articles/expressroute/about-upgrade-circuit-bandwidth.md
+13 -8 (13 additions & 8 deletions)
@@ -5,35 +5,40 @@ services: expressroute
5
5
author: duongau
6
6
ms.service: azure-expressroute
7
7
ms.topic: concept-article
8
-
ms.date: 10/16/2023
8
+
ms.date: 01/31/2025
9
9
ms.author: duau
10
10
---
11
11
12
12
# About upgrading ExpressRoute circuit bandwidth
13
13
14
-
ExpressRoute is a dedicated and private connection to Microsoft's global network. Connectivity is facilitated through an ExpressRoute partner's network, or a direct connection to the Microsoft Enterprise Edge (MSEE) devices. Once physical connectivity has been configured and tested, you can enable layer-2 and layer-3 connectivity by creating an ExpressRoute circuit and configuring peering.
14
+
ExpressRoute provides a dedicated, private connection to Microsoft's global network. You can establish this connectivity through an ExpressRoute partner's network or directly to the Microsoft Enterprise Edge (MSEE) devices. After setting up and testing the physical connection, you can enable layer-2 and layer-3 connectivity by creating an ExpressRoute circuit and configuring peering.
An ExpressRoute circuit is created on a physical connection between Microsoft and a ExpressRoute Partner. The physical connection has a fixed capacity. If you're unable to increase your circuit size that means that the underlying physical connection for your existing circuit doesn’t have capacity for the upgrade. You need to create a new circuit if you want to change the circuit size. For more information, see [Migrate to a new ExpressRoute circuit](circuit-migration.md).
20
+
If you're unable to increase your circuit size, it means the underlying physical connection for your existing circuit lacks the capacity for the upgrade. In this case, you need to create a new circuit. For more information, see [Migrate to a new ExpressRoute circuit](circuit-migration.md).
21
21
22
-
After you've successfully created the new ExpressRoute circuit, you should link your existing virtual networks to this circuit. You can then test and validate the connectivity of the new ExpressRoute circuit before you deprovision the old circuit. These recommended migration steps minimize down time and disruption to your production work load.
22
+
After creating the new ExpressRoute circuit, link your existing virtual networks to it. Test and validate the connectivity of the new circuit before deprovisioning the old one. These steps help minimize downtime and disruption to your production workload.
If you're unable to create a new ExpressRoute circuit because of a capacity error. It means this ExpressRoute partner doesn’t have capacity to connect to Microsoft at this peering location. Contact your ExpressRoute partner to request for more capacity.
26
+
If you're unable to create a new ExpressRoute circuit due to a capacity error, it means the ExpressRoute partner doesn’t have sufficient capacity at the peering location to connect to Microsoft. Contact your ExpressRoute partner to request additional capacity.
27
27
28
-
Once the new capacity gets provisioned, you can use the methods contained in the [Upgrade circuit bandwidth](#upgrade) section to create a new circuit, configure connectivity, and delete the old circuit.
28
+
Once the new capacity is provisioned, you can follow the methods in the [Upgrade circuit bandwidth](#upgrade) section to create a new circuit, configure connectivity, and delete the old circuit.
29
29
30
30
### <aname="bandwidth"></a>Insufficient ExpressRoute Direct bandwidth
31
31
32
-
If the ExpressRoute Direct doesn't have sufficient capacity, you have two options. You can either delete circuits that are associated to the ExpressRoute Direct resource that you no longer need, or create a new ExpressRoute Direct resource. For guidance on managing the ExpressRoute Direct resource, refer to [How to configure ExpressRoute Direct](how-to-expressroute-direct-portal.md).
32
+
If ExpressRoute Direct lacks sufficient capacity, you have two options:
33
+
34
+
- Delete any unnecessary circuits associated with the ExpressRoute Direct resource.
35
+
- Create a new ExpressRoute Direct resource.
36
+
37
+
For detailed guidance on managing ExpressRoute Direct resources, see [How to configure ExpressRoute Direct](how-to-expressroute-direct-portal.md).
33
38
34
39
## <aname="upgrade"></a>Upgrade circuit bandwidth
35
40
36
-
To upgrade circuit bandwidth, the ExpressRoute Direct, or ExpressRoute partner needs to have[sufficient available bandwidth](#considerations) for the upgrade to succeed.
41
+
To upgrade circuit bandwidth, ensure that the ExpressRoute Direct or ExpressRoute partner has[sufficient available bandwidth](#considerations) for the upgrade to succeed.
37
42
38
43
If capacity is available, you can upgrade the circuit using the following methods:
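Review bot: In the added capacity-error paragraph ("If you're unable to create a new ExpressRoute circuit due to a capacity error, ..."), "doesn’t" keeps the typographic apostrophe carried over from the removed line, while "you're" in the same sentence uses the straight form. Since the sentence is being rewritten anyway, normalize it to "doesn't" so the Markdown source is consistent.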
articles/expressroute/configure-expressroute-private-peering.md
+1 -1 (1 addition & 1 deletion)
@@ -6,7 +6,7 @@ author: duongau
6
6
ms.author: duau
7
7
ms.service: azure-expressroute
8
8
ms.topic: tutorial
9
-
ms.date: 01/02/2024
9
+
ms.date: 01/31/2025
10
10
# Customer intent: As a network engineer, I want to establish a private connection from my on-premises network to my Azure virtual network using ExpressRoute.
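Review bot: The ms.date bump from 01/02/2024 to 01/31/2025 is the only change to this file, and the hunk shows no content edit. If the tutorial steps were re-verified as part of this pass, note that in the commit description. Otherwise leave the date alone so it keeps reflecting the last real review.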
articles/expressroute/expressroute-about-encryption.md
+22 -21 (22 additions & 21 deletions)
@@ -1,46 +1,47 @@
1
1
---
2
-
title: 'Azure ExpressRoute: About Encryption'
3
-
description: Learn about ExpressRoute encryption.
2
+
title: 'About encryption for Azure ExpressRoute'
3
+
description: Learn about the use of encryption with Azure ExpressRoute.
4
4
services: expressroute
5
5
author: duongau
6
6
ms.service: azure-expressroute
7
7
ms.custom:
8
8
- ignite-2023
9
9
ms.topic: concept-article
10
-
ms.date: 11/15/2023
10
+
ms.date: 01/31/2025
11
11
ms.author: duau
12
12
---
13
-
# ExpressRoute encryption
13
+
14
+
# About encryption for Azure ExpressRoute
14
15
15
-
ExpressRoute supports a couple of encryption technologies to ensure confidentiality and integrity of the data traversing between your network and Microsoft's network. By default traffic over an ExpressRoute connection isn't encrypted.
16
+
ExpressRoute supports encryption technologies to ensure the confidentiality and integrity of data between your network and Microsoft's network. By default, traffic over an ExpressRoute connection isn't encrypted.
16
17
17
18
## Point-to-point encryption by MACsec FAQ
18
19
19
-
MACsec is an [IEEE standard](https://1.ieee802.org/security/802-1ae/). It encrypts data at the Media Access control (MAC) level or Network Layer 2. You can use MACsec to encrypt the physical links between your network devices and Microsoft's network devices when you connect to Microsoft via [ExpressRoute Direct](expressroute-erdirect-about.md). MACsec is disabled on ExpressRoute Direct ports by default. You bring your own MACsec key for encryption and store it in [Azure Key Vault](/azure/key-vault/general/overview). You decide when to rotate the key.
20
+
MACsec is an [IEEE standard](https://1.ieee802.org/security/802-1ae/) that encrypts data at the Media Access Control (MAC) level (Network Layer 2). You can use MACsec to encrypt the physical links between your network devices and Microsoft's network devices when connecting via [ExpressRoute Direct](expressroute-erdirect-about.md). MACsec is disabled on ExpressRoute Direct ports by default. You must bring your own MACsec key for encryption and store it in [Azure Key Vault](/azure/key-vault/general/overview). You decide when to rotate the key.
20
21
21
22
### Can I enable Azure Key Vault firewall policies when storing MACsec keys?
22
-
23
-
Yes, ExpressRoute is a trusted Microsoft service. You can configure Azure Key Vault firewall policies and allow trusted services to bypass the firewall. For more information, see [Configure Azure Key Vault firewalls and virtual networks](/azure/key-vault/general/network-security).
23
+
24
+
Yes, ExpressRoute is a trusted Microsoft service. You can configure Azure Key Vault firewall policies to allow trusted services to bypass the firewall. For more information, see [Configure Azure Key Vault firewalls and virtual networks](/azure/key-vault/general/network-security).
24
25
25
26
### Can I enable MACsec on my ExpressRoute circuit provisioned by an ExpressRoute provider?
26
27
27
-
No. MACsec encrypts all traffic on a physical link with a key owned by one entity (for example, customer). Therefore, it's available on ExpressRoute Direct only.
28
+
No. MACsec encrypts all traffic on a physical link with a key owned by one entity (for example, the customer). Therefore, it's available only on ExpressRoute Direct.
28
29
29
-
### Can I encrypt some of the ExpressRoute circuits on my ExpressRoute Direct ports and leave other circuits on the same ports unencrypted?
30
+
### Can I encrypt some ExpressRoute circuits on my ExpressRoute Direct ports and leave others unencrypted?
30
31
31
-
No. Once MACsec is enabled all network control traffic, for example, the BGP data traffic, and customer data traffic are encrypted.
32
+
No. Once MACsec is enabled, all network control traffic (for example, BGP data traffic) and customer data traffic are encrypted.
32
33
33
-
### When I enable/disable MACsec or update MACsec key will my on-premises network lose connectivity to Microsoft over ExpressRoute?
34
+
### Will my on-premises network lose connectivity to Microsoft over ExpressRoute when I enable/disable MACsec or update the MACsec key?
34
35
35
-
Yes. For the MACsec configuration, we support the preshared key mode only. It means you need to update the key on both your devices and on Microsoft's (via our API). This change isn't atomic, so you lose connectivity when there's a key mismatch between the two sides. We strongly recommend that you schedule a maintenance window for the configuration change. To minimize the downtime, we suggest you update the configuration on one link of ExpressRoute Direct at a time after you switch your network traffic to the other link.
36
+
Yes. We support the preshared key mode only for MACsec configuration, meaning you need to update the key on both your devices and Microsoft's (via our API). This change isn't atomic, so you lose connectivity when there's a key mismatch. We strongly recommend scheduling a maintenance window for the configuration change. To minimize downtime, update the configuration on one link of ExpressRoute Direct at a time after switching your network traffic to the other link.
36
37
37
-
### Does traffic continue to flow if there's a mismatch in MACsec key between my devices and Microsoft's?
38
+
### Does traffic continue to flow if there's a MACsec key mismatch between my devices and Microsoft's?
38
39
39
-
No. If MACsec is configured and a key mismatch occurs, you lose connectivity to Microsoft. In other words, traffic doesn't fall back to an unencrypted connection, exposing your data.
40
+
No. If MACsec is configured and a key mismatch occurs, you lose connectivity to Microsoft. Traffic doesn't fall back to an unencrypted connection, ensuring your data remains protected.
40
41
41
42
### Does enabling MACsec on ExpressRoute Direct degrade network performance?
42
43
43
-
MACsec encryption and decryption occur in hardware on the routers we use. There's no performance degradation on our side. However, you should check with the network vendor for the devices you use and see if MACsec has any performance implication.
44
+
MACsec encryption and decryption occur in hardware on the routers we use, so there's no performance degradation on our side. However, check with your network vendor to see if MACsec has any performance implications for your devices.
44
45
45
46
### Which cipher suites are supported for encryption?
46
47
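Review bot: In the added answer on enabling/disabling MACsec or updating the key, "We support the preshared key mode only for MACsec configuration" misplaces "only". It now reads as if preshared key mode is supported for MACsec and nothing else, whereas the removed line said that MACsec supports no mode other than preshared key. Suggest "For MACsec configuration, we support only the preshared key mode, meaning you need to update the key on both your devices and Microsoft's (via our API)." This matters operationally because the rest of the answer (non-atomic change, loss of connectivity on mismatch, one link at a time) follows from that constraint.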
@@ -56,19 +57,19 @@ Yes, you can set [Secure Channel Identifier (SCI)](https://en.wikipedia.org/wiki
56
57
57
58
## End-to-end encryption by IPsec FAQ
58
59
59
-
IPsec is an [IETF standard](https://tools.ietf.org/html/rfc6071). It encrypts data at the Internet Protocol (IP) level or Network Layer 3. You can use IPsec to encrypt an end-to-end connection between your on-premises network and your virtual network on Azure.
60
+
IPsec is an [IETF standard](https://tools.ietf.org/html/rfc6071) that encrypts data at the Internet Protocol (IP) level (Network Layer 3). You can use IPsec to encrypt an end-to-end connection between your on-premises network and your virtual network on Azure.
60
61
61
62
### Can I enable IPsec in addition to MACsec on my ExpressRoute Direct ports?
62
63
63
-
Yes. MACsec secures the physical connections between you and Microsoft. IPsec secures the end-to-end connection between you and your virtual networks on Azure. You can enable them independently.
64
+
Yes. MACsec secures the physical connections between you and Microsoft, while IPsec secures the end-to-end connection between you and your virtual networks on Azure. You can enable them independently.
64
65
65
66
### Can I use Azure VPN gateway to set up the IPsec tunnel over Azure Private Peering?
66
67
67
-
Yes. If you adopt Azure Virtual WAN, you can follow steps in [VPN over ExpressRoute for Virtual WAN](../virtual-wan/vpn-over-expressroute.md) to encrypt your end-to-end connection. If you have regular Azure virtual network, you can follow [site-to-site VPN connection over Private peering](../vpn-gateway/site-to-site-vpn-private-peering.md) to establish an IPsec tunnel between Azure VPN gateway and your on-premises VPN gateway.
68
+
Yes. If you use Azure Virtual WAN, follow the steps in [VPN over ExpressRoute for Virtual WAN](../virtual-wan/vpn-over-expressroute.md) to encrypt your end-to-end connection. If you have a regular Azure virtual network, follow [site-to-site VPN connection over Private peering](../vpn-gateway/site-to-site-vpn-private-peering.md) to establish an IPsec tunnel between Azure VPN gateway and your on-premises VPN gateway.
68
69
69
-
### What is the throughput I'll get after enabling IPsec on my ExpressRoute connection?
70
+
### What is the throughput after enabling IPsec on my ExpressRoute connection?
70
71
71
-
If Azure VPN gateway is used, review these [performance numbers](../vpn-gateway/vpn-gateway-about-vpngateways.md) to see if they match your expected throughput. If a third-party VPN gateway is used, check with the vendor for their performance numbers.
72
+
If you use Azure VPN gateway, review these [performance numbers](../vpn-gateway/vpn-gateway-about-vpngateways.md) to see if they match your expected throughput. If you use a third-party VPN gateway, check with the vendor for their performance numbers.
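Review bot: The rewritten IPsec intro line still links "IETF standard" to https://tools.ietf.org/html/rfc6071, a legacy host that now redirects. Since the sentence is being touched, consider pointing the link at the RFC's current location (rfc-editor.org or datatracker.ietf.org) in the same change. A smaller style point in the VPN gateway answers: "Azure VPN gateway" appears without an article ("If you use Azure VPN gateway", "between Azure VPN gateway and your on-premises VPN gateway"), so either treat it as the product name consistently or add "an"/"the".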