsec encrypting traffic on Dedicated Interconnect. Figure 2 depicts MACsec encrypting traffic on Partner Interconnect.
To use MACsec on Partner Interconnect, work with your service provider to ensure that your network traffic is encrypted through your provider's network.
How MACsec for Cloud Interconnect works
MACsec for Cloud Interconnect helps secure traffic between your on-premises router and Google's peering edge router. You use the Google Cloud CLI (gcloud CLI) or the Google Cloud console to generate a GCM-AES-256 connectivity association key (CAK) and connectivity association key name (CKN) values. You configure your router to use the CAK and CKN values to configure MACsec. After you enable MACsec on your router and in Cloud Interconnect, MACsec encrypts your traffic between your on-premises router and Google's peering edge router.
Supported on-premises routers
You can use on-premises routers with MACsec for Cloud Interconnect that support the MACsec specifications listed in the following table.
Setting | Value |
---|---|
MACsec cipher suite | |
CAK cryptographic algorithm | AES_256_CMAC |
Key server priority | 15 |
Secure association key (SAK) rekey interval | 28800 seconds |
MACsec confidentiality offset | 0 |
Window size | 64 |
Integrity check value (ICV) indicator | yes |
Secure Channel Identifier (SCI) | enabled |
MACsec for Cloud Interconnect supports hitless key rotation for up to five keys.
Several routers manufactured by Cisco, Juniper, and Arista satisfy the specifications. We can't recommend specific routers. We recommend that you consult with your router vendor to determine which model best suits your needs.
Before you use MACsec for Cloud Interconnect
Ensure that you meet the following requirements:
Understand basic network interconnections, so that you can order and configure network circuits.
Understand the differences between and the requirements for Dedicated Interconnect and Partner Interconnect.
Have administrator access to your on-premises edge router.
Check that MACsec is available at your colocation facility.
MACsec for Cloud Interconnect setup steps
After you verify that MACsec for Cloud Interconnect is available at your colocation facility, check if you already have a MACsec-capable Cloud Interconnect connection. If not, order a MACsec-capable Cloud Interconnect connection.
After your Cloud Interconnect connection completes testing and is ready for use, you can set up MACsec by creating MACsec pre-shared keys and configuring your on-premises router. You can then enable MACsec and verify that it's enabled for your link and is operational. Finally, you can monitor your MACsec connection to ensure that it's operating correctly.
MACsec availability
MACsec for Cloud Interconnect is supported on all Cloud Interconnect 100‑Gbps connections, regardless of location.
MACsec for Cloud Interconnect is not available at all colocation facilities for 10‑Gbps circuits. For more information about features available at colocation facilities, see the Locations table.
To discover which colocation facilities with 10‑Gbps circuits support MACsec for Cloud Interconnect, do the following. MACsec availability for 10‑Gbps circuits is only displayed for allow-listed projects. To order MACsec for Cloud Interconnect for 10‑Gbps circuits, you must contact your account manager.
Console
In the Google Cloud console, go to the Cloud Interconnect Physical connections tab.
Click Set up physical connection.
Select Dedicated Interconnect, and then click Continue.
Select Order new Dedicated Interconnect, and then click Continue.
In the Google Cloud location field, click Choose.
In the Choose colocation facility pane, find the city that you want a Cloud Interconnect connection in. In the Geographic location field, select a geographic area. The MACsec support for current project column shows the circuit sizes that are available for MACsec for Cloud Interconnect.
gcloud
Authenticate to the Google Cloud CLI:
gcloud auth login
To discover if a colocation facility supports MACsec for Cloud Interconnect, do one of the following:
Verify that a specific colocation facility supports MACsec for Cloud Interconnect:
gcloud compute interconnects locations describe COLOCATION_FACILITY
Replace COLOCATION_FACILITY with the colocation facility name listed in the locations table. The output is similar to the following sample. Take note of the availableFeatures section. MACsec-capable connections display the following:
- For 10‑Gbps links: linkType: LINK_TYPE_ETHERNET_10G_LR and availableFeatures: IF_MACSEC
- For 100‑Gbps links: linkType: LINK_TYPE_ETHERNET_100G_LR; all 100‑Gbps links are MACsec capable
address: |-
  Equinix
  47 Bourke Road
  Alexandria
  Sydney, New South Wales 2015
  Australia
availabilityZone: zone1
availableFeatures:
- IF_MACSEC
availableLinkTypes:
- LINK_TYPE_ETHERNET_10G_LR
- LINK_TYPE_ETHERNET_100G_LR
city: Sydney
continent: C_ASIA_PAC
creationTimestamp: '2019-12-05T12:56:15.000-08:00'
description: Equinix Sydney (SY3)
facilityProvider: Equinix
facilityProviderFacilityId: SY3
id: '1173'
kind: compute#interconnectLocation
name: syd-zone1-1605
peeringdbFacilityId: '1605'
regionInfos:
- region: https://www.googleapis.com/compute/v1/projects/my-project/regions/australia-southeast1
- region: https://www.googleapis.com/compute/v1/projects/my-project/regions/australia-southeast2
- region: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-east7
selfLink: https://www.googleapis.com/compute/v1/projects/my-project/global/interconnectLocations/syd-zone1-1605
status: AVAILABLE
For 10‑Gbps links, list all colocation facilities that support MACsec for Cloud Interconnect:
gcloud compute interconnects locations list \
    --filter "availableFeatures: (IF_MACSEC)"
The output is similar to the following:
NAME            DESCRIPTION           FACILITY_PROVIDER  ...
syd-zone1-1605  Equinix Sydney (SY3)  Equinix            ...
List all colocation facilities that have 100‑Gbps links, and therefore offer MACsec by default:
gcloud compute interconnects locations list \
    --filter "availableLinkTypes: (LINK_TYPE_ETHERNET_100G_LR)"
The output is similar to the following:
NAME            DESCRIPTION           FACILITY_PROVIDER  ...
syd-zone1-1605  Equinix Sydney (SY3)  Equinix            ...
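The capability rule above (100‑Gbps links are always MACsec capable; 10‑Gbps links need IF_MACSEC under availableFeatures) can be applied to the describe output without reading it by hand. The following is an added example, not part of the Google Cloud documentation or tooling; it parses a constructed, abbreviated sample of the describe output instead of calling gcloud, and the function name macsec_capable_links is an assumption.

```shell
#!/bin/sh
# Added example (not Google Cloud's own tooling): list the link types at a
# colocation facility that can carry MACsec for Cloud Interconnect, from the
# YAML that `gcloud compute interconnects locations describe` prints.
# Rule from the page: 100G links are always MACsec capable; 10G links need
# IF_MACSEC under availableFeatures (shown only for allow-listed projects).

# Constructed, abbreviated sample of the describe output (not real data).
SAMPLE_DESCRIBE='availabilityZone: zone1
availableFeatures:
- IF_MACSEC
availableLinkTypes:
- LINK_TYPE_ETHERNET_10G_LR
- LINK_TYPE_ETHERNET_100G_LR
name: syd-zone1-1605
status: AVAILABLE'

# Reads describe output on stdin; prints MACsec-capable link types, one per line.
macsec_capable_links() {
  awk '
    # A line starting in column 1 names the current top-level key.
    /^[A-Za-z]/ { section = $1; sub(/:$/, "", section) }
    # "- item" lines are list entries under the current key.
    /^- / {
      item = $2
      if (section == "availableFeatures" && item == "IF_MACSEC") has_macsec = 1
      if (section == "availableLinkTypes") links[++n] = item
    }
    END {
      for (i = 1; i <= n; i++) {
        if (links[i] ~ /100G/) print links[i]              # always capable
        else if (links[i] ~ /10G/ && has_macsec) print links[i]  # needs IF_MACSEC
      }
    }'
}

# Run against the constructed sample; replace with real gcloud output in practice:
#   gcloud compute interconnects locations describe COLOCATION_FACILITY | macsec_capable_links
printf '%s\n' "$SAMPLE_DESCRIBE" | macsec_capable_links
```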
MACsec support on existing Cloud Interconnect connections
MACsec for Cloud Interconnect is supported on existing 100‑Gbps Cloud Interconnect connections.
If you have a 10‑Gbps connection, check MACsec availability at your colocation facility. If MACsec support is available at your colocation facility, then verify that Cloud Interconnect is MACsec capable.
Can I enable MACsec if my existing Cloud Interconnect connection doesn't support it?
If your colocation facility doesn't support MACsec, you can do one of the following:
Request a new Cloud Interconnect connection and request MACsec as a required feature.
Contact your Google Cloud account manager to schedule a migration of your existing Cloud Interconnect connection to MACsec-capable ports.
Physically migrating connections can take several weeks to complete due to scheduling constraints. Migrations require a maintenance window during which your Cloud Interconnect connections must be free of production traffic.