Enable MACsec

This page describes how to enable MACsec for Cloud Interconnect.

After you generate pre-shared keys and configure your on-premises router to use them, you need to enable MACsec for Cloud Interconnect. After MACsec for Cloud Interconnect is enabled, you verify that your Cloud Interconnect configuration is correctly configured and is using MACsec to help protect your data.

Before you begin

If you haven't completed setup, then set up MACsec before enabling MACsec for Cloud Interconnect.

Important: When you enable MACsec on your Cloud Interconnect connection, the connection temporarily experiences packet loss. To avoid disruption to your connectivity, verify that there is no traffic on your Cloud Interconnect VLAN attachments before enabling MACsec for Cloud Interconnect. For more information, see Disable VLAN attachments.

Enable MACsec for Cloud Interconnect

Select one of the following options:

Console

  1. In the Google Cloud console, go to the Cloud Interconnect Physical connections tab.

    Go to Physical connections

  2. Select the connection that you want to modify.

  3. On the MACsec tab, click Enable.

    A confirmation window is displayed. Read the message, and then click Confirm to confirm that you want to enable MACsec, or Cancel to cancel.

gcloud

To enable MACsec for Cloud Interconnect with default settings, run the following command:

gcloud compute interconnects macsec update INTERCONNECT_CONNECTION_NAME \
    --enabled

Replace INTERCONNECT_CONNECTION_NAME with the name of your Cloud Interconnect connection.

Verify MACsec configuration

Select one of the following options:

Console

  1. In the Google Cloud console, go to the Cloud Interconnect Physical connections tab.

    Go to Physical connections

  2. Select the connection that you want to view.

  3. The Link circuit info section displays the following information:

    • Google circuit ID: the name of the link circuit.

    • Link state: the LACP member link's physical state displays a

    • MACsec key name: displays a

    • Receiving optical power: a

    • Transmitting optical power: a

    • Google demarc ID: the Google-assigned unique ID for the link circuit.

  4. Click the MACsec tab. The MACsec configuration displays one of the following for your MACsec configuration:

    • Enabled, fail open: MACsec encryption is enabled on the link. If MACsec encryption isn't established between both ends, then the link operates without encryption.

    • Enabled, fail closed: MACsec encryption is enabled on the link. If MACsec encryption isn't established between both ends, then the link fails.

gcloud

Run the following command:

gcloud compute interconnects describe INTERCONNECT_CONNECTION_NAME

The output is similar to the following 10 GB Cloud Interconnect example; look for availableFeatures set to IF_MACSEC and the macsec section:

adminEnabled: true
availableFeatures:
- IF_MACSEC
circuitInfos:
- customerDemarcId: fake-peer-demarc-0
  googleCircuitId: LOOP-0
  googleDemarcId: fake-local-demarc-0
creationTimestamp: '2021-10-05T03:39:33.888-07:00'
customerName: Fake Company
description: something important
googleReferenceId: '123456789'
id: '12345678987654321'
interconnectAttachments:
- https://www.googleapis.com/compute/v1/projects/my-project1/regions/us-central1/interconnectAttachments/interconnect-123456-987654321-0
interconnectType: IT_PRIVATE
kind: compute#interconnect
labelFingerprint: 12H17262736_
linkType: LINK_TYPE_ETHERNET_10G_LR
location: https://www.googleapis.com/compute/v1/projects/my-project1/global/interconnectLocations/cbf-zone2-65012
macsec:
  failOpen: false
  preSharedKeys:
  - name: key1
    startTime: 2023-07-01T21:00:01.000Z
macsecEnabled: true
name: INTERCONNECT_CONNECTION_NAME
operationalStatus: OS_ACTIVE
provisionedLinkCount: 1
requestedFeatures:
- IF_MACSEC
requestedLinkCount: 1
selfLink: https://www.googleapis.com/compute/v1/projects/my-project1/global/interconnects/INTERCONNECT_CONNECTION_NAME
selfLinkWithId: https://www.googleapis.com/compute/v1/projects/my-project1/global/interconnects/12345678987654321
state: ACTIVE

The following items specify the Cloud Interconnect connection's MACsec configuration:

  • availableFeatures: MACsec capability on the Cloud Interconnect connection. This parameter is shown only for 10 GB Cloud Interconnect connections, because all 100 GB Cloud Interconnect connections are MACsec capable by default.

  • macsec.failOpen: the connection's behavior if Cloud Interconnect can't establish an MKA session with your router. The value is either of the following:

    • false: if an MKA session can't be established, then Cloud Interconnect drops all traffic.

    • true: if an MKA session can't be established, then Cloud Interconnect passes unencrypted traffic.

  • macsec.preSharedKeys.name: the list of all pre-shared keys configured for Cloud Interconnect on this link.

  • macsec.preSharedKeys.startTime: the start time that the current pre-shared key is considered valid. All keys have infinite validity.

  • macsecEnabled: MACsec status for Cloud Interconnect on this link. The value is either of the following:

    • false: MACsec for Cloud Interconnect is off.
    • true: MACsec for Cloud Interconnect is on.

This command doesn't display MACsec operational status.
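
The following Python script is an added example, not part of the original page or of Google's tooling. It checks the fields described above in the JSON form of the describe output (`--format=json`) and reports a fail-open or otherwise weak configuration; the function name `audit_macsec` and both sample inputs are constructed for illustration.

```python
import json

# Constructed samples: JSON form of the describe output, trimmed to the
# MACsec-related fields. Values are illustrative, not from a real project.
SAMPLE_FAIL_CLOSED = json.dumps({
    "name": "INTERCONNECT_CONNECTION_NAME",
    "linkType": "LINK_TYPE_ETHERNET_10G_LR",
    "availableFeatures": ["IF_MACSEC"],
    "macsecEnabled": True,
    "macsec": {"failOpen": False, "preSharedKeys": [
        {"name": "key1", "startTime": "2023-07-01T21:00:01.000Z"}]},
})
SAMPLE_FAIL_OPEN = json.dumps({
    "name": "INTERCONNECT_CONNECTION_NAME",
    "linkType": "LINK_TYPE_ETHERNET_10G_LR",
    "macsecEnabled": True,
    "macsec": {"failOpen": True, "preSharedKeys": []},
})


def audit_macsec(describe_json):
    """Return a list of findings about one connection's configured MACsec posture."""
    ic = json.loads(describe_json)
    findings = []
    # availableFeatures is reported only for 10 GB connections.
    if "_10G_" in ic.get("linkType", "") and \
            "IF_MACSEC" not in ic.get("availableFeatures", []):
        findings.append("10G link does not list IF_MACSEC in availableFeatures")
    if not ic.get("macsecEnabled", False):
        findings.append("macsecEnabled is false: MACsec is off")
    macsec = ic.get("macsec") or {}
    if macsec.get("failOpen", False):
        findings.append("failOpen is true: traffic passes unencrypted "
                        "when no MKA session is established")
    if not macsec.get("preSharedKeys"):
        findings.append("no pre-shared keys are configured")
    return findings


if __name__ == "__main__":
    for label, sample in (("fail closed", SAMPLE_FAIL_CLOSED),
                          ("fail open", SAMPLE_FAIL_OPEN)):
        print(label, "->", audit_macsec(sample) or "no findings")
```

To audit a real connection, pass the output of `gcloud compute interconnects describe INTERCONNECT_CONNECTION_NAME --format=json` to `audit_macsec`. Like the describe command itself, this covers configuration only, not MACsec operational status.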

Enable MACsec on your on-premises router

Refer to your router vendor's documentation to enable MACsec on your on-premises router.

Undrain your Cloud Interconnect connection

If you previously drained your Cloud Interconnect connection, enable VLAN attachments.


Last updated 2026-02-19 UTC.