This page describes how to modify the fail-open behavior of MACsec for Cloud Interconnect.
You can choose to enable MACsec for Cloud Interconnect with fail-open behavior. Fail-open means that if Google's edge routers can't establish a MACsec key agreement (MKA) session with your router, then the Cloud Interconnect connection remains operational with unencrypted traffic. The default setting drops all traffic if an MKA session can't be established with your router.
You can change MACsec fail-open behavior only by using the Google Cloud CLI.
Enable fail-open behavior
Verify that there is no traffic on your Cloud Interconnect connection before enabling MACsec for Cloud Interconnect with fail-open behavior.
Run the following commands. The first disables MACsec and turns fail-open behavior on; the second re-enables MACsec:

gcloud compute interconnects macsec update INTERCONNECT_CONNECTION_NAME \
    --no-enabled \
    --fail-open

gcloud compute interconnects macsec update INTERCONNECT_CONNECTION_NAME \
    --enabled
Disable fail-open behavior
If you have fail-open behavior enabled for MACsec for Cloud Interconnect, you can choose to later disable fail-open behavior. After fail-open behavior is disabled, if Google's edge routers can't establish a MACsec key agreement (MKA) session with your router, then the connection drops all traffic.
Run the following commands. The first disables MACsec and turns fail-open behavior off; the second re-enables MACsec:

gcloud compute interconnects macsec update INTERCONNECT_CONNECTION_NAME \
    --no-enabled \
    --no-fail-open

gcloud compute interconnects macsec update INTERCONNECT_CONNECTION_NAME \
    --enabled
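To check which connections can still carry unencrypted traffic after these changes, the following added example (not part of the original page or of Google's tooling) classifies each connection as fail-closed, fail-open, or without MACsec. It assumes the Compute API Interconnect fields `macsecEnabled` and `macsec.failOpen`, assumes gcloud prints booleans as True/False in CSV output, and uses constructed connection names.

```shell
#!/bin/sh
# Added example: audit MACsec fail-open state per Cloud Interconnect connection.
# Input format, one connection per line: name,macsecEnabled,failOpen

# Live input source (defined but not run here). The field names are assumed
# from the Compute API Interconnect resource.
list_live() {
  gcloud compute interconnects list \
    --format='csv[no-heading](name,macsecEnabled,macsec.failOpen)'
}

# Read CSV lines on stdin and print one finding per connection.
classify_macsec() {
  while IFS=, read -r name enabled fail_open; do
    [ -n "$name" ] || continue
    # Normalise booleans; an unset field arrives as an empty string.
    enabled=$(printf '%s' "$enabled" | tr '[:upper:]' '[:lower:]')
    fail_open=$(printf '%s' "$fail_open" | tr '[:upper:]' '[:lower:]')
    if [ "$enabled" != "true" ]; then
      echo "$name: NO-MACSEC (MACsec not enabled)"
    elif [ "$fail_open" = "true" ]; then
      echo "$name: FAIL-OPEN (unencrypted if MKA session fails)"
    else
      echo "$name: FAIL-CLOSED (traffic dropped if MKA session fails)"
    fi
  done
}

# Count connections that can carry unencrypted traffic.
count_exposed() {
  classify_macsec | grep -c -v 'FAIL-CLOSED' || true
}

# Constructed sample standing in for list_live output.
SAMPLE='ic-prod-a,True,False
ic-prod-b,True,True
ic-lab,False,'

printf '%s\n' "$SAMPLE" | classify_macsec
```

For a real project, replace the last line with `list_live | classify_macsec`.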