File: articles/expressroute/secure-expressroute.md
Lines changed: 22 additions & 21 deletions
@@ -6,8 +6,9 @@ ms.author: duau
6
6
ms.service: azure-expressroute
7
7
ms.topic: conceptual
8
8
ms.custom: horz-security
9
-
ms.date: 06/06/2025
9
+
ms.date: 06/17/2025
10
10
ai-usage: ai-assisted
11
+
#Customer-intent: As a network administrator, I want to secure Azure ExpressRoute connections so that I can protect sensitive data and ensure compliance.
11
12
---
12
13
13
14
# Secure your Azure ExpressRoute
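Review bot: style point on the added `#Customer-intent:` line (the `+` line after `ai-usage`): every other key in this front matter is lowercase and hyphenated (`ms.custom`, `ai-usage`), so `#customer-intent:` would keep the header consistent; because the line starts with `#` it is a YAML comment and inert to the build, so consistency is the only effect. The `ms.date` bump to 06/17/2025 matches the content edits in the later hunks and needs no further change.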
@@ -20,30 +21,30 @@ This guide provides actionable recommendations for securing your Azure ExpressRo
20
21
21
22
Network security for ExpressRoute involves proper segmentation, traffic flow control, and monitoring to protect hybrid connectivity. Because ExpressRoute integrates with virtual networks, securing the network layer is critical to maintain isolation and prevent unauthorized access to cloud resources.
22
23
23
-
-**Configure MACsec encryption for ExpressRoute Direct**: Turn on MACsec (Media Access Control Security) encryption on ExpressRoute Direct connections to add Layer 2 encryption between your network equipment and Microsoft's edge routers. Store MACsec keys securely in Azure Key Vault. Learn more in [Configure MACsec encryption for ExpressRoute Direct](/azure/expressroute/expressroute-howto-macsec).
24
+
-**Configure MACsec encryption for ExpressRoute Direct**: Turn on MACsec (Media Access Control Security) encryption on ExpressRoute Direct connections to add Layer 2 encryption between your network equipment and Microsoft's edge routers. Store MACsec keys securely in Azure Key Vault. Learn more in [Configure MACsec encryption for ExpressRoute Direct](expressroute-howto-macsec.md).
24
25
25
-
-**Deploy ExpressRoute gateways in dedicated subnets**: ExpressRoute gateways are deployed into virtual networks and provide secure connectivity by default. The gateway subnet (GatewaySubnet) is configured with appropriate security controls. For more information, see [ExpressRoute gateway](/azure/expressroute/expressroute-about-virtual-network-gateways).
26
+
-**Deploy ExpressRoute gateways in dedicated subnets**: ExpressRoute gateways are deployed into virtual networks and provide secure connectivity by default. The gateway subnet (GatewaySubnet) is configured with appropriate security controls. For more information, see [ExpressRoute gateway](expressroute-about-virtual-network-gateways.md).
26
27
27
-
-**Control traffic with Network Security Groups**: Apply Network Security Groups (NSGs) to subnets with resources connected through ExpressRoute to restrict traffic by port, protocol, and source IP address. Create NSG rules to deny all inbound traffic by default and allow only necessary communication. For more information, see [Network Security Groups overview](/azure/virtual-network/network-security-groups-overview).
28
+
-**Control traffic with Network Security Groups**: Apply Network Security Groups (NSGs) to subnets with resources connected through ExpressRoute to restrict traffic by port, protocol, and source IP address. Create NSG rules to deny all inbound traffic by default and allow only necessary communication. For more information, see [Network Security Groups overview](../virtual-network/network-security-groups-overview.md).
28
29
29
-
-**Use Azure Firewall or Network Virtual Appliances (NVAs)**: Deploy Azure Firewall or third-party network virtual appliances (NVA) to add security controls like application-level filtering, threat intelligence, and logging. These appliances inspect traffic through ExpressRoute and apply advanced security policies. For more information, see [Azure Firewall overview](/azure/firewall/overview).
30
+
-**Use Azure Firewall or Network Virtual Appliances (NVAs)**: Deploy Azure Firewall or third-party network virtual appliances (NVA) to add security controls like application-level filtering, threat intelligence, and logging. These appliances inspect traffic through ExpressRoute and apply advanced security policies. For more information, see [Azure Firewall overview](../firewall/overview.md).
30
31
31
32
> [!NOTE]
32
33
> You can't configure NSGs directly on the GatewaySubnet.
33
34
34
-
-**Implement network segmentation**: Use virtual network peering and route tables to control traffic flow between network segments connected through ExpressRoute. This isolates sensitive workloads and limits the affect of security incidents. For more information, see [Virtual network peering](/azure/virtual-network/virtual-network-peering-overview) and [Route tables](/azure/virtual-network/virtual-networks-udr-overview).
35
+
-**Implement network segmentation**: Use virtual network peering and route tables to control traffic flow between network segments connected through ExpressRoute. This isolates sensitive workloads and limits the effect of security incidents. For more information, see [Virtual network peering](/azure/virtual-network/virtual-network-peering-overview) and [Route tables](../virtual-network/virtual-networks-udr-overview.md).
35
36
36
-
-**Configure zone-redundant virtual network gateways**: Deploy ExpressRoute virtual network gateways across availability zones to ensure fault tolerance and high availability. Zone-redundant gateways keep connectivity operational even if one availability zone has an outage. For more information, see [Zone-redundant virtual network gateways](/azure/vpn-gateway/about-zone-redundant-vnet-gateways?toc=%2Fazure%2Fexpressroute%2Ftoc.json).
37
+
-**Configure zone-redundant virtual network gateways**: Deploy ExpressRoute virtual network gateways across availability zones to ensure fault tolerance and high availability. Zone-redundant gateways keep connectivity operational even if one availability zone has an outage. For more information, see [Zone-redundant virtual network gateways](../vpn-gateway/about-zone-redundant-vnet-gateways.md?toc=%2Fazure%2Fexpressroute%2Ftoc.json).
37
38
38
-
-**Use different ExpressRoute service providers**: Choose different service providers for each circuit to ensure diverse paths and reduce the risk of network downtime from a single provider's outage. For more information, see [ExpressRoute locations and service providers](/azure/expressroute/expressroute-locations-providers).
39
+
-**Use different ExpressRoute service providers**: Choose different service providers for each circuit to ensure diverse paths and reduce the risk of network downtime from a single provider's outage. For more information, see [ExpressRoute locations and service providers](expressroute-locations-providers.md).
39
40
40
-
-**Monitor ExpressRoute connections**: Enable diagnostic logging and monitoring to track connection health, performance, and security events. For more information, see [Monitoring Azure ExpressRoute](/azure/expressroute/monitor-expressroute).
41
+
-**Monitor ExpressRoute connections**: Enable diagnostic logging and monitoring to track connection health, performance, and security events. For more information, see [Monitoring Azure ExpressRoute](monitor-expressroute.md).
41
42
42
43
## Identity management
43
44
44
45
ExpressRoute doesn't support traditional identity-based authentication for data plane access because it operates at the network layer. However, proper identity management is essential for controlling access to ExpressRoute resources and related services like Azure Key Vault for MACsec configuration.
45
46
46
-
-**Use Azure RBAC for management operations**: Apply role-based access control to limit who can create, modify, or delete ExpressRoute circuits, and gateways. Assign the minimum necessary permissions to users and service accounts. For more information, see [Azure role-based access control (RBAC)](/azure/role-based-access-control/overview).
47
+
-**Use Azure RBAC for management operations**: Apply role-based access control to limit who can create, modify, or delete ExpressRoute circuits, and gateways. Assign the minimum necessary permissions to users and service accounts. For more information, see [Azure role-based access control (RBAC)](../role-based-access-control/overview.md).
47
48
48
49
-**Secure MACsec secrets with Azure Key Vault**: Store MACsec encryption keys securely in Azure Key Vault instead of embedding them in configuration files. ExpressRoute uses managed identities to authenticate with Key Vault for retrieving these secrets. For more information, see [Configure MACsec encryption for ExpressRoute Direct](/azure/expressroute/expressroute-howto-macsec).
49
50
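Review bot: the conversion to relative links is incomplete in two places in this hunk. In the **Implement network segmentation** bullet the `Virtual network peering` link still uses the absolute `/azure/virtual-network/virtual-network-peering-overview` form while `Route tables` on the same line was changed to `../virtual-network/virtual-networks-udr-overview.md`; and the unchanged **Secure MACsec secrets with Azure Key Vault** context line still points at `/azure/expressroute/expressroute-howto-macsec` while the MACsec bullet above it now uses `expressroute-howto-macsec.md`. Either convert both (`../virtual-network/virtual-network-peering-overview.md` and `expressroute-howto-macsec.md`) or say in the commit why some links stay absolute. Separately, the **Deploy ExpressRoute gateways in dedicated subnets** bullet says the GatewaySubnet "is configured with appropriate security controls", but the `[!NOTE]` two bullets later says you can't configure NSGs on it; moving the note directly under that bullet and naming what the gateway subnet does enforce would stop readers inferring that an NSG is in place.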
@@ -53,29 +54,29 @@ ExpressRoute doesn't support traditional identity-based authentication for data
53
54
54
55
ExpressRoute provides private connectivity but doesn't encrypt data in transit by default. Add encryption and security measures to protect sensitive data as it flows between your on-premises environment and Azure services.
55
56
56
-
-**Configure MD5 hash authentication**: Use MD5 hash authentication when setting up private peering or Microsoft peering to secure messages between your on-premises router and the Microsoft Enterprise Edge (MSEE) routers. This ensures data integrity and prevents tampering during transit. Learn more in [ExpressRoute routing requirements](/azure/expressroute/expressroute-routing).
57
+
-**Configure MD5 hash authentication**: Use MD5 hash authentication when setting up private peering or Microsoft peering to secure messages between your on-premises router and the Microsoft Enterprise Edge (MSEE) routers. This ensures data integrity and prevents tampering during transit. Learn more in [ExpressRoute routing requirements](expressroute-routing.md).
57
58
58
-
-**Implement IPsec VPN over ExpressRoute**: To add encryption over ExpressRoute private peering, set up a VPN connection that uses the ExpressRoute circuit as transport. This adds end-to-end encryption for your traffic. Learn more in [Using S2S VPN as a backup for ExpressRoute private peering](/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering).
59
+
-**Implement IPsec VPN over ExpressRoute**: To add encryption over ExpressRoute private peering, set up a VPN connection that uses the ExpressRoute circuit as transport. This adds end-to-end encryption for your traffic. Learn more in [Using S2S VPN as a backup for ExpressRoute private peering](use-s2s-vpn-as-backup-for-expressroute-privatepeering.md).
59
60
60
61
-**Encrypt sensitive data at the application layer**: Because ExpressRoute doesn't provide application-layer encryption, make sure applications encrypt sensitive data before transmission using TLS/SSL or application-specific encryption methods.
61
62
62
63
## Logging and threat detection
63
64
64
65
Monitoring ExpressRoute connections and related network activity is essential for detecting potential security threats and maintaining compliance. Proper logging helps identify unusual traffic patterns and connection issues that might indicate security incidents.
65
66
66
-
-**Enable ExpressRoute resource logs**: Set up diagnostic settings to send ExpressRoute resource logs to Azure Monitor, Log Analytics, or Azure Storage for analysis and retention. These logs show connection events and performance metrics. For more information, see [Monitoring Azure ExpressRoute](/azure/expressroute/monitor-expressroute).
67
+
-**Enable ExpressRoute resource logs**: Set up diagnostic settings to send ExpressRoute resource logs to Azure Monitor, Log Analytics, or Azure Storage for analysis and retention. These logs show connection events and performance metrics. For more information, see [Monitoring Azure ExpressRoute](monitor-expressroute.md).
67
68
68
-
-**Set up alerts for service health and connection issues**: Use Azure Monitor to configure alerts for ExpressRoute circuit outages, performance degradation, configuration changes, and both planned and unplanned maintenance events. These alerts help you proactively manage connectivity and security posture. For more information, see [Monitor ExpressRoute circuits](/azure/expressroute/monitor-expressroute).
69
+
-**Set up alerts for service health and connection issues**: Use Azure Monitor to configure alerts for ExpressRoute circuit outages, performance degradation, configuration changes, and both planned and unplanned maintenance events. These alerts help you proactively manage connectivity and security posture. For more information, see [Monitor ExpressRoute circuits](monitor-expressroute.md).
69
70
70
-
-**Monitor network traffic patterns**: Use Azure Network Watcher and Traffic Analytics to analyze traffic through your ExpressRoute connection. This helps find unusual patterns that might indicate security threats or misconfigurations. For more information, see [Azure Network Watcher](/azure/network-watcher/overview) and [Monitor network traffic with Traffic Analytics](/azure/network-watcher/traffic-analytics-overview).
71
+
-**Monitor network traffic patterns**: Use Azure Network Watcher and Traffic Analytics to analyze traffic through your ExpressRoute connection. This helps find unusual patterns that might indicate security threats or misconfigurations. For more information, see [Azure Network Watcher](../network-watcher/overview.md) and [Monitor network traffic with Traffic Analytics](../network-watcher/traffic-analytics-overview.md).
71
72
72
73
-**Integrate with Microsoft Sentinel**: Send ExpressRoute logs to Microsoft Sentinel to detect advanced threats and correlate them with other security events across your hybrid environment.
73
74
74
75
## Asset management
75
76
76
77
Managing ExpressRoute resources effectively involves implementing proper governance, monitoring configurations, and ensuring compliance with organizational policies. Proper asset management helps maintain security posture and operational visibility.
77
78
78
-
-**Implement resource tagging**: Use Azure resource tags to organize and track ExpressRoute circuits, gateways, and related resources. Tags help with cost management, security classification, and operational accountability. For more information, see [Azure resource tags](/azure/azure-resource-manager/management/tag-resources).
79
+
-**Implement resource tagging**: Use Azure resource tags to organize and track ExpressRoute circuits, gateways, and related resources. Tags help with cost management, security classification, and operational accountability. For more information, see [Azure resource tags](../azure-resource-manager/management/tag-resources.md).
79
80
80
81
-**Track circuit utilization**: Monitor bandwidth usage and connection patterns to identify unusual activity that can indicate security threats or operational issues.
Ensure business continuity for your ExpressRoute connectivity by implementing backup solutions and recovery procedures. Although ExpressRoute circuits can't be backed up, create redundant connectivity options and document configuration settings.
87
88
88
-
-**Configure redundant ExpressRoute circuits**: Deploy multiple ExpressRoute circuits in different peering locations to ensure high availability and failover capabilities. This setup provides continued connectivity if one circuit experiences issue. For more information, see [ExpressRoute circuit redundancy](/azure/expressroute/expressroute-circuit-redundancy).
89
+
-**Deploy redundant ExpressRoute circuits**: Set up multiple ExpressRoute circuits in separate peering locations to achieve high availability and automatic failover. This approach ensures your connectivity remains operational if one circuit encounters an issue. For more information, see [Design a resilient ExpressRoute connection](design-architecture-for-resiliency.md).
89
90
90
-
-**Implement VPN backup connectivity**: Set up site-to-site VPN connections as a backup for ExpressRoute private peering. This setup provides alternative connectivity if the primary ExpressRoute circuit fails. For more information, see [Using S2S VPN as a backup for ExpressRoute private peering](/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering).
91
+
-**Implement VPN backup connectivity**: Set up site-to-site VPN connections as a backup for ExpressRoute private peering. This setup provides alternative connectivity if the primary ExpressRoute circuit fails. For more information, see [Using S2S VPN as a backup for ExpressRoute private peering](use-s2s-vpn-as-backup-for-expressroute-privatepeering.md).
91
92
92
-
-**Test failover procedures**: Regularly test backup connectivity options and failover procedures to ensure they work correctly when needed. Use tools like Azure Connectivity Toolkit to validate performance and connectivity. For more information, see [Azure Connectivity Toolkit](/azure/expressroute/expressroute-troubleshooting-network-performance).
93
+
-**Test failover procedures**: Regularly test backup connectivity options and failover procedures to ensure they work correctly when needed. Use tools like Azure Connectivity Toolkit to validate performance and connectivity. For more information, see [Azure Connectivity Toolkit](expressroute-troubleshooting-network-performance.md).
93
94
94
-
-**Document configuration settings**: Maintain detailed documentation of ExpressRoute configurations, including circuit settings, routing configurations, and security policies. This documentation enables faster recovery in case of configuration issues or circuit replacement. For more information, see [ExpressRoute circuit configuration](/azure/expressroute/expressroute-circuit-configure).
95
+
-**Document configuration settings**: Maintain detailed documentation of ExpressRoute configurations, including circuit settings, routing configurations, and security policies. This documentation enables faster recovery if there is configuration issues or circuit replacement. For more information, see [ExpressRoute circuit configuration](expressroute-circuit-peerings.md).
95
96
96
-
-**Validate recovery time objectives**: Test backup solutions to ensure they meet business requirements for recovery time objectivesand validate that they provide adequate performance for critical workloads. For more information, see [ExpressRoute circuit failover and recovery](/azure/expressroute/expressroute-circuit-failover).
97
+
-**Leverage Resiliency Insights and validation for recovery**: Use ExpressRoute Resiliency Insights to assess the resiliency of your connectivity and validate your recovery time objectives. Resiliency Insights help you identify configuration gaps, test failure scenarios, and validate that your backup and failover solutions meet business recovery requirements. Regularly perform resiliency validation to ensure your environment is prepared for outages and that recovery procedures are effective. For more information, see [ExpressRoute Resiliency Insights](resiliency-insights.md) and [ExpressRoute Resiliency Validation](resiliency-validation.md).
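Review bot: the **Configure MD5 hash authentication** bullet (link-only change in this hunk) overstates what MD5 buys you: BGP MD5 authentication protects the BGP session between your router and the MSEE, that is the routing control plane, not the customer data flowing over the circuit, so "ensures data integrity and prevents tampering during transit" should be narrowed to BGP messages while the line is being touched; data-plane integrity belongs to the MACsec and IPsec bullets. Two smaller points: the **Implement IPsec VPN over ExpressRoute** bullet claims "end-to-end encryption", but a site-to-site tunnel encrypts only between the two VPN endpoints, and its link target (`use-s2s-vpn-as-backup-for-expressroute-privatepeering.md`) is the same failover article used by the **Implement VPN backup connectivity** bullet, so a reader looking for the VPN-over-ExpressRoute setup lands on the backup article; and the rewritten **Document configuration settings** bullet introduces a grammar error, "if there is configuration issues", which should read "if there are configuration issues" (or keep the original "in case of").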