The MACsec for Cloud Interconnect overview has two statements:
1. MACsec for Cloud Interconnect doesn't provide encryption in transit within Google.
2. The following diagrams show how MACsec encrypts traffic
Are these docs generated by AI/Machine?
Everyone and @DarwinVinoth
Hi @anlex_N,
Welcome to Google Cloud Community.
No, the public documentation for Google Cloud is not generated by AI or machines. It is written, reviewed and maintained by professionals such as technical writers and engineers, who work together to create accurate and helpful documentation.
MACsec is a Layer 2 security protocol whose primary purpose is to secure the connection between your on-premises network and Google's network. MACsec encryption's job is to protect the traffic from physical attacks (i.e. wiretapping, data injection, etc.) before it enters the Google network. Once the traffic is decrypted at Google's peering edge, MACsec's job is complete. Thus, the statement "MACsec for Cloud Interconnect doesn't provide encryption in transit within Google" is correct. The same applies to the diagram shown in the documentation, where MACsec encryption is located between the Google peering edge and the on-premises router or service provider peering edge.
Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
Hello, @kensan. If I use MACsec for Cloud Interconnect, I don't need to use HA VPN over Cloud Interconnect, right?
If you use MACsec with Cloud Interconnect, it provides encryption at Layer 2 directly on the physical connection between your on-premises router and Google’s edge router. This secures the traffic on the dedicated link.
Using HA VPN over Cloud Interconnect in addition to MACsec is not strictly required for securing the link because MACsec already ensures encryption and integrity on the physical path.
However, here’s the key difference:
MACsec:
Protects Layer 2 link (physical security of the connection).
Does not provide site-to-site failover or path redundancy beyond the physical link.
No overlay encryption beyond the direct interconnect.
HA VPN:
Protects Layer 3 traffic with IPsec encryption.
Provides redundancy and failover across Google’s global network.
Adds an additional security layer at the IP level.
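To make the "wiretapping on the physical link" point above concrete, here is an added example (not from this thread or from Google's documentation) that parses the IEEE 802.1AE SecTAG of a constructed MACsec frame and contrasts it with a plain IPv4 frame: a tap on the link learns only MAC addresses, the packet number and the SCI from the protected frame, while the unprotected frame exposes the IP packet. The MAC addresses, SCI, packet number and payload bytes are assumed sample values.

```python
import struct

ETHERTYPE_MACSEC = 0x88E5   # IEEE 802.1AE SecTAG EtherType
ETHERTYPE_IPV4 = 0x0800
ICV_LEN = 16                # ICV length of the 802.1AE GCM-AES cipher suites

def parse_macsec_frame(frame: bytes):
    """Parse the 802.1AE SecTAG. Returns None for an unprotected frame (IP
    header and payload are cleartext on the wire); otherwise the fields an
    on-path observer can see. The secure data itself stays opaque."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_MACSEC:
        return None
    tci_an, sl = frame[14], frame[15]
    if tci_an >> 7 != 0 or sl & 0xC0:     # version bit must be 0, SL is 6 bits
        raise ValueError("malformed SecTAG")
    off = 16
    pn = struct.unpack("!I", frame[off:off + 4])[0]   # packet number (replay counter)
    off += 4
    sci = None
    if tci_an & 0x20:                       # SC bit: explicit 8-byte Secure Channel Identifier
        sci = frame[off:off + 8].hex()
        off += 8
    short_len = sl & 0x3F                   # non-zero only for frames with < 48 B of secure data
    secure_data = frame[off:-ICV_LEN] if short_len == 0 else frame[off:off + short_len]
    return {"dst": dst, "src": src, "an": tci_an & 0x03, "pn": pn, "sci": sci,
            "encrypted": bool(tci_an & 0x08),   # E bit: confidentiality, not only integrity
            "ciphertext_len": len(secure_data)}

# Constructed sample frames (not captured traffic); addresses are made up.
DST, SRC = bytes.fromhex("0a1b2c3d4e5f"), bytes.fromhex("0a1b2c3d4e60")
SECURE_DATA = bytes(range(40))             # stands in for the encrypted IP packet
MACSEC_FRAME = (DST + SRC + struct.pack("!H", ETHERTYPE_MACSEC)
                + bytes([0x2C, 0x00])      # TCI: SC=1, E=1, C=1, AN=0; SL=0 (long frame)
                + struct.pack("!I", 257)   # packet number
                + SRC + b"\x00\x01"        # SCI = source MAC || port identifier 1
                + SECURE_DATA + b"\xaa" * ICV_LEN)
CLEAR_FRAME = DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + bytes(20)  # plain IPv4 frame

def observer_view(frame: bytes) -> str:
    """Summarise what a tap on the link learns from one frame."""
    info = parse_macsec_frame(frame)
    if info is None:
        return "cleartext: IP header and payload readable"
    return f"MACsec AN={info['an']} PN={info['pn']} SCI={info['sci']} {info['ciphertext_len']}B opaque"
```

Calling observer_view on each of the two constructed frames shows the difference; the same parser works on frames captured from a real interconnect port if you want to confirm that MACsec is actually active on the link.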