MACsec for Cloud Interconnect overview
MACsec for Cloud Interconnect helps you secure traffic on Cloud Interconnect connections, specifically between your on-premises router and Google's edge routers. MACsec for Cloud Interconnect uses IEEE standard 802.1AE Media Access Control Security (MACsec) to encrypt traffic between your on-premises router and Google's edge routers.
MACsec for Cloud Interconnect doesn't provide encryption in transit within Google. For stronger security, we recommend that you use MACsec with other network security protocols, such as IP Security (IPsec) and Transport Layer Security (TLS). For more information about using IPsec to secure your network traffic to Google Cloud, see the HA VPN over Cloud Interconnect overview. For more information about encryption in Cross-Site Interconnect, see Encryption options.
MACsec for Cloud Interconnect is available for 10‑Gbps and 100‑Gbps circuits. However, to order MACsec for Cloud Interconnect for 10‑Gbps circuits, you must contact your account manager.
MACsec for Cloud Interconnect supports all VLAN attachment features, including IPv4, IPv6, and IPsec.
The following diagrams show how MACsec encrypts traffic:
- Figure 1 depicts MACsec encrypting traffic on Dedicated Interconnect. The encryption shown in this diagram also applies to Cross-Site Interconnect.
- Figure 2 depicts MACsec encrypting traffic on Partner Interconnect.
To use MACsec on Partner Interconnect, work with your service provider to ensure that your network traffic is encrypted through your provider's network.
There is no additional cost for using MACsec for Cloud Interconnect.
How MACsec for Cloud Interconnect works
MACsec for Cloud Interconnect helps secure traffic between your on-premises router and Google's peering edge router. You use the Google Cloud CLI (gcloud CLI) or the Google Cloud console to generate GCM-AES-256 connectivity association key (CAK) and connectivity association key name (CKN) values. You then configure MACsec on your router with the CAK and CKN values. After you enable MACsec on your router and in Cloud Interconnect, MACsec encrypts your traffic between your on-premises router and Google's peering edge router.
We recommend a layered security approach for encryption. At Layer 2, MACsec encrypts traffic between adjacent routers. At Layer 3, IPsec secures traffic between customer on-premises networks and VPC networks. You can achieve further protection with application-level security protocols.
Supported on-premises routers
You can use on-premises routers with MACsec for Cloud Interconnect that support the MACsec specifications listed in the following table.
| Setting | Value |
|---|---|
| MACsec cipher suite | |
| CAK cryptographic algorithm | AES_256_CMAC |
| Key server priority | 15 |
| Secure association key (SAK) rekey interval | 28800 seconds |
| MACsec confidentiality offset | 0 |
| Window size | 64 |
| Integrity check value (ICV) indicator | yes |
| Secure Channel Identifier (SCI) | enabled |
MACsec for Cloud Interconnect supports hitless key rotation for up to five keys.
Several routers manufactured by Cisco, Juniper, and Arista satisfy the specifications. We can't recommend specific routers. We recommend that you consult with your router vendor to determine which model best suits your needs.
Before you use MACsec for Cloud Interconnect
Ensure that you meet the following requirements:
- Understand basic network interconnections, so that you can order and configure network circuits.
- Understand the differences between and the requirements for Dedicated Interconnect and Partner Interconnect.
- Have administrator access to your on-premises edge router.
- Check that MACsec is available at your colocation facility.
MACsec for Cloud Interconnect setup steps
After you verify that MACsec for Cloud Interconnect is available at your colocation facility, check if you already have a MACsec-capable Cloud Interconnect connection. If not, order a MACsec-capable Cloud Interconnect connection. If you're using Cross-Site Interconnect, then your connections are MACsec-capable by default.
After your Cloud Interconnect connection completes testing and is ready for use, you can set up MACsec by creating MACsec pre-shared keys and configuring your on-premises router. You can then enable MACsec and verify that it's enabled for your link and is operational. Finally, you can monitor your MACsec connection to ensure that it's operating correctly.
MACsec availability
MACsec for Cloud Interconnect is supported on all Cloud Interconnect 100‑Gbps connections, regardless of location.
MACsec for Cloud Interconnect is not available at all colocation facilities for 10‑Gbps circuits. For more information about features available at colocation facilities, see the following, depending on your connection type:
To discover which colocation facilities with 10‑Gbps circuits support MACsec for Cloud Interconnect, do the following. MACsec availability for 10‑Gbps circuits is only displayed for allow-listed projects. To order MACsec for Cloud Interconnect for 10‑Gbps circuits, you must contact your account manager.
Console
1. In the Google Cloud console, go to the Cloud Interconnect Physical connections tab.
2. Click Set up physical connection.
3. Select Dedicated Interconnect, and then click Continue.
4. Select Order new Dedicated Interconnect, and then click Continue.
5. In the Google Cloud location field, click Choose.
6. In the Choose colocation facility pane, find the city that you want a Cloud Interconnect connection in. In the Geographic location field, select a geographic area. The MACsec support for current project column shows the circuit sizes that are available for MACsec for Cloud Interconnect.
gcloud

Authenticate to the Google Cloud CLI:

```
gcloud auth login
```

To discover if a colocation facility supports MACsec for Cloud Interconnect, do one of the following:

Verify that a specific colocation facility supports MACsec for Cloud Interconnect:

```
gcloud compute interconnects locations describe COLOCATION_FACILITY
```

Replace `COLOCATION_FACILITY` with the colocation facility name listed in the locations table.

The output is similar to the following sample. Take note of the `availableFeatures` section. MACsec-capable connections display the following:

- For 10‑Gbps links: `linkType: LINK_TYPE_ETHERNET_10G_LR` and `availableFeatures: IF_MACSEC`
- For 100‑Gbps links: `linkType: LINK_TYPE_ETHERNET_100G_LR`; all 100‑Gbps links are MACsec capable

```
address: |-
  Equinix
  47 Bourke Road
  Alexandria
  Sydney, New South Wales 2015
  Australia
availabilityZone: zone1
availableFeatures:
- IF_MACSEC
availableLinkTypes:
- LINK_TYPE_ETHERNET_10G_LR
- LINK_TYPE_ETHERNET_100G_LR
city: Sydney
continent: C_ASIA_PAC
creationTimestamp: '2019-12-05T12:56:15.000-08:00'
description: Equinix Sydney (SY3)
facilityProvider: Equinix
facilityProviderFacilityId: SY3
id: '1173'
kind: compute#interconnectLocation
name: syd-zone1-1605
peeringdbFacilityId: '1605'
regionInfos:
- region: https://www.googleapis.com/compute/v1/projects/my-project/regions/australia-southeast1
- region: https://www.googleapis.com/compute/v1/projects/my-project/regions/australia-southeast2
- region: https://www.googleapis.com/compute/v1/projects/my-project/regions/us-east7
selfLink: https://www.googleapis.com/compute/v1/projects/my-project/global/interconnectLocations/syd-zone1-1605
status: AVAILABLE
```

List all colocation facilities that support MACsec for Cloud Interconnect on 10‑Gbps circuits:

```
gcloud compute interconnects locations list \
    --filter "availableFeatures: (IF_MACSEC)"
```

The output is similar to the following:

```
NAME            DESCRIPTION           FACILITY_PROVIDER
... <stripped>
syd-zone1-1605  Equinix Sydney (SY3)  Equinix
... <stripped>
```

List all colocation facilities that have 100‑Gbps links, and therefore offer MACsec by default:

```
gcloud compute interconnects locations list \
    --filter "availableLinkTypes: (LINK_TYPE_ETHERNET_100G_LR)"
```

The output is similar to the following:

```
NAME            DESCRIPTION           FACILITY_PROVIDER
... <stripped>
syd-zone1-1605  Equinix Sydney (SY3)  Equinix
... <stripped>
```
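The two capability rules above (10‑Gbps needs `IF_MACSEC`, every 100‑Gbps link qualifies) can be applied to a whole inventory at once. The following is an added example, not Google's code: it assumes the locations were exported with gcloud's `--format=json` option, and the two `example-*` facilities in the sample are hypothetical.

```python
import json

# Constructed sample shaped like the JSON form of the `locations list` output.
# Only syd-zone1-1605 appears on this page; the example-* entries are made up.
# Assumption: a facility without a feature may lack the key entirely.
SAMPLE_JSON = """
[
  {"name": "syd-zone1-1605",
   "availableFeatures": ["IF_MACSEC"],
   "availableLinkTypes": ["LINK_TYPE_ETHERNET_10G_LR",
                          "LINK_TYPE_ETHERNET_100G_LR"]},
  {"name": "example-zone1-0001",
   "availableLinkTypes": ["LINK_TYPE_ETHERNET_10G_LR",
                          "LINK_TYPE_ETHERNET_100G_LR"]},
  {"name": "example-zone2-0002",
   "availableLinkTypes": ["LINK_TYPE_ETHERNET_10G_LR"]}
]
"""

LINK_10G = "LINK_TYPE_ETHERNET_10G_LR"
LINK_100G = "LINK_TYPE_ETHERNET_100G_LR"


def macsec_link_types(location):
    """Return the link types at one facility that can carry MACsec."""
    links = set(location.get("availableLinkTypes", []))
    features = set(location.get("availableFeatures", []))
    capable = []
    # 10-Gbps circuits qualify only where IF_MACSEC is advertised. The flag is
    # displayed only for allow-listed projects, so its absence can mean
    # "not visible to this project" rather than "not supported".
    if LINK_10G in links and "IF_MACSEC" in features:
        capable.append(LINK_10G)
    # All 100-Gbps links are MACsec capable, with or without the flag.
    if LINK_100G in links:
        capable.append(LINK_100G)
    return capable


def macsec_report(raw_json):
    """Map facility name -> MACsec-capable link types."""
    return {loc["name"]: macsec_link_types(loc) for loc in json.loads(raw_json)}


if __name__ == "__main__":
    for name, capable in macsec_report(SAMPLE_JSON).items():
        print(f"{name}: {', '.join(capable) or 'no MACsec-capable circuits visible'}")
```
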
MACsec support on existing Cloud Interconnect connections
MACsec for Cloud Interconnect is supported on existing 100‑Gbps Cloud Interconnect connections.
If you have a 10‑Gbps connection, check MACsec availability at your colocation facility. If MACsec support is available at your colocation facility, then verify that Cloud Interconnect is MACsec capable.
Can I enable MACsec if my existing Cloud Interconnect connection doesn't support it?
If your colocation facility doesn't support MACsec, you can do one of the following:
- Request a new Cloud Interconnect connection and request MACsec as a required feature.
- Contact your Google Cloud account manager to schedule a migration of your existing Cloud Interconnect connection to MACsec-capable ports.
Physically migrating connections can take several weeks to complete due to scheduling constraints. Migrations require a maintenance window during which your Cloud Interconnect connections must be free of any production traffic.
Last updated 2026-02-19 UTC.