Get started with MACsec on dedicated connections - Amazon Direct Connect
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Get started with MACsec on dedicated connections

The following tasks help you become familiar with MACsec on Amazon Direct Connect dedicated connections. There are no additional charges for using MACsec.

Before configuring MACsec on a dedicated connection, note the following:

  • MACsec is supported on 10 Gbps, 100 Gbps, and 400 Gbps dedicated Direct Connect connections at selected points of presence. For these connections, the following MACsec cipher suites are supported:

    • For 10 Gbps connections, GCM-AES-256 and GCM-AES-XPN-256.

    • For 100 Gbps and 400 Gbps connections, GCM-AES-XPN-256.

  • Only 256-bit MACsec keys are supported.

  • Extended Packet Numbering (XPN) is required for 100 Gbps and 400 Gbps connections. For 10 Gbps connections, Direct Connect supports both GCM-AES-256 and GCM-AES-XPN-256. High-speed connections such as 100 Gbps and 400 Gbps dedicated connections can quickly exhaust MACsec's original 32-bit packet numbering space (about 4.3 billion packets per Secure Association): at 100 Gbps that counter can wrap in a few minutes of ordinary traffic, and in under a minute of minimum-size frames, which would force you to rotate your encryption keys every few minutes to establish a new Connectivity Association. To avoid this, the IEEE Std 802.1AEbw-2013 amendment introduced extended packet numbering, which enlarges the numbering space to 64 bits and relaxes the key rotation interval.

  • Secure Channel Identifier (SCI) is required and must be turned on. This setting can't be adjusted.

  • IEEE 802.1Q (dot1q/VLAN) tag offset, also called dot1q-in-clear, is not supported: the VLAN tag cannot be moved outside the encrypted payload, so it is always carried inside the MACsec-protected portion of the frame.

For additional information about Direct Connect and MACsec, see the MACsec section of the Amazon Direct Connect FAQs.

MACsec prerequisites

Complete the following tasks before you configure MACsec on a dedicated connection.

  • Create a CKN/CAK pair for the MACsec secret key.

    You can create the pair using an open standard tool. The pair must meet the requirements specified in Step 4: Configure your on-premises router.

  • Make sure that you have a device on your end of the connection that supports MACsec.

  • Secure Channel Identifier (SCI) must be turned on.

  • Only 256-bit MACsec keys are supported, providing the latest advanced data protection.
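Creating and checking the CKN/CAK pair, as an added example that is not part of this page or of the Direct Connect documentation. It assumes the Step 4 requirements (which are on another page) are that both the CKN and the CAK are 64 hexadecimal characters, that is 32 bytes, giving the 256-bit CAK the page requires. It draws the bytes from /dev/urandom with od instead of a vendor tool, and the validator rejects anything that is not exactly 64 hex characters or a pair whose CKN equals its CAK. The function names are this example's own.

```shell
#!/bin/sh
# Generate and validate a MACsec CKN/CAK pair for a Direct Connect connection.
# Added example. Assumption: both CKN and CAK must be 64 hex characters (32 bytes).
# Uses od on /dev/urandom so it runs without openssl or any vendor tool.

HEX_LEN=64   # 32 bytes -> 64 hex characters (assumed Step 4 requirement)

# Print 32 random bytes as 64 lowercase hex characters, no separators.
random_hex32() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Return 0 if $1 is exactly 64 hex characters (either case), 1 otherwise.
is_valid_hex64() {
    case "$1" in
        "")             return 1 ;;   # empty
        *[!0-9a-fA-F]*) return 1 ;;   # any non-hex character
    esac
    [ "${#1}" -eq "$HEX_LEN" ]
}

# Validate a pair (for example one produced by a vendor tool) without
# printing the CAK back. Return 0 if usable, 1 with a reason on stderr if not.
check_pair() {
    is_valid_hex64 "$1" || { echo "CKN must be $HEX_LEN hex characters" >&2; return 1; }
    is_valid_hex64 "$2" || { echo "CAK must be $HEX_LEN hex characters" >&2; return 1; }
    [ "$1" != "$2" ]    || { echo "CKN must differ from CAK" >&2; return 1; }
    return 0
}

# Generate a fresh pair, validate it, and emit "CKN=<hex>" and "CAK=<hex>"
# on two lines so a caller can eval or grep them. The CKN is an identifier
# the peers exchange in MKA; the CAK is the secret that must never be logged.
gen_pair() {
    ckn=$(random_hex32)
    cak=$(random_hex32)
    check_pair "$ckn" "$cak" || return 1
    printf 'CKN=%s\nCAK=%s\n' "$ckn" "$cak"
}
```

Run `sh macsec-key.sh` after appending a call to `gen_pair`, or source the file and call `check_pair "$CKN" "$CAK"` on a pair you received from elsewhere before handing it to the association step.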

Service-Linked roles

Amazon Direct Connect uses Amazon Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to Amazon Direct Connect. Service-linked roles are predefined by Amazon Direct Connect and include all of the permissions that the service requires to call other Amazon services on your behalf. A service-linked role makes setting up Amazon Direct Connect easier because you don’t have to manually add the necessary permissions. Amazon Direct Connect defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon Direct Connect can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. For more information, see Service-linked roles for Direct Connect.

MACsec pre-shared CKN/CAK key considerations

Amazon Direct Connect uses Amazon managed CMKs for the pre-shared keys that you associate with connections or LAGs. Secrets Manager stores your pre-shared CKN and CAK pairs as a secret that the Secrets Manager’s root key encrypts. For more information, see Amazon managed CMKs in the Amazon Key Management Service Developer Guide.

The stored key is read-only by design, but you can schedule a seven- to thirty-day deletion using the Amazon Secrets Manager console or API. When you schedule a deletion, the CKN cannot be read, and this might affect your network connectivity. We apply the following rules when this happens:

  • If the connection is in a pending state, we disassociate the CKN from the connection.

  • If the connection is in an available state, we notify the connection owner by email. If you do not take any action within 30 days, we disassociate the CKN from your connection.

When we disassociate the last CKN from your connection and the connection encryption mode is set to must_encrypt, we set the mode to should_encrypt to prevent sudden packet loss. Check the encryption mode after any key removal or scheduled secret deletion, because a connection you intended to be encrypt-only may silently be running in should_encrypt until you associate a new key and set must_encrypt again.

Step 1: Create a connection

To start using MACsec, you must turn the feature on when you create a dedicated connection. For more information, see Create a connection using the Connection wizard.

(Optional) Step 2: Create a link aggregation group (LAG)

If you use multiple connections for redundancy, you can create a LAG that supports MACsec. For more information, see MACsec considerations and Create a LAG.

Step 3: Associate the CKN/CAK with the connection or LAG

After you create the connection or LAG that supports MACsec, you need to associate a CKN/CAK with the connection. For more information, see one of the following:

Step 4: Configure your on-premises router

Update your on-premises router with the MACsec secret key. The MACsec secret key on the on-premises router and in the Amazon Direct Connect location must match. For more information, see Download the router configuration file.

Step 5: (Optional) Remove the association between the CKN/CAK and the connection or LAG

If you need to remove the association between the MACsec key and the connection or LAG, see one of the following:
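Steps 1 through 5 wired together with the AWS CLI, as an added example that is not part of this page or of the Direct Connect documentation. The command names and flags (create-connection --request-mac-sec, associate-mac-sec-key, describe-connections, update-connection --encryption-mode, disassociate-mac-sec-key) are the real directconnect CLI operations; the connection ID, location code, bandwidth and secret ARN used in comments and in the usage line are placeholders, the CKN and CAK are expected in the environment, and the AWS variable is this example's own dry-run switch. Step 2 (a LAG) is not repeated because the same associate and disassociate calls accept a LAG ID in --connection-id. Step 4, the router side, is vendor specific and is represented only by the status check that confirms the port is encrypting after the router has the same CKN/CAK.

```shell
#!/bin/sh
# MACsec lifecycle on a Direct Connect dedicated connection via the AWS CLI.
# Added example. Assumptions: the AWS CLI is installed with credentials and a
# region configured; CKN and CAK are set in the environment; IDs are placeholders.
# Set AWS=echo to print the commands instead of executing them (dry run).
AWS=${AWS:-aws}

# Step 1: request a MACsec-capable dedicated connection. --request-mac-sec
# has to be given at creation time; MACsec is not switched on afterwards.
# $1 = connection name, $2 = location code, $3 = bandwidth (10Gbps, 100Gbps, 400Gbps)
create_macsec_connection() {
    $AWS directconnect create-connection \
        --connection-name "$1" --location "$2" --bandwidth "$3" \
        --request-mac-sec \
        --query 'connectionId' --output text
}

# Step 3: associate a CKN/CAK pair. Direct Connect stores it in Secrets Manager
# and returns the key list with each entry's secretARN and state; the CAK is
# not echoed back. $1 may be a connection ID (dxcon-...) or a LAG ID (dxlag-...).
# $1 = connection or LAG ID, $2 = CKN, $3 = CAK
associate_key() {
    $AWS directconnect associate-mac-sec-key \
        --connection-id "$1" --ckn "$2" --cak "$3" \
        --query 'macSecKeys[].[ckn,state,secretARN]' --output text
}

# Step 4 check: once the on-premises router carries the same CKN/CAK, confirm
# the key state and that the port is actually encrypting.
# $1 = connection ID; prints "<encryptionMode> <portEncryptionStatus> <key count>"
connection_status() {
    $AWS directconnect describe-connections --connection-id "$1" \
        --query 'connections[0].[encryptionMode,portEncryptionStatus,length(macSecKeys)]' \
        --output text
}

# Only enforce must_encrypt after connection_status shows the port encrypting;
# forcing it while the MKA session is down takes the connection offline.
# $1 = connection ID
require_encryption() {
    $AWS directconnect update-connection \
        --connection-id "$1" --encryption-mode must_encrypt \
        --query 'encryptionMode' --output text
}

# Step 5: remove a key by its secret ARN. Removing the last key from a
# must_encrypt connection makes the service drop the mode to should_encrypt,
# so run connection_status again afterwards.
# $1 = connection or LAG ID, $2 = secret ARN from associate_key
disassociate_key() {
    $AWS directconnect disassociate-mac-sec-key \
        --connection-id "$1" --secret-arn "$2" \
        --query 'macSecKeys[].[ckn,state]' --output text
}

# Usage: CKN=... CAK=... sh macsec-dx.sh dxcon-xxxxxxxx   (associate and check)
#        AWS=echo CKN=... CAK=... sh macsec-dx.sh dxcon-xxxxxxxx   (dry run)
if [ -n "${1:-}" ]; then
    conn=$1
    associate_key "$conn" "$CKN" "$CAK"
    connection_status "$conn"
fi
```

The dry-run switch is the point of the AWS variable: run the script once with AWS=echo, read the exact commands it would issue, and only then run it for real against the connection ID that create_macsec_connection printed.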