Merge pull request #90982 from cherylmc/charley2

new

Author: American-Dipper

articles/expressroute/TOC.yml

@@ -44,6 +44,8 @@
     href: expressroute-erdirect-about.md
   - name: About ExpressRoute Global Reach
     href: expressroute-global-reach.md
+  - name: About ExpressRoute encryption
+    href: expressroute-about-encryption.md
   - name: Connect Azure to public cloud
     href: expressroute-connect-azure-to-public-cloud.md
   - name: Backend Connectivity Interoperability
@@ -121,6 +123,8 @@
       href: expressroute-howto-erdirect.md
     - name: Azure CLI
       href: expressroute-howto-expressroute-direct-cli.md
+  - name: Configure MACsec for ExpressRoute Direct ports
+    href: expressroute-howto-macsec.md
   - name: Configure route filters for Microsoft peering
     items:
     - name: Azure portal

articles/expressroute/expressroute-about-encryption.md

@@ -0,0 +1,44 @@
+---
+title: About Encryption - Azure ExpressRoute| Microsoft Docs
+description: Learn about ExpressRoute encryption. 
+services: expressroute
+author: cherylmc
+
+ms.service: expressroute
+ms.topic: conceptual
+ms.date: 10/07/2019
+ms.author: cherylmc
+
+---
+# ExpressRoute encryption
+ 
+ExpressRoute supports a couple encryption technologies to ensure confidentiality and integrity of the data traversing between your network and Microsoft's network.
+
+## Point-to-point encryption by MACsec FAQ
+MACsec is an [IEEE standard](https://1.ieee802.org/security/802-1ae/). It encrypts data at the Media Access control (MAC) level or Network Layer 2. You can use MACsec to encrypt the physical links between your network devices and Microsoft's network devices when you connect to Microsoft via ExpressRoute Direct. MACsec is disabled on ExpressRoute Direct ports by default. You bring your own MACsec key for encryption and store it in Azure Key Vault. You decide when to rotate the key. See other FAQs below.
+### Can I enable MACsec on my ExpressRoute circuit provisioned by an ExpressRoute provider?
+No. MACsec encrypts all traffic on a physical link with a key owned by one entity (i.e. customer). Therefore, it's available on ExpressRoute Direct only.
+### Can I encrypt some of the ExpressRoute circuits on my ExpressRoute Direct ports and leave other circuits on the same ports unencrypted? 
+No. Once MACsec is enabled all network control traffic, for example, the BGP data traffic, and customer data traffic are encrypted. 
+### When I enable/disable MACsec or update MACsec key will my on-premises network lose connectivity to Microsoft over ExpressRoute?
+Yes. For the MACsec configuration, we support the pre-shared key mode only. It means you need to update the key on both your devices and on Microsoft's (via our API). This change is not atomic, so you'll lose connectivity when there's a key mismatch between the two sides. We strongly recommend that you schedule a maintenance window for the configuration change. To minimize the downtime, we suggest you update the configuration on one link of ExpressRoute Direct at a time after you switch your network traffic to the other link.  
+### Will traffic continue to flow if there's a mismatch in MACsec key between my devices and Microsoft's?
+No. If MACsec is configured and a mismatch in key occurs, you lose connectivity to Microsoft. In other words, we won't fall back to an unencrypted connection, exposing your data. 
+### Will enabling MACsec on ExpressRoute Direct degrade network performance?
+MACsec encryption and decryption occurs in hardware on the routers we use. There's no performance impact on our side. However, you should check with the network vendor for the devices you use and see if MACsec has any performance implication.
+
+## End-to-end encryption by IPsec FAQ
+IPsec is an [IETF standard](https://tools.ietf.org/html/rfc6071). It encrypts data at the Internet Protocol (IP) level or Network Layer 3. You can use IPsec to encrypt an end-to-end connection between your on-premises network and your virtual network (VNET) on Azure. See other FAQs below.
+### Can I enable IPsec in addition to MACsec on my ExpressRoute Direct ports?
+Yes. MACsec secures the physical connections between you and Microsoft. IPsec secures the end-to-end connection between you and your virtual networks on Azure. You can enable them independently. 
+### Can I use Azure VPN gateway to set up the IPsec tunnel between my on-premises network and my Azure virtual network?
+Yes. You can set up this IPsec tunnel over Microsoft Peering of your ExpressRoute circuit. Follow our [configuration guide](site-to-site-vpn-over-microsoft-peering.md).
+### Can I use Azure VPN gateway to set up the IPsec tunnel over Azure Private Peering?
+No. You have to deploy a third-party VPN gateway in your Azure virtual network and establish an IPsec tunnel between it and your on-premises VPN gateway.
+### What is the throughput I will get after enabling IPsec on my ExpressRoute connection?
+If Azure VPN gateway is used, check the [performance numbers here](../vpn-gateway/vpn-gateway-about-vpngateways.md). If a third-party VPN gateway is used, check with the vendor for the performance numbers.
+
+## Next steps
+See [Configure MACsec](expressroute-howto-macsec.md) for more information about the MACsec configuration.
+
+See [Configure IPsec](site-to-site-vpn-over-microsoft-peering.md) for more information about the IPsec configuration.

