How to Create and Configure ExpressRoute Circuits
One of the main objectives for an organization moving to a public cloud, in any shape or form, concerns the overall performance experience: it cannot be a downgraded version of what they have with their on-premises services. Microsoft is well aware of that and some time back introduced private connections from your datacenter to Microsoft Azure's datacenters in order to guarantee this performance.
ExpressRoute connections do not go over the public Internet and are available through specific connectivity providers. Not all regions have ExpressRoute available.
Here are some of the main benefits of using ExpressRoute:
- Layer 3 connectivity between your on-premises network and the Microsoft Cloud through a connectivity provider. Connectivity can be from an any-to-any (IPVPN) network, a point-to-point Ethernet connection, or through a virtual cross-connection via an Ethernet exchange.
- Connectivity to Microsoft cloud services across all regions in the geopolitical region.
- Global connectivity to Microsoft services across all regions with the ExpressRoute premium add-on.
- Dynamic routing between your network and Microsoft over industry standard protocols (BGP).
- Built-in redundancy in every peering location for higher reliability.
- Connection uptime SLA.
- QoS support for Skype for Business.
ExpressRoute Step by Step
Let's walk through the step-by-step process of setting up ExpressRoute in your environment:
- Sign in to the Azure Portal.
- Select New > Networking > ExpressRoute
- You’ll see the Create ExpressRoute circuit page. Complete the following values:
  - Tier determines whether an ExpressRoute standard or an ExpressRoute premium add-on is enabled. You can specify Standard to get the standard SKU or Premium for the premium add-on.
  - Data metering determines the billing type. You can specify Metered for a metered data plan and Unlimited for an unlimited data plan.
  - Peering Location is the physical location where you are peering with Microsoft. While they are not related, it is a good practice to choose a Network Resource Provider geographically close to the Peering Location of the circuit.
The following is an example using Equinix as a service provider.
- Access “All Resources” on the left side and check the properties of the circuit you just created.
- You should be able to see this information on the circuit:
  - Provider status: Not provisioned
  - Circuit status: Enabled
- In order to complete the provisioning process, you need to copy the service key and send it to your Internet service provider. Each service key is specific to its circuit, so if you have more than one ExpressRoute circuit, you'll need to send the service key for each of them.
The following is a sample service key; your value will be different:
- After this step is completed by your service provider, you should be able to see the “Provisioned” value.
Understanding ExpressRoute Peering Domains
An ExpressRoute circuit has multiple routing domains associated with it: Azure public, Azure private, and Microsoft. Each of the routing domains is configured identically on a pair of routers (in active-active or load sharing configuration) for high availability.
- Azure private peering: The private peering domain is considered to be a trusted extension of your core network into Microsoft Azure. This peering lets you connect to virtual machines and cloud services directly on their private IP addresses. You can set up bi-directional connectivity between your core network and Azure virtual networks (VNets).
- Azure public peering: Services such as Azure Storage, SQL databases, and Web sites are offered on public IP addresses. You can privately connect to services hosted on public IP addresses, including VIPs of your cloud services. Usually, these connections with the public peering domain are integrated with organizations' DMZ, connecting to all Azure services on their public IP addresses from their WAN without having to connect through the internet.
- Microsoft peering: Connectivity to all other Microsoft online services (Office 365, Dynamics 365, and Azure PaaS services) is through the Microsoft peering. This type of peering is not usually needed and should only be applied in special scenarios.
Configuring ExpressRoute and Azure Private Peering
Having reviewed the peering types and domains, I'll use private peering as an example since it is the most common ExpressRoute scenario.
- Before you begin, make sure you have the following pre-requisites:
  - A /30 subnet for the primary link. The subnet must not be part of an address space reserved for virtual networks.
  - A /30 subnet for the secondary link. The subnet must not be part of an address space reserved for virtual networks.
  - A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID.
  - AS number for peering. You can use both 2-byte and 4-byte AS numbers. You can use a private AS number for this peering. Ensure that you are not using 65515.
  - Optional – An MD5 hash if you choose to use one.
- Select the Azure Private peering row, as shown in the following example:
- Configure private peering with the pre-requisites mentioned earlier:
With that, you will have your ExpressRoute circuit available and configured with private peering, so you will be able to experience solid and reliable performance with Microsoft Azure.
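The private peering prerequisites listed above can be checked before the values are entered in the portal. The following Python script is an added example, not code from the original article or from Microsoft; the function name, the sample VNet ranges and the sample VLAN set are constructed for illustration, the 1-4094 VLAN range is the standard 802.1Q range rather than a value from the article, and the requirement that the two links use distinct subnets is an assumption.

```python
import ipaddress

RESERVED_ASN = 65515  # the article says this AS number must not be used
# Constructed sample values, not taken from a real circuit or subscription.
SAMPLE_VNETS = ["10.10.0.0/16", "10.20.0.0/16"]
SAMPLE_VLANS_IN_USE = {100}


def check_private_peering(primary, secondary, vlan_id, peer_asn,
                          vnet_prefixes, vlans_in_use):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    links = {}
    for name, cidr in (("primary", primary), ("secondary", secondary)):
        try:
            # strict=True rejects values such as 192.168.15.17/30 (host bits set)
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if net.version != 4 or net.prefixlen != 30:
            problems.append(f"{name}: {cidr} is not an IPv4 /30")
            continue
        links[name] = net
        for prefix in vnet_prefixes:
            if net.overlaps(ipaddress.ip_network(prefix)):
                problems.append(f"{name}: {cidr} overlaps VNet space {prefix}")
    # Assumption: the primary and secondary links need distinct subnets.
    if len(links) == 2 and links["primary"].overlaps(links["secondary"]):
        problems.append("primary and secondary links use the same subnet")
    if not 1 <= vlan_id <= 4094:  # usable 802.1Q VLAN ID range
        problems.append(f"VLAN ID {vlan_id} is outside 1-4094")
    elif vlan_id in vlans_in_use:
        problems.append(f"VLAN ID {vlan_id} is already used by another peering")
    if not 1 <= peer_asn <= 4294967295:  # 2-byte and 4-byte AS numbers
        problems.append(f"AS number {peer_asn} is not a valid 2- or 4-byte ASN")
    elif peer_asn == RESERVED_ASN:
        problems.append(f"AS number {RESERVED_ASN} must not be used")
    return problems


if __name__ == "__main__":
    # Deliberately bad input: overlaps a VNet, wrong prefix length,
    # reused VLAN ID and the disallowed AS number.
    for issue in check_private_peering("10.10.1.0/30", "192.168.15.16/29",
                                       100, 65515, SAMPLE_VNETS,
                                       SAMPLE_VLANS_IN_USE):
        print("FAIL:", issue)
```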