articles/expressroute/expressroute-howto-macsec.md

@@ -0,0 +1,134 @@
+---
+title: 'Configure MACsec - ExpressRoute: Azure | Microsoft Docs'
+description: This article helps you configure MACsec to secure the connections between your edge routers and Microsoft's edge routers.
+services: expressroute
+author: cherylmc
+
+ms.service: expressroute
+ms.topic: conceptual
+ms.date: 10/07/2019
+ms.author: cherylmc
+
+---
+
+# Configure MACsec on ExpressRoute Direct ports
+
+This article helps you configure MACsec to secure the connections between your edge routers and Microsoft's edge routers using PowerShell.
+
+## Before you begin
+
+Before you start configuration, confirm the following:
+
+* You understand [ExpressRoute Direct provisioning workflows](expressroute-erdirect-about.md).
+* You've created an [ExpressRoute Direct port resource](expressroute-howto-erdirect.md).
+* If you want to run PowerShell locally, verify that the latest version of Azure PowerShell is installed on your computer.
+
+### Working with Azure PowerShell
+
+[!INCLUDE [updated-for-az](../../includes/updated-for-az.md)]
+
+[!INCLUDE [expressroute-cloudshell](../../includes/expressroute-cloudshell-powershell-about.md)]
+
+### Sign in and select the right subscription
+
+To start the configuration, sign in to your Azure account and select the subscription that you want to use.
+
+   [!INCLUDE [sign in](../../includes/expressroute-cloud-shell-connect.md)]
+
+## 1. Create Azure Key Vault, MACsec secrets, and user identity
+
+1. Create a Key Vault instance to store MACsec secrets in a new resource group.
+
+    ```azurepowershell-interactive
+    New-AzResourceGroup -Name "your_resource_group" -Location "resource_location"
+    $keyVault = New-AzKeyVault -Name "your_key_vault_name" -ResourceGroupName "your_resource_group" -Location "resource_location" -EnableSoftDelete 
+    ```
+
+    If you already have a key vault or a resource group, you can reuse them. However, it is critical that you enable the [**soft-delete** feature](https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete) on your existing key vault. If soft-delete is not enabled, you can use the following commands to enable it:
+
+    ```azurepowershell-interactive
+    ($resource = Get-AzResource -ResourceId (Get-AzKeyVault -VaultName "your_existing_keyvault").ResourceId).Properties | Add-Member -MemberType "NoteProperty" -Name "enableSoftDelete" -Value "true"
+    Set-AzResource -resourceid $resource.ResourceId -Properties $resource.Properties
+    ```
+2. Create a user identity.
+
+    ```azurepowershell-interactive
+    $identity = New-AzUserAssignedIdentity  -Name "identity_name" -Location "resource_location" -ResourceGroupName "your_resource_group"
+    ```
+
+    If New-AzUserAssignedIdentity is not recognized as a valid PowerShell cmdlet, install the following module (in Administrator mode) and rerun the above command.
+
+    ```azurepowershell-interactive
+    Install-Module -Name Az.ManagedServiceIdentity
+    ```
+3. Create a connectivity association key (CAK) and a connectivity association key name (CKN) and store them in the key vault.
+
+    ```azurepowershell-interactive
+    $CAK = ConvertTo-SecureString "your_key" -AsPlainText -Force
+    $CKN = ConvertTo-SecureString "your_key_name" -AsPlainText -Force
+    $MACsecCAKSecret = Set-AzKeyVaultSecret -VaultName "your_key_vault_name" -Name "CAK_name" -SecretValue $CAK
+    $MACsecCKNSecret = Set-AzKeyVaultSecret -VaultName "your_key_vault_name" -Name "CKN_name" -SecretValue $CKN
+    ```
+4. Assign the GET permission to the user identity.
+
+    ```azurepowershell-interactive
+    Set-AzKeyVaultAccessPolicy -VaultName "your_key_vault_name" -PermissionsToSecrets get -ObjectId $identity.PrincipalId
+    ```
+
+   Now this identity can get the secrets, for example CAK and CKN, from the key vault.
+5. Set this user identity to be used by ExpressRoute.
+
+    ```azurepowershell-interactive
+    $erIdentity = New-AzExpressRoutePortIdentity -UserAssignedIdentityId $identity.Id
+    ```
+ 
+## 2. Configure MACsec on ExpressRoute Direct ports
+
+### To enable MACsec
+
+Each ExpressRoute Direct instance has two physical ports. You can choose to enable MACsec on both ports at the same time or enable MACsec on one port at a time. Doing it one port at time (by switching traffic to an active port while servicing the other port) can help minimize the interruption if your ExpressRoute Direct is already in service.
+
+1. Set MACsec secrets and cipher and associate the user identity with the port so that the ExpressRoute management code can access the MACsec secrets if needed.
+
+    ```azurepowershell-interactive
+    $erDirect = Get-AzExpressRoutePort -ResourceGroupName "your_resource_group" -Name "your_direct_port_name"
+    $erDirect.Links[0]. MacSecConfig.CknSecretIdentifier = $MacSecCKNSecret.Id
+    $erDirect.Links[0]. MacSecConfig.CakSecretIdentifier = $MacSecCAKSecret.Id
+    $erDirect.Links[0]. MacSecConfig.Cipher = "gcm-aes-128"
+    $erDirect.Links[1]. MacSecConfig.CknSecretIdentifier = $MacSecCKNSecret.Id
+    $erDirect.Links[1]. MacSecConfig.CakSecretIdentifier = $MacSecCAKSecret.Id
+    $erDirect.Links[1]. MacSecConfig.Cipher = "gcm-aes-128"
+    $erDirect.identity = $erIdentity
+    Set-AzExpressRoutePort -ExpressRoutePort $erDirect
+    ```
+2. (Optional) If the ports are in Administrative Down state you can run the following commands to bring up the ports.
+
+    ```azurepowershell-interactive
+    $erDirect = Get-AzExpressRoutePort -ResourceGroupName "your_resource_group" -Name "your_direct_port_name"
+    $erDirect.Links[0].AdminState = “Enabled”
+    $erDirect.Links[1].AdminState = “Enabled”
+    Set-AzExpressRoutePort -ExpressRoutePort $erDirect
+    ```
+
+    At this point, MACsec is enabled on the ExpressRoute Direct ports on Microsoft side. If you haven't configured it on your edge devices, you can proceed to configure them with the same MACsec secrets and cipher.
+
+### To disable MACsec
+
+If MACsec is no longer desired on your ExpressRoute Direct instance, you can run the following commands to disable it.
+
+```azurepowershell-interactive
+$erDirect = Get-AzExpressRoutePort -ResourceGroupName "your_resource_group" -Name "your_direct_port_name"
+$erDirect.Links[0]. MacSecConfig.CknSecretIdentifier = $null
+$erDirect.Links[0]. MacSecConfig.CakSecretIdentifier = $null
+$erDirect.Links[1]. MacSecConfig.CknSecretIdentifier = $null
+$erDirect.Links[1]. MacSecConfig.CakSecretIdentifier = $null
+$erDirect.identity = $null
+Set-AzExpressRoutePort -ExpressRoutePort $erDirect
+```
+
+At this point, MACsec is disabled on the ExpressRoute Direct ports on the Microsoft side.
+
+## Next steps
+1. [Create an ExpressRoute circuit on ExpressRoute Direct](expressroute-howto-erdirect.md)
+2. [Link an ExpressRoute circuit to an Azure virtual network](expressroute-howto-linkvnet-arm.md)
+3. [Verify ExpressRoute connectivity](expressroute-troubleshooting-expressroute-overview.md